WEBVERSE

medium · LDAP · Pro

Semaphore

Meridian Transit Authority's internal staff portal accepts an ID and tells you whether that person is on record — nothing more. Somewhere in that one-bit answer is everything you need.

The Scenario

Meridian Transit Authority runs one of the region's busiest commuter rail networks. HR issued a policy requiring that every contractor and visiting vendor verify a colleague's active employment status before exchanging sensitive schedule data. The solution was an internal portal: enter a staff ID, get a "found" or "not found" response. No names, no titles, no contact details — just a boolean, per policy.

The developer who built it kept the implementation tight. The portal binds to the authority's staff directory, fires a lookup, and reports back. One bit of information per request, every time, no exceptions.

That one bit turns out to be enough.

Challenge Intel

Synopsis

The staff-ID lookup passes user input directly into an LDAP search filter; the boolean found/not-found oracle lets you extract attribute values one character at a time via substring wildcards.

What It Is

The portal's PHP code concatenates the POST'd uid directly into an LDAP filter without escaping:

    $filter = "(&(objectClass=inetOrgPerson)(uid=$uid))";

An attacker can close the uid assertion early and append a second condition that tests an attribute value with a wildcard:

    uid = admin)(employeeNumber=WEBVERSE{W*

If the employeeNumber of the admin entry starts with "WEBVERSE{W", the compound filter matches and the portal returns "Record found"; otherwise "No record found". This is a classic blind boolean LDAP injection. The flag is stored in the admin entry's employeeNumber field. Iterate through the alphabet position by position — each character costs at most ~65 requests — to reconstruct the full value.
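As an added example that is not part of the challenge or its portal code: the vulnerable filter construction above rebuilt in Python beside a hardened version that applies RFC 4515 escaping (the same transformation PHP's ldap_escape() with LDAP_ESCAPE_FILTER performs), plus a small check a defender can run over logged filter strings to spot a uid value that broke out of its assertion. Function names are mine; the page's own payload is the sample input.

```python
# Added example, not the Semaphore portal's code. Shows why escaping the five
# RFC 4515 special characters turns the page's payload into a harmless literal.
import re

# RFC 4515 section 3: these must be encoded as a backslash plus two hex digits
# inside a filter value. PHP's ldap_escape(..., LDAP_ESCAPE_FILTER) does the same.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_escape_filter(value: str) -> str:
    """Escape a user-supplied value for use inside an LDAP search filter assertion."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter_unsafe(uid: str) -> str:
    """The page's vulnerable pattern: raw uid concatenated straight into the filter."""
    return f"(&(objectClass=inetOrgPerson)(uid={uid}))"


def build_filter_safe(uid: str) -> str:
    """Hardened builder: the uid can only ever be compared as a literal string."""
    return f"(&(objectClass=inetOrgPerson)(uid={ldap_escape_filter(uid)}))"


# An attribute assertion opens with "(" followed by an attribute description and "=".
_ASSERTION = re.compile(r"\(([A-Za-z][\w.;-]*)=")


def count_assertions(ldap_filter: str) -> int:
    """Detection heuristic for logged filters: the portal legitimately builds exactly
    two assertions (objectClass and uid); a third means the input escaped (uid=...)."""
    return len(_ASSERTION.findall(ldap_filter))


if __name__ == "__main__":
    payload = "admin)(employeeNumber=WEBVERSE{W*"  # the page's example injection
    for builder in (build_filter_unsafe, build_filter_safe):
        f = builder(payload)
        print(f"{builder.__name__:20} assertions={count_assertions(f)}  {f}")
```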

Who It's For

Players who have done basic SQLi blind extraction and want to see the same pattern applied to LDAP. Assumes familiarity with LDAP filter syntax (RFC 4515) and substring matching.

Skills You'll Practice

  • Reading and constructing LDAP filter expressions
  • Identifying filter injection in PHP ldap_search calls
  • Blind boolean oracle extraction via attribute substring wildcards
  • Iterative brute-force scripting against a boolean oracle

What You'll Gain

  • LDAP injection as a distinct attack class from SQL injection
  • Practical experience with RFC 4515 substring filter abuse
  • Scripting a character-by-character oracle loop in bash or Python

Ready to hack Semaphore?

Upgrade to Pro to unlock this challenge and the full library.