webPromedium

Lab 332 — CloudGate ID — Blind LDAP Injection in People Directory

hackadvisor

Task: Enterprise identity management platform with LDAP-backed People Directory search, flag hidden in unmapped employeeNumber attribute. Solution: Blind boolean-based LDAP injection via uid search parameter, character-by-character extraction using wildcard matching with parallel workers.

nodejs nginx express character_extraction boolean_based ldap ldap_injection openldap decoy_flag blind_ldap_injection employee_number unmapped_attributes

ldap_filter_injectiondecoy_flag_identificationblind_ldap_injectionboolean_based_extractionldap_wildcard_matchingparallel_character_bruteforceattribute_enumeration

$ ls tags/ techniques/

nodejs nginx express character_extraction boolean_based ldap ldap_injection openldap decoy_flag blind_ldap_injection employee_number unmapped_attributes

ldap_filter_injectiondecoy_flag_identificationblind_ldap_injectionboolean_based_extractionldap_wildcard_matchingparallel_character_bruteforceattribute_enumeration

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ cat writeup.md…

Sign in to access full writeups

Sign in to access full writeups

Similar writeups