LDAP Hit-and-Run

Mon 24 February 2014
By makefu

I was in the unfortunate situation that i needed to fix an ldap server, specifically fixing a 'login failed' situation. There was only one problem, i had fucking clue how ldap is configured, or even working. Also, i didn't knew any passwords. But i had a user account on the system and google.

This article may be used as a quickstart for using (or hacking open) LDAP server installations.

Finding what you need

For working with the ldap you will need to find the configuration of the ldap server. The Solaris server was running an old version (current_ldap is a lie of course) of OpenLDAP bundled in the customized application. The process list showed something like this: /opt/somewhere/current_ldap/libexec/sldap ldap:// ldaps:// ...

As the ldap configuration most of the time resides somewhere in <ldap-installation>/etc/openldap/sldap.conf this was my first lucky guess.

The configuration file was readable for every user on the server (duh!) and contained the following interesting parameters:

...
database: bdb
rootdn: "cn=master,dc=company-name,dc=com"
rootpw  {SSHA}cfCIXzBdyEzqcINQ0IT4gNFMupac1Yq2

Cracking LDAP passwords

As i needed full write-access to the ldap server, i threw the root password into john-the-ripper:

The pass-file:

rootpw:{SSHA}cfCIXzBdyEzqcINQ0IT4gNFMupac1Yq2

Running john:

# john pw
Loaded 1 password hash (Salted SHA-1 [128/128 SSE2 intrinsics 4x])
newuser          (rootpw)
guesses: 1  time: 0:00:00:00 DONE (Mon Feb 24 23:10:02 2014)  c/s: 66860
trying: ncc1701d - pat
Use the "--show" option to display all of the cracked passwords reliab

After a whopping , ummm, 0 seconds i recovered the root password. But this was not really what was looking for, i wanted to make the GUI user log in again. The server provides the tool ldaplist which lists all ldap entries.

The ldap client was somehow correctly configured in /var/ldap/ldap_client_file and /var/ldap/ldap_client_cred so the root password was not needed for that. Look somewhere else how to configure this damn client :D.

Find the troublesome account

ldaplist -v returned all entries for all ldap users. There are also lots of examples of how to use the ldaplist to query specific informations. I knew i had to change the password for the gui user but it seemed like the user was also blocked from logging into the gui:

user@ldapsrv$ ldaplist -v
  ...
  dn: uid=appadmin,ou=appuser,dc=company-name,dc=com
    uid: appadmin
    cn: appadmin
    ...
    userPassword: {crypt}J6vlYXRU.sW8c
    isLocked: TRUE

ldaplist -v returned the hashes for all users so we could try to crack them similar to the root password one but the appadmin was additionally locked even if we recover the password

Fix the raw LDAP entries

For modifying ldap entries there is ldapmodify which will either take commands via stdin or via file. For this tool we need the ldap root password an I used direct command entry like this:

user@ldapsrv$ ldapmodify -D "<rootdn>" -w "<rootpw>"
  # input follows:
  dn: uid=appadmin,ou=appuser,dc=company-name,dc=com
  changetype: modify
  replace: userPassword
  userPassword: {SSHA}cfCIXzBdyEzqcINQ0IT4gNFMupac1Yq2
  Ctrl-d
  dn: uid=appadmin,ou=appuser,dc=company-name,dc=com
  changetype: modify
  replace: isLocked
  isLocked: FALSE
  Ctrl-d
  Ctrl-d

At first i replace the userPassword with one we know (in this case the root user). After that i set the isLocked Variable from TRUE to FALSE. Now i could finally use the GUI and log in as the appadmin user with the password we just cracked.

Wrap-up

OpenLDAP can be pretty handsome after a bit reading the fucking manual. It is also a great idea to leave config files unprotected in order to recover root passwords as an ordinary user.

Comments