TRY HACK ME — ADVENT OF CYBER 3 — DAY 7

HarbSec
Jan 1, 2022

This task requires us to interact with a MongoDB server. Deploy the machine and the attack box.

For the first question, we copy the script from the tutorial but use port 2222, as shown in the diagram, instead of the default port mentioned in the text, because the default port will refuse the connection. After connecting via port 2222, we enter the provided password of ‘tryhackme’ when prompted.

To begin interacting with the MongoDB server, we type ‘mongo’ at the modified command prompt.

Once the startup text has been displayed, we type the command ‘show databases’ and press return, which lists the databases on the server.

As one is called flagdb, we type ‘use flagdb’ and press return to switch to this database. We use the command ‘db.getCollectionNames()’ to list the names of all collections within this database.

The ‘flagColl’ collection is returned, so we use the command ‘db.flagColl.find()’ to return all documents in this collection. This returns our flag.

We can paste this flag into the answer box for the flag question and submit.

Question 2 requires us to use Burp Suite to intercept a login request for the URL specified above the additional resources heading. We open the Firefox browser, activate FoxyProxy and open Burp Suite. We will need to click through to select a new project, and we must ensure that ‘Intercept’ (under the ‘Proxy’ heading) is off, otherwise pages will not load. We navigate to the specified URL, which takes us to the ‘Gift Requests WebApp’ site.

Once on the login screen, we go back to Burp Suite and activate the aforementioned ‘Intercept’ function.

We then return to the login screen and submit ‘admin’ for the username and the password.

Because Burp Suite intercepts the request, the page will hang.

In Burp Suite, under the HTTP History tab, we see the intercepted request with the username and password we submitted. We can edit it directly on the same screen so that it looks for a password which is not equal to the one entered, as per the diagram.

We click on ‘Forward’ to send the modified request on, and then deactivate ‘Intercept’.

When we return to the login page, we will see that we have been logged in successfully.

We can submit the flag found in the ‘Flag!’ link visible on this page.

For the third question we use the ‘Search’ link visible on this page.

The search field is for usernames, but we need to find a specific role.

(If we try entering ‘admin’ the page will return no results so we will know that there is no user with that name in this database.)

We go back to Burp Suite and activate the Intercept function. We then type ‘admin’ into the field and submit.

We then see the request within Burp Suite. It shows a role of ‘user’, which has most likely been added as a default when the username was submitted.

We can edit this as before so that it looks for a user whose name is not ‘admin’ and whose role is guest. We then click on ‘Forward’ before deactivating the Intercept function.

We then return to the search screen on the webpage.

Three results are returned. The flag is within one of these and it can be pasted into the third answer box.

For the fourth question, we are required to obtain the ‘mcskidy’ record, but this username is not found if we type it directly into the search box.

Checking the HTTP history in Burp Suite shows that this username was submitted with a role of ‘user’.

We submit this username into the search field again, but this time after activating the Intercept function in Burp Suite. We edit the request to search for a role not equal to ‘user’.

This was repeated to correct the misspelling of the username.

The record is returned and can be pasted into the final answer box.
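
Why the edited login and search requests succeed, and the server-side check that stops them, as an added example that is not part of the original write-up or the room's own code. The records, the function names and the small `matches` helper (a stand-in for MongoDB's equality and `$ne` matching) are assumptions made for illustration.

```javascript
// Constructed sample records standing in for the app's user collection
// (plaintext passwords only to keep the sketch short).
const users = [
  { username: "alice", password: "pw-alice", role: "user" },
  { username: "bob", password: "pw-bob", role: "guest" },
  { username: "admin", password: "pw-admin", role: "admin" },
];

// Minimal stand-in for MongoDB filter matching: plain equality plus $ne.
function matches(doc, filter) {
  return Object.entries(filter).every(([field, cond]) => {
    if (cond !== null && typeof cond === "object") {
      if (!("$ne" in cond)) throw new Error("operator not modelled");
      return doc[field] !== cond.$ne;
    }
    return doc[field] === cond;
  });
}
const find = (filter) => users.filter((doc) => matches(doc, filter));

// Vulnerable: parsed request values go into the filter untouched, so a
// parameter that arrives as an object is evaluated as a query operator.
function loginVulnerable(body) {
  return find({ username: body.username, password: body.password })[0] || null;
}
function searchVulnerable(query) {
  return find({ username: query.username, role: query.role });
}

// Hardened: every value must be a plain string before it reaches the query.
function allStrings(...values) {
  return values.every((v) => typeof v === "string");
}
function loginHardened(body) {
  if (!allStrings(body.username, body.password)) return null;
  return find({ username: body.username, password: body.password })[0] || null;
}
function searchHardened(query) {
  if (!allStrings(query.username, query.role)) return [];
  return find({ username: query.username, role: query.role });
}

// Parameters as a nested-object body parser would deliver the edited requests.
const editedLogin = { username: "admin", password: { $ne: "wrong" } };
const editedSearch = { username: { $ne: "admin" }, role: "guest" };
console.log(loginVulnerable(editedLogin), loginHardened(editedLogin));
console.log(searchVulnerable(editedSearch), searchHardened(editedSearch));
```

The hardened functions still accept ordinary string credentials and search terms; only values that arrive as objects are rejected before the query is built.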
