Skip to content

AoC3 Day 7: NoSQL Injection

    If you are new to TryHackMe, I recommend checking out their Tutorial room to see how the platform works and how you can access the target machine(s). I also highly recommend using your own “attack box”, be it a Kali, Parrot, or some other pentesting oriented Linux distro (in the form of a VM), as opposed to the browser based solution TryHackMe provides. I’ve found that the browser based VM is a lot slower, though others seem to have no issues with it. The only thing using your own attack VM entails is connecting it to THM’s network through VPN, but this is incredibly easy as TryHackMe will supply you with your own OpenVPN configuration file and is outlined below.

    Types of Challenges

    The TryHackMe platform has multiple types of challenges, each potentially having its own requirements for accessing and completing it. You can identify the type of challenge by looking at the icon on the right-hand side of the collapsible bar for that particular challenge:

    Challenges using the “server rack” icon include the use of a deployable machine, and are the most common. Pressing the “Start Machine” button will launch a virtual machine that you have two ways of accessing: using THM’s “attack box”, found at the top of your browser window:

    Or, you can instead opt to use your own virtual machine connected to the THM network, which is done (on Linux) by clicking your user icon, “Access”, and then “Download My Configuration File”.

    Clicking “Save File”

    And by running the following command in a terminal (I might suggest you move the download to another folder, such as “Documents”):

    Once you see “Initialization Sequence Completed”, you’ll know you’ve successfully connected to THM’s network. Keep this terminal window open (you can minimize it, however). Return to it and press “Ctrl” + “C” twice once you are ready to disconnect.

    After you’ve chosen between THM’s attack box or your own virtual machine, you’ll need the IP address of the target machine, which is what was deployed earlier with the green “Start Machine” button. That information can be seen in a banner at the top of your browser window, or in more detail at the top of the page:

    In many cases you’ll be copying that IP address into your attack box/VM’s browser’s address bar, but in other cases you might be accessing it through SSH, RDP, etc. You’ll notice that you can add time to it if needed, or terminate it if you finish early – opening up more resources for other THM users.

    Challenges using the “browser” icon will require interaction with a simulated website that can be accessed by pressing the “View Site” seen after expanding the challenge. These challenges will need to be completed from within your browser, and cannot be accessed through a VPN on your own machine due to the fact that they are not true websites.

    Challenges with the “download” icon include files – in many cases packet captures (pcaps) or log files to be parsed through using a specific type of software. Where you would like to do this examining is up to you, but you will not be able to use one of TryHackMe’s machines. For examining something like a .pcap file, you will want to install Wireshark on one of your own computers or VMs.

    Challenges without an icon focus on either reading material and answering questions, or will include a link to a publicly accessible website that doesn’t require connection to THM’s network, and therefore can be completed from any computer you choose.

    TryHackMe; Advent of Cyber 3; Day 7 Walkthrough

    Day 7 introduces us to NoSQL and how it differs from relational databases, how to interact with it from the command line, and how it can be susceptible to command injection if inputs are not validated.

    First, let’s access the target machine through SSH. When asked whether or not you would like to continue connecting, type in “yes” and hit enter.

    We’ll then fire up MongoDB by typing in “mongo” on the command line.

    We’ll use the command “show databases” to list all the databases hosted on this MongoDB server. “flagdb” surely seems pertinent to us, so we’ll use the command “use flagdb” to select it and interact with that specific database. The next command, “show collections” is similar to listing the “tables” in a traditional SQL database. This returns one collection, “flagColl”. We can return documents (NoSQL version of “rows”) in this collection by using the dot-notation command “db.flagColl.find()”. This gives us our first flag for this challenge.

    The next task will require the use of Burp Suite to intercept and modify our HTTP requests. Let’s fire that up, either on your own VM or on the THM hosted machine. At startup, we’ll choose “Temporary project” and hit “Next”.

    I’ll be using my usual browser, Firefox, with the FoxyProxy extension for use with Burp Suite. If you have not yet set this up, please see my write up for day 4 on how to do so. We’ll need to enable the Burp proxy by clicking the plugin icon in our toolbar:

    We’ll type in “admin” as the user, and an arbitrary value for “password”. Making sure we have the Burp suite intercept enabled, we can see the request pop up on the “Proxy” tab.

    We’ll modify this request, by typing “[$ne]” after “password” and before the equal sign. This is equivalent to saying we want to authenticate as the user “admin” and our password is not “admin”, which if NoSQL evaluates as “True”, will log us in. Click “Forward” after you have made the changes to the “password” attribute.

    There may be a redirect involved, in which case you will want to continue clicking “Forward” until you are successfully logged in. You should be presented with a “Welcome admin!” screen. Click on “Flag!” to retrieve the next flag.

    Next, we’ll choose “Search”, put in an arbitary value for “username”, and click “Search”

    We’ll modify this request using Burp Suite in a similar fashion, this time appending “[$ne]” after the “username” attribute, and setting the “role” attribute to “guest”.

    Once done, we’ll click “Forward” once more. We’ll be presented with a list of users with the role “guest”, which in our case should be only one, a user who’s ID string contains our flag.

    Return to the search bar, and type in “mcskidy” as the username, and click “Search” again. This time we will modify the “role” attribute to “role[$ne]=user”. This will theoretically return a user named “mcskidy” who has a role other than “user”. Forward this request using Burp suite, and you will see the final flag in the “Username details” field, similar to the last example.