Older versions of Gitea are susceptible to various vulnerabilities, including through Git hooks. If you can gain administrative access to a repository, you can often execute commands on the underlying server.

The Attack Path

If /var/run/docker.sock is accessible, you can use it to spawn a new container that mounts the host's root filesystem.

👑 Phase 4: Privilege Escalation to Root

Always keep Gitea and other web services patched to the latest version.

Gitea is the primary vector for gaining a foothold on this machine.

Identifying the Vulnerability

Ensure that configuration files for security tools like Fail2Ban are only writable by the root user.

Enumeration inside the container reveals that it has access to specific files or the Docker socket.

Purposely fail several SSH login attempts to trigger Fail2Ban. When Fail2Ban executes the modified action script to "ban" you, it executes your malicious command as the root user.

🛡️ Key Takeaways & Mitigation

Once you have a shell, you will likely find yourself inside a .

Escaping the Container


Hackfail.htb Today

