Rocket — CVE-2021–22911 NoSQL Injection + Ruby cap_setuid to Root | TryHackMe The Rocket machine presents a layered, multi-service attack surface that rewards methodical enumeration and precise …

InfoSecWriteUps' platform is  dedicated to providing insights and resources for cybersecurity professionals and enthusiasts. Through articles, tutorials, and security research, InfoSecWriteUps offers insights into cybersecurity vulnerabilities, attack techniques, and defense strategies. Readers can learn about penetration testing, threat intelligence, and incident response to enhance their cybersecurity knowledge and skills.

InfoSec Write-ups

A detailed TryHackMe CTF walkthrough for the 'Rocket' machine (Hard difficulty, Ubuntu 18.04). The attack chain starts with CVE-2021-22911, a blind NoSQL injection in Rocket.Chat 3.12.1's password reset flow, used to extract reset tokens character by character and take over the admin account. A webhook delivers a reverse shell into a Docker container. From there, Chisel tunneling exposes an internal Mongo Express interface vulnerable to SSJS injection (CVE-2019-10758), yielding a second container shell. A bcrypt hash from a database backup is cracked with John the Ripper, credentials are reused to access Bolt CMS, and a PHP file editor provides host-level code execution as user 'alvin'. Root is achieved via cap_setuid on the Ruby 2.5 binary. The writeup includes a full vulnerability summary and defense/mitigation section covering all nine vulnerabilities in the chain.

Rocket — CVE-2021–22911 NoSQL Injection + Ruby cap_setuid to Root | TryHackMe

2. Initial Access — CVE-2021–22911 NoSQL Injection to Rocket.Chat RCE

2.2 Account Registration and User Enumeration