mongodb node

node discovery

  • Likely found from LinEnum or LSE

ps -ef | grep sched  ..running as 'tom'
Found 'mongo' running with localhost:27017

/usr/bin/node /var/www/myplace/app.js    ..service running as who?
/usr/bin/node /var/scheduler/app.js

cat /var/scheduler/app.js
cat /var/www/myplace/app.js

Naughty node app

  • Found that bad app running with node: Ex: "app.js"

  • Connects to Mongo

  • Executes bash/cmd task found in mongo>tasks>docs

  • Delete after execution

  • REF: nodeHTB

const url = 'mongodb://mark:mypassword@localhost:27017/scheduler';
MongoClient.connect(url, function(error, db) {}
setInterval(function () {
    db.collection('tasks').find().toArray(function (error, docs) {
      if (!error && docs) {
        docs.forEach(function (doc) {
          if (doc) {
            console.log('Executing task ' + doc._id + '...');
            exec(doc.cmd);
            db.collection('tasks').deleteOne({ _id: new ObjectID(doc._id) });
          }
        });
      }
      else if (error) {
        console.log('Something went wrong: ' + error);
      }
    });
  }, 30000);
});

Exploit

  • Since node is running elevated and SUID bit set - we can do a few injections:

PreviousMonitor FilesNextPivots

Last updated

Was this helpful?