Advent of Cyber 2021 — [Day 7] Migration Without Security

“The development team that handles gift requests from Children migrated over to a new technology stack. In doing so, they left their application vulnerable, and Grinch Enterprises now controls access to the system. Fortunately, Grinch enterprises forgot to patch the system so you can use the same vulnerability to retrieve the gift requests for the students.”

Link to Room: https://tryhackme.com/room/adventofcyber3#

The first step is to log into the server via SSH to access the database

Username: thm

Password: tryhackme

Next, connect to the Mongo database:

If you use the “show databases” command, you can see all of the databases:

Switch to the flag database and show the collections it contains:

There is only one collection here, which is called “flagColl”. To access it, use the following:

Note: I used this link HERE to help me with learning the correct commands.

THM{8814a5e6662a9763f7df23ee59d944f9}

Question #2: We discussed how to bypass login pages as an admin. Can you log into the application that Grinch Enterprise controls as admin and retrieve the flag? Use the knowledge given in AoC3 day 4 to setup and run Burp Suite proxy to intercept the HTTP request for the login page. Then modify the POST parameter.

Open up both Burp Suite and Firefox on the Attack Box. Navigate to the website provided.

We are going to be doing something similar to what we did on Day 4, except this time we will be taking advantage of Mongo DB vulnerabilities instead of using a list of passwords in a Sniper attack.

Turn on FoxyProxy:

Then send an admin login attempt to Burp (password doesn’t matter):

In the password part, add in this:

What this means is that you want to login as admin, and the password should NOT EQUAL “admin”.

From here you can forward the request. Back at the login page you should see something like this. This means that you were able to bypass the login page.

From here, turn off Burp:

Refresh the page and click OK if you get a pop-up about resending info. Then, hit the back button on your browser to get back to the login page, hit refresh again, you should now see that you are logged into the dashboard:

Choose “Flag!” to show the flag:

THM{b6b304f5d5834a4d089b570840b467a8}

Question #3: Once you are logged in, use the gift search page to list all usernames that have guest roles. What is the flag?

Use the search link to search a random user. I chose “admin”. You will get something like this:

Look up at the top at your URL, which should look like this:

We can change this, like so:

This means that we are looking for a username that is NOT EQUAL to “admin”, which also has the role of “guest”. Hit enter and you will be able to see all the users with the guest role:

THM{2ec099f2d602cc4968c5267970be1326}

Question #4: Use the gift search page to perform NoSQL injection and retrieve the mcskidy record. What is the details record?

You can use the same technique here, by changing the URL like this:

Hit enter and McSkidy’s record will pop up:

ID:6184f516ef6da50433f100f4:mcskidy:admin

Happy Holidays! ❤

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Samantha

Samantha

CTF Writeups to facilitate cyber education.