
THM Advent of Cyber 3 (2021) NoSQL WriteUp


Last updated 2 years ago

The advent of Cyber 3 (2021) [Day 7 - NoSQL]

[Day 7] Web Exploitation Migration Without Security

Please Read Day 07 About NoSQL

First Flag

Q: Interact with the MongoDB server to find the flag. What is the flag?

  1. As you read in the room, turn on your machine

  2. Open a terminal

  3. Type ssh thm@MACHINE_IP -p 2222

  4. As you read in this room on Day 07

  5. Do the same steps as the image below

  6. Log in over SSH

  7. Interact with MongoDB

  8. Show your databases

  9. Use the flagdb database

  10. You are now in the flagdb database

  11. List all collections (collections == tables)

  12. You will find the flag field (column == field) in the records (records == documents)


Second Flag

Q: Interact with the MongoDB server to find the flag. What is the flag?

  1. Open http://MACHINE_IP

  2. Try entering dummy data in the username and password fields

  3. Fire up Burp

  4. Intercept the request after submitting the username and password input fields

  5. As you read in this room on Day 07

  6. As you learned, send the username parameter with the value admin

  7. Change the password parameter to anything

  8. Parameter: password[$ne]=anything

  9. $ne == not equal

  10. This makes the whole condition evaluate to true, as in SQLi

  11. Username is admin & password is not equal to anything == [TRUE]

  12. The response will be 302 Found

  13. Press Follow Redirection

  14. You will find the flag directory

  15. Right-click and choose Copy Response Link from the Burp response in Repeater

  16. Paste the link in the browser and click on the flag link


Third Flag

Q: Once you are logged in, use the gift search page to list all usernames that have guest roles. What is the flag?

  1. After login, you will see the search link

  2. Search with any dummy data

  3. As you read in this room on Day 07

  4. Change the GET parameters username & role to be TRUE

  5. To make it true: the first and second parameters must each be TRUE for the whole request to be true

  6. Username parameter not equal admin == any username

  7. Role parameter not equal admin also == Role=guest

  8. From 7,8 the request will be true and return all guest usernames, not admin

  9. The response will retrieve the THM flag


Fourth Flag

Q: Use the gift search page to perform a NoSQL injection and retrieve the mcskidy record. What is the details record?

  1. After login, you will see the search link

  2. Search with any dummy data

  3. As you read in this room on Day 07

  4. Change the GET parameters username & role to be TRUE

  5. To make it true: the first and second parameters must each be TRUE for the whole request to be true

  6. Username parameter value: mcskidy

  7. Role parameter value: not equal admin also

  8. But I didn’t get any flag in the response

  9. Change the role parameter value to not equal guest (instead of admin) == Role=admin

  10. From 7,10 the request will be true and return the mcskidy username with the admin role

  11. The response will retrieve the THM flag

Credits:

😈
RealTryHackMe