embossdotar

Summary

The content provides a comprehensive walkthrough for the "NoSQL Injection" room on TryHackMe, detailing NoSQL injection techniques, tools, and practical examples using MongoDB, along with additional resources for further learning.

Abstract

The web content is a detailed guide for the "NoSQL Injection" challenge on TryHackMe, a free cybersecurity training platform. It introduces the concept of NoSQL injection, particularly in the context of MongoDB, and covers various injection techniques such as Syntax and Operator Injections. The guide includes step-by-step instructions for bypassing login screens, extracting user passwords, and identifying and exploiting NoSQL injection vulnerabilities using tools like Burp Suite. It also provides screenshots, answers to task-based questions, and a flag for successful completion of the challenge. The author encourages readers to attempt tasks independently, offers tips for overcoming challenges, and includes referral links for premium access to TryHackMe and HackTheBox, suggesting support for the author's work. Additional resources from MongoDB, MITRE, OWASP, IBM, Amazon, and Google are provided for a deeper understanding of NoSQL databases and injection prevention.

Opinions

  • The author believes in the value of hands-on practice, encouraging readers to engage with the tasks on their own.
  • They emphasize the importance of familiarity with tools like Burp Suite for effective security testing.
  • The author suggests that readers should not rush through the tasks but instead take the time to understand the tools and concepts.
  • By providing referral links, the author implies that becoming a premium user on platforms like TryHackMe and HackTheBox can be beneficial.
  • The inclusion of additional resources indicates the author's view that continuous learning from various reputable sources is crucial for mastering NoSQL injection and database security.
  • The author's use of hashtags at the end of the content reflects an understanding of the importance of community and sharing knowledge within the cybersecurity field.

TryHackMe — NoSQL Injection — Writeup

Key points: NoSQLi | NoSQL Injection | Burp Suite | Burp Proxy | Burp Intruder | Burp Repeater | MongoDB | Operator Injection | Syntax Injection. NoSQL Injection by awesome TryHackMe! 🎉

Hi All. First, a quick introduction. The room mentioned here is free to access. It's still worth considering becoming a premium user, more info here: https://tryhackme.com/why-subscribe

My referral link 🎁 (“When someone uses your referral link to sign up for a premium membership within 7 days, you both earn $5 credit towards premium access!”): https://tryhackme.com/signup?referrer=655bf0dd7cb6fa588c31d1a3 “It’s a win-win for you and your friends!” 🚀 (Steps: TryHackMe THM — sign up and become a premium user)

If you want to support my work, you can also take a look here: https://referral.hackthebox.com/mz824lPHTB, thanks! (Steps: Register on HackTheBox)

It would be great for you to be more familiar with these topics, so please visit the Room https://tryhackme.com/r/room/nosqlinjectiontutorial to get more details. ✨ I encourage you to do the tasks on your own.

These tasks are well-prepared, so I will try not to repeat their content. Everything you need is there, but I want to share some additional helpful and useful resources.

Tip: if you get stuck on some task, please take your time and don't hurry. Get more familiar with the mentioned tools, repeat the steps, etc.

Task 1 — Introduction

Get ready! 🚀

Task 2 — What is NoSQL

Q: What is a group of documents in MongoDB known as? A: collection

Q: Using the MongoDB Operator Reference, what operator is used to filter data when a field isn’t equal to a given value? A: $ne

Q: Following the example of the 3 documents given before, how many documents would be returned by the following filter: `['gender' => ['$ne' => 'female'], 'age' => ['$gt' => '65']]`? A: 0

Additional sources:

  • https://www.mongodb.com/
  • https://www.mongodb.com/docs/manual/reference/operator/
  • https://www.mongodb.com/resources/basics/databases/nosql-explained
  • https://www.ibm.com/topics/nosql-databases
  • https://aws.amazon.com/nosql/
  • https://www.geeksforgeeks.org/introduction-to-nosql/
  • https://cloud.google.com/discover/what-is-nosql

Task 3 — NoSQL Injection

Q: What type of NoSQL Injection is similar to normal SQL Injection? A: Syntax

Q: What type of NoSQL Injection allows you to modify the behaviour of the query, even if you can’t escape the syntax? A: Operator

Additional sources:

  • https://capec.mitre.org/data/definitions/676.html
  • https://cwe.mitre.org/data/definitions/943.html

Task 4 — Operator Injection: Bypassing the Login Screen

Instead of text explanations, in the next chapters I will show you screenshots of the solutions and of the ways to reach them, with proper descriptions.

Admin’s email address, source: THM — NoSQL Injection

Q: When bypassing the login screen using the $ne operator, what is the email of the user that you are logged in as? A: [email protected]
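To show what the `$ne` login bypass from this task (and the operator question from Task 2) actually exploits, here is an added example that is not part of the room: a login filter built straight from request data, beside a hardened version that rejects non-string credentials and any `$`-prefixed key. The in-memory user list and the tiny matcher standing in for the MongoDB driver are constructed for the example.

```javascript
// Constructed sample "collection"; a real app would query MongoDB instead.
const users = [
  { email: 'admin@example.test', password: 's3cret' },
  { email: 'pedro@example.test', password: 'hunter2' },
];

// Stand-in for MongoDB matching: equality plus the $ne operator, which is
// all the login bypass needs. (Assumption: not the real driver.)
function matches(doc, filter) {
  return Object.entries(filter).every(([field, cond]) => {
    if (cond !== null && typeof cond === 'object') {
      if ('$ne' in cond) return doc[field] !== cond.$ne;
      throw new Error('unsupported operator in stand-in matcher');
    }
    return doc[field] === cond;
  });
}

// Vulnerable: request values go straight into the filter. With a JSON body
// (or PHP-style user[password][$ne]=x parameters) the client controls the
// value's *type*, so { $ne: '' } matches any non-empty password.
function loginVulnerable(body) {
  const filter = { email: body.email, password: body.password };
  return users.find(u => matches(u, filter)) || null;
}

// Defence 1: refuse any key beginning with '$' anywhere in the input
// (the approach taken by sanitising libraries such as mongo-sanitize).
function containsOperatorKey(value) {
  if (value === null || typeof value !== 'object') return false;
  return Object.entries(value).some(
    ([k, v]) => k.startsWith('$') || containsOperatorKey(v));
}

// Defence 2: credentials must be primitive strings before they reach the
// filter, so an operator object can never take the place of a value.
function loginHardened(body) {
  if (containsOperatorKey(body)) throw new Error('operator keys not allowed');
  if (typeof body.email !== 'string' || typeof body.password !== 'string') {
    throw new Error('credentials must be strings');
  }
  const filter = { email: body.email, password: body.password };
  return users.find(u => matches(u, filter)) || null;
}
```

In a real deployment both checks belong in the request-validation layer, before the query is assembled.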

Task 5 — Operator Injection: Logging in as Other Users

Almost final payload, source: THM — NoSQL Injection
Final payload — no more users, source: THM — NoSQL Injection

Q: How many users are there in total? A: 4

Q: There is a user that starts with the letter “p”. What is his username? A: pedro

Task 6 — Operator Injection: Extracting Users’ Passwords

Tip: Burp Suite's Proxy, Repeater and Intruder are useful here, for instance.

Determining the length of the password, source: THM — NoSQL Injection
Final payload, source: THM — NoSQL Injection

Q: What is john’s password? A: 10584312

Determining the length of the password, source: THM — NoSQL Injection
Sniper here (slow method — almost done), source: THM — NoSQL Injection
Flag, source: THM — NoSQL Injection

🚩 Flag

Q: One of the users seems to be reusing his password for many services. Find which one and connect through SSH to retrieve the final flag! A: flag{N0Sql_n01iF3!}

Task 7 — Syntax Injection: Identification and Data Extraction

Final answer, source: THM — NoSQL Injection

Q: What common character is used to test for injection in both SQL and NoSQL solutions? A: `'`

Q: What is the email value of the super secret user returned in the last entry? A: [email protected]

Additional sources:

  • https://cheatsheetseries.owasp.org/cheatsheets/Database_Security_Cheat_Sheet.html
  • https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05.6-Testing_for_NoSQL_Injection
  • https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html

I hope you enjoy! 🍀

#NoSQLi #NoSQLInjection #BurpSuite #BurpProxy #BurpIntruder #BurpRepeater #MongoDB #OperatorInjection #SyntaxInjection #writeup #hacking #ITsecurity #THM #TryHackMe

Best wishes,
