Mongod - Linux
- justinblawitz
- Oct 7, 2025
Ping the target IP, then scan it with nmap, this time using sudo nmap -p- --min-rate=1000 -sV {target Ip}. Here -p- scans all 65,535 TCP ports and -sV tries to identify the version of each running service, while --min-rate sets the minimum number of packets that Nmap should send per second; the higher the number, the faster the scan.
After running nmap, we found 2 open TCP ports: port 22 running the SSH service, and the one we're interested in, port 27017, running a MongoDB server. MongoDB is a document-oriented NoSQL database. It organizes data into collections and documents, so the hierarchy is Database -> Collection -> Documents.
To connect to MongoDB we first run curl -O https://downloads.mongodb.com/compass/mongosh-2.3.2-linux-x64.tgz, which downloads mongosh 2.3.2, a shell for accessing the database, and saves it under the file name from the URL (mongosh-2.3.2-linux-x64.tgz).
We then extract the contents of the tar archive (a format used to bundle files together) using tar xvf mongosh-2.3.2-linux-x64.tgz, where x means extract, v gives verbose output (showing the progress of the extraction) and f specifies the file name, which comes after it.
Next, we cd mongosh-2.3.2-linux-x64/bin to navigate to the location where the mongosh binary is present, and use ./mongosh mongodb://{target Ip}:27017 to successfully connect to the MongoDB server running on a remote host as an anonymous user (27017 is the port number).
We can then use the show dbs; command to list the databases present on the MongoDB server, then run use sensitive_information; to open the interesting database we found.
After entering the database, we can use show collections; to list the collections in it, then run db.flag.find(); to dump the contents of the flag collection and capture the flag.
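The anonymous connection above works because mongod accepts connections on a remotely reachable interface and does not require authentication. The following added example (not part of the original write-up) checks a mongod.conf for both conditions; the function names and both sample configs are constructed for illustration, and it assumes a YAML config with plain, unquoted two-level keys.

```shell
# Print the value of KEY inside top-level SECTION of the YAML on stdin.
yaml_get() {
    awk -v sec="$1" -v key="$2" '
        /^[ \t]*#/ { next }                               # comment line
        /^[^ \t]/  { insec = ($0 ~ ("^" sec ":")); next } # top-level section
        insec {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (index(line, key ":") == 1) {
                sub(/^[^:]*:[ \t]*/, "", line)   # strip "key:"
                sub(/[ \t]*#.*$/, "", line)      # strip trailing comment
                print line; exit
            }
        }'
}

# Read a mongod.conf on stdin; print one FINDING line per weak setting.
audit_mongod_conf() {
    conf=$(cat)
    auth=$(printf '%s\n' "$conf" | yaml_get security authorization)
    bind=$(printf '%s\n' "$conf" | yaml_get net bindIp | tr -d ' ')
    bindall=$(printf '%s\n' "$conf" | yaml_get net bindIpAll)
    if [ "$auth" != "enabled" ]; then
        echo "FINDING: security.authorization is not enabled (no login required)"
    fi
    exposed=no
    if [ "$bindall" = "true" ]; then exposed=yes; fi
    case ",$bind," in *,0.0.0.0,*|*,::,*) exposed=yes ;; esac
    if [ "$exposed" = yes ]; then
        echo "FINDING: mongod listens on all interfaces (bindIp=${bind:-unset})"
    fi
    return 0
}

# Constructed sample configs (not taken from the target in this write-up).
WEAK_CONF='net:
  port: 27017
  bindIp: 0.0.0.0'
HARDENED_CONF='net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled'

echo "weak config:";     printf '%s\n' "$WEAK_CONF" | audit_mongod_conf
echo "hardened config:"; printf '%s\n' "$HARDENED_CONF" | audit_mongod_conf
```

A config that produces no FINDING lines would reject the unauthenticated show dbs; query used in this walkthrough.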


