CardCatalog
Thornfield Research runs a public staff directory so affiliated scholars can look up colleagues by ID. The lookup field passes your input directly to the backend query — and the backend stores more than just researcher profiles.
The Scenario
Thornfield Research has operated as a private academic archive for over sixty years. Its holdings span rare manuscripts, digitised folios, and decades of internal correspondence. The IT team added a public researcher directory in 2019 so visiting scholars could look up points of contact by staff ID without calling the front desk. It was a quick build — two afternoons, one developer, shipped to production the same week. The directory has been running untouched ever since, and the same backend that serves researcher profiles also holds the credentials used by the archive's automated cataloguing service.
Challenge Intel
Synopsis
The researcher directory passes the uid parameter directly into an LDAP filter with no escaping. Injecting a wildcard (*) broadens the filter to match all entries, including a hidden service account whose description field holds the flag.
What It Is
The /directory route builds an LDAP search filter by string-concatenating the uid query parameter: `(uid=${uid})`. Because ldapjs performs no automatic escaping, the player can inject LDAP special characters directly into the filter. Submitting uid=* produces the filter (uid=*), which matches every entry in the directory — including a service account (uid=svc-archive) that does not appear in normal search results because it has no title or department. Its description attribute contains the flag. The flag is written to the service account at container startup via ldapmodify, so it is unique per session.
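An added example, not code from the challenge or from ldapjs: it places the raw-concatenation pattern described above next to a hardened version that escapes filter metacharacters per RFC 4515 and allow-lists the staff ID before it reaches the query. The in-memory directory, the assumed UID format and all function names are constructed for the illustration; the small filter evaluator only exists so both paths can be run offline.

```javascript
// Added example (not the challenge's own code and not ldapjs): contrasts the
// concatenated filter with an escaped, allow-listed one. All data is constructed.

// RFC 4515: these characters must be hex-escaped inside an assertion value.
const FILTER_ESCAPES = {
  '\\': '\\5c',
  '*': '\\2a',
  '(': '\\28',
  ')': '\\29',
  '\u0000': '\\00',
};

function escapeFilterValue(value) {
  return String(value).replace(/[\\*()\u0000]/g, (ch) => FILTER_ESCAPES[ch]);
}

function unescapeFilterValue(value) {
  return value.replace(/\\([0-9a-fA-F]{2})/g, (_, hex) =>
    String.fromCharCode(parseInt(hex, 16)));
}

// Vulnerable pattern from the page: the query parameter lands in the filter as-is.
function buildFilterUnsafe(uid) {
  return `(uid=${uid})`;
}

// Hardened: metacharacters in the value are escaped, so they are matched literally.
function buildFilterSafe(uid) {
  return `(uid=${escapeFilterValue(uid)})`;
}

// Allow-list for staff IDs (assumed format: 1-32 letters, digits or dashes).
const UID_PATTERN = /^[A-Za-z0-9-]{1,32}$/;
function isValidUid(uid) {
  return UID_PATTERN.test(uid);
}

// Constructed sample directory: two visible staff entries and one service account
// that has neither title nor department.
const SAMPLE_DIRECTORY = [
  { uid: 'amorrow', title: 'Archivist', department: 'Manuscripts' },
  { uid: 'lbeck', title: 'Conservator', department: 'Folios' },
  { uid: 'svc-archive', description: 'cataloguing service account (constructed placeholder)' },
];

// Minimal evaluator for one (attr=value) filter with LDAP substring semantics:
// an unescaped '*' matches any run of characters, escaped sequences match literally.
function filterToMatcher(filter) {
  const m = /^\(([A-Za-z][A-Za-z0-9-]*)=(.*)\)$/.exec(filter);
  if (!m) throw new Error(`unsupported filter: ${filter}`);
  const [, attr, raw] = m;
  const escapeRegExp = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
  const pattern = raw.split('*').map(unescapeFilterValue).map(escapeRegExp).join('.*');
  const re = new RegExp(`^${pattern}$`, 'i');
  return (entry) => entry[attr] !== undefined && re.test(entry[attr]);
}

function search(filter, directory = SAMPLE_DIRECTORY) {
  const matches = filterToMatcher(filter);
  return directory.filter(matches).map((entry) => entry.uid);
}

// The two lookup paths a /directory-style handler could take.
function lookupUnsafe(uid) {
  return search(buildFilterUnsafe(uid));
}

function lookupSafe(uid) {
  if (!isValidUid(uid)) return []; // reject before anything reaches the filter
  return search(buildFilterSafe(uid));
}

console.log('unsafe, uid=* :', lookupUnsafe('*'));   // every entry, service account included
console.log('safe,   uid=* :', lookupSafe('*'));     // rejected by the allow-list
console.log('safe,   amorrow:', lookupSafe('amorrow'));
```

The escaping and the allow-list are independent controls: `buildFilterSafe('*')` yields `(uid=\2a)`, which matches nothing because no entry has a literal asterisk as its uid, and `isValidUid` stops the request even earlier. Keeping both means a later change to the accepted ID format cannot silently reopen the filter.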
Who It's For
Players who understand LDAP query structure and want hands-on practice with filter injection and wildcard enumeration. No prior LDAP exploitation experience required — understanding basic filter syntax is enough to find the vector.
Skills You'll Practice
- Reading LDAP filter syntax
- Recognising unsanitised input in a directory query
- LDAP wildcard injection to enumerate all entries
- Identifying out-of-place accounts in a directory listing
What You'll Gain
- Practical understanding of LDAP filter construction and injection
- Awareness of service/machine accounts as flag-bearing targets in directory attacks
- Confidence with ldapjs and Node.js-based directory applications