| Lab/Room | TryHackMe - Advanced Pentesting |
|---|---|
| Type | Challenge |
| Status | Done |
| Date | 21/03/2026 |
Learn to hack into this machine. Understand how to use SQLMap, crack some passwords, reveal services using a reverse SSH tunnel and escalate your privileges to root!
This room will cover SQLi (exploiting this vulnerability manually and via SQLMap), cracking a user's hashed password, using SSH tunnels to reveal a hidden service and using a Metasploit payload to gain root privileges.
SQL (Structured Query Language) is the standard language used to interact with databases, allowing applications to store, retrieve, and manipulate data. In a typical authentication mechanism, user-supplied credentials are inserted into a query such as:
```sql
SELECT * FROM users WHERE username = :username AND password = :password
```
During the login process, the application takes the values entered in the username and password fields and places them directly into this query. If the database returns a matching record, access is granted; otherwise, an error is displayed.
This behavior introduces a classic vulnerability when inputs are not properly sanitized. Because user input is directly embedded into the SQL query, it becomes possible to inject malicious SQL code and alter the logic of the query itself.
The goal of the attack is to bypass authentication without valid credentials by manipulating the query logic. Instead of providing a legitimate password, we inject a condition that always evaluates to true.
```sql
' or 1=1 -- -
```

- `OR 1=1` forces the condition to always be true
- `-- -` comments out the rest of the query to prevent syntax errors

When this payload is inserted, the query executed by the server becomes:
```sql
SELECT * FROM users WHERE username = 'admin' AND password = '' or 1=1 -- -
```
At this point, the query logic is effectively altered. The condition `1=1` always evaluates to true, and because `OR` is evaluated after `AND`, the `WHERE` clause is satisfied for every row, so the database returns a valid result regardless of the actual password. The comment sequence (`-- -`) ensures that any remaining part of the query, including the closing quote, is ignored, preventing syntax errors.
An alternative approach is to inject the payload directly into the username field:
```sql
' or 1=1 -- -
```
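To make the two injection points above concrete, and to show what actually prevents them, here is an added example (not code from the room or from this writeup's author). It builds a constructed in-memory SQLite `users` table with made-up credentials, implements the login check once by string concatenation (the pattern the vulnerable application uses) and once with a parameterised query, and runs the same `' or 1=1 -- -` payload through both in the password field and in the username field. The table schema, usernames, passwords and function names are all assumptions for the demonstration.

```python
import sqlite3

# The bypass string discussed above, used unchanged in both injection points.
PAYLOAD = "' or 1=1 -- -"


def make_db():
    """Constructed in-memory database standing in for the application's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    # Made-up accounts; plaintext only so the query logic is easy to follow.
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("admin", "correct-horse"), ("alice", "battery-staple")],
    )
    conn.commit()
    return conn


def build_vulnerable_query(username, password):
    """Concatenates user input straight into the SQL text, as the vulnerable app does."""
    return (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )


def login_vulnerable(conn, username, password):
    """Returns the matched username or None. Input becomes part of the SQL itself."""
    query = build_vulnerable_query(username, password)
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Same check with bound parameters: the driver treats the payload as plain text."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = make_db()
    # Payload in the password field: WHERE ... AND password = '' or 1=1 -- -'
    print(build_vulnerable_query("admin", PAYLOAD))
    print("vulnerable, password field:", login_vulnerable(conn, "admin", PAYLOAD))
    # Payload in the username field: WHERE username = '' or 1=1 -- -' AND ...
    print("vulnerable, username field:", login_vulnerable(conn, PAYLOAD, "x"))
    # The parameterised version never evaluates the payload as SQL.
    print("safe, password field:", login_safe(conn, "admin", PAYLOAD))
    print("safe, username field:", login_safe(conn, PAYLOAD, "x"))
```

Running it prints the altered query text, shows both vulnerable calls returning the first row (`admin`) even though no valid password was supplied, and shows both parameterised calls returning `None`. The only difference between `login_vulnerable` and `login_safe` is whether the input is spliced into the SQL string or handed to the driver as a bound value, which is the fix for this entire class of bug.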