Root-me.org

LDAP injection - authentication

SSO v0.01

This challenge asks us to bypass an LDAP authentication.

After trying a few different characters to see whether the website gives us any feedback, we found that passing a parenthesis ')' as the username produces an ERROR message.

ERROR : Invalid LDAP syntax : (&(uid=))(userPassword=))

This is valuable information: our parenthesis appears right after uid=, which reveals the structure of the filter.

Knowing the actual filter sent to the server, we can easily bypass it using the * character.

In LDAP, * is a wildcard that matches any value. We then close the two parentheses and append a null byte.

My first tries didn't work and I couldn't figure out why. I kept getting the error. I decided to open Burp and intercept the query.

Our username is passed URL-encoded. This was the problem.

Our actual request will be:

username=*))%00&password=%27

The password can be anything. The server never gets that far.

Here’s the curl request:

curl -X POST --data-binary $'username=*))%00&password=%27' http://challenge01.root-me.org/web-serveur/ch25/
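Added example, not part of the original write-up: it parses the request body above with the leaked filter template `(&(uid=...)(userPassword=...))`, shows the effective filter once a C-based LDAP library stops reading at the first NUL byte (the truncation model is an assumption), and shows the defender's fix, RFC 4515 escaping of assertion values, which leaves the same input as a harmless literal. All function names are hypothetical.

```python
from urllib.parse import parse_qs

# Filter structure leaked by the challenge's error message.
FILTER_TEMPLATE = "(&(uid={uid})(userPassword={pw}))"


def parse_form(body: str) -> dict:
    """URL-decode a form body such as 'username=*))%00&password=%27' (constructed input)."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def build_filter_unsafe(uid: str, pw: str) -> str:
    """Vulnerable pattern: user input is concatenated straight into the filter."""
    return FILTER_TEMPLATE.format(uid=uid, pw=pw)


# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value so it cannot change the filter's structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter_safe(uid: str, pw: str) -> str:
    """Hardened version: every user-controlled value is escaped before insertion."""
    return FILTER_TEMPLATE.format(uid=escape_filter_value(uid), pw=escape_filter_value(pw))


def effective_filter(filter_str: str) -> str:
    """Assumed behaviour of a C string-based LDAP client: the filter ends at the first NUL."""
    nul = filter_str.find("\x00")
    return filter_str if nul == -1 else filter_str[:nul]


if __name__ == "__main__":
    form = parse_form("username=*))%00&password=%27")
    unsafe = build_filter_unsafe(form["username"], form["password"])
    safe = build_filter_safe(form["username"], form["password"])
    print("unsafe, as seen by the server:", effective_filter(unsafe))
    print("safe, as seen by the server:  ", effective_filter(safe))
```

With escaping applied the wildcard, parentheses and NUL become `\2a`, `\29` and `\00`, so the server compares uid against the literal string rather than matching every entry. In a real application use the LDAP library's own escaper (for example `ldap3.utils.conv.escape_filter_chars` in Python) instead of a hand-rolled table, and reject control characters such as NUL in credentials outright.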

The password can be found in the value attribute of the password field in the response.