💉TryHackMe -LDAP Injection

https://tryhackme.com/r/room/ldapinjection

💸 Mentioned Room is Premium type 💸

I - Introduction

LDAP, which stands for Lightweight Directory Access Protocol, is a widely used protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network. LDAP enables organizations to manage users centrally, as well as groups and other directory information, often used for authentication and authorization purposes in web and internal applications.

Objectives

Provide a thorough understanding of LDAP and its role in directory services.
Explore the LDAP tree structure and its key components.
Introduce LDAP Injection, its impact, and how it can be exploited.
Equip participants with the knowledge and skills to identify and mitigate LDAP Injection vulnerabilities.

II - Structure

III - Search Queries

IV - Injection Fundamentals

LDAP Injection is a critical security vulnerability that occurs when user input is not properly sanitized before being incorporated into LDAP queries. This oversight allows attackers to manipulate these queries, leading to unauthorized access or manipulation of the LDAP directory data.

LDAP Injection exploits the way web applications construct LDAP queries. When user input is directly included in these queries without proper validation or encoding, attackers can inject malicious LDAP statements. This can result in unauthorized access to sensitive information, modification of directory data, or bypassing authentication mechanisms.

The process is analogous to SQL Injection, where malicious SQL statements are injected into queries to manipulate database operations. In LDAP Injection, the malicious code targets LDAP queries instead.

Common Attack Vectors

Authentication Bypass: Modifying LDAP authentication queries to log in as another user without knowing their password.
Unauthorized Data Access: Altering LDAP search queries to retrieve sensitive information not intended for the attacker's access.
Data Manipulation: Injecting queries that modify the LDAP directory, such as adding or modifying user attributes.

V - Exploiting LDAP

Authentication Bypass Techniques

Tautology-Based Injection

(&(uid={userInput})(userPassword={passwordInput}))
# A attacker can do for exemple :
(&(uid=*)(|(&)(userPassword=pwd)))

Wildcard Injection

(&(uid={userInput})(userPassword={passwordInput}))
# A attacker can do for exemple :
(&(uid=*)(userPassword=pwd)))

Authentication Bypass Example

With the site <IP>/normal.php we can see the LDAP Query when we try to login :

We can test with * and * for the login/password and we get account of Bob Smith :

To get the flag for the challenge we need to target a user starting with the letter f :

VI - Blind LDAP Injection

Blind LDAP Injection is a more subtle variant of LDAP Injection, where the attacker doesn't receive direct output from the injected payload. Instead, they must infer information based on the application's behaviour. This type of attack is more challenging but can still be used to extract sensitive information from an LDAP directory.

Blind LDAP Injection requires a different approach due to the lack of explicit query results. Attackers must rely on indirect signs, such as changes in application behaviour, error messages, or response timings, to deduce the structure of the LDAP query and the existence of vulnerabilities.

When we test with username = a*)(|($ et password = pwd) :

This means that a user starting with the letter a exists.

We can test with ab and we can see a different error message :

If we test username=test and password=test we can see that it is the default error message. Like that we can enumerate all the username by brute forcing through Blind LDAP Injection.

VII - Automating the Exploitation

🚧🚧 In construction 🚧🚧

More resources about LDAP Injection

PreviousPremium NextTryHackMe - XXE Injection

Last updated 3 months ago