Gitea


As there has been a password reuse case previously, I will check with the Gitea instance for those 2 DB credentials found earlier.

Password reuse confirmed for the administrator user: yuiu1hoiu4i5ho1uh. The DB account, gitea, shares the same password as the administrator user on the Gitea instance.

In addition to the existing repository, Searcher_site, there is another repository: scripts.

scripts


svc@busqueda:/opt/scripts$ ll
total 28
drwxr-xr-x 3 root root 4096 Dec 24  2022 ./
drwxr-xr-x 4 root root 4096 Mar  1  2023 ../
-rwx--x--x 1 root root  586 Dec 24  2022 check-ports.py*
-rwx--x--x 1 root root  857 Dec 24  2022 full-checkup.sh*
drwxr-x--- 8 root root 4096 Apr  3  2023 .git/
-rwx--x--x 1 root root 3346 Dec 24  2022 install-flask.sh*
-rwx--x--x 1 root root 1903 Dec 24  2022 system-checkup.py*

Checking the scripts repository reveals the /opt/scripts directory on the target system. This explains the presence of the .git directory. It was hosted on the Gitea instance all along.

Modifying the Repository (Fail)


Judging by the naming of the current user, administrator, modifying the repository is likely possible. I will attempt to edit the system-checkup.py file, which is the sudo-privileged command granted to the svc account to execute as the root user on the target system. Being able to modify this file grants a direct route to compromising the target system.

I appended another conditional statement for privilege escalation to the main function.

The server denies any form of commit. This essentially means that the server is configured to deny all commits regardless of the privileges set on the Gitea instance.

full-checkup


In frustration, I found something interesting in the original source code of the system-checkup.py file.

The conditional statement for the full-checkup sub-command executes a bash script named full-checkup.sh. The important bit here is that the bash script is invoked with a relative path: ./

This could easily be leveraged for command execution, because ./ is resolved against the caller's current working directory rather than /opt/scripts.

Test


svc@busqueda:/opt/scripts$ cd /var/tmp
svc@busqueda:/var/tmp$ echo -e '#!/bin/bash\necho Hijacked!' > /var/tmp/full-checkup.sh
svc@busqueda:/var/tmp$ sudo -u root python3 /opt/scripts/system-checkup.py full-checkup
Hijacked!
 
[+] Done!
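
The relative-path problem shown above, as an added example that is not the target's system-checkup.py or any code from this writeup: the weak call beside a hardened one that pins the helper to a fixed directory and checks ownership and write bits before running it. The function names, temporary directories and sample helper scripts are constructed for the illustration.

```python
import os
import stat
import subprocess
import tempfile
from pathlib import Path

def run_helper_relative(name: str) -> str:
    """Weak form: './name' is looked up in the caller's current directory."""
    return subprocess.run([f"./{name}"], capture_output=True, text=True, check=True).stdout

def run_helper_pinned(install_dir: Path, name: str) -> str:
    """Hardened form: absolute path under a fixed directory, checked before use."""
    base = install_dir.resolve(strict=True)
    helper = (base / name).resolve(strict=True)   # follows symlinks
    if helper.parent != base:
        raise PermissionError(f"{helper} is outside {base}")
    for p in (helper, base):
        st = p.stat()
        # Under sudo the effective uid is 0, so this demands root ownership.
        if st.st_uid != os.geteuid():
            raise PermissionError(f"{p} is not owned by uid {os.geteuid()}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            raise PermissionError(f"{p} is writable by group or others")
    return subprocess.run([str(helper)], cwd=base, capture_output=True, text=True, check=True).stdout

def make_helper(directory: Path, message: str, mode: int = 0o700) -> Path:
    """Constructed sample helper: a tiny shell script that prints `message`."""
    path = directory / "full-checkup.sh"
    path.write_text(f"#!/bin/sh\necho {message}\n")
    path.chmod(mode)
    return path

def demo() -> dict:
    """Same helper name in the install dir and in an unrelated working directory."""
    install_dir, other_dir = Path(tempfile.mkdtemp()), Path(tempfile.mkdtemp())
    make_helper(install_dir, "genuine")
    make_helper(other_dir, "other-directory")
    previous = os.getcwd()
    os.chdir(other_dir)
    try:
        return {"relative": run_helper_relative("full-checkup.sh").strip(),
                "pinned": run_helper_pinned(install_dir, "full-checkup.sh").strip()}
    finally:
        os.chdir(previous)

if __name__ == "__main__":
    print(demo())  # {'relative': 'other-directory', 'pinned': 'genuine'}
```

The pinned form gives the same result from any working directory, which is the property a sudo-allowed script needs.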

Moving to the Privilege Escalation phase.

full-checkup.sh


The full-checkup.sh file doesn’t contain anything noteworthy.