Gitea


What appears to be an undiscovered virtual host, gitea.searcher.htb, has been identified by PEAS

svc@busqueda:~$ cat /etc/hosts | grep -v '^#'
127.0.0.1 localhost
127.0.1.1 busqueda searcher.htb gitea.searcher.htb
 
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Checking the /etc/hosts file of the target system indeed confirms the virtual host; gitea.searcher.htb

The /etc/hosts file on Kali has been updated for local DNS resolution

svc@busqueda:~$ cat /etc/apache2/sites-enabled/000-default.conf | grep -v '^#'
<VirtualHost *:80>
        ProxyPreserveHost On
        ServerName searcher.htb
        ServerAdmin admin@searcher.htb
        ProxyPass / http://127.0.0.1:5000/
        ProxyPassReverse / http://127.0.0.1:5000/
 
        RewriteEngine On
        RewriteCond %{HTTP_HOST} !^searcher.htb$
        RewriteRule /.* http://searcher.htb/ [R]
 
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
 
</VirtualHost>
 
<VirtualHost *:80>
        ProxyPreserveHost On
        ServerName gitea.searcher.htb
        ServerAdmin admin@searcher.htb
        ProxyPass / http://127.0.0.1:3000/
        ProxyPassReverse / http://127.0.0.1:3000/
 
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
 
</VirtualHost>

Moreover, 2 active ports found during the preliminary foothold enumeration, namely 3000 and 5000, are used for web applications. This was confirmed by PEAS as well

  • the 127.0.0.1:5000 socket is mapped to searcher.htb, which contains the Searchor web app that was exploited to gain the initial foothold.
  • the 127.0.0.1:3000 socket is mapped to the gitea.searcher.htb virtual host.
    • This may indicate the virtual host, gitea.searcher.htb, is hosting a Gitea instance as a local repository as the name suggests

It’s also important to note that both sockets are INTERNAL and proxied through Apache.
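The mapping described above can be extracted mechanically when auditing a reverse proxy. The following is an added example, not part of the original write-up: it parses name-based virtual hosts and reports which backends are loopback-only services published through Apache. The function names and the sample configuration are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.I | re.S)
DIRECTIVE_RE = re.compile(r"^[ \t]*(\w+)[ \t]+(.*?)[ \t]*$", re.M)

def is_loopback(url):
    """True when the backend host is a loopback address (or 'localhost')."""
    host = urlsplit(url).hostname or ""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host == "localhost"

def proxied_backends(conf_text):
    """Return [(server_name, listen, path, backend, loopback)] per ProxyPass."""
    rows = []
    for listen, body in VHOST_RE.findall(conf_text):
        name, passes = None, []
        for key, value in DIRECTIVE_RE.findall(body):
            key = key.lower()  # Apache directive names are case-insensitive
            args = value.split()
            if key == "servername":
                name = value
            elif key == "proxypass" and len(args) >= 2:
                passes.append((args[0], args[1]))
        rows += [(name, listen.strip(), p, b, is_loopback(b)) for p, b in passes]
    return rows

# Constructed sample modelled on the two <VirtualHost> blocks shown above.
SAMPLE_CONF = """\
<VirtualHost *:80>
    ServerName searcher.htb
    ProxyPass / http://127.0.0.1:5000/
    ProxyPassReverse / http://127.0.0.1:5000/
</VirtualHost>
<VirtualHost *:80>
    ServerName gitea.searcher.htb
    ProxyPass / http://127.0.0.1:3000/
</VirtualHost>
"""

if __name__ == "__main__":
    for row in proxied_backends(SAMPLE_CONF):
        print(row)
```

A loopback bind alone does not restrict access once a virtual host proxies to it, so every row flagged as loopback is a service that needs its own authentication review.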

svc@busqueda:~$ ll
total 44K
4.0K drwx------ 3 svc  svc  4.0K Nov 27 18:20 .gnupg
4.0K drwxr-x--- 6 svc  svc  4.0K Nov 27 18:04 .
4.0K drwx------ 3 svc  svc  4.0K Nov 27 18:03 snap
4.0K -rw-r----- 1 root svc    33 Nov 27 15:51 user.txt
   0 lrwxrwxrwx 1 root root    9 Apr  3  2023 .mysql_history -> /dev/null
4.0K -rw-rw-r-- 1 svc  svc    76 Apr  3  2023 .gitconfig
4.0K drwx------ 2 svc  svc  4.0K Feb 28  2023 .cache
   0 lrwxrwxrwx 1 root root    9 Feb 20  2023 .searchor-history.json -> /dev/null
   0 lrwxrwxrwx 1 root root    9 Feb 20  2023 .bash_history -> /dev/null
4.0K drwxr-xr-x 3 root root 4.0K Dec 22  2022 ..
4.0K drwxrwxr-x 5 svc  svc  4.0K Jun 15  2022 .local
4.0K -rw-r--r-- 1 svc  svc   220 Jan  6  2022 .bash_logout
4.0K -rw-r--r-- 1 svc  svc  3.7K Jan  6  2022 .bashrc
4.0K -rw-r--r-- 1 svc  svc   807 Jan  6  2022 .profile
 
svc@busqueda:~$ cat .gitconfig
[user]
	email = cody@searcher.htb
	name = cody
[core]
	hooksPath = no-hooks

Checking the home directory of the svc account uncovers a relevant file; .gitconfig

The .gitconfig file stores user-specific configuration settings for Git. Users can customize Git behavior by editing this file manually or by using the git config command

It contains a username; cody

svc@busqueda:~$ ll /var/www/app
total 20K
4.0K drwxr-xr-x 8 www-data www-data 4.0K Nov 27 15:51 .git
4.0K drwxr-xr-x 4 root     root     4.0K Apr  4  2023 ..
4.0K drwxr-xr-x 4 www-data www-data 4.0K Apr  3  2023 .
4.0K drwxr-xr-x 2 www-data www-data 4.0K Dec  1  2022 templates
4.0K -rw-r--r-- 1 www-data www-data 1.1K Dec  1  2022 app.py

There is a GIT repository in the web root directory; /var/www/app/.git

svc@busqueda:/var/www/app$ git rev-list --count HEAD
fatal: detected dubious ownership in repository at '/var/www/app'
To add an exception for this directory, call:
 
	git config --global --add safe.directory /var/www/app

The output indicates an ownership issue: the repository belongs to www-data, while Git is being run as the svc account

svc@busqueda:/var/www/app$ git config --global --add safe.directory /var/www/app/.git

I can add the directory

svc@busqueda:/var/www/app/.git$ git log
commit 5ede9ed9f2ee636b5eb559fdedfd006d2eae86f4
Author: administrator <administrator@gitea.searcher.htb>
Date:   Sun Dec 25 12:14:21 2022 +0000
 
    Initial commit

There appears to be only a single commit by the administrator user

svc@busqueda:~$ ll /var/www/app/.git
total 52K
4.0K drwxr-xr-x 8 www-data www-data 4.0K Nov 27 15:51 .
4.0K -rw-r--r-- 1 root     root      259 Apr  3  2023 index
4.0K drwxr-xr-x 4 www-data www-data 4.0K Apr  3  2023 ..
4.0K drwxr-xr-x 2 www-data www-data 4.0K Dec  1  2022 branches
4.0K -rw-r--r-- 1 www-data www-data   15 Dec  1  2022 COMMIT_EDITMSG
4.0K -rw-r--r-- 1 www-data www-data  294 Dec  1  2022 config
4.0K -rw-r--r-- 1 www-data www-data   73 Dec  1  2022 description
4.0K -rw-r--r-- 1 www-data www-data   21 Dec  1  2022 HEAD
4.0K drwxr-xr-x 2 www-data www-data 4.0K Dec  1  2022 hooks
4.0K drwxr-xr-x 2 www-data www-data 4.0K Dec  1  2022 info
4.0K drwxr-xr-x 3 www-data www-data 4.0K Dec  1  2022 logs
4.0K drwxr-xr-x 9 www-data www-data 4.0K Dec  1  2022 objects
4.0K drwxr-xr-x 5 www-data www-data 4.0K Dec  1  2022 refs

Checking the repository directory manually reveals a few key files for enumeration

CLEARTEXT Credential


svc@busqueda:~$ cat /var/www/app/.git/COMMIT_EDITMSG
Initial commit
 
svc@busqueda:~$ cat /var/www/app/.git/config
[core]
	repositoryformatversion = 0
	filemode = true
	bare = false
	logallrefupdates = true
[remote "origin"]
	url = http://cody:jh1usoih2bkjaspwe92@gitea.searcher.htb/cody/Searcher_site.git
	fetch = +refs/heads/*:refs/remotes/origin/*
[branch "main"]
	remote = origin
	merge = refs/heads/main

While the COMMIT_EDITMSG file indicates that this repository holds only the initial commit, the config file reveals a CLEARTEXT credential for the gitea.searcher.htb virtual host; cody:jh1usoih2bkjaspwe92

While I will continue to enumerate the Gitea instance using this credential, it might also have been re-used. It must be checked for password reuse
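The finding above, a password stored inside a remote URL in .git/config, is straightforward to audit for on hosts you administer. The following is an added example, not part of the original write-up: it parses Git config text, reports remotes whose url or pushurl embeds a password, and redacts the secret in its output. The function names and the sample config (with a placeholder secret) are constructed for illustration.

```python
import os
import re
from urllib.parse import urlsplit, urlunsplit

SECTION_RE = re.compile(r'^\s*\[\s*([\w.-]+)(?:\s+"([^"]*)")?\s*\]')
KEYVAL_RE = re.compile(r'^\s*([A-Za-z][\w-]*)\s*=\s*(.*?)\s*$')

def remotes_with_secrets(config_text):
    """Return [(remote, user, redacted_url)] for remote URLs that embed a password."""
    findings, section, name = [], None, None
    for line in config_text.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue  # comment line
        m = SECTION_RE.match(line)
        if m:
            section, name = m.group(1).lower(), m.group(2)
            continue
        m = KEYVAL_RE.match(line)
        if not m or section != "remote" or m.group(1).lower() not in ("url", "pushurl"):
            continue
        parts = urlsplit(m.group(2))
        if parts.password is None:
            continue  # ssh:// or credential-free URL
        host = (parts.hostname or "") + (f":{parts.port}" if parts.port else "")
        redacted = parts._replace(netloc=f"{parts.username}:***@{host}")
        findings.append((name, parts.username, urlunsplit(redacted)))
    return findings

def scan_tree(root):
    """Check every .git/config under root; return {config_path: findings}."""
    report = {}
    for dirpath, dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath) == ".git" and "config" in filenames:
            path = os.path.join(dirpath, "config")
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = remotes_with_secrets(fh.read())
            if hits:
                report[path] = hits
            dirnames[:] = []  # nothing else of interest below .git
    return report

# Constructed sample in the shape of the config above (placeholder secret).
SAMPLE = """[remote "origin"]
\turl = http://alice:EXAMPLE-PASSWORD@git.example.internal/alice/site.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[remote "mirror"]
\turl = ssh://git@git.example.internal/alice/site.git
"""

if __name__ == "__main__":
    print(remotes_with_secrets(SAMPLE))
```

Any remote it reports should have the password rotated and the URL rewritten to use a credential helper or SSH key instead.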

GUI


It is indeed hosting a Gitea instance

The version information can be seen at the footer; 1.18.0+rc1

Authenticating with the found credential, I am presented with the profile page of the cody user. The page contains the repository for the Searchor web app

I thoroughly scanned all accessible endpoints, but discovered nothing noteworthy.