Directory

volgactf

Task: Corporate directory service with LDAP backend and JWT auth — bypass authentication and find hidden data. Solution: LDAP wildcard injection in email/telephone fields to bypass auth, then brute-force organizational unit parameter to discover hidden OU containing the flag.

flask jwt authentication_bypass gunicorn directory_enumeration ldap_injection openldap ldap_wildcard organizational_unit_enumeration

ldap_wildcard_injectionauth_bypass_via_wildcardou_brute_forceldap_base_dn_manipulationhint_analysis

$ ls tags/ techniques/

flask jwt authentication_bypass gunicorn directory_enumeration ldap_injection openldap ldap_wildcard organizational_unit_enumeration

ldap_wildcard_injectionauth_bypass_via_wildcardou_brute_forceldap_base_dn_manipulationhint_analysis

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]Lab 330 — AuthVault — Blind LDAP Injection in Directory Lookup— hackadvisor
[web][Pro]Авторизация 2.0 (Authorization 2.0)— hackerlab
[web][Pro]Lab 331 — PeopleDir — LDAP Injection Authentication Bypass— hackadvisor
[web][Pro]Lab 332 — CloudGate ID — Blind LDAP Injection in People Directory— hackadvisor
[web][Pro]Code Control— undutmaning