While enumerating this I found that you can dump the database using ‘*’, which means it’s probably LDAP
To confirm, we can try some injection
LDAP indeed. So how do we exploit this? Well, there was a hint when trying to recover the administrator’s account
So there’s a description field in the database that we haven’t uncovered yet. Fortunately, we can use wildcards to try and uncover the password from that field
It works like this
if the value in the description field starts with ‘a’, then it will return the public data. If not, then it wont. So we can bruteforce this.
You could go through this by hand, checking each character and eventually get it, or you can script it. I took the latter option
Log in with administrator:very_secure_hacktivity_pass