Light
I started this challenge with minimal knowledge of SQL/SQLite commands and workings (just the basics learnt from the TryHackMe room covered under the Web Hacking -> SQL Injection section of this gitbook: ). I have gained ideas and insights from a few online resources and also from ChatGPT.
Note: ChatGPT was used to point me in the right direction on SQLite-specific concepts, such as the commands to retrieve the table or column names from the current database instance, but not on SQL injection concepts themselves. The SQL injection commands were generated by myself through multiple rounds of trial and error. For example, the command to query sqlite_master was generated by ChatGPT; however, the insertion of specific characters (e.g. quotation marks, equal signs, etc.) into the final command sent to the vulnerable database application was added by myself, based on my own knowledge from past experience.
The challenge presents a simple interface over a TCP connection on port 1337: it prompts for a username and responds with that user's password. The goal is to find the name and password of the admin account, followed by a flag.
My first instinct was to brute-force the username. If the admin username appears in a wordlist, the application would hand back its password directly.
Bash script to brute force the password:
The following is an incomplete attempt at a bash script for the brute-force attack. However, the script does not work: it simply pauses after the first input.
Python script:
The following shows a Python script that works:
Word-lists to try out:
/usr/share/wordlists/seclists/Usernames/Names/names.txt
/usr/share/wordlists/seclists/Usernames/Names/malenames-usa-top1000.txt
/usr/share/wordlists/seclists/Usernames/Names/femalenames-usa-top1000.txt
I found the username: alice. However, this wasn't the admin username. Probably a rookie mistake on my part for not realizing sooner that the answer field for the admin username on the TryHackMe website is 14 characters long. SQL injection is likely to be more feasible.
As mentioned above, the answer field is very long, so it is highly unlikely that I would find the username with a simple brute-force.
As suggested by the challenge name, this is likely a SQLite database application.
Possible SQL statements on the server side:
Attempts with common SQL injection inputs:
Force the statement to resolve to true
Potentially tricking the database to return all the users
Hoped to resolve to the following on the server side:
Response: For strange reasons I can't explain, any input containing /*, -- or, %0b is not allowed :)
This tells us that comment characters are banned.
Another attempt:
Hoped to resolve to the following on the server side:
This seems to return a password value (the one associated with the username alice).
UNION and SELECT statement
The UNION and SELECT keywords (along with their lowercase variants) are all banned too.
Response: Ahh there is a word in there I don't like :(
Obfuscation of keywords
After pondering for a while on the error message returned from the statement in point 2 above, I got the idea of using non-standard spellings of SQL keywords, apart from the conventional fully capitalized or fully lowercase versions (UNION, union).
From the results, I have learnt that SQLite accepts mixed-case variations of SQL keywords, such as (but not limited to) Union, uNion, unIon, uniOn and UNion, and treats them as valid commands.