tsustyle

Aspiring Red Team

Lightweight Contact Book

less than 1 minute read

img

img

While enumerating this I found that you can dump the database using ‘*’, which means it’s probably LDAP

img

To confirm, we can try some injection

img

LDAP indeed. So how do we exploit this? Well, there was a hint when trying to recover the administrator’s account

img

So there’s a description field in the database that we haven’t uncovered yet. Fortunately, we can use wildcards to try and uncover the password from that field

It works like this

administrator)(description=a*

if the value in the description field starts with ‘a’, then it will return the public data. If not, then it wont. So we can bruteforce this.

Correct:

img

Incorrect:

img

You could go through this by hand, checking each character and eventually get it, or you can script it. I took the latter option

img

img

Log in with administrator:very_secure_hacktivity_pass

img

You may also enjoy

THM Challenge

‘THM Challenge’ is a WebApp that I wrote to send along with my CV to TryHackMe when they were recruiting Content Engineers

Granny & Grandpa

Granny & Grandpa are a pair of identical easy rated boxes on Hack the Box. We’ll use metasploit to exploit a buffer overflow in IIS 6.0/WebDav for access and a kernel exploit for privesc

Optimum

‘Optimum’ is an easy rated box on Hack the Box. We’ll exploit a vulnerable version of HttpFileServer for access and use Windows Exploit Suggester to find a kernel exploit for privesc

Bashed

‘Bashed’ is an easy rated box on Hack the Box. We’ll use gobuster to uncover some hidden directories on a webserver, use a custom bash/php client to gain a shell and exploit a script being run as a cronjob for root