Web


Nmap discovered a web server on target port 3000. The running service identifies itself as a Golang net/http server.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/roquefort]
└─$ curl -I -X OPTIONS http://$IP:3000/
HTTP/1.1 404 Not Found
Content-Type: text/html; charset=UTF-8
Set-Cookie: lang=en-US; Path=/; Max-Age=2147483647
Set-Cookie: i_like_gitea=a38ff15450ee4331; Path=/; HttpOnly
Set-Cookie: _csrf=rJgRBM5qOxWmttYVBVqZDpuzKnY6MTc0Mzc2NjcwNjAzMDA1ODk2OQ%3D%3D; Path=/; Expires=Sat, 05 Apr 2025 11:38:26 GMT; HttpOnly
X-Frame-Options: SAMEORIGIN
Date: Fri, 04 Apr 2025 11:38:26 GMT
Transfer-Encoding: chunked
 
 
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/roquefort]
└─$ curl -I http://$IP:3000/        
HTTP/1.1 200 OK
Set-Cookie: lang=en-US; Path=/; Max-Age=2147483647
Set-Cookie: i_like_gitea=d99822d469f0d31c; Path=/; HttpOnly
Set-Cookie: _csrf=LlhZDsVd64sgsObjYCMxEjLRK6Q6MTc0Mzc2NjcwODYyMTc5MTM0NA%3D%3D; Path=/; Expires=Sat, 05 Apr 2025 11:38:28 GMT; HttpOnly
X-Frame-Options: SAMEORIGIN
Date: Fri, 04 Apr 2025 11:38:28 GMT

Webroot: a Gitea instance. The i_like_gitea session cookie in the responses above already identifies the software before the page is rendered.

Registration


Creating a testing account

Authentication


Authenticated as the testing account

Creating Repository


Creating a testing repository

Git Hook


The testing account can edit the repository's server-side Git hooks (pre-receive, update, post-receive). Gitea only exposes this to site administrators, or to users an administrator has explicitly granted the permission, so a freshly registered account having it points to a misconfiguration. These hooks are plain scripts executed by the Gitea process on the server every time the repository receives a push, so editing one amounts to arbitrary command execution on the target.
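To make the mechanism concrete, here is an added example (not from the original writeup and not Gitea's own code) that reproduces locally what a Git hook edit does: a bare repository stands in for the one Gitea keeps on disk, a post-receive hook is written into it by hand in place of the web form, and an ordinary push from a clone fires it. It assumes git is installed and uses no network; the marker file path and the "pentester" identity are made up for the demo.

```shell
#!/bin/sh
# Added example: why editable server-side Git hooks mean code execution.
# A bare repo simulates the one Gitea stores; editing the hook in the Gitea UI
# writes the same kind of file this script writes by hand.

demo_hook() {
  tmp=$(mktemp -d)
  bare="$tmp/server.git"        # stands in for Gitea's repository on disk
  work="$tmp/client"            # stands in for the attacker's clone
  marker="$tmp/hook-ran.txt"    # proof that the hook ran server-side

  git -c init.defaultBranch=main init -q --bare "$bare"
  mkdir -p "$bare/hooks"        # minimal git installs may ship no hook templates

  # The hook body is what the Gitea "Git Hooks" form lets the user supply.
  # It runs on the server, as the account that owns the repositories, on every push.
  cat > "$bare/hooks/post-receive" <<EOF
#!/bin/sh
echo "hook executed as \$(id -un) in \$(pwd)" > "$marker"
EOF
  chmod +x "$bare/hooks/post-receive"

  # The trigger is a normal push; nothing special is needed on the client side.
  git -c init.defaultBranch=main init -q "$work"
  ( cd "$work" \
    && echo trigger > README.md \
    && git add README.md \
    && git -c user.name=pentester -c user.email=pentester@example.invalid \
         commit -q -m "trigger hook" \
    && git push -q "$bare" HEAD:refs/heads/main 2>/dev/null )

  if [ -f "$marker" ]; then
    cat "$marker"               # e.g. "hook executed as <user> in /tmp/.../server.git"
    rm -rf "$tmp"
    return 0
  fi
  rm -rf "$tmp"
  return 1
}

# Run the demo when executed directly.
[ "${0##*/}" = "hook_demo.sh" ] && demo_hook
```

On a real Gitea server the process owner is typically the git service account, so a hook payload lands with that account's rights, which is what the privilege-escalation phase then builds on.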

Version Information


The version information is disclosed in the footer:

  • Gitea 1.7.5
  • Go 1.12.1

Vulnerabilities


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/roquefort]
└─$ searchsploit Gitea 1.7.5
------------------------------------ ---------------------------------
 Exploit Title                      |  Path
------------------------------------ ---------------------------------
Gitea 1.7.5 - Remote Code Execution | multiple/webapps/49383.py
------------------------------------ ---------------------------------
Shellcodes: No Results
Papers: No Results

Searchsploit lists a public RCE exploit for this exact version (EDB-ID 49383), tracked as CVE-2019-11229. Gitea 1.7.5 falls inside the affected range, so the target instance should be vulnerable; the exploit is worth reading before it is run, so that what it does on the target is understood.

Fuzzing


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/roquefort]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -u http://$IP:3000/FUZZ -ic -e .html,.txt
________________________________________________
 :: Method           : GET
 :: URL              : http://192.168.206.67:3000/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
 :: Extensions       : .html .txt 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
admin                   [Status: 302, Size: 34, Words: 2, Lines: 3, Duration: 53ms]
debug                   [Status: 200, Size: 160, Words: 18, Lines: 5, Duration: 75ms]
explore                 [Status: 302, Size: 37, Words: 2, Lines: 3, Duration: 46ms]
healthcheck             [Status: 200, Size: 26, Words: 4, Lines: 2, Duration: 54ms]
issues                  [Status: 302, Size: 34, Words: 2, Lines: 3, Duration: 54ms]
notifications           [Status: 302, Size: 34, Words: 2, Lines: 3, Duration: 48ms]
:: Progress: [61434/61434] :: Job [1/1] :: 694 req/sec :: Duration: [0:01:29] :: Errors: 0 ::
 
 
 
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/roquefort]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u http://$IP:3000/FUZZ/ -ic
________________________________________________
 :: Method           : GET
 :: URL              : http://192.168.206.67:3000/FUZZ/
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
                        [Status: 200, Size: 9944, Words: 752, Lines: 315, Duration: 73ms]
admin                   [Status: 302, Size: 34, Words: 2, Lines: 3, Duration: 94ms]
issues                  [Status: 302, Size: 34, Words: 2, Lines: 3, Duration: 61ms]
explore                 [Status: 302, Size: 37, Words: 2, Lines: 3, Duration: 45ms]
debug                   [Status: 200, Size: 160, Words: 18, Lines: 5, Duration: 36ms]
notifications           [Status: 302, Size: 34, Words: 2, Lines: 3, Duration: 40ms]
healthcheck             [Status: 200, Size: 26, Words: 4, Lines: 2, Duration: 89ms]
:: Progress: [207630/207630] :: Job [1/1] :: 289 req/sec :: Duration: [0:05:15] :: Errors: 0 ::

N/A