review for mongodb ops manager

rapid7 · Apr 7, 2024 · b83a91a · b83a91a
1 parent f9de96c
commit b83a91a
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 20 deletions.
diff --git a/...ntation/modules/auxiliary/gather/mongodb_ops_manager_diagnostic_archive_info.md b/...ntation/modules/auxiliary/gather/mongodb_ops_manager_diagnostic_archive_info.md
@@ -24,7 +24,6 @@ Successfully tested against MongoDB Ops Manager v6.0.11.
 7. `sudo systemctl start mongod.service`
 8. `sudo systemctl start mongodb-mms.service` (wait a little while for it to initialize and run)
 9. Browse to http://<ip>>:8080/account/register and perform the install, the SMTP fields can use values for a server which doesn't exist.
-    password: PassW0rd1!
 10. Top left corner of the page after install should be "Project 0", click the drop down and create new project. Any name is fine, I called it 'test'
 11. Top right of the screen, click Admin, API Keys, Create API Key. Create a new key, for permissions select
 `Global Monitoring Admin` or `Global Owner` (or both).
@@ -34,31 +33,31 @@ Successfully tested against MongoDB Ops Manager v6.0.11.
 1. Install the application
 1. Start msfconsole
 1. Do: `use auxiliary/gather/mongodb_ops_manager_diagnostic_archive_info`
-1. Do: `set API_USERNAME [api_username]`
-1. Do: `set API_PASSWORD [api_password]`
+1. Do: `set API_PUBKEY [API_PUBKEY]`
+1. Do: `set API_PRIVKEY [API_PRIVKEY]`
 1. Do: `run`
 1. You should find similar output to the following: `Found ubuntu22-0-bgrid's unredacted mms.saml.ssl.PEMKeyFilePassword: FINDME`
 
 ## Options
 
-### API_USERNAME
+### API_PUBKEY
 
-Username for the API key that was created with `Global Monitoring Admin` or `Global Owner` permissions.
+Public Key for the API key that was created with `Global Monitoring Admin` or `Global Owner` permissions.
 
-### API_PASSWORD
+### API_PRIVKEY
 
-Password for the API key that was created with `Global Monitoring Admin` or `Global Owner` permissions.
+Private Key for the API key that was created with `Global Monitoring Admin` or `Global Owner` permissions.
 
 ## Scenarios
 
 ### Mongodb OPS Manager 6.0.11 on Ubuntu 22.04
 
 ```
 msf6 > use auxiliary/gather/mongodb_ops_manager_diagnostic_archive_info
-msf6 auxiliary(gather/mongodb_ops_manager_diagnostic_archive_info) > set API_USERNAME zmdhriti
-API_USERNAME => zmdhriti
-msf6 auxiliary(gather/mongodb_ops_manager_diagnostic_archive_info) > set API_PASSWORD fd2faf05-18bc-4e6b-8ea1-419f3e8f95bc
-API_PASSWORD => fd2faf05-18bc-4e6b-8ea1-419f3e8f95bc
+msf6 auxiliary(gather/mongodb_ops_manager_diagnostic_archive_info) > set API_PUBKEY zmdhriti
+API_PUBKEY => zmdhriti
+msf6 auxiliary(gather/mongodb_ops_manager_diagnostic_archive_info) > set API_PRIVKEY fd2faf05-18bc-4e6b-8ea1-419f3e8f95bc
+API_PRIVKEY => fd2faf05-18bc-4e6b-8ea1-419f3e8f95bc
 msf6 auxiliary(gather/mongodb_ops_manager_diagnostic_archive_info) > set verbose true
 verbose => true
 msf6 auxiliary(gather/mongodb_ops_manager_diagnostic_archive_info) > set rhosts 127.0.0.1

diff --git a/modules/auxiliary/gather/mongodb_ops_manager_diagnostic_archive_info.rb b/modules/auxiliary/gather/mongodb_ops_manager_diagnostic_archive_info.rb
@@ -52,8 +52,8 @@ def initialize(info = {})
     register_options(
       [
         Opt::RPORT(8080),
-        OptString.new('API_USERNAME', [ true, 'User to login with for API requests', '']),
-        OptString.new('API_PASSWORD', [ true, 'Password to login with for API requests', '']),
+        OptString.new('API_PUBKEY', [ true, 'Public Key to login with for API requests', '']),
+        OptString.new('API_PRIVKEY', [ true, 'Password to login with for API requests', '']),
         OptString.new('TARGETURI', [ true, 'The URI of MongoDB Ops Manager', '/'])
       ]
     )
@@ -84,11 +84,11 @@ def check
   end
 
   def username
-    datastore['API_USERNAME']
+    datastore['API_PUBKEY']
   end
 
   def password
-    datastore['API_PASSWORD']
+    datastore['API_PRIVKEY']
   end
 
   def digest_auth(url)
@@ -100,7 +100,7 @@ def digest_auth(url)
       }
     )
     fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil?
-    fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") unless res.code == 401
+    fail_with(Failure::UnexpectedReply, "#{peer} - Basic auth not enabled, but is expected") unless res.code == 401
 
     # Define the regular expression pattern to capture key-value pairs
     pattern = /(\w+)="(.*?)"/
@@ -149,8 +149,7 @@ def get_projects(org)
         'authorization' => auth_response
       }
     )
-    return [] if res.nil?
-    return [] if res.code == 401
+    return [] if res.nil? || res.code == 401
 
     res.get_json_document['results']
   end
@@ -168,8 +167,7 @@ def get_diagnostic_archive(project)
       },
       'vars_get' => { 'pretty' => 'true' }
     )
-    return if res.nil?
-    return unless res.code == 200
+    return unless res&.code == 200
 
     loot_location = store_loot('mongodb.ops_manager.project_diagnostics', 'application/gzip', rhost, res.body, "project_diagnostics.#{project}.tar.gz", "Project diagnostics for MongoDB Project #{project}")
     print_good("Stored Project Diagnostics files to #{loot_location}")