

While enumerating this, I found that you can dump the database using '*', which means it's probably LDAP.

To confirm, we can try some injection:
```
administrator)(objectClass=*
```

LDAP indeed. So how do we exploit this? Well, there was a hint when trying to recover the administrator's account.

So there's a description field in the database that we haven't uncovered yet. Fortunately, we can use wildcards to try to uncover the password from that field.
It works like this:
```
administrator)(description=a*
```
If the value in the description field starts with 'a', then the query returns the public data. If not, then it won't. So we can brute-force this, one character at a time.
Correct:

Incorrect:

You could go through this by hand, checking each character and eventually getting it, or you can script it. I took the latter option.


Log in with `administrator:very_secure_hacktivity_pass`
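Why the two payloads above work, and the fix, as an added example that is not part of the original write-up: user input concatenated into a search filter versus the same input escaped per RFC 4515. The filter template, the `uid` and `person` names and all function names are assumptions, since the page does not show the server-side code.

```python
# Added example (not from the original write-up). The filter template and the
# "uid"/"person" names are assumptions; the page does not show the server code.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
EXPECTED_ATTRS = ["uid", "objectClass"]  # clauses the application intends to send

def escape_filter_value(value: str) -> str:
    """Escape the characters RFC 4515 reserves inside a filter assertion value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def build_filter_unsafe(username: str) -> str:
    # Vulnerable pattern: input is concatenated straight into the filter.
    return f"(&(uid={username})(objectClass=person))"

def build_filter_safe(username: str) -> str:
    # Hardened pattern: metacharacters become \XX escapes and stay literal.
    return f"(&(uid={escape_filter_value(username)})(objectClass=person))"

def attributes_in_filter(flt: str) -> list:
    """Return the attribute name of every (attr=value) clause, skipping \\XX escapes."""
    attrs, i = [], 0
    while i < len(flt):
        if flt[i] == "\\":          # escaped byte: backslash plus two hex digits
            i += 3
            continue
        if flt[i] == "(" and i + 1 < len(flt) and flt[i + 1] not in "&|!":
            end = flt.index("=", i)
            attrs.append(flt[i + 1:end])
            i = end
        i += 1
    return attrs

def alters_filter(username: str) -> bool:
    """Detection check: would raw concatenation add a wildcard or extra clauses?"""
    unsafe_attrs = attributes_in_filter(build_filter_unsafe(username))
    return "*" in username or unsafe_attrs != EXPECTED_ATTRS

if __name__ == "__main__":
    # Inputs taken from the write-up above, plus one benign username.
    for sample in ("administrator", "*", "administrator)(objectClass=*",
                   "administrator)(description=a*"):
        print(f"input : {sample}")
        print(f"unsafe: {build_filter_unsafe(sample)}")
        print(f"safe  : {build_filter_safe(sample)}")
        print(f"flag  : {alters_filter(sample)}\n")
```

With escaping, `description=a*` never becomes its own clause, so the response no longer reveals whether a guessed prefix matched; `alters_filter` can be logged server-side to spot probing attempts.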

---
Tags: #ctf #ldap_injection #scripting #web