# THM Advent of Cyber 3 (2021) NoSQL WriteUp

<figure><img src="https://3344169606-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FjoHbOFRbwrmbD6PvIUkf%2Fuploads%2FckNQ4LJ3yN39OIUGrubJ%2Fimage.png?alt=media&#x26;token=7dfa348f-da92-4308-937c-e7486eb9e9c6" alt=""><figcaption></figcaption></figure>

## The advent of Cyber 3 (2021) \[Day 7 - NoSQL] <a href="#advent-of-cyber-3-2021-day-7---nosql" id="advent-of-cyber-3-2021-day-7---nosql"></a>

\[Day 7] Web Exploitation Migration Without Security

Credits: [RealTryHackMe](https://tryhackme.com/room/adventofcyber3)

Please Read Day 07 About **NoSQL**

## <mark style="color:red;">First Flag</mark>  <a href="#first-flag---q-interact-with-the-mongodb-server-to-find-the-flag-what-is-the-flag" id="first-flag---q-interact-with-the-mongodb-server-to-find-the-flag-what-is-the-flag"></a>

#### Q: Interact with the MongoDB server to find the flag. What is the flag? <a href="#first-flag---q-interact-with-the-mongodb-server-to-find-the-flag-what-is-the-flag" id="first-flag---q-interact-with-the-mongodb-server-to-find-the-flag-what-is-the-flag"></a>

1. As the room instructs, **turn on your machine**
2. Open a **terminal**
3. Type **ssh thm\@MACHINE\_IP -p 2222**
4. Follow what you read in this room on **Day 07**
5. Do the same steps as in the **image below**
6. <figure><img src="https://i.imgur.com/HfVghdS.png" alt=""><figcaption></figcaption></figure>

7. **Log in over ssh**
8. Interact with **MongoDB**
9. **Show** your **databases**
10. Use the **flagdb** database
11. You are now in the flagdb database
12. List all **collections** (collections == tables)
13. You will find the flag **field** (fields == columns) in one of the **documents** (documents == records)

***

## <mark style="color:red;">Second Flag</mark>  <a href="#second-flag---q-interact-with-the-mongodb-server-to-find-the-flag-what-is-the-flag" id="second-flag---q-interact-with-the-mongodb-server-to-find-the-flag-what-is-the-flag"></a>

#### Q: Interact with the MongoDB server to find the flag. What is the flag? <a href="#second-flag---q-interact-with-the-mongodb-server-to-find-the-flag-what-is-the-flag" id="second-flag---q-interact-with-the-mongodb-server-to-find-the-flag-what-is-the-flag"></a>

1. Open **http://MACHINE\_IP**
2. Try entering dummy data in the **username** and **password** fields
3. Fire up **Burp**
4. Intercept the request after submitting the **username** and **password** input fields
5. Follow what you read in this room on **Day 07**
6. <figure><img src="https://i.imgur.com/J0CqeMJ.png" alt=""><figcaption></figcaption></figure>

7. As you learned, send the **username** parameter with the value **admin**
8. Change the password parameter to **anything**
9. Parameter: **password\[$ne]=anything**
10. **$ne == Not Equal**
11. This makes the whole statement true, as in **SQLi**
12. **Username is admin** & **Password not equal anything** == **\[TRUE]**
13. The response will be **302 Found**
14. <figure><img src="https://i.imgur.com/WyvVnaj.png" alt=""><figcaption></figcaption></figure>

15. **Press Follow Redirection**
16. You will find the **flag directory**
17. Right-click the response in Burp Repeater and choose Copy Response Link
18. Paste the link in the browser and click on the flag link
19. <figure><img src="https://i.imgur.com/H0tm2U9.png" alt=""><figcaption></figcaption></figure>

***

## <mark style="color:red;">Third Flag</mark>  <a href="#third-flag---q-once-you-are-logged-in-use-the-gift-search-page-to-list-all-usernames-that-have-guest" id="third-flag---q-once-you-are-logged-in-use-the-gift-search-page-to-list-all-usernames-that-have-guest"></a>

#### Q: Once you are logged in, use the gift search page to list all usernames that have guest roles. What is the flag? <a href="#third-flag---q-once-you-are-logged-in-use-the-gift-search-page-to-list-all-usernames-that-have-guest" id="third-flag---q-once-you-are-logged-in-use-the-gift-search-page-to-list-all-usernames-that-have-guest"></a>

1. After login, you will see the **search link**
2. Search with any **dummy data**
3. Follow what you read in this room on **Day 07**
4. <figure><img src="https://i.imgur.com/VLW1pi4.png" alt=""><figcaption></figcaption></figure>

5. Change the GET parameters **username & role** so they evaluate to **TRUE**
6. How to make it **true**: the **first** and **second** parameters must each be **true** for the whole request to be true
7. **Username** parameter **Not Equal admin** == **any username**
8. **Role** parameter **Not Equal admin** also == **Role=guest**
9. **From 7 and 8**, the request will be **true** and return **all guest usernames that are not admin**
10. The response will retrieve the THM flag

***

## <mark style="color:red;">Fourth Flag</mark> <a href="#fourth-flag-q-use-the-gift-search-page-to-perform-nosql-injection-and-retrieve-the-mcskidy-record" id="fourth-flag-q-use-the-gift-search-page-to-perform-nosql-injection-and-retrieve-the-mcskidy-record"></a>

#### Q: Use the gift search page to perform a NoSQL injection and retrieve the mcskidy record. What is the details record? <a href="#fourth-flag-q-use-the-gift-search-page-to-perform-nosql-injection-and-retrieve-the-mcskidy-record" id="fourth-flag-q-use-the-gift-search-page-to-perform-nosql-injection-and-retrieve-the-mcskidy-record"></a>

1. After login, you will see the **search link**
2. Search with any **dummy data**
3. Follow what you read in this room on **Day 07**
4. ![](https://i.imgur.com/McV8cSL.png)

5. Change the GET parameters **username & role** so they evaluate to **TRUE**
6. How to make it true: the first and second parameters must each be true for the whole request to be true
7. **Username** parameter value **mcskidy**
8. **Role** parameter value **Not Equal admin also**
9. But I didn’t get the flag in the response
10. Change the **Role** parameter value to Not **Equal admin guest** == Role=admin
11. **From 7 and 10**, the request will be true and return the **mcskidy** username with the **admin role**
12. The response will retrieve the THM flag
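
Why the `[$ne]` parameter works in the login and gift-search steps above, and the type check that stops it, shown as an added example (not code from the room or from this write-up). It assumes the backend copies bracket-parsed parameters straight into a MongoDB-style filter; the user records and the `parseForm`, `matches` and `buildFilter` helpers are constructed stand-ins.

```javascript
// Added example: constructed data; parseForm, matches and buildFilter are hypothetical names.
const users = [
  { username: "admin", password: "constructed-admin-pw", role: "admin" },
  { username: "alice", password: "constructed-pw-1", role: "guest" },
  { username: "bob", password: "constructed-pw-2", role: "guest" },
];

// Stand-in for a bracket-aware parser: key[sub]=value becomes { key: { sub: value } }.
// Null-prototype objects keep a key such as __proto__ from touching Object.prototype.
function parseForm(input) {
  const out = Object.create(null);
  for (const [key, value] of new URLSearchParams(input)) {
    const m = /^([^\[\]]+)\[([^\[\]]+)\]$/.exec(key);
    if (!m) { out[key] = value; continue; }
    if (typeof out[m[1]] !== "object") out[m[1]] = Object.create(null);
    out[m[1]][m[2]] = value;
  }
  return out;
}

// Toy matcher: equality plus $ne only, the operator this write-up uses.
function matches(doc, filter) {
  return Object.entries(filter).every(([field, cond]) =>
    typeof cond === "object" && cond !== null
      ? Object.entries(cond).every(([op, v]) => op === "$ne" && doc[field] !== v)
      : doc[field] === cond);
}
const find = (filter) => users.filter((doc) => matches(doc, filter));

// strict=false copies parsed values as-is (the flaw: an object acts as an operator).
// strict=true accepts only plain strings, so password[$ne]=... is rejected outright.
function buildFilter(input, fields, strict) {
  const params = parseForm(input);
  const filter = {};
  for (const f of fields) {
    if (strict && typeof params[f] !== "string") {
      throw new TypeError(`${f} must be a string`);
    }
    filter[f] = params[f];
  }
  return filter;
}

const login = (body, strict) =>
  find(buildFilter(body, ["username", "password"], strict)).length === 1;
const search = (qs, strict) =>
  find(buildFilter(qs, ["username", "role"], strict)).map((u) => u.username);
```

With `strict` set, ordinary string credentials and search terms still work, while any parameter that parses to an object is refused before it reaches the query.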
