From df5eb16d803addeea8eac6b5ca3d03f48db8c4d1 Mon Sep 17 00:00:00 2001 From: CPol Date: Wed, 16 Sep 2020 10:00:23 +0000 Subject: [PATCH] GitBook: [master] one page and one asset modified --- .../assets/id-and-objectids-in-mongodb.png | Bin 0 -> 6336 bytes pentesting/27017-27018-mongodb.md | 17 +++++++++++++++++ 2 files changed, 17 insertions(+) create mode 100644 .gitbook/assets/id-and-objectids-in-mongodb.png 
diff --git a/.gitbook/assets/id-and-objectids-in-mongodb.png b/.gitbook/assets/id-and-objectids-in-mongodb.png new file mode 100644 index 0000000000000000000000000000000000000000..9b8348bf7c08fcce2a5f19290d29605a1832fb7e GIT binary patch literal 6336
diff --git a/pentesting/27017-27018-mongodb.md b/pentesting/27017-27018-mongodb.md index 0a9c63f18..5aeb3ff71 100644 --- a/pentesting/27017-27018-mongodb.md +++ b/pentesting/27017-27018-mongodb.md
@@ -79,6 +79,23 @@ grep "noauth.*true" /opt/bitnami/mongodb/mongodb.conf | grep -v "^#" #Not needed grep "auth.*true" /opt/bitnami/mongodb/mongodb.conf | grep -v "^#\|noauth" #Not needed ``` +## Mongo Objectid Predict + +Mongo Object IDs are **12-byte hexadecimal** strings: + +![](../.gitbook/assets/id-and-objectids-in-mongodb.png) + +For example, here’s how we can dissect an actual Object ID returned by an application: 5f2459ac9fa6dc2500314019 + +1. 5f2459ac: 1596217772 in decimal = Friday, 31 July 2020 17:49:32 +2. 9fa6dc: Machine Identifier +3. 2500: Process ID +4. 314019: An incremental counter + +Of the above elements, machine identifier will remain the same for as long as the database is running the same physical/virtual machine. Process ID will only change if the MongoDB process is restarted. Timestamp will be updated every second. The only challenge in guessing Object IDs by simply incrementing the counter and timestamp values, is the fact that Mongo DB generates Object IDs and assigns Object IDs at a system level. + +The tool [https://github.com/andresriancho/mongo-objectid-predict](https://github.com/andresriancho/mongo-objectid-predict), given a starting Object ID \(you can create an account and get a starting ID\), it sends back about 1000 probable Object IDs that could have possibly been assigned to the next objects, so you just need to bruteforce them. + ## Post If you are root you can **modify** the **mongodb.conf** file so no credentials are needed \(_noauth = true_\) and **login without credentials**.
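Review bot: the first sentence of the added section, "Mongo Object IDs are **12-byte hexadecimal** strings", conflates the value with its encoding. The four fields listed under it total 12 bytes (4 + 3 + 2 + 3) and the sample ID is 24 hex characters, so "12-byte values, usually shown as 24 hexadecimal characters" would be accurate. In list item 1 the decoded time has no time zone; 1596217772 is 17:49:32 UTC, and saying so avoids off-by-hours errors when a reader compares it with local logs. The sentence beginning "The only challenge in guessing Object IDs" never states what the difficulty is: "generates Object IDs and assigns Object IDs at a system level" should spell out the consequence for the counter field (presumably that it is shared by everything the process inserts, so consecutive documents in one collection can skip values). The last added paragraph is ungrammatical ("The tool ..., given a starting Object ID ..., it sends back"); drop the "it". The heading "Mongo Objectid Predict" would read better as "Mongo ObjectId Predict", matching the "Object ID" spelling in the body. Since the section's whole point is that these IDs are guessable, a closing line for readers on the defending side would fit: an Object ID should not be the only thing protecting access to a document.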