![\"0\"](\"https://assets.ine.com/content/ptp/attacking_ldap/0.png\")
In this lab, you will learn to perform LDAP injections on a vulnerable application and steal SSH credentials for a user to gain shell access on the target machine.
", "tasks": "# Lab Environment\n\nIn this lab environment, the user will get access to a Kali GUI instance. A [vuLnDAP](https://github.com/digininja/vuLnDAP) instance can be accessed using the tools installed on Kali at http://demo.ine.local. \n\n**Objective:** Exploit the vulnerable application to perform LDAP injection, retrieve the administrator's SSH credentials, and get the flag from the target machine. \n\n\n\n# Instructions\n\nThe vulnerable application can be accessed via the browser on port 9090. \n\n# Tools\n\nThe best tools for this lab are:\n\n- Nmap\n- ssh\n- A web browser\n\n**Please go ahead ONLY if you have COMPLETED the lab or you are stuck! Checking the solutions before actually trying the concepts and techniques you studied in the course will dramatically reduce the benefits of a hands-on lab!**", "tasks_html": "In this lab environment, the user will get access to a Kali GUI instance. A vuLnDAP instance can be accessed using the tools installed on Kali at http://demo.ine.local.
\nObjective: Exploit the vulnerable application to perform LDAP injection, retrieve the administrator's SSH credentials, and get the flag from the target machine.
\n
The vulnerable application can be accessed via the browser on port 9090.
\nThe best tools for this lab are:
\nPlease go ahead ONLY if you have COMPLETED the lab or you are stuck! Checking the solutions before actually trying the concepts and techniques you studied in the course will dramatically reduce the benefits of a hands-on lab!
", "published_date": "2020-10-20T15:32:24Z", "solutions": "# Solution\n\n**Step 1:** Open the lab link to access the Kali GUI instance. \n\n\n\n**Step 2:** Check if the provided machine/domain is reachable. \n\n**Command:**\n```\nping -c3 demo.ine.local\n```\n\n\n\nThe provided machine is reachable. \n\n**Step 3:** Check open ports on the provided machine.\n\n**Command:**\n```\nnmap -p- demo.ine.local\n```\n\n\n\nPorts 22 (SSH) and 9090 are open on the target machine. As mentioned in the challenge description, the vulnerable web application is available on port 9090. \n\n**Step 4:** Check the web application available on port 9090. \n\nOpen the following URL in the browser: \n\n**URL:** http://demo.ine.local:9090 \n\n\n\nA [vuLnDAP](https://github.com/digininja/vuLnDAP) instance is present on the target machine. \n\n**Step 5:** Explore the web application. \n\nClick on the **Stock Control** link: \n\n\n\nSelect the **Fruit** category: \n\n\n\nNotice the URL: \n\n\n\nThe value **fruits** is reflected in the **objectClass** parameter. \n\n# Exploiting LDAP injection vulnerability in the web application. \n\n**Step 6:** Perform LDAP injection. \n\nSet the value `*` in the **objectClass** parameter: \n\n**Note:** `*` is a special character that would end up returning all the `objectClass` items. \n\n\n\n\n\nNotice the output contains the names of the system users as well. \n\nClick on **More Info** link for the administrator (user david): \n\n\n\nClick **Back**: \n\n\n\nNotice the URL parameter **objectClass** contains the value **posixAccount**. \n\nThe page contains the list of system users present in the LDAP database. \n\n**Step 7:** Extract SSH password for user david from the LDAP database. \n\nClick on **More Info** link for the administrator (user david): \n\n\n\nThe resulting page doesn't contain any interesting information: \n\n\n\nCheck the LDAP schema information from the following URL: \n\n**URL:** https://tldp.org/HOWTO/archived/LDAP-Implementation-HOWTO/schemas.html \n\n\n\nNotice the **posixaccount** object class. Some of the attributes it contains are: \n\n- uidNumber\n- gidNumber\n- homedirectory\n- userpassword\n\nOpen the home page of the vulnerable web application: \n\n**URL:** http://demo.ine.local:9090 \n\n\n\nThe admins store the SSH keys in the database. \n\nSearch for the ssh keys in the posixaccount object class: \n\n**Search Query:** \n```\nldap posixaccount ssh keys\n```\n\n\n\nCheck the [StackOverflow](https://serverfault.com/questions/653792/ssh-key-authentication-using-ldap) link from the results: \n\n\n\nWe can use the `sshPublicKey` attribute to get the SSH keys. \n\nUse the following URL to get the uid, gid, home directory, user password, and SSH public key for the user david: \n\n**URL:** http://demo.ine.local:9090/item?cn=david&disp=uidNumber,gidNumber,homedirectory,userpassword,sshPublicKey \n\n\n\nNotice the `sshPublicKey` returned a password instead of SSH keys. Probably this is the SSH password of the user. \n\n**Potential SSH password for user david:** r0ck_s0l1d_p4ssw0rd \n\n**Step 8:** Retrieve the flag from the target machine using the recovered SSH credentials. \n\nTry connecting to the target machine over SSH using the following credentials: \n\n**Username:** david \n**Password:** r0ck_s0l1d_p4ssw0rd \n\n**Command:**\n```\nssh david@demo.ine.local\n```\n\n\n\nLogin was successful! \n\nRetrieve the flag: \n\n**Commands:** \n```\nls\ncat flag\n```\n\n\n\n**Flag:** 5520dd2d85e5003db92048c629bb5072 \n\nThat was all for LDAP injections! \n\n# Exploiting XSS vulnerability in the web application. \n\n**Step 9:** Identify content injection issues in the web application. \n\nOpen the vulnerable web application: \n\n**URL:** http://demo.ine.local:9090 \n\nClick on **Stock Control**: \n\n\n\nSelect **Fruit** category: \n\n\n\nNotice the value of URL parameter **objectClass** is reflected on the page: \n\n\n\nChange the **objectClass** URL parameter to **more_fruits**: \n\n\n\nAgain, the parameter value is reflected. \n\n**Inject HTML content on the page:** \n\nSend the following HTML injection payload in the **objectClass** URL parameter: \n\n**Payload:** \n```\nfruits\n```\n\n\n\nNotice the specified HTML content is rendered on the page! \n\nCheck the page source (press `CTRL+SHIFT+U`): \n\n\n\nNotice the URL parameter is reflected on the page without any encoding. \n\n**Step 10:** Exploit XSS vulnerability on the vulnerable web page. \n\nEnter the following XSS payload in the **objectClass** parameter: \n\n**Payload:** \n```\n\n```\n\nThe above payload won't work. Check the page source (`CTRL+SHIFT+U`) to identify the issue: \n\n\n\nNotice the content is not reflected as is. The brackets from the payload and the ending script tag are removed. \n\nEnter the following XSS payload in the **objectClass** parameter: \n\n**Payload:** \n```\n\n```\n\n\n\nThis time the XSS payload worked! \n\nCheck the page source: \n\n\n\nThis time the XSS payload is reflected in the DOM as is! \n\nWith that, we conclude this lab on LDAP injection. We have exploited the vulnerable web application and retrieved the SSH credentials of the administrator user, and gained shell access on the target machine. Besides LDAP injection, we also leveraged a reflected XSS vulnerability in the web application. \n\n\n\n# References\n\n- [vuLnDAP](https://github.com/digininja/vuLnDAP)\n- [LDAP Implementation HOWTO](https://tldp.org/HOWTO/archived/LDAP-Implementation-HOWTO/schemas.html)", "solutions_html": "Step 1: Open the lab link to access the Kali GUI instance.
\n![\"1\"](\"https://assets.ine.com/content/ptp/attacking_ldap/1.png\")
Step 2: Check if the provided machine/domain is reachable.
\nCommand:\n
ping -c3 demo.ine.local![\"2\"](\"https://assets.ine.com/content/ptp/attacking_ldap/2.png\")
The provided machine is reachable.
\nStep 3: Check open ports on the provided machine.
\nCommand:\n
nmap -p- demo.ine.local![\"3\"](\"https://assets.ine.com/content/ptp/attacking_ldap/3.png\")
Ports 22 (SSH) and 9090 are open on the target machine. As mentioned in the challenge description, the vulnerable web application is available on port 9090.
\nStep 4: Check the web application available on port 9090.
\nOpen the following URL in the browser:
\nURL: http://demo.ine.local:9090
\n![\"4\"](\"https://assets.ine.com/content/ptp/attacking_ldap/4.png\")
A vuLnDAP instance is present on the target machine.
\nStep 5: Explore the web application.
\nClick on the Stock Control link:
\n![\"5\"](\"https://assets.ine.com/content/ptp/attacking_ldap/5.png\")
Select the Fruit category:
\n![\"5_1\"](\"https://assets.ine.com/content/ptp/attacking_ldap/5_1.png\")
Notice the URL:
\n![\"5_2\"](\"https://assets.ine.com/content/ptp/attacking_ldap/5_2.png\")
The value fruits is reflected in the objectClass parameter.
\nStep 6: Perform LDAP injection.
\nSet the value * in the objectClass parameter:
Note: * is a special character that would end up returning all the objectClass items.
![\"6\"](\"https://assets.ine.com/content/ptp/attacking_ldap/6.png\")
![\"6_1\"](\"https://assets.ine.com/content/ptp/attacking_ldap/6_1.png\")
Notice the output contains the names of the system users as well.
\nClick on More Info link for the administrator (user david):
\n![\"6_2\"](\"https://assets.ine.com/content/ptp/attacking_ldap/6_2.png\")
Click Back:
\n![\"6_3\"](\"https://assets.ine.com/content/ptp/attacking_ldap/6_3.png\")
Notice the URL parameter objectClass contains the value posixAccount.
\nThe page contains the list of system users present in the LDAP database.
\nStep 7: Extract SSH password for user david from the LDAP database.
\nClick on More Info link for the administrator (user david):
\n![\"7\"](\"https://assets.ine.com/content/ptp/attacking_ldap/7.png\")
The resulting page doesn't contain any interesting information:
\n![\"7_1\"](\"https://assets.ine.com/content/ptp/attacking_ldap/7_1.png\")
Check the LDAP schema information from the following URL:
\nURL: https://tldp.org/HOWTO/archived/LDAP-Implementation-HOWTO/schemas.html
\n![\"7_2\"](\"https://assets.ine.com/content/ptp/attacking_ldap/7_2.png\")
Notice the posixaccount object class. Some of the attributes it contains are:
\nOpen the home page of the vulnerable web application:
\nURL: http://demo.ine.local:9090
\n![\"7_3\"](\"https://assets.ine.com/content/ptp/attacking_ldap/7_3.png\")
The admins store the SSH keys in the database.
\nSearch for the ssh keys in the posixaccount object class:
\nSearch Query:
\n
ldap posixaccount ssh keys![\"7_4\"](\"https://assets.ine.com/content/ptp/attacking_ldap/7_4.png\")
Check the StackOverflow link from the results:
\n![\"7_5\"](\"https://assets.ine.com/content/ptp/attacking_ldap/7_5.png\")
We can use the sshPublicKey attribute to get the SSH keys.
Use the following URL to get the uid, gid, home directory, user password, and SSH public key for the user david:
\nURL: http://demo.ine.local:9090/item?cn=david&disp=uidNumber,gidNumber,homedirectory,userpassword,sshPublicKey
\n![\"7_6\"](\"https://assets.ine.com/content/ptp/attacking_ldap/7_6.png\")
Notice the sshPublicKey returned a password instead of SSH keys. Probably this is the SSH password of the user.
Potential SSH password for user david: r0ck_s0l1d_p4ssw0rd
\nStep 8: Retrieve the flag from the target machine using the recovered SSH credentials.
\nTry connecting to the target machine over SSH using the following credentials:
\nUsername: david
\nPassword: r0ck_s0l1d_p4ssw0rd
Command:\n
ssh david@demo.ine.local![\"8\"](\"https://assets.ine.com/content/ptp/attacking_ldap/8.png\")
Login was successful!
\nRetrieve the flag:
\nCommands:
\n
ls\ncat flag![\"8_1\"](\"https://assets.ine.com/content/ptp/attacking_ldap/8_1.png\")
Flag: 5520dd2d85e5003db92048c629bb5072
\nThat was all for LDAP injections!
\nStep 9: Identify content injection issues in the web application.
\nOpen the vulnerable web application:
\nURL: http://demo.ine.local:9090
\nClick on Stock Control:
\n![\"9\"](\"https://assets.ine.com/content/ptp/attacking_ldap/9.png\")
Select Fruit category:
\n![\"9_1\"](\"https://assets.ine.com/content/ptp/attacking_ldap/9_1.png\")
Notice the value of URL parameter objectClass is reflected on the page:
\n![\"9_2\"](\"https://assets.ine.com/content/ptp/attacking_ldap/9_2.png\")
Change the objectClass URL parameter to more_fruits:
\n![\"9_3\"](\"https://assets.ine.com/content/ptp/attacking_ldap/9_3.png\")
Again, the parameter value is reflected.
\nInject HTML content on the page:
\nSend the following HTML injection payload in the objectClass URL parameter:
\nPayload:
\n
<u>fruits</u>![\"9_4\"](\"https://assets.ine.com/content/ptp/attacking_ldap/9_4.png\")
Notice the specified HTML content is rendered on the page!
\nCheck the page source (press CTRL+SHIFT+U):
![\"9_5\"](\"https://assets.ine.com/content/ptp/attacking_ldap/9_5.png\")
Notice the URL parameter is reflected on the page without any encoding.
\nStep 10: Exploit XSS vulnerability on the vulnerable web page.
\nEnter the following XSS payload in the objectClass parameter:
\nPayload:
\n
<script>alert(1);</script>The above payload won't work. Check the page source (CTRL+SHIFT+U) to identify the issue:
![\"10\"](\"https://assets.ine.com/content/ptp/attacking_ldap/10.png\")
Notice the content is not reflected as is. The brackets from the payload and the ending script tag are removed.
\nEnter the following XSS payload in the objectClass parameter:
\nPayload:
\n
<script>alert`1`</script>![\"10_1\"](\"https://assets.ine.com/content/ptp/attacking_ldap/10_1.png\")
This time the XSS payload worked!
\nCheck the page source:
\n![\"10_2\"](\"https://assets.ine.com/content/ptp/attacking_ldap/10_2.png\")
This time the XSS payload is reflected in the DOM as is!
\nWith that, we conclude this lab on LDAP injection. We have exploited the vulnerable web application and retrieved the SSH credentials of the administrator user, and gained shell access on the target machine. Besides LDAP injection, we also leveraged a reflected XSS vulnerability in the web application.
\n