Gitlab
Get GitLab Version: The only way to footprint the GitLab version number in use is by browsing to the /help page when logged in.
These Git repositories may just hold publicly available code such as scripts to interact with an API. We may also find scripts or configuration files that were accidentally committed containing cleartext secrets such as passwords, and we may come across SSH private keys. We can attempt to use the search function to search for users, passwords, etc.
Applications such as GitLab allow for three levels of repository visibility:
- Public repositories (require no authentication)
- Internal repositories (available to authenticated users)
- Private repositories (restricted to specific users)
It is also worth perusing any public repositories for sensitive data. If the application allows, register an account and look to see if any interesting internal repositories are accessible.
We do not recommend launching various exploits at an application
Enumerating
The first thing we should try is browsing to /explore and see if there are any public projects that may contain something interesting. Search inside the projects and look around; you could find interesting things such as production code that we can find a bug in after a code review, hard-coded credentials, a script or configuration file containing credentials, or other secrets such as an SSH private key or API key.
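The secrets described above (hard-coded passwords, API keys, SSH private keys committed into scripts and configuration files) are exactly what a repository owner should be scanning for before a project is made public or internal. The following is an added example, not code from the original page or from GitLab itself: a small offline secret scanner that runs the kinds of patterns a reviewer looks for over a mapping of file paths to file contents. The regexes, the placeholder list and the sample repository contents are all constructed for illustration; a real deployment would feed it the output of git ls-files or run it as a pre-receive hook.

```python
import re
from typing import Dict, List, Tuple

# Illustrative patterns for the secret types the page mentions. These are
# assumptions chosen for the example, not an exhaustive or official rule set.
SECRET_PATTERNS: Dict[str, re.Pattern] = {
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "password_assignment": re.compile(
        r"(?i)\b(?:password|passwd|pwd|db_pass)\b\s*[:=]\s*['\"]?([^\s'\"]{6,})"
    ),
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic_api_key": re.compile(
        r"(?i)\b(?:api[_-]?key|secret[_-]?key|access[_-]?token)\b\s*[:=]\s*['\"]?([A-Za-z0-9_\-]{16,})"
    ),
}

# Values that look like secrets but are obvious placeholders; skipping them
# keeps the report focused on real leaks.
PLACEHOLDERS = {"changeme", "password", "xxxxxxxx", "<redacted>", "example"}


def scan_text(path: str, text: str) -> List[Tuple[str, int, str]]:
    """Return (path, line_number, pattern_name) for every suspicious line."""
    findings: List[Tuple[str, int, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS.items():
            match = pattern.search(line)
            if not match:
                continue
            # Use the captured value when the pattern has one, else the whole hit.
            value = match.group(1) if match.groups() else match.group(0)
            if value.lower() in PLACEHOLDERS:
                continue
            findings.append((path, lineno, name))
    return findings


def scan_repo(files: Dict[str, str]) -> List[Tuple[str, int, str]]:
    """Scan a mapping of path -> contents; paths are visited in sorted order."""
    findings: List[Tuple[str, int, str]] = []
    for path, text in sorted(files.items()):
        findings.extend(scan_text(path, text))
    return findings


# Constructed sample repository (not taken from any real project).
SAMPLE_REPO = {
    "scripts/sync.py": "import requests\nAPI_KEY = 'sk_live_1234567890abcdefXYZ'\n",
    "config/database.yml": "production:\n  username: app\n  password: Summ3rTime2021!\n",
    "deploy/id_rsa": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "b3BlbnNzaC1rZXktdjEAAAAA...\n"
        "-----END OPENSSH PRIVATE KEY-----\n"
    ),
    "README.md": "Set PASSWORD=changeme before running.\n",
    ".env.example": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
}

if __name__ == "__main__":
    for path, lineno, name in scan_repo(SAMPLE_REPO):
        print(f"{path}:{lineno}: {name}")
```

The README hit is suppressed because "changeme" is a placeholder, while the four remaining files each produce one finding; the AKIA key in .env.example is AWS's documented example key and is reported on purpose, since a scanner cannot know which example files are safe without an explicit allow-list.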
Explore each of the pages linked in the top left: groups, snippets, and help. We should check and see if we can register an account and access additional projects.
User enumeration
Use the registration form /users/sign_up to enumerate valid users. Doing that, we could attempt to guess weak passwords or possibly re-use credentials that we find from a password dump using a tool such as Dehashed.
As with any type of password spraying attack, we should be mindful of account lockout and other kinds of interruptions. GitLab's defaults are set to 10 failed attempts resulting in an automatic unlock after 10 minutes.
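The lockout default above is the defender's side of the same coin: 10 failures on one account triggers a lock, so a spray that spreads one or two guesses across many accounts never trips it. The following is an added example, not code from the original page or from GitLab: a detector that groups failed logins by source IP over a 10-minute window and flags a source either as spraying (many distinct accounts, each below the lockout threshold) or as brute force (one account pushed past the threshold). The JSON line format, the sample log lines and the MIN_DISTINCT_USERS threshold are assumptions constructed for the example; GitLab's own authentication log layout is not reproduced here.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

LOCKOUT_THRESHOLD = 10           # GitLab default: 10 failed attempts lock the account
WINDOW = timedelta(minutes=10)   # GitLab default: automatic unlock after 10 minutes
MIN_DISTINCT_USERS = 5           # assumption: distinct accounts from one IP that count as spraying


def parse_events(lines: List[str]) -> List[dict]:
    """Parse constructed JSON log lines, keeping only failed logins, sorted by time."""
    events = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("event") != "login_failed":
            continue
        events.append({
            "time": datetime.fromisoformat(rec["time"]),
            "ip": rec["ip"],
            "user": rec["user"],
        })
    events.sort(key=lambda e: e["time"])
    return events


def classify_source(evs: List[dict]) -> Optional[dict]:
    """Slide a WINDOW over one IP's failures and return the first alert it trips."""
    start = 0
    for end in range(len(evs)):
        # Drop events that fell out of the window relative to the newest one.
        while evs[end]["time"] - evs[start]["time"] > WINDOW:
            start += 1
        per_user = Counter(e["user"] for e in evs[start:end + 1])
        distinct, max_hits = len(per_user), max(per_user.values())
        if distinct >= MIN_DISTINCT_USERS:
            kind = "spray"
        elif max_hits >= LOCKOUT_THRESHOLD:
            kind = "brute_force"
        else:
            continue
        return {
            "kind": kind,
            "distinct_users": distinct,
            "max_per_user": max_hits,
            # True means GitLab's lockout alone would not have stopped this source.
            "under_lockout": max_hits < LOCKOUT_THRESHOLD,
        }
    return None


def detect(lines: List[str]) -> Dict[str, dict]:
    """Return {source_ip: alert} for every IP whose failures look like an attack."""
    by_ip: Dict[str, List[dict]] = defaultdict(list)
    for e in parse_events(lines):
        by_ip[e["ip"]].append(e)
    alerts = {}
    for ip, evs in by_ip.items():
        alert = classify_source(evs)
        if alert:
            alerts[ip] = alert
    return alerts


# Constructed sample log (documentation IP ranges, invented usernames).
SAMPLE_LOG = [
    '{"time":"2021-05-01T10:00:00","event":"login_failed","user":"alice","ip":"203.0.113.5"}',
    '{"time":"2021-05-01T10:01:30","event":"login_failed","user":"bob","ip":"203.0.113.5"}',
    '{"time":"2021-05-01T10:03:00","event":"login_failed","user":"carol","ip":"203.0.113.5"}',
    '{"time":"2021-05-01T10:04:30","event":"login_failed","user":"dave","ip":"203.0.113.5"}',
    '{"time":"2021-05-01T10:06:00","event":"login_failed","user":"erin","ip":"203.0.113.5"}',
    '{"time":"2021-05-01T10:07:30","event":"login_failed","user":"frank","ip":"203.0.113.5"}',
    # A legitimate user mistyping twice, then succeeding: no alert expected.
    '{"time":"2021-05-01T10:00:10","event":"login_failed","user":"bob","ip":"192.0.2.10"}',
    '{"time":"2021-05-01T10:00:40","event":"login_failed","user":"bob","ip":"192.0.2.10"}',
    '{"time":"2021-05-01T10:01:00","event":"login_success","user":"bob","ip":"192.0.2.10"}',
]
# Twelve rapid failures against one account from another source: brute force.
SAMPLE_LOG += [
    f'{{"time":"2021-05-01T11:00:{i:02d}","event":"login_failed","user":"alice","ip":"198.51.100.7"}}'
    for i in range(12)
]

if __name__ == "__main__":
    for ip, alert in detect(SAMPLE_LOG).items():
        print(ip, alert)
```

Run stand-alone it reports 203.0.113.5 as a spray that stayed under the lockout threshold and 198.51.100.7 as brute force that the lockout would have caught; the spraying source is the one only log correlation, not the lockout setting, can surface.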
Exploits
https://www.exploit-db.com/exploits/49821
Interesting blogs
https://tillsongalloway.com/finding-sensitive-information-on-github/index.html