Web [150 pts]
Description: Look up the contact details of any of our employees!
When we visit the page, we see an employee look-up tool.

The challenge name, “Lightweight”, hints that the web app uses LDAP (Lightweight Directory Access Protocol).
Resource: https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol
Typing an asterisk (*) in the search bar gives us all the users.

So our goal is an LDAP injection that leaks information. We cannot sign in as admin without the password, but the web app does have a “forgot password” feature. Clicking on it gives this information:

The description field is a built-in LDAP field. More reading here: https://docs.bmc.com/docs/fpsc121/ldap-attributes-and-associated-fields-495323340.html
After experimenting with the search bar and receiving errors, one payload goes through without an error:
administrator)(&(cn=administrator)(description=v*)
This payload returns the admin user, which confirms that the injected filter is evaluated and that description=v* matches what is stored in the description field.
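To see why both the bare asterisk from earlier and this payload work, and what stops them, here is an added example (not code from the challenge or the writeup) that builds the search filter two ways: raw interpolation, as the vulnerable app presumably does, and with RFC 4515 escaping of the user's term. The wrapper filter shape (cn=<term>), the three directory entries and the tiny filter evaluator are all constructed assumptions; the evaluator only exists so the difference can be shown offline without an LDAP server.

```python
"""RFC 4515 filter escaping beside the raw interpolation that enables LDAP injection.
Added example, not the challenge's code. The wrapper filter (cn=<term>), the
directory entries and the mini evaluator below are constructed assumptions."""
import re

# RFC 4515 section 3: characters that must be hex-escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Constructed directory standing in for the challenge's employee records.
ENTRIES = [
    {"cn": "administrator", "description": "constructed-secret-placeholder"},
    {"cn": "alice", "description": "Engineering"},
    {"cn": "bob", "description": "Finance"},
]

# The payload from the writeup, used here only to show that escaping neutralises it.
PAYLOAD = "administrator)(&(cn=administrator)(description=v*)"


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied assertion value so it can only ever match literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter_unsafe(term: str) -> str:
    """Assumed vulnerable pattern: the search term is spliced straight into the filter."""
    return f"(cn={term})"


def build_filter_safe(term: str) -> str:
    """Hardened form: the same filter, but the term is escaped first."""
    return f"(cn={escape_filter_value(term)})"


def _value_regex(value: str) -> re.Pattern:
    """Compile an assertion value: '*' is a wildcard, '\\XX' is one literal hex-escaped byte."""
    parts, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 3 <= len(value):
            parts.append(re.escape(chr(int(value[i + 1:i + 3], 16))))
            i += 3
        elif value[i] == "*":
            parts.append(".*")
            i += 1
        else:
            parts.append(re.escape(value[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$", re.DOTALL)


def _parse(f: str, pos: int):
    """Parse one filter component starting at f[pos]; return (predicate, index after it)."""
    if pos >= len(f) or f[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    if pos + 1 < len(f) and f[pos + 1] in "&|!":
        op, pos, subs = f[pos + 1], pos + 2, []
        while pos < len(f) and f[pos] == "(":
            sub, pos = _parse(f, pos)
            subs.append(sub)
        if pos >= len(f) or f[pos] != ")" or (op == "!" and len(subs) != 1):
            raise ValueError("malformed compound filter")
        if op == "&":
            pred = lambda e: all(s(e) for s in subs)
        elif op == "|":
            pred = lambda e: any(s(e) for s in subs)
        else:
            pred = lambda e: not subs[0](e)
        return pred, pos + 1
    # Simple assertion: values never contain a raw ')', so the first one ends it.
    end = f.find(")", pos)
    if end == -1:
        raise ValueError("unterminated assertion")
    attr, _, value = f[pos + 1:end].partition("=")
    rx = _value_regex(value)
    return (lambda e: rx.match(e.get(attr.lower(), "")) is not None), end + 1


def evaluate(ldap_filter: str, entries=ENTRIES):
    """Return the cn of every entry matched by one complete, well-formed filter."""
    pred, end = _parse(ldap_filter, 0)
    if end != len(ldap_filter):
        raise ValueError(f"trailing data after filter at offset {end}")
    return [e["cn"] for e in entries if pred(e)]


def is_single_filter(ldap_filter: str) -> bool:
    """True if the string is exactly one filter, i.e. the user's term stayed inside its assertion."""
    try:
        evaluate(ldap_filter, [])
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(evaluate(build_filter_unsafe("*")))        # wildcard dumps every user
    print(evaluate(build_filter_safe("*")))          # escaped to \2a: matches nobody
    print(is_single_filter(build_filter_unsafe(PAYLOAD)))  # term broke out of (cn=...)
    print(is_single_filter(build_filter_safe(PAYLOAD)))    # term is one literal value
```

With raw interpolation the asterisk becomes a wildcard and the payload closes the cn assertion and opens new ones, which is exactly what the two observations above rely on. After escaping, both arrive at the server as literal strings inside a single assertion, so the only thing left to match is an employee whose name really contains parentheses and asterisks. Real applications should use their LDAP library's own escaping routine (python-ldap's ldap.filter.escape_filter_chars, for instance) rather than a hand-rolled table, but the transformation is the same.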

Using a short Python script, we can do a blind LDAP injection to retrieve the password one character at a time:


Logging in with “administrator” and the extracted password “very_secure_hacktivity_pass”, we get the flag:
