> For the complete documentation index, see [llms.txt](https://cybersecurity-cloud-and-it-notes.gitbook.io/kyles-cybersecurity-cloud-and-it-gitbook/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://cybersecurity-cloud-and-it-notes.gitbook.io/kyles-cybersecurity-cloud-and-it-gitbook/hack-the-box/labs/offense/tier-0-pen-testing/exploiting-mongodb-misconfigurations-for-anonymous-access-in-htb-mongod-lab/writeup.md).

# Writeup

Alright, buckle up! Let’s dive into the magical world of databases and MongoDB with a sprinkle of ADHD-friendly chaos! 🚀

***

#### 🚦 **Introduction: Databases are like Filing Cabinets for the Digital World!**

Imagine you’re running a super cool candy shop 🍭. Your "database" is like the giant filing cabinet where you store everything:

* What candies you’ve got 🍬,
* How many are left 🍫,
* And which customers *really* like sour gummies (team sour squad 😝).

Now, this cabinet needs to stay **organized** or else... chaos! That’s what databases do — organize your info so you can find it faster than losing your keys (again). 🔑

***

#### 🛠️ **What’s MongoDB? A Fun Twist on Databases!**

Most databases are strict and say, "Hey, give me *tables* and *rows*!" MongoDB, on the other hand, is like, "Chill, let’s keep things loose with documents." 🗂️

MongoDB loves these:

* **Databases** (the big filing cabinet 🗄️)
* **Collections** (drawers inside the cabinet)
* **Documents** (papers in the drawers with all your candy details in a cool JSON-like format).

It’s like opening a drawer to find a note saying:

```json
{
  "Candy": "Sour Gummies",
  "Stock": 42,
  "CustomerFavs": ["Alex", "Jamie", "Taylor"]
}
```

***

#### 😱 **But Wait! What If the Cabinet Has No Lock?**

Imagine leaving your candy shop’s filing cabinet wide open for anyone to snoop around. NOT COOL, right? But that’s exactly what happens when **database misconfigurations** strike! 🫣

MongoDB servers sometimes allow anyone to just waltz in without even a "username" or "password." That's like putting out a sign that says:\
💥 “FREE ACCESS TO ALL DATA! TAKE WHAT YOU WANT!” 💥

This misconfiguration is what hackers LOVE. 🕵️‍♂️ They can connect remotely, peek into your candy stash, and even steal your secrets (or your *flag*, if this is an HTB lab).

***

#### 🎮 **Mongod Box: A MongoDB Playground!**

Here’s the deal: the Mongod Linux box has a MongoDB server. BUT, surprise! It’s misconfigured, so you can sneak in without a key 🔑 (username/password).\
You’ll:

1. **Connect** to the database (like opening that unlocked filing cabinet).
2. **Enumerate** (aka snoop through) databases, collections, and documents.
3. **Retrieve the flag** (the treasure at the end 🏴‍☠️).

***

#### 🌟 TL;DR Version! 🌟

1. **Databases** = organized candy shop cabinet 🍭.
2. **MongoDB** = relaxed cabinet with JSON-like notes.
3. **Misconfigurations** = leaving the cabinet wide open 😬.
4. **HTB Mongod** = fun lab where you break into the cabinet and grab the flag. 🎯

***

Let’s go MongoDB diving and get that flag like the database ninjas we are! 🥷✨

<figure><img src="/files/TUU6tA1wrmc70iEMl06T" alt=""><figcaption></figcaption></figure>

Alright, let’s break this down into an exciting adventure! 🎉

***

#### 🚀 **Step 1: Scanning with Nmap — Finding the Treasure Map!**

Imagine we’re modern-day pirates, but instead of treasure chests, we’re after **open ports and services** 🏴‍☠️.\
We used **Nmap**, the pirate’s telescope 🕵️‍♂️, with these cool flags:

* `-p-`: "I want to see all ports, from 0 to 65535! Show me everything!"
* `--min-rate=1000`: "Speed it up, send at least 1000 packets per second! Gotta go fast! 🏃‍♀️💨"
* `-sV`: "Hey, tell me the version of the service running on each port. Are we dealing with a modern ship or a rusty one? ⚓"

**Result?**

* **Port 22 (SSH):** Secure Shell for remote access. Not our focus (yet).
* **Port 27017 (MongoDB):** Ding ding! A MongoDB database server, and it’s calling for us to check it out. �
* nmap -p- --min-rate=100 -sV �

<figure><img src="/files/E4goR8GwHNZB893AwcmX" alt=""><figcaption></figcaption></figure>

***

<figure><img src="/files/zBQzoFD2QX4YiW5g5PS8" alt=""><figcaption></figcaption></figure>

#### �� **Step 2: What is MongoDB? A Cool New Database Galaxy!**

Forget tables and rows — that’s old-school. MongoDB says, "Let’s go with JSON-like collections and documents instead!" 🌟

**Think of MongoDB like this:**

* **Databases** are giant storage rooms 📦.
* **Collections** are shelves inside the storage room. 🗂️
* **Documents** are the items on those shelves — flexible, schema-less, and super chill. 😎

Here’s an example:

```json
{
  "PirateName": "Captain Mongo",
  "Ship": "NoSQL Voyager",
  "Treasure": ["Gold", "Rubies", "Flags"]
}
```

***

#### 🕵️‍♂️ **Step 3: Why Is This Important?**

Sometimes, MongoDB is left **wide open** (misconfigured) with no lock or password. This is like leaving a pirate ship unguarded 🏴‍☠️ — anyone can walk in and grab the booty (or data, in our case).

On this **HTB Mongod lab**, our goal is to:

1. Connect to the MongoDB server.
2. Peek into its databases.
3. Navigate through collections and documents.
4. Find and retrieve the flag. 🎯

***

#### 🌟 TL;DR Summary

* **Nmap** is our map to find open ports. It revealed Port 27017, a MongoDB server.
* **MongoDB** is a chill NoSQL database with databases, collections, and documents instead of strict tables.
* **Mission:** Explore this misconfigured MongoDB, snoop through its treasures, and grab the flag! 🏴‍☠️✨

Ready to crack open that database and claim your prize? Let’s go! 🧑‍💻

<figure><img src="/files/CB6wavOrTxKrnIYhycMC" alt=""><figcaption></figcaption></figure>

#### 🛠️ Connecting to MongoDB and Extracting the Flag: ADHD-Friendly Walkthrough 🕵️‍♀️✨

***

#### **Step 1: Getting Mongosh Up and Running**

Before we begin, we need **Mongosh**, the magical tool to connect with MongoDB! Here's what you do:

1. Download it using this command:

   ```bash
   curl -O https://downloads.mongodb.com/compass/mongosh-2.3.2-linux-x64.tgz
   ```
2. Extract the files:

   ```bash
   tar xvf mongosh-2.3.2-linux-x64.tgz
   ```
3. Navigate to the folder:

   ```bash
   cd mongosh-2.3.2-linux-x64/bin
   ```

***

#### **Step 2: Connecting to MongoDB**

Time to hack into the treasure vault 🏴‍☠️. Use this command:

```bash
./mongosh mongodb://{target_IP}:27017
```

10.129.194.201

🎉 **Screenshot Recap:**\
You’ve connected to MongoDB as an anonymous user! No locks, no passwords — just pure access magic. 🔓✨

<figure><img src="/files/KE5tM4LAewZpBSLryObo" alt=""><figcaption></figcaption></figure>

***

#### **Step 3: Listing Databases**

To see what’s inside, use:

```bash
show dbs;
```

💡 MongoDB will show you a list of databases, like:

* `admin`
* `config`
* `local`
* **`sensitive_information`** 👀
* `users`

<figure><img src="/files/MtnbLNjQg50ciRv2otvd" alt=""><figcaption></figcaption></figure>

***

#### **Step 4: Selecting a Database**

The juicy one here is **sensitive\_information**! Let’s dive into it:

```bash
use sensitive_information;
```

📂 **Screenshot Recap:**\
You’re now inside the **sensitive\_information** database. 🚀

<figure><img src="/files/TJhDnTjPIsJe55Mb9CuL" alt=""><figcaption></figcaption></figure>

***

#### **Step 5: Listing Collections**

Collections are like folders. Let’s see what’s inside this database:

```bash
show collections;
```

🔥 Oh look! There’s a collection called **flag**. That’s where the prize is! 🏴‍☠️

<figure><img src="/files/DXLGWMghmsCjiiXl4pfa" alt=""><figcaption></figcaption></figure>

***

#### **Step 6: Dumping the Flag**

Now for the grand finale! To peek into the **flag** collection, use:

```bash
db.flag.find().pretty();
```

This command shows the flag in a neat, human-readable format. ✨🎯

<figure><img src="/files/u76X3kFyoPPLQBAEKcD3" alt=""><figcaption></figcaption></figure>

***

#### **Summary Recap**

1. Installed Mongosh and connected to MongoDB.
2. Discovered the **sensitive\_information** database.
3. Found the **flag** collection.
4. Dumped the treasure (flag) using `db.flag.find().pretty()`.

💎 **Mission Complete:** You’ve unlocked the database secrets and retrieved the flag. On to the next adventure! 🚀
