> For the complete documentation index, see [llms.txt](https://cybersecurity-cloud-and-it-notes.gitbook.io/kyles-cybersecurity-cloud-and-it-gitbook/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://cybersecurity-cloud-and-it-notes.gitbook.io/kyles-cybersecurity-cloud-and-it-gitbook/hack-the-box/labs/offense/tier-0-pen-testing/exploiting-mongodb-misconfigurations-for-anonymous-access-in-htb-mongod-lab.md).

# Exploiting MongoDB Misconfigurations for Anonymous Access in HTB Mongod Lab

<figure><img src="/files/7AjjU1nCzSEbSomn22Ym" alt=""><figcaption></figcaption></figure>

Target Machine IP address:

10.129.194.201

Task 1

How many TCP ports are open on the machine?

\*

I'm going to guess less than 10.

<figure><img src="/files/ump7zaWFJKdZilaxnnk1" alt=""><figcaption></figcaption></figure>

I pinged the target IP address to make sure I had connection. I first attempted to run the following command "nmap -p- 10.129.194.201" but then canceled the command from running by hitting crtl C because I realized I might want to run the switches -sV for service version and -sC for default scripts, so I ran "nmap -sV -sC -p- 10.129.194.201" ... But the output ended up being too large so I reran the command this time without the default script switch "-sC" to shorten up that output.

Looks like two ports are open, ports 22 for ssh and 27017 for mongodb

<figure><img src="/files/LnJAkxTevQDItc9bjOYh" alt=""><figcaption></figcaption></figure>

The answer I submitted was correct for "2"

Task 2

Which service is running on port 27017 of the remote host?

\*\*\*\*\*\*\* \*.\*.8<br>

The answer to task two is in the output for the nmap scan:

<figure><img src="/files/q6ROnUZ8p8lOFPBncgz3" alt=""><figcaption></figcaption></figure>

The answer to task 2 should be "MongoDB 3.6.8"

<figure><img src="/files/h6fs0a662s6iJL80hIQB" alt=""><figcaption></figcaption></figure>

The answer was correct when I submitted it.

Task 3

What type of database is MongoDB? (Choose: SQL or NoSQL)

\*\*\*\*L<br>

The answer to task 3 should be "NoSQL"

<figure><img src="/files/aEQOzcGNjHO0usrMi0oI" alt=""><figcaption></figcaption></figure>

The answer submitted was correct.

Task 4

What is the command name for the Mongo shell that is installed with the mongodb-clients package?

\*\*\*\*\*\*h

I have no idea what the answer to this task is, so I will check the writeup.

The writeup told me install the "mongosh" tool for interfacing with the mongodb so that seems to be the answer:<br>

<figure><img src="/files/JPQvvpYBflPO9vwOFcZG" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/YK5P1zFafpFBkLliPyWO" alt=""><figcaption></figcaption></figure>

The answer mongosh was correct when submitted to task 4.

I had to use "curl -O" to download the mongodb mongosh tool to interface with mongodb databases.&#x20;

I also ran commands to extract it as well and run it.&#x20;

Task 5

What is the command used for listing all the databases present on the MongoDB server? (No need to include a trailing ;)

\*\*\*\* \*\*s<br>

The answer to task 5 is "show dbs"

This listed the different databases on the server, there were five, named admin, config, local, sensitive\_information and users.

<figure><img src="/files/ukr9v4xiMY97GAxm1jGo" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/oolnoYB7sstBpvXP7gsz" alt=""><figcaption></figcaption></figure>

The submitted answer is correct.

Task 6

What is the command used for listing out the collections in a database? (No need to include a trailing ;)

\*\*\*\* \*\*\*\*\*\*\*\*\*\*s<br>

The answer to task 6 is "show collections;"

I changed to the "sensitive\_information" database with the "use" command and then the "show collections command" to show whatever files are on the database.

<figure><img src="/files/jgsPhAydU1H2aPzTIi0X" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/HGAIwPOskqINvaSaOkIl" alt=""><figcaption></figcaption></figure>

The submitted answer is correct.

Task 7

What is the command used for dumping the content of all the documents within the collection named flag in a format that is easy to read?

\*\*.\*\*\*\*.\*\*\*\*().\*\*\*\*\*\*()<br>

The answer to task 7 is "db.flag.find().pretty();"

I had to use this command to ouput the content of the "flag" file in a user readable format... or a "pretty" format.

<figure><img src="/files/QLPMOa9mDoSAdc7628bx" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/PeUBjfVlqDjf6FMAfUaf" alt=""><figcaption></figcaption></figure>

The answer submitted is correct.

Submit Flag

Submit root flag

\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*<br>

The root flag is "1b6e6fb359e7c40241b6d431427ba6ea"

<figure><img src="/files/CYMlef7rtsNBzmsvtewD" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/Y1syrnDEK7EJ1i0CH0HB" alt=""><figcaption></figcaption></figure>

Machine is successfully pwned.

<https://www.hackthebox.com/achievement/machine/1971858/501>
