LDAP null-bind challenge explained simply
Think of LDAP like a big company phonebook/tree.
Each node in the tree is a folder or a person record:
```
dc=challenge01,dc=root-me,dc=org
|
+-- ou=anonymous
    |
    +-- uid=sabu
        +-- mail: sabu@anonops.org
```
In this challenge, the server allows anonymous login (called a null bind). That means we can connect without a username/password and ask some questions.
What we did (step by step)
- Checked if anonymous access works
```
ldapwhoami -x -H ldap://challenge01.root-me.org:54013
```
It returned `anonymous`, so null bind is enabled.
- Tried to list everything from the main base DN
```
ldapsearch -x -H ldap://challenge01.root-me.org:54013 -b "dc=challenge01,dc=root-me,dc=org" "(objectClass=*)"
```
Server replied with `Insufficient access`.
So: anonymous is allowed, but not everywhere.
- Probed likely child branches under the base DN
We tested candidate DNs and found one readable branch:
```
ldapsearch -x -H ldap://challenge01.root-me.org:54013 -b "ou=anonymous,dc=challenge01,dc=root-me,dc=org" -s base "(objectClass=*)" dn
```
That confirmed `ou=anonymous` exists and is accessible.
- Enumerated that readable branch
```
ldapsearch -x -H ldap://challenge01.root-me.org:54013 -b "ou=anonymous,dc=challenge01,dc=root-me,dc=org" "(objectClass=*)"
```
This returned a user record:
- `uid=sabu`
- `mail: sabu@anonops.org`
So the requested email is:
Why this works
- LDAP permissions are often set per branch (subtree).
- Root/base queries may be blocked.
- A specific subtree can still be world-readable.
- Enumeration is about finding where read access is allowed.
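The same per-branch behaviour can be checked from the administrator's side. The script below is an added example, not part of the original write-up: it classifies the result of an anonymous base-scope search for each DN of your own directory. The function names, the `LDAP_URI` variable and the `dc=example,dc=org` sample suffix are assumptions made for illustration, and the parsing assumes the default output of the OpenLDAP `ldapsearch` client.

```shell
#!/bin/sh
# Added example (not from the original write-up): audit your own directory for
# subtrees that answer an anonymous (null-bind) search.

# classify_search: read ldapsearch output on stdin, print one verdict.
# Result codes: 0 = success, 32 = noSuchObject, 50 = insufficientAccessRights.
classify_search() {
    awk '
        /^result: /       { seen = 1; code = $2 }
        /^# numEntries: / { entries = $3 }
        END {
            if (!seen)                         print "no-result"
            else if (code == 50)               print "denied"
            else if (code == 32)               print "absent"
            else if (code == 0 && entries > 0) print "readable"
            else if (code == 0)                print "empty"
            else                               print "error-" code
        }'
}

# audit_anon_read URI DN...: print "verdict<TAB>dn" for each DN, using the same
# base-scope anonymous search as the write-up.
audit_anon_read() {
    uri=$1; shift
    for dn in "$@"; do
        verdict=$(ldapsearch -x -H "$uri" -b "$dn" -s base "(objectClass=*)" dn 2>&1 | classify_search)
        printf '%s\t%s\n' "$verdict" "$dn"
    done
}

# Constructed sample outputs (dc=example,dc=org is a placeholder suffix).
sample_denied() {
    printf '%s\n' '# search result' 'search: 2' 'result: 50 Insufficient access' '' '# numResponses: 1'
}
sample_readable() {
    printf '%s\n' 'dn: ou=anonymous,dc=example,dc=org' '' '# search result' \
        'search: 2' 'result: 0 Success' '' '# numResponses: 2' '# numEntries: 1'
}

# With LDAP_URI set, audit the DNs given as arguments; otherwise show the samples.
if [ -n "${LDAP_URI:-}" ]; then
    audit_anon_read "$LDAP_URI" "$@"
else
    printf 'base DN sample: %s\n' "$(sample_denied | classify_search)"
    printf 'ou=anonymous sample: %s\n' "$(sample_readable | classify_search)"
fi
```

Every DN reported as `readable` is a branch whose access rules grant read to unauthenticated clients and should be reviewed; if nothing needs anonymous access, disabling anonymous binds on the server removes the whole class.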
Tiny mental model
```
[Connect anonymously] --> [Test base DN] --blocked--> [Try child branches]
                                                              |
                                                              v
                                                   [Find readable subtree]
                                                              |
                                                              v
                                                   [Dump entries + get mail]
```