![e96ac8bdce5c241cdf848bb6ccc7dd23.png](274f00c6403045f5bbf4764c7ad75a39.png)

![a60f4393dfb9e33abf9df7959678d84b.png](0d288153dc0740bb880a74c0d529377d.png)

While enumerating this I found that you can dump the whole database by searching for `*`. A bare wildcard matching everything is a strong sign the backend query is an LDAP filter.

![96f1b5b20b2088a540bde58e9a9de9aa.png](889be0772b894e989a606b02df9a4dc9.png)

To confirm, we can try some injection:

```
administrator)(objectClass=*
```

![ba1ea11b918fa9f0d596fac482df73bd.png](9d45c94f247b4805b81ca520a77df6a7.png)

LDAP indeed. So how do we exploit this? Well, there was a hint when trying to recover the administrator's account:

![37d476697f5979227387361da635aef4.png](93f7903110be40948036862191c08232.png)

So there's a `description` field in the database that we haven't uncovered yet. Fortunately, we can use wildcards to recover the password from that field one character at a time. It works like this:

```
administrator)(description=a*
```

If the value in the `description` field starts with `a`, the application returns the public data; if not, it won't. Because the response differs depending on whether the guessed prefix matches, this is a blind (boolean-based) injection and we can brute-force the value prefix by prefix.

Correct:

![f1fa51835778d4241985d16bc0eef457.png](12c6150c56ac414ab4c2fadc942319db.png)

Incorrect:

![0b5988967de2211dc9a69b1a5f691358.png](3c813a5a4af040fdbdbf7449ae929eec.png)

You could go through this by hand, checking each character until you eventually get it, or you can script it. I took the latter option.

![eb7815cf6d11af26ee5250f1e5143167.png](0c4bd17a2ba24e0f8424c50f508735b3.png)

![47adff1c8dd401b019947d6f905628cf.png](9b5f2afe75b146989e593c4221df4067.png)

Log in with `administrator:very_secure_hacktivity_pass`:

![7c0f5ce6b2834e5fb2fe835b33a18a2a.png](0ef2bb3b7bc140f9b4151cd21e9fff44.png)

---

Back to [[_WebSite Publish/CTF/CTF Index|CTF Index]]

Tags: #ctf #ldap_injection #scripting #web

Related:
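The root cause of the injection above is that the user-supplied name is concatenated straight into the LDAP search filter, so `)` and `(` let the attacker close the `uid` term and open new ones, and `*` turns a literal match into a wildcard. The block below is an added example, not code from the CTF or from the writeup, and it assumes a hypothetical filter shape `(&(uid=<name>)(objectClass=person))` (the real challenge's filter is not shown). It puts the vulnerable construction beside the hardened one (RFC 4515 escaping of `\ * ( )` and NUL) and runs a small detector over constructed access-log lines to flag the `)(` and `*` payloads from this writeup in a request parameter.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

# RFC 4515 escapes for characters that have meaning inside an LDAP filter value.
# Each character is mapped exactly once, so the backslash rule cannot double-escape.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Return `value` with filter metacharacters escaped so it matches literally."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter_unsafe(username: str) -> str:
    """Vulnerable pattern: raw concatenation (hypothetical filter shape, assumed)."""
    return f"(&(uid={username})(objectClass=person))"


def build_filter_safe(username: str) -> str:
    """Hardened pattern: the same filter with the user value escaped first."""
    return f"(&(uid={escape_filter_value(username)})(objectClass=person))"


# Detection side: flag query-string values carrying LDAP filter metacharacters.
# parse_qs percent-decodes, so %29%28 and %2A are seen as ')(' and '*'.
LDAP_META = re.compile(r"[()*\\\x00]")

_REQUEST = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)


def flag_ldap_injection(log_text: str) -> List[Dict[str, str]]:
    """Scan combined-format access log lines and return parameters that look like
    LDAP filter injection attempts (metacharacters in a decoded query value)."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = _REQUEST.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for name, values in parse_qs(query, keep_blank_values=True).items():
            for value in values:
                if LDAP_META.search(value):
                    hits.append(
                        {"ip": m.group("ip"), "time": m.group("ts"),
                         "param": name, "value": value}
                    )
    return hits


# Constructed sample log (not a real capture): one benign lookup, the two payloads
# from the writeup URL-encoded, a bare wildcard, and an unrelated static request.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /recover?user=administrator HTTP/1.1" 200 512
10.0.0.5 - - [10/Oct/2023:13:55:41 +0000] "GET /recover?user=administrator%29%28description%3Da%2A HTTP/1.1" 200 512
10.0.0.5 - - [10/Oct/2023:13:55:43 +0000] "GET /recover?user=%2A HTTP/1.1" 200 4096
10.0.0.9 - - [10/Oct/2023:13:56:00 +0000] "GET /static/app.js HTTP/1.1" 200 9000
"""

if __name__ == "__main__":
    payload = "administrator)(objectClass=*"
    print("unsafe:", build_filter_unsafe(payload))
    print("safe:  ", build_filter_safe(payload))
    for hit in flag_ldap_injection(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['time']} param={hit['param']!r} value={hit['value']!r}")
```

With escaping, the `description=a*` probe becomes the literal string `administrator\29\28description=a\2a`, which no `uid` will match, so the boolean oracle disappears. The detector is deliberately coarse (any metacharacter in any parameter); on a real site you would scope it to the parameters that feed directory lookups and combine it with a per-client rate on the recovery endpoint, since the brute-force in this writeup produces one request per guessed character.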