search

Light

Welcome to the Light database application!

hashtag
Intro

Hello everyone its been so long since our last Try hack me machine a simple and cool sql injection machine let's goo.

hashtag
Enumeration

hashtag
Port scanning.

PORT     STATE SERVICE
22/tcp   open  ssh
1337/tcp open  waste

hashtag
Testing the DB.

after some trys i came to this

As you can see when we change the case of the word 'Union' and ' Select' it did not detect and infact we are able to find the password parameter.

also in the image below we can see that the db is sqlite db which we can confirm from that way we get the version of the sql. I also was able to get the names of the tables that exist in the database from the sqlite_master table.

hashtag
Final steps

From there i have everything i need to find the users and password for both tables the image blow shows that too.

It was just normal sql commands to read from the tables and we are able to find the admin user along with our flag.

hashtag
More useful stuff.

After i have done with my work i want to check others solutions in case i miss something would have give me useful information and i found something.

LogoLight | Writeups0xb0b.gitbook.iochevron-right

From Mr. Bob writeup we can see this command.

Which gonna give us the sql commands that have been run on the database.

Image from bob's writeup

hashtag
Conclusion.

At the end this machine was quite good for testing you sql injection basic techniques also keep in mind every time you finish a machine look for other solution you maybe have miss something that would make you exploration much more easier.

PreviousSmol (THM)NextSilver Platte (THM)

Last updated