Password


For this challenge, we were given a sheet of paper with some story about the challenge with telegram://CSCBEBot written on it.

So we installed Telegram, opened a chat with the bot and were greeted with:

[screenshot: response to /start]

So one of the first things we tried was just /flag. You never know :).

[screenshot: /flag refused, not admin]

Then we tried logging in as the admin:

[screenshot: /login admin]

Sadly, but expectedly, it didn't work. We also tried some very crude buffer overflows:

[screenshot: overflow attempt]

And some SQL injections:

[screenshot: SQL injection attempt]

Then we tried logging in as * to see what would happen.

[screenshot: /login *]

We were onto something. We tried logging in as admin*, but sadly there was still more than one result. Then we tried /login b*:

[screenshot: /login b*]

From here we were pretty sure we were talking to a bot with an LDAP injection vulnerability. The only missing piece was to know how our input was placed into the search filter.

And after a bit of tinkering we just tried with **:

[screenshot: bot crash on /login **]

The error message showed us how our input was concatenated into the filter:

"(&(objectClass=posixAccount)(uid=%s))" % (name)

& is a logical AND. So one way of logging in as the admin was to close the uid clause early, match every posixAccount with uid=*, and then AND in a second clause that only matches the admin:

(&(objectClass=posixAccount)(uid=*)(uid=admin))

[screenshot: /login *)(uid=admin succeeds]
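As an added illustration (not code from the writeup or the challenge bot), here is the bot's filter construction beside a version that escapes the input per RFC 4515, plus a simple check a defender could run over login attempts. The template string is the one the crash revealed; the function names are our own.

```python
# Added example: vulnerable LDAP filter construction versus an escaped version.
# The template is the one shown by the bot's crash; everything else is assumed.

TEMPLATE = "(&(objectClass=posixAccount)(uid=%s))"

# RFC 4515 section 3: characters that must be escaped inside an assertion value,
# written as a backslash followed by the two-digit hex code of the byte.
_LDAP_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def build_filter_unsafe(name: str) -> str:
    """The bot's approach: raw formatting, so the input becomes filter syntax."""
    return TEMPLATE % (name,)


def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally inside an LDAP filter."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def build_filter_safe(name: str) -> str:
    """Hardened form: the whole input stays inside the uid assertion value."""
    return TEMPLATE % (escape_filter_value(name),)


def looks_injected(name: str) -> bool:
    """Detection heuristic for logs: a username should never contain filter metacharacters."""
    return any(ch in name for ch in "*()\\\x00")


if __name__ == "__main__":
    payload = "*)(uid=admin"  # the input used in the writeup
    print(build_filter_unsafe(payload))  # two uid clauses, as in the writeup
    print(build_filter_safe(payload))    # one uid clause matching the literal string
    print(looks_injected(payload))       # True
```

With escaping applied, the same input searches for a user literally named `*)(uid=admin` and simply matches nobody.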

DONE