vuLnDAP Walkthrough

Fri 3rd Aug 18

This is a full walkthrough detailing how I would go through my vuLnDAP challenge. There are probably plenty of other ways this can be done, so don't take this as the only or best one. If you do have a better way, please let me know.

Start by browsing to the stock control system, select Fruit and notice the URL is:

Here is the first injection point, where you can specify different object classes. You could try to guess or brute force valid values, but the easier way is to use a wildcard; for LDAP that is *. That gives you the following URL, which shows you a list of all objects in the system, including the users and groups.


Fred the CEO looks like a good target, selecting his account gives you more information but not much.


Check the URL and you see the following:


The parameter disp is a list of search filters; these tell the LDAP query which fields to return for the specified object, and any which don't exist are silently ignored. Currently the search returns the stock level, the object description and the common name (cn), which is perfect for a stock control system but not much use to us wanting to extract user data. To see more information, you have to specify the right filters. Unfortunately, there is no wildcard feature here, so without a bit more digging you would have to guess field names.
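The two request parameters described so far are an objectClass value that ends up inside the LDAP search filter and a disp list of attributes to return. The following is an added example of how the application side could close both holes; it is not code from the vuLnDAP project, and the attribute names in the allowlist (cn, description, stockLevel) are assumptions about what the stock page needs rather than the project's real schema.

```python
# Added example, not code from the vuLnDAP project: the two request
# parameters the walkthrough abuses are an objectClass value spliced into
# the LDAP search filter and a "disp" list of attributes to return.
# Attribute names are assumed; vuLnDAP's real schema may differ.

# RFC 4515 section 3 escapes for characters that carry meaning inside a
# search filter. Escaping per character means a backslash is never
# double-encoded.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value):
    """Encode a user-supplied assertion value so it is matched literally."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter_unsafe(object_class):
    """The vulnerable pattern: raw concatenation, so '*' becomes a wildcard."""
    return "(objectClass=%s)" % object_class


def build_filter_safe(object_class):
    """Same filter with the value escaped; '*' now only matches a literal '*'."""
    return "(objectClass=%s)" % escape_filter_value(object_class)


# Attributes the stock page legitimately needs, keyed by their lower-cased
# form because LDAP attribute names are case-insensitive. Anything else
# requested via "disp" (uidNumber, homeDirectory, sshPublicKey, ...) is
# rejected rather than silently passed to the directory.
ALLOWED_ATTRIBUTES = {
    "cn": "cn",
    "description": "description",
    "stocklevel": "stockLevel",  # assumed name for the stock level attribute
}


def select_attributes(requested):
    """Map a requested attribute list onto the allowlist; raise on anything else."""
    chosen, rejected = [], []
    for name in requested:
        canonical = ALLOWED_ATTRIBUTES.get(name.strip().lower())
        if canonical is None:
            rejected.append(name)
        elif canonical not in chosen:
            chosen.append(canonical)
    if rejected:
        raise ValueError("attribute(s) not permitted: %s" % ", ".join(rejected))
    return chosen


def build_search(object_class, disp):
    """Return (filter, attributes) for a request, or raise if disp is out of policy."""
    return build_filter_safe(object_class), select_attributes(disp.split(","))


if __name__ == "__main__":
    print(build_filter_unsafe("*"))   # (objectClass=*) lists every object
    print(build_filter_safe("*"))     # (objectClass=\2a) matches a literal asterisk only
    print(build_search("fruit", "cn,description,stockLevel"))
    try:
        build_search("posixAccount", "cn,uidNumber,sshPublicKey")
    except ValueError as exc:
        print("rejected:", exc)
```

Rejecting an unknown attribute with an error, rather than silently ignoring it as the challenge does, also gives you a log line to alert on: a request asking for uidNumber or sshPublicKey from a fruit listing is a clear sign that someone is enumerating the directory.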

If you do some more looking around, you'll notice that the back link takes you to the following URL with a new object class, posixAccount:

So, before, when looking at fruit, the objectClass was fruit; now we are looking at an objectClass of posixAccount and are seeing a list of users. Googling posixAccount and LDAP, you'll find that posixAccount is a standard schema used to describe users; here is a good write up on it from the . The following are four extra search filters it mentions:

  • uidNumber
  • gidNumber
  • homedirectory
  • userpassword

Let's give these a try:

That's pretty good, we've got some details for Fred. Not his password, I'll come back to that later, but remember the brief also talked about SSH keys, so let's look for some of those. Back to Google, this time searching for LDAP and SSH keys. There are plenty of hits, this is a good one, but if you read any of them you should find that when you want to store SSH keys in LDAP you use the sshPublicKey field. Let's try adding that to Fred's search filters.

Jackpot, we've got Fred's public SSH key, but really, that isn't much use as it is designed to be public. What about checking the other users that were listed way back at the start, when we listed all the posixAccount objects?

Nothing interesting for Sue:


But look what we've got here: it looks like someone messed up creating my account and put my private key in by accident.

From here it should be a simple case of grabbing the key and SSH'ing your way round the network, having fun as you go.
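The mistake that hands over the key here is a private key stored in an attribute meant for public keys. As an added example that is not part of the original post, the script below audits a directory export for exactly that: it reads a small LDIF dump (constructed sample data, with placeholder DNs and obviously fake key bodies), flags any attribute value holding a PEM private key block, and flags any sshPublicKey value that does not look like an OpenSSH public key line. The attribute name sshPublicKey is the one the post identifies; everything else in the sample is made up.

```python
# Added example, not part of the original post: an audit of a directory
# export for the mistake the walkthrough finds, private key material stored
# where a public key belongs. The LDIF below is constructed sample data,
# the DNs and key bodies are placeholders, and "sshPublicKey" is the
# attribute name the post identifies.
import base64
import re

PRIVATE_KEY_RE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
PUBLIC_KEY_PREFIXES = ("ssh-rsa ", "ssh-ed25519 ", "ssh-dss ", "ecdsa-sha2-", "sk-")

# Placeholder, not a real key.
FAKE_PRIVATE_KEY = (
    "-----BEGIN OPENSSH PRIVATE KEY-----\n"
    "PLACEHOLDERPLACEHOLDERPLACEHOLDER\n"
    "-----END OPENSSH PRIVATE KEY-----\n"
)

# Constructed sample export: one correct public key, one user with no key,
# and one account where a private key was pasted in by mistake.
SAMPLE_LDIF = """\
# constructed sample export
dn: uid=fred,ou=people,dc=example,dc=test
objectClass: posixAccount
cn: Fred
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACE
 HOLDER fred@example.test

dn: uid=sue,ou=people,dc=example,dc=test
objectClass: posixAccount
cn: Sue

dn: uid=carol,ou=people,dc=example,dc=test
objectClass: posixAccount
cn: Carol
sshPublicKey:: %s
""" % base64.b64encode(FAKE_PRIVATE_KEY.encode()).decode()


def parse_ldif(text):
    """Minimal LDIF reader: folded lines start with a space, '::' marks base64,
    blank lines separate entries. Enough for an export, not a full parser."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]  # unfold a continuation line
        else:
            logical.append(raw)
    entries, current = [], None
    for line in logical + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        if name.lower() == "dn":
            current = {"dn": value, "attrs": {}}
        elif current is not None:
            current["attrs"].setdefault(name, []).append(value)
    return entries


def audit_ssh_keys(entries):
    """Flag any attribute holding a PEM private key block and any sshPublicKey
    value that does not look like an OpenSSH public key line."""
    findings = []
    for entry in entries:
        for attr, values in entry["attrs"].items():
            for value in values:
                if PRIVATE_KEY_RE.search(value):
                    findings.append((entry["dn"], attr, "private key material"))
                elif attr.lower() == "sshpublickey" and not value.startswith(PUBLIC_KEY_PREFIXES):
                    findings.append((entry["dn"], attr, "unrecognised key format"))
    return findings


if __name__ == "__main__":
    for dn, attr, problem in audit_ssh_keys(parse_ldif(SAMPLE_LDIF)):
        print("%s  %s: %s" % (problem, dn, attr))
```

The private key check runs over every attribute, not just sshPublicKey, because a pasted key can land in description or any other free-text field just as easily; the format check on sshPublicKey catches the cases where the value is neither a PEM block nor a recognisable public key line.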

A quick step back: when we listed the search filters, we asked for userpassword but did not get anything back. That is because the field is only used for authentication; it unfortunately cannot, as far as I know, be retrieved.

I hope you have enjoyed this walkthrough. As I said at the start, this is my first foray into LDAP, so both the implementation and the walkthrough may not be exactly as they would be in the real world, but I hope they are close enough to give you an idea of what to look for when you come across LDAP, and to give you some ideas for further experimentation on your own. Any constructive feedback is welcome.

One final thing, before you go throwing SSH logins at my boxes using that key, save yourself the effort, it was made up just for this project and if you look very carefully you will easily be able to confirm that.

Original article: https://digi.ninja/blog/vulndap_walkthrough.php
