Unauthenticated-Access

Box info | OS: Ubuntu (OpenSSH 8.2p1 Ubuntu 4ubuntu0.5) | Difficulty: Very Easy | Tier: 0 | Status: Starting Point Skills: MongoDB CLI, unauthenticated NoSQL enumeration, database inspection Pwned: 2026-04-27 TL;DR Mongod runs MongoDB 3.6.8 on port 27017 with no authentication required and bound to 0.0.0.0. A two-port scan finds SSH (22) and MongoDB (27017). Connecting with mongosh or mongo requires no credentials; listing databases reveals sensitive_information alongside a populated users database. The flag lives in sensitive_information.flag. Going further: the admin database contains a hashed admin credential (testadmin), and the users database has 25 ecommerce user records with MD5/SHA1 password hashes — none crackable with rockyou. Shell access via SSH brute-force also fails. The lesson: an unauthenticated MongoDB instance exposes your entire dataset to anyone who can reach port 27017. ...

Box info | OS: Ubuntu 20.04.2 LTS (Linux 5.4.0-77-generic) | Difficulty: Very Easy | Tier: 0 | Status: Starting Point Skills: Redis protocol, unauthenticated key-value store access, Redis CLI Pwned: 2026-04-27 TL;DR Redeemer runs Redis 5.0.7 on port 6379 with no authentication configured and bound to 0.0.0.0. A full TCP sweep is required to find it — the top-1000 scan returns nothing. Once connected, KEYS * lists four keys including one literally named flag. GET flag returns the hash. The box goes further for curious attackers: loading a rogue Redis module achieves RCE as redis user, but privilege escalation to root is fully blocked (patched OverlayFS, no SUID pkexec, no writable cron paths). The lesson: an unauthenticated Redis instance is a direct data exfiltration path and potentially a foothold — just make sure you actually scan all 65535 ports first. ...