I will cover solution steps of the “Mongod” machine, which is part of the ‘Starting Point’ labs and has a difficulty rating of ‘Very Easy’. This is a VIP machine so you’d need an upgrade from your free plan.
What is MongoDB?
There are different types of databases and one among them is MongoDB.
MongoDB is a document-oriented NoSQL database. Instead of using tables and rows like in traditional relational databases, MongoDB makes use of collections and documents.
It is crucial to be aware of how the data is stored in different types of databases and how we can connect to these remote database servers and retrieve the desired data. In a document-oriented NoSQL database, the data is organized into a hierarchy of the following levels:
- databases
- collections
- documents
How does MongoDB store data?
Each database contains collections which in turn further contain documents.
Database → Think of it like a big filing cabinet.
Collections → Inside the cabinet, you have folders (collections).
Documents → Inside each folder, you have files (documents).
Data → Inside each file, you have the actual information (like text, numbers, or dates).
The format looks like JSON (a simple way to store data with key-value pairs, like `"name": "Adhishri"`). Normally, to access a database, you should have a username and password. But sometimes the MongoDB server is set up wrongly (misconfigured) and allows anyone to log in without credentials. This is called anonymous login. It’s like leaving the filing cabinet unlocked in a public place — anyone can open it and read all the files.
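As an added example (not from the original post or the Mongod machine), here is the `mongod.conf` layout that produces exactly this anonymous-login situation, followed by the hardened version of the same two settings; the two YAML documents are alternatives for one file, and the interface addresses are assumptions.

```yaml
# Permissive layout: no access control and listening on every interface,
# so any client that can reach port 27017 can run `show dbs` with no credentials.
net:
  port: 27017
  bindIp: 0.0.0.0          # assumption: exposed on all interfaces
security:
  authorization: disabled  # same effect as leaving the security section out entirely
---
# Hardened layout: clients must authenticate, and mongod only listens locally.
# Add a specific internal address to bindIp only if remote clients genuinely need access.
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
# Before switching authorization on, create at least one administrative user from
# mongosh (placeholder password, change it):
#   use admin
#   db.createUser({ user: "admin", pwd: "<strong-password>", roles: ["root"] })
```

After restarting mongod with the hardened file, an unauthenticated `show dbs` is refused instead of listing every database, which is the quick check that the fix took effect.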
To connect to the server we use a tool called `mongosh` (Mongo Shell). It’s like a remote terminal for MongoDB. With it, we can:
- Connect to the MongoDB server
- List all databases
- Go inside collections
- Look at the documents
To install the MongoDB Shell utility, follow the commands mentioned below:
(This method installed the latest MongoDB client, while later I found out that the server was using an older version, so I installed another client with an older version. Skip this installation if you don't want to download the latest version.)
```
sudo dpkg -i mongodb-mongosh_2.5.7_amd64.deb   # install the package
sudo apt-get install -f                        # install any missing dependencies
which mongosh                                  # see where mongosh was installed
```
To connect to the MongoDB server I executed the command below:
```
mongosh mongodb://<$IP>:27017
```
I encountered an error that states that “the machine is using an older server version of mongodb (wire version 6 = MongoDB 3.6) while the mongosh client that we installed is too new and expects at least wire version 8 (MongoDB 4.2).”
I decided to use an older mongosh shell. To install the older version of the mongosh shell that matches the server version I used the following commands:
```
curl -O https://downloads.mongodb.com/compass/mongosh-2.3.2-linux-x64.tgz
tar xvf mongosh-2.3.2-linux-x64.tgz
cd mongosh-2.3.2-linux-x64
cd bin
```
Then to connect:
```
./mongosh mongodb://10.129.118.68:27017
```
Now we have successfully connected to the remote MongoDB instance as an anonymous user. Using the following commands, we can list the databases present on the MongoDB server, switch to one of them and list its collections.
```
show dbs;
use sensitive_information;
show collections;
```
- `show dbs`: lists the databases.
- `use <database>`: switches the current context to the specified database. If the database does not exist, MongoDB will create it implicitly upon the first data insertion into a collection within that database.
- `db`: checks the current database. This command returns the name of the database currently in use within the shell.
We can dump the contents of all documents present in a collection by using the `db.collectionName.find()` command:
```
db.collectionName.find()
```
TASK 1: How many TCP ports are open on the machine? 2
```
nmap -p- --min-rate=1000 -sV <$IP>
```
- `-p-`: This flag scans for all TCP ports ranging from 0–65535
- `-sV`: Attempts to determine the version of the service running on a port
- `--min-rate`: This is used to specify the minimum number of packets that Nmap should send per second; it speeds up the scan as the number goes higher
TASK 2: Which service is running on port 27017 of the remote host? MongoDB 3.6.8
TASK 3: What type of database is MongoDB? (Choose: SQL or NoSQL) NoSQL
TASK 4: What command is used to launch the interactive MongoDB shell from the terminal? mongosh
TASK 5: What is the command used for listing all the databases present on the MongoDB server? (No need to include a trailing ;) show dbs
TASK 6: What is the command used for listing out the collections in a database? (No need to include a trailing ;) show collections
TASK 7: What command is used to dump the content of all the documents within the collection named flag? db.flag.find()
Submit Flag:
- First I performed a basic nmap scan to check the open ports
- I saw 2 TCP ports were open, one of which was a MongoDB server running on 27017
- Then I tried to connect to the MongoDB server running on the target box using `mongosh` (MongoDB shell utility)
- Then I saw a database with the name `sensitive_information` which had a collection
- To list the content of the collection named `flag`:
```
db.flag.find()
```
And the flag would be displayed. Congratulations, you’ve captured the flag!
On submitting it you will receive the message “Mongod has been Pwned”.
Credits: The Internet 🛜
Dear Gentle Reader feel free to reach out for queries and feedback.🥷