URL: https://tryhackme.com/room/lightroom

Title: Light
Rating: Easy

Overview

The room's creator asks us to try a database app. The application is running on port 1337, and we can connect to it using nc 10.10.123.134 1337
We can use the username smokey to get started.

Recon

Nmap gives us 2 open ports:

Open 10.10.123.134:22    SSH
Open 10.10.123.134:1337  DB app

As per the description, let's connect to the database on port 1337 with netcat:

[~] > nc 10.10.123.134 1337
Welcome to the Light database!
Please enter your username: smokey
Password: vYQ5ngPpw8AdUmL
Please enter your username: smokey
Password: vYQ5ngPpw8AdUmL
Please enter your username:
  • It just gives me a password on every attempt.
  • I tried these creds to log in via SSH but failed.

Now we only have the Light database interface to work with. As it's a DB, let's try some SQL injections:

Let's try a basic single quote ('). Some kind of filter is preventing us from using the comment sequence -- and the keywords UNION and SELECT. Let's try different variations:

We do get a hit with the mixed-case Union and Select.

Let's try to enumerate it a bit:

We find that the target DB is SQLite. Let's start dumping data:

We find the creds and the flag!
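
Why the filter above fails and what fixes it, as an added example that is not the room's code or part of the original write-up: a case-sensitive keyword blocklist in front of a concatenated SQLite query, next to the same lookup with a bound parameter. The table names, query shape, blocklist contents and all data are constructed assumptions.

```python
import sqlite3

BLOCKED = ("UNION", "SELECT", "--")  # assumed blocklist, matched case-sensitively

def make_db():
    """Constructed in-memory data; the room's real schema is not on the page."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("CREATE TABLE secrets (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('smokey', 'user-pw-constructed')")
    db.execute("INSERT INTO secrets VALUES ('admin', 'admin-pw-constructed')")
    return db

def lookup_weak(db, username):
    """Keyword blocklist plus string concatenation (assumed server behaviour)."""
    if any(token in username for token in BLOCKED):
        return "filtered"  # 'Union' is not 'UNION', so mixed case never gets here
    sql = f"SELECT password FROM users WHERE username = '{username}' LIMIT 30"
    try:
        row = db.execute(sql).fetchone()
    except sqlite3.Error as exc:
        return f"error: {exc}"  # a lone quote breaks the statement's syntax
    return row[0] if row else "not found"

def lookup_safe(db, username):
    """Bound parameter: the input is only ever data, so no filter is needed."""
    row = db.execute(
        "SELECT password FROM users WHERE username = ? LIMIT 30", (username,)
    ).fetchone()
    return row[0] if row else "not found"

# Constructed inputs: normal name, lone quote, blocked spelling, mixed-case spelling.
SAMPLES = [
    "smokey",
    "'",
    "x' UNION SELECT password FROM secrets WHERE '1'='1",
    "x' Union Select password From secrets Where '1'='1",
]

def demo():
    db = make_db()
    return [(lookup_weak(db, s), lookup_safe(db, s)) for s in SAMPLES]

if __name__ == "__main__":
    for sample, (weak, safe) in zip(SAMPLES, demo()):
        print(f"{sample!r:55} weak={weak!r} safe={safe!r}")
```

Making the blocklist case-insensitive would only narrow the gap; the bound parameter in lookup_safe removes the injection point itself.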