1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
|
LDAP Hit-and-Run
##################################
:date: 2014-02-24 22:44
:tags: ldap, hackery, quickstart
I was in the unfortunate situation that i needed to fix an ldap server,
specifically fixing a 'login failed' situation. There was only one problem, i
had fucking clue how ldap is configured, or even working. Also, i didn't
knew any passwords. But i had a user account on the system and google.
This article may be used as a quickstart for using (or hacking open) LDAP server installations.
Finding what you need
---------------------
For working with the ldap you will need to find the configuration of the ldap
server. The Solaris server was running an old version (current_ldap is a lie of course)
of OpenLDAP bundled in the customized application.
The process list showed something like this: `/opt/somewhere/current_ldap/libexec/sldap ldap:// ldaps:// ...`
As the ldap configuration most of the time resides somewhere in
`<ldap-installation>/etc/openldap/sldap.conf` this was my first lucky guess.
The configuration file was readable for every user on the server (duh!) and
contained the following *interesting* parameters:
.. code-block:: yaml
...
database: bdb
rootdn: "cn=master,dc=company-name,dc=com"
rootpw {SSHA}cfCIXzBdyEzqcINQ0IT4gNFMupac1Yq2
Cracking LDAP passwords
-----------------------
As i needed full write-access to the ldap server, i threw the root password
into john-the-ripper:
The pass-file:
.. code-block:: yaml
rootpw:{SSHA}cfCIXzBdyEzqcINQ0IT4gNFMupac1Yq2
Running john:
.. code-block:: bash
# john pw
Loaded 1 password hash (Salted SHA-1 [128/128 SSE2 intrinsics 4x])
newuser (rootpw)
guesses: 1 time: 0:00:00:00 DONE (Mon Feb 24 23:10:02 2014) c/s: 66860
trying: ncc1701d - pat
Use the "--show" option to display all of the cracked passwords reliab
After a whopping , ummm, 0 seconds i recovered the root password. But this was
not really what was looking for, i wanted to make the GUI user log in again.
The server provides the tool `ldaplist` which lists all ldap entries.
The ldap client was somehow correctly configured in
`/var/ldap/ldap_client_file` and `/var/ldap/ldap_client_cred` so the root
password was not needed for that. Look somewhere else how to configure this
damn client :D.
Find the troublesome account
----------------------------
`ldaplist -v` returned all entries for all ldap users. There are also lots of
examples of how to use the ldaplist to query specific informations. *I* knew i had to change
the password for the gui user but it seemed like the user was also blocked from
logging into the gui:
.. code-block:: bash
user@ldapsrv$ ldaplist -v
...
dn: uid=appadmin,ou=appuser,dc=company-name,dc=com
uid: appadmin
cn: appadmin
...
userPassword: {crypt}J6vlYXRU.sW8c
isLocked: TRUE
`ldaplist -v` returned the hashes for all users so we could try to crack them similar to the root password one but the appadmin was additionally locked even if we recover the password
Fix the raw LDAP entries
------------------------
For modifying ldap entries there is `ldapmodify` which will either take commands via stdin or via file. For this tool we need the ldap root password an I used direct command entry like this:
.. code-block:: bash
user@ldapsrv$ ldapmodify -D "<rootdn>" -w "<rootpw>"
# input follows:
dn: uid=appadmin,ou=appuser,dc=company-name,dc=com
changetype: modify
replace: userPassword
userPassword: {SSHA}cfCIXzBdyEzqcINQ0IT4gNFMupac1Yq2
Ctrl-d
dn: uid=appadmin,ou=appuser,dc=company-name,dc=com
changetype: modify
replace: isLocked
isLocked: FALSE
Ctrl-d
Ctrl-d
At first i replace the userPassword with one we know (in this case the root user).
After that i set the isLocked Variable from `TRUE` to `FALSE`.
Now i could finally use the GUI and log in as the `appadmin` user with the password we just cracked.
Wrap-up
-------
OpenLDAP can be pretty handsome after a bit reading the fucking manual. It is also a great idea to leave config files unprotected in order to recover root passwords as an ordinary user.
|
