What's up YouTube? This is a video write-up for the challenge LDab in the web category of CSAW CTF 2018. So it gives us this link here and we can go ahead and visit it in our browser. And we're greeted with this AnyCop directory with a search field and looks like a listing of employees with some information. So from the headers of the table here you can see that it has OU, CN, SN, given name, and UID. So I'm going to assume, given based off of the challenge title LDab and some of these letters here, that this is a reference to LDAP. So LDAP being the Lightweight Directory Access Protocol, which is kind of, at least from my understanding, a Windows thing. What Microsoft includes as part of Active Directory and stuff that you would see in a domain controller for handling multiple users in a big corporate network or kind of business infrastructure, etc. So it is like segregated or split up into a hierarchy, whoa, sorry, that was a weird hierarchy, not hierarchy, auto-carcophagus. OU is the kind of abbreviation for organizational units. CN is kind of the abbreviation for canonical name, at least from what I'm understanding. And I'm not an expert here, so please do criticize me in the comments. I would appreciate that. UID is from what I understand the unique identifier that will keep track of one individual user. So that is kind of the special spot here. What I'm going to assume again is that this is LDAP injection, being a web challenge with a search functionality. Normally you'd expect like a SQL injection kind of thing, but this is a different kind of database structure. So it's LDAP. And there is such a thing as LDAP injection. And I've actually seen this before in the SANS Holiday Hack Challenge. You can actually take a look at some of these things for OWASP. There's some information on, okay, this is how you can test for LDAP injection.
And it goes through and explains that an LDAP search filter is constructed in Polish notation or prefix notation, where the operators that you're kind of trying to use like and, or, etc. don't come while you're kind of building out your condition. They kind of come before you have the parts of your condition. So it gives you an example here on Wikipedia. Rather than saying 5 minus 6 times 7, you essentially say times minus 5, 6 in that group again times 7. So kind of weird to read. Doesn't make a whole lot of sense in my mind, admittedly, but it is a thing. So that's what LDAP is and that's what we're working with. When I had seen LDAP injection before, it was for the SANS Holiday Hack Challenge. So my first like gut instinct was to go review this page. But this was kind of a specific thing that's supposed to be crafted for the SANS Holiday Hack Challenge. So they were giving a kind of specific example where they're actually reading out of the page itself. And the attributes or some of the inputs that you're using were actually being implemented in the request back to the database. So if you, I guess, have taken part in the SANS Holiday Hack Challenge 2017 before, you may recognize this. Admittedly, this is a rabbit hole for the challenge that we're working with right now. There are some really cool tools though, like something that I don't remember the name of, but I know there is like an LDAP dump thing that you could probably find the GitHub page for, whatever cool weapon that thing is. And again, please direct me in the comments to share the knowledge, spread the love here. What I ended up doing, again, because I dislike that prefix notation, that Polish notation for actually searching for stuff, I knew that I had a wildcard that would work, and I would be able to retrieve stuff just like that rather than searching for strictly someone named like Bob. I could return everything with a wildcard, an asterisk there.
But I wanted to be able to reach out more based off of a given field, like a canonical name, unique identifier, etc. So me being a lazy stupid kid, I just figured like, alright, let's look up sample LDAP injection payloads. Thanks, Google. And some of the top results here were from PayloadsAllTheThings, the GitHub repo, which is an incredibly awesome archive. If you haven't seen that before, totally check that out. Huge props to whoever put this thing together. It's incredible. It has a lot of payloads and like sample commands that you can just literally slap at a service or application and just see what it does. Kind of help fuzz a little bit. So I got to this LDAP injection page where it gives us an example here, and you can start to, again, throw some of these filters at the application. I thought I'd just try this payload here, go ahead and throw it in the search field, and this gets results for us. And if you go ahead and explore it, you can see, whoa, there's the flag. Kind of crazy simple, not a whole lot, very difficult, hard thing. But again, that's just knowing your arsenal, trying to track down this example payload. And admittedly, it's probably a better thing for me to kind of piece this together and understand a little bit more. But I think if I could just detect, okay, there is LDAP injection in a vulnerable service, at that point, I would say, okay, let's put together what would be a query or whatever attack to load something that we need. So at this point, I feel like I've done that. I've just tracked down the payload that is getting what we need with the UID, unique identifier segment here. So cool. Hope that one was kind of interesting. Hope that one was kind of neat. Totally keep this in mind. LDAP injection is a thing. And once you recognize it, once you're kind of seeing OU, organizational unit, CN, canonical name, et cetera, know that that is your target and know that that's what you can narrow down your search for.
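The prefix-notation filter and the wildcard behaviour described above, as an added example that is not part of the video: it builds an LDAP search filter the way the vulnerable search box appears to (raw user input pasted into the filter) next to a version that escapes the input per RFC 4515, so a `*` or a `)` in the search field can only ever match literally. The attribute names (cn, uid, ou) are the ones from the directory listing; no LDAP server is needed to run it.

```python
# Added example (not from the video): LDAP search filters use prefix (Polish)
# notation, so the operator comes before its operands, e.g. (&(ou=Staff)(cn=Bob)).
# Escaping rules follow RFC 4515 section 3: the metacharacters that would let
# user input change the filter's structure are replaced by \XX hex escapes.

ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape every character that has meaning inside an LDAP filter value."""
    return "".join(ESCAPES.get(ch, ch) for ch in value)


def eq(attr: str, value: str) -> str:
    """One assertion such as (uid=bob). The value is escaped, the attribute is not."""
    return f"({attr}={escape_filter_value(value)})"


def and_(*parts: str) -> str:
    # Prefix notation: '&' is written once, before all of its operands.
    return "(&" + "".join(parts) + ")"


def or_(*parts: str) -> str:
    return "(|" + "".join(parts) + ")"


def naive_search_filter(user_input: str) -> str:
    """Filter built the way a vulnerable search box does it: raw input pasted in."""
    return f"(|(cn={user_input})(uid={user_input}))"


def safe_search_filter(user_input: str) -> str:
    """Same search, but the input is a literal string and can only match names."""
    return or_(eq("cn", user_input), eq("uid", user_input))


if __name__ == "__main__":
    # Constructed inputs: an ordinary name, the bare wildcard from the video,
    # and an input containing filter metacharacters. Only the naive builder
    # lets the second and third change what the directory is asked for.
    for text in ["Bob", "*", "Bob)(uid=*"]:
        print(repr(text))
        print("  naive:", naive_search_filter(text))
        print("  safe: ", safe_search_filter(text))
```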
Hey, quick shout out to the people that support me on Patreon. Thank you guys so much. This list is getting long, and it's just incredible, really surreal that you're just willing to, like, from the goodness of your heart, from literally just generosity that's built inside of a human, help out another human being. So thank you. $1 a month on Patreon will give you a special shout out just like this in every video just to make you feel special and good and warm inside. $5 a month on Patreon has a little bit more incentive in that you get early access to everything that's released on YouTube before it goes live. So if I like to record videos in bulk, it'll be published in like a shared Google Drive that you'll have access to before YouTube will gradually like delay, schedule or release. And that's hopefully not too much, $5 on Patreon. That's all it asks for. If you did like this video, please do like, comment and subscribe. Link to our Discord server is in the description. It's a cool community full of CTF players, programmers and hackers. If you want to come hang out with me or other cool people, that's the place to do it. We like to get together for CTF competitions. So CSAW, right, that's happening this weekend. Again, kind of piggybacking off CSAW. picoCTF, that's coming out very, very soon, 2018. We're stoked for the game. So please do join the party. I will personally greet and welcome each and every one of you if I'm awake and functioning. Hey, thanks again guys. Hope to see you on Patreon. Hope to see you in the next video. Love ya. Bye.