/var/scheduler

After conducting some manual enumeration, I was strolling through the system and stumbled upon this.

mark@node:/var/scheduler$ ll
total 28
drwxr-xr-x  3 root root 4096 Aug 16 17:08 ./
drwxr-xr-x 15 root root 4096 Aug 16 17:08 ../
-rw-rw-r--  1 root root  910 Sep  3  2017 app.js
drwxr-xr-x 19 root root 4096 Aug 16 17:08 node_modules/
-rw-r--r--  1 root root 4709 Sep  3  2017 package-lock.json
-rw-rw-r--  1 root root  176 Sep  3  2017 package.json

I found an unusual directory, /var/scheduler. It appears to be another application built on Node.js.
mark@node:/var/scheduler$ cat app.js
const exec = require('child_process').exec;
const MongoClient = require('mongodb').MongoClient;
const ObjectID = require('mongodb').ObjectID;
const url = 'mongodb://mark:5AYRft73VtFpc84k@localhost:27017/scheduler?authMechanism=DEFAULT&authSource=scheduler';

MongoClient.connect(url, function(error, db) {
  if (error || !db) {
    console.log('[!] Failed to connect to mongodb');
    return;
  }

  // every 30 seconds: fetch all task documents, run each one, then delete it
  setInterval(function () {
    db.collection('tasks').find().toArray(function (error, docs) {
      if (!error && docs) {
        docs.forEach(function (doc) {
          if (doc) {
            console.log('Executing task ' + doc._id + '...');
            // the cmd field is handed to a shell as-is, with no validation
            exec(doc.cmd);
            db.collection('tasks').deleteOne({ _id: new ObjectID(doc._id) });
          }
        });
      }
      else if (error) {
        console.log('something went wrong: ' + error);
      }
    });
  }, 30000);
});

Checking the app.js file reveals that this Node.js script:
- connects to another database, named scheduler, with the same credentials
- sets an interval of 30 seconds that:
  - queries the tasks collection and retrieves its documents
  - iterates over the documents and executes the command in the cmd field
  - deletes the executed command from the tasks collection
I was wondering whether the app was already running, and checked with the ps command:

mark@node:/var/scheduler$ ps -auxwww | grep -i 'scheduler'
tom       1244  0.0  5.9 1074104 44888 ?        Ssl  Jan18   0:04 /usr/bin/node /var/scheduler/app.js

It is indeed running, with the privileges of the tom user. This certainly is a lateral movement vector.