VelvetRope
Gilt & Grain runs an exclusive members portal for private single-barrel whiskey allocations. Annual dues buy you access — or so the story goes. The portal has been live for three years and the backend has never been audited.
The Scenario
Gilt & Grain opened its digital cellar doors in 2021: a quiet, members-only
corner of the internet where paying subscribers could browse private
single-barrel allocations before they hit retail. Member IDs were issued by
hand, passphrases set on first login, and the system hummed along without
incident. The founding engineer left the company in 2023 to open a distillery
of his own. Nobody has looked at the authentication code since. The cellar is
still locked — but the mechanism holding the door shut is older than anyone
on the current team remembers.
Challenge Intel
Synopsis
The members portal authenticates by building an LDAP search filter from raw user input with no escaping. Supplying an asterisk (*) as the passphrase turns the equality assertion (userPassword=VALUE) into the presence assertion (userPassword=*), which is TRUE for any entry that has a userPassword attribute at all, whatever its stored value. Aiming the uid at admin therefore bypasses authentication and exposes the Cellar API Token stored in the admin's description attribute.
What It Is
Gilt & Grain's /login handler binds to an OpenLDAP server and runs a search with a filter of the form (&(uid=INPUT)(userPassword=INPUT)). Neither field is sanitised or escaped before it is interpolated into the filter string, and authentication succeeds whenever that search returns an entry, so the filter is the only place the passphrase is checked. In LDAP filter syntax (RFC 4515), (attr=*) is a presence assertion: it matches any entry that has the attribute, regardless of the stored value; an asterisk meant literally would have to be escaped as \2a. Supplying an asterisk as the passphrase therefore yields (&(uid=admin)(userPassword=*)), which matches the admin entry even though the stored password is strong and unknown. The admin's description attribute holds the Cellar API Token (the flag), which comes back in the search result and is written to the session at login.
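The filter behaviour described in the Synopsis and above, as an added example that is not the portal's or the challenge's code. It builds the login filter the way the page describes (raw interpolation), beside a version that applies the RFC 4515 section 3 escapes, and evaluates both against a constructed in-memory directory with a minimal filter evaluator that stands in for OpenLDAP. The entries, the placeholder password values, the token string and the function names are all invented for illustration.

```python
import re

# Constructed stand-in for the directory the portal searches. Password values
# are placeholders rather than real hashes, and the token string is invented.
DIRECTORY = [
    {"uid": "admin",
     "userPassword": "{SSHA}placeholder-strong-unknown-hash",
     "description": "Cellar API Token: TOKEN-PLACEHOLDER"},
    {"uid": "member42",
     "userPassword": "{SSHA}another-placeholder",
     "description": "Founding member, barrel 7"},
    {"uid": "guest"},  # no userPassword attribute at all
]


def vulnerable_filter(uid: str, passphrase: str) -> str:
    """The pattern the page describes: raw input interpolated into the filter."""
    return f"(&(uid={uid})(userPassword={passphrase}))"


def escape_filter_value(value: str) -> str:
    """RFC 4515 section 3 escaping for an assertion value: backslash, '*', '(',
    ')' and NUL are replaced by \\XX hex escapes, so input can neither alter the
    filter's structure nor turn an equality match into a presence assertion."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def hardened_filter(uid: str, passphrase: str) -> str:
    """Same shape as the vulnerable filter, but every value is escaped."""
    return (f"(&(uid={escape_filter_value(uid)})"
            f"(userPassword={escape_filter_value(passphrase)}))")


_ASSERTION = re.compile(r"\(([A-Za-z][A-Za-z0-9-]*)=([^()]*)\)")
_HEX_ESCAPE = re.compile(r"\\([0-9A-Fa-f]{2})")


def _unescape(value: str) -> str:
    """Decode \\XX escapes back to the literal characters they stand for."""
    return _HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), value)


def evaluate_and_filter(filter_str: str, entries: list) -> list:
    """Tiny evaluator for (&(attr=value)...) filters, enough to show the two
    RFC 4515 cases this page turns on: a value of exactly '*' is a presence
    assertion (true for any entry that has the attribute), anything else is an
    equality match after hex escapes are decoded. It is not a general LDAP
    filter engine and does not handle substring, OR or NOT filters."""
    if not (filter_str.startswith("(&") and filter_str.endswith(")")):
        raise ValueError("only AND filters are supported in this example")
    assertions = _ASSERTION.findall(filter_str[2:-1])
    hits = []
    for entry in entries:
        for attr, raw in assertions:
            if attr not in entry:
                break                      # attribute absent: neither case matches
            if raw == "*":
                continue                   # presence: stored value never consulted
            if entry[attr] != _unescape(raw):
                break                      # equality: compare the real value
        else:
            hits.append(entry)
    return hits


def login(build_filter, uid: str, passphrase: str, entries=DIRECTORY):
    """Mirror of the portal's /login as the page describes it: returns the
    matched entry's description (what the portal writes to the session), or
    None when the search returns nothing."""
    hits = evaluate_and_filter(build_filter(uid, passphrase), entries)
    return hits[0].get("description") if hits else None


if __name__ == "__main__":
    print(vulnerable_filter("admin", "*"))          # (&(uid=admin)(userPassword=*))
    print(login(vulnerable_filter, "admin", "*"))   # Cellar API Token: TOKEN-PLACEHOLDER
    print(hardened_filter("admin", "*"))            # (&(uid=admin)(userPassword=\2a))
    print(login(hardened_filter, "admin", "*"))     # None
```

Escaping closes the injection, but the sounder fix is to stop comparing userPassword in a search filter at all: look the member's DN up by escaped uid, then bind as that DN with the supplied passphrase and let the server perform the password check. One caveat when trying the payload against a real OpenLDAP rather than this stand-in: a filter assertion on userPassword only evaluates if the search identity has at least search access to that attribute under the server's ACLs; with the common `by anonymous auth` style rule it evaluates as Undefined and the presence trick returns nothing, so that access is a precondition worth checking when the bypass does not fire.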
Who It's For
Players who understand basic authentication flows but have not yet encountered LDAP filter injection. The bypass requires only knowing that * carries special meaning in LDAP filter syntax.
Skills You'll Practice
- Reading LDAP filter syntax (RFC 4515)
- Identifying unsanitised input concatenated into a directory query
- Distinguishing value-match assertions from presence assertions in LDAP
- Targeting a known admin uid to escalate a presence bypass to account takeover
- Session-based flag extraction via an authenticated endpoint
What You'll Gain
- LDAP filter injection intuition
- Ability to spot uid/password filter patterns in source review
- Presence-assertion bypass as a transferable technique
Ready to hack VelvetRope?
Upgrade to Pro to unlock this challenge and the full library.