InfoSec LAB

Beyond the root

There was a root cronjob process running in the background executing a few scripts located at the /root/.backup directory

root@talkative:~/.backup# ll
total 24K
4.0K drwx------ 7 root root 4.0K Apr  4  2022 ..
4.0K drwxr-xr-x 2 root root 4.0K Apr  4  2022 .
4.0K -rwxr-xr-x 1 root root 2.5K Mar 15  2022 run.sh
4.0K -rw-r--r-- 1 root root  470 Mar 15  2022 update_mongo.py
4.0K -rw-r----- 1 root root 1.2K Mar 15  2022 shadow
4.0K -rw-r--r-- 1 root root 1.8K Mar  7  2022 passwd

run.sh

root@talkative:~/.backup# cat run.sh
#!/bin/bash
sleep 7
for i in {6000..6015}
	do
		docker run -p 172.17.0.1:$i:80 -d --rm boltcms:latest
	done
/usr/sbin/iptables -A PREROUTING -t nat -p tcp -d 0.0.0.0/0 --dport 80 -s 0.0.0.0/0.0.0.15 -j DNAT --to-destination 172.17.0.4:80
/usr/sbin/iptables -A PREROUTING -t nat -p tcp -d 0.0.0.0/0 --dport 80 -s 0.0.0.1/0.0.0.15 -j DNAT --to-destination 172.17.0.5:80
/usr/sbin/iptables -A PREROUTING -t nat -p tcp -d 0.0.0.0/0 --dport 80 -s 0.0.0.2/0.0.0.15 -j DNAT --to-destination 172.17.0.6:80
/usr/sbin/iptables -A PREROUTING -t nat -p tcp -d 0.0.0.0/0 --dport 80 -s 0.0.0.3/0.0.0.15 -j DNAT --to-destination 172.17.0.7:80
/usr/sbin/iptables -A PREROUTING -t nat -p tcp -d 0.0.0.0/0 --dport 80 -s 0.0.0.4/0.0.0.15 -j DNAT --to-destination 172.17.0.8:80
/usr/sbin/iptables -A PREROUTING -t nat -p tcp -d 0.0.0.0/0 --dport 80 -s 0.0.0.5/0.0.0.15 -j DNAT --to-destination 172.17.0.9:80
/usr/sbin/iptables -A PREROUTING -t nat -p tcp -d 0.0.0.0/0 --dport 80 -s 0.0.0.6/0.0.0.15 -j DNAT --to-destination 172.17.0.10:80
/usr/sbin/iptables -A PREROUTING -t nat -p tcp -d 0.0.0.0/0 --dport 80 -s 0.0.0.7/0.0.0.15 -j DNAT --to-destination 172.17.0.11:80
/usr/sbin/iptables -A PREROUTING -t nat -p tcp -d 0.0.0.0/0 --dport 80 -s 0.0.0.8/0.0.0.15 -j DNAT --to-destination 172.17.0.12:80
/usr/sbin/iptables -A PREROUTING -t nat -p tcp -d 0.0.0.0/0 --dport 80 -s 0.0.0.9/0.0.0.15 -j DNAT --to-destination 172.17.0.13:80
/usr/sbin/iptables -A PREROUTING -t nat -p tcp -d 0.0.0.0/0 --dport 80 -s 0.0.0.10/0.0.0.15 -j DNAT --to-destination 172.17.0.14:80
/usr/sbin/iptables -A PREROUTING -t nat -p tcp -d 0.0.0.0/0 --dport 80 -s 0.0.0.11/0.0.0.15 -j DNAT --to-destination 172.17.0.15:80
/usr/sbin/iptables -A PREROUTING -t nat -p tcp -d 0.0.0.0/0 --dport 80 -s 0.0.0.12/0.0.0.15 -j DNAT --to-destination 172.17.0.16:80
/usr/sbin/iptables -A PREROUTING -t nat -p tcp -d 0.0.0.0/0 --dport 80 -s 0.0.0.13/0.0.0.15 -j DNAT --to-destination 172.17.0.17:80
/usr/sbin/iptables -A PREROUTING -t nat -p tcp -d 0.0.0.0/0 --dport 80 -s 0.0.0.14/0.0.0.15 -j DNAT --to-destination 172.17.0.18:80
/usr/sbin/iptables -A PREROUTING -t nat -p tcp -d 0.0.0.0/0 --dport 80 -s 0.0.0.15/0.0.0.15 -j DNAT --to-destination 172.17.0.19:80
/usr/sbin/iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 3000 -j DNAT --to-destination 172.17.0.3:3000
/usr/sbin/iptables -A INPUT -i eth0 -p tcp --dport 22 -j DROP
/usr/sbin/iptables -A INPUT -i docker0 -p tcp --dport 22 -j ACCEPT
/usr/sbin/iptables -A INPUT -s 172.18.0.2 -p tcp --dport 22 -j DROP

172.17.0.4-19 were used for load-balancing Firewall is set to block inbound connection to the port 22, Except from the Docker host; docker0

update_mongo.py

root@talkative:~/.backup# cat update_mongo.py
from pymongo import MongoClient
# pprint library is used to make the output look more pretty
from pprint import pprint
# connect to MongoDB, change the << MONGODB URL >> to reflect your own connection string
client = mongoclient("mongodb://172.17.0.2:27017/meteor")
db=client.admin
# Issue the serverStatus command and print the results
serverStatusResult=db.command("serverStatus")
truncate_integrations=db.rocketchat_integrations.drop({})
print(truncate_integrations)

InfoSec LAB

Explorer

Talkative_Beyond

Beyond the root

run.sh

update_mongo.py

Interactive Graph View

Table of Contents

Backlinks