THM

1.

Using NMAP

Port 22 (SSH) open among the first 1000 scanned ports

Using SQL Injection

When we enter a username, a “password” is returned. This suggests that the system is likely using a query such as:

1
SELECT * FROM usuario WHERE username = 'smokey'

This makes it possible to use UNION-based SQL injection, allowing us to query a default database table from SQLite that stores database metadata.

Now that we have the table name, let’s test it

How many records does this table contain? (2)

Now attempting to read the discovered records

Since there are two records, we can apply the following approach:

With the usernames obtained, we can now retrieve the passwords

TryHackMeAdmin – Password

flag – Password