© 2020 Caendra Inc. | HERA for WAPTXv2 | Attacking LDAP

The document describes attacking a vulnerable LDAP implementation in a web application. It provides tasks to explore the application to find an XSS flaw and LDAP injection, then use that information to compromise the underlying system by discovering a user with SSH access.


GETTING STARTED

In this lab you are facing a web application that allows you to browse an unknown datastore. You know
that it is an LDAP-based web interface. Try to explore it in order to find interesting information that can
lead to takeover of the target host. The application is based on the vuLnDAP project available here:

https://github.com/digininja/vuLnDAP

• Explore LDAP and find hidden information
• Find an XSS vulnerability in the application
• Attacking web LDAP implementations
• Performing LDAP injections

• BurpSuite
• Browser

The target application can be found at http://172.16.64.233:9090

GETTING STARTED

Task #1: Explore the application and discover an LDAP injection vulnerability.

Task #2: While browsing the LDAP-powered web site, an XSS vulnerability should not escape your attention!

Task #3: Find data in the LDAP implementation that could lead to compromising the underlying host.


SOLUTIONS – TASK #1

Below, you can find solutions for each task. Remember, though, that you can follow your own strategy, which may be different from the one explained in the following lab.

If you first navigate through the application, you can follow the links until you reach a page with no further URLs.

Finally, if you supply a wildcard (*) as the value of the objectClass parameter, every object in the directory is listed on the page. This indicates a possible LDAP injection: the parameter is evidently placed into the search filter without escaping, so the wildcard is interpreted by the directory rather than matched literally.
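The wildcard works because the parameter is spliced into the search filter unescaped. The Go snippet below is an added example, not code from the lab or from the vuLnDAP project: it builds the filter both ways, concatenated as the vulnerable application evidently does, and with the value escaped per RFC 4515 so that `*`, parentheses and backslashes are matched literally. The function names and the sample inputs are my own.

```go
package main

import (
	"fmt"
	"strings"
)

// escapeFilterValue hex-escapes the characters that RFC 4515 gives special
// meaning inside an LDAP search filter value. Once escaped, user input can
// only be matched literally; it can no longer add wildcards or close the
// filter and open a new one.
func escapeFilterValue(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		switch c := s[i]; c {
		case '*', '(', ')', '\\', 0x00:
			fmt.Fprintf(&b, "\\%02x", c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// vulnerableFilter mirrors what Task #1 reveals: the objectClass parameter is
// concatenated straight into the filter, so "*" becomes a wildcard.
func vulnerableFilter(objectClass string) string {
	return "(objectClass=" + objectClass + ")"
}

// safeFilter escapes the value first: "*" becomes the literal "\2a", and the
// filter then matches only an object class literally named "*" (i.e. nothing).
func safeFilter(objectClass string) string {
	return "(objectClass=" + escapeFilterValue(objectClass) + ")"
}

func main() {
	// Constructed sample inputs: a legitimate class, the wildcard from Task #1,
	// and a value containing the structural characters.
	for _, in := range []string{"posixAccount", "*", "a(b)\\c"} {
		fmt.Printf("%-14q vulnerable: %-24s safe: %s\n",
			in, vulnerableFilter(in), safeFilter(in))
	}
}
```

The same escaping applies to every user-controlled value that lands inside a filter (cn in the item page, for instance), and a DN component needs the separate RFC 4514 rules rather than these.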



SOLUTIONS – TASK #2

If you play with the objectClass parameter, you will notice that it allows HTML injection. However, if you try to execute JavaScript such as alert(2), you will get an error indicating that parentheses are not accepted.

Thus, to produce a proof of concept for a reflected XSS vulnerability, you can call the function with backticks (a tagged template literal) instead of parentheses, as follows.

objectClass=<script>confirm`1`</script>
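The error on alert(2) points to a server-side denylist for parentheses, and the backtick payload shows why a denylist is the wrong control: it filters characters instead of encoding the value for the HTML context it is reflected into. The Go snippet below is an added example, not the lab's or vuLnDAP's code; rejectParentheses is my reconstruction of the check the error message implies, and renderEscaped is the fix using html.EscapeString from the Go standard library.

```go
package main

import (
	"errors"
	"fmt"
	"html"
	"strings"
)

// payloadFromTask2 is the proof-of-concept value from the solution above.
const payloadFromTask2 = "<script>confirm`1`</script>"

// rejectParentheses is a reconstruction (an assumption, not the real
// application's code) of the denylist the error message implies: values with
// "(" or ")" are refused, everything else is reflected untouched.
func rejectParentheses(v string) (string, error) {
	if strings.ContainsAny(v, "()") {
		return "", errors.New("parentheses are not accepted")
	}
	return v, nil
}

// renderUnescaped reflects the parameter verbatim into the page body, which is
// the behaviour that makes the injection possible.
func renderUnescaped(v string) string {
	return "<p>objectClass: " + v + "</p>"
}

// renderEscaped is the fix: encode for the HTML text context, so '<', '>',
// '&' and quotes can never begin a tag or break out of one. Backticks and
// parentheses need no special handling because they are harmless once the
// surrounding "<script>" can no longer be interpreted as markup.
func renderEscaped(v string) string {
	return "<p>objectClass: " + html.EscapeString(v) + "</p>"
}

func main() {
	for _, in := range []string{"<script>alert(2)</script>", payloadFromTask2} {
		if _, err := rejectParentheses(in); err != nil {
			fmt.Printf("%q -> denylist: %v\n", in, err)
			continue
		}
		fmt.Printf("%q -> denylist: passed\n", in)
		fmt.Println("   unescaped:", renderUnescaped(in))
		fmt.Println("   escaped:  ", renderEscaped(in))
	}
}
```

If the value were reflected into an attribute or a script block rather than text, the encoding would have to match that context; html/template handles that selection automatically, which is why it is preferable to hand-escaping in a real handler.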



SOLUTIONS – TASK #3

Back to the wildcard that revealed more data: we navigate to bnm, who is described as “ssh user”.

Now, when hovering the mouse over the “Back” button on bnm’s screen, we can observe that it leads to a different page.

If you now search for posixAccount, you will find that it is a standard LDAP object class used to describe user account information.


For example, the attribute names used in posixAccount can be found on the page below.

https://www.tldp.org/HOWTO/archived/LDAP-Implementation-HOWTO/schemas.html

We can now try adding the attribute names from the resource above to the disp parameter, which selects the attributes the item page displays. These values are description,cn,uidNumber,gidNumber,homedirectory,userpassword,sshPublicKey, so the URL will look like the one below.

http://172.16.64.233:9090/item?cn=bnm&disp=description,cn,uidNumber,gidNumber,homedirectory,userpassword,sshPublicKey

We supply such a URL in order to guess as many attribute names as possible, so that we eventually discover sensitive data that the application does not expose through its standard links and URLs.

We can also compare the view with information about the “nobody” account, as follows.


http://172.16.64.233:9090/item?cn=nobody&disp=description,cn,uidNumber,gidNumber,homedirectory,userpassword,sshPublicKey

While for “nobody” the sshPublicKey attribute contains “nologin”, for “bnm” it contains the string “bnm”. This is not a valid SSH public key, but it may be a valid password. Since bnm is described as “ssh user”, let’s try to log in over SSH.

Indeed, it was possible to log in over SSH using the username bnm and the password bnm.
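The disp parameter lets the client choose which attributes the item page returns, which is how userpassword and sshPublicKey surfaced even though no link in the application points at them. The defensive counterpart is a server-side allowlist of displayable attributes, with refused names logged as an enumeration signal. The Go snippet below is an added example, not code from the lab or vuLnDAP; the allowlist contents and the function names are my assumptions, and the disp string it parses is the one from the Task #3 URL above.

```go
package main

import (
	"fmt"
	"strings"
)

// displayable is the server-side allowlist of attributes the item page is
// permitted to render. It is an assumed policy for this example; the point is
// that credential-like attributes are simply absent from it, so a request
// cannot talk the handler into returning them.
var displayable = map[string]bool{
	"cn":            true,
	"description":   true,
	"uidnumber":     true,
	"gidnumber":     true,
	"homedirectory": true,
}

// parseDisp splits the comma-separated disp parameter, normalises names to
// lower case (LDAP attribute names are case-insensitive) and keeps only the
// allowlisted ones. Refused names are returned separately so a handler can log
// the attempt, which is a useful detection signal for attribute enumeration.
func parseDisp(disp string) (accepted, refused []string) {
	for _, raw := range strings.Split(disp, ",") {
		name := strings.ToLower(strings.TrimSpace(raw))
		if name == "" {
			continue
		}
		if displayable[name] {
			accepted = append(accepted, name)
		} else {
			refused = append(refused, name)
		}
	}
	return accepted, refused
}

func main() {
	// The disp value from the Task #3 URL, used here as the sample input.
	disp := "description,cn,uidNumber,gidNumber,homedirectory,userpassword,sshPublicKey"
	accepted, refused := parseDisp(disp)
	fmt.Println("query LDAP for:    ", strings.Join(accepted, ","))
	fmt.Println("refused (log this):", strings.Join(refused, ","))
}
```

Only the accepted list should ever reach the LDAP search request; a second line of defence is to bind the web application with a directory account whose ACLs deny reading userPassword at all, so a bug in the allowlist still cannot leak credentials.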
