tsustyle

Red Team Aspirant

Lightweight Contact Book

less than 1 minute read

img

img

While enumerating this I found that you can dump the database using ‘*’, which means it’s probably LDAP

img

To confirm, we can try some injection

img

LDAP indeed. So how do we exploit this? Well, there was a hint when trying to recover the administrator’s account

img

So there’s a description field in the database that we haven’t uncovered yet. Fortunately, we can use wildcards to try and uncover the password from that field

It works like this

administrator)(description=a*

if the value in the description field starts with ‘a’, then it will return the public data. If not, then it wont. So we can bruteforce this.

Correct:

img

Incorrect:

img

You could go through this by hand, checking each character and eventually get it, or you can script it. I took the latter option

img

img

Log in with administrator:very_secure_hacktivity_pass

img

You may also enjoy

Tenet

‘Tenet’ is a medium rated box on Hack the Box. We’ll be using PHP Object Injection to get RCE and identify a race condition in a custom script for privesc.

Skynet

‘Skynet’ is a box on TryHackMe. We’ll be enumerating SMB shares, brute forcing a login and exploiting a Remote File Inclusion vulnerability in Cuppa CMS for a foothold. For our root shell we’ll take a look at exploiting some wildcard injection using a script that’s being run as a cronjob.

FFuF Cheatsheet

This is a Cheatsheet I created for reference when using FFuF

Ready

‘Ready’ is a medium rated box on Hack the Box. We’ll be using a public exploit for a vulnerable Gitlab version for a shell, enumeration and password reuse for privesc and escape a docker container for root