15.Gitlab-discovery-and-enumeration

1. Discovery

Web Browser:

  • Visiting the GitLab URL directly will usually display the GitLab login page, revealing its presence.

2. Enumeration

Version Enumeration:

  • The GitLab version is typically found on the /help page, but it requires authentication.

  • If registration is disabled, low-risk exploits might be attempted, but this is generally discouraged without explicit permission.

Public Projects (/explore):

  • Visit the /explore page to find public projects.

  • These projects may contain:

    • API interaction scripts.

    • Configuration files with secrets.

    • SSH private keys.

    • Source code for vulnerability analysis.

Registration (/users/sign_up):

  • Attempt to register an account.

  • If successful, the new account may grant access to internal projects that are not visible to anonymous visitors.

  • Use the registration form to enumerate valid usernames and email addresses.

    • Trying to register an account with an existing email will produce the error "Email has already been taken".

    • Trying to register an account with an existing username will produce the error "Username has already been taken".

Credential Testing (OSINT):

  • If credentials are obtained from OSINT (e.g., Dehashed), attempt to log in.

Internal Projects:

  • Once logged in, check the /explore page again for internal projects that are now available.

  • Review the source code of internal projects for sensitive information.

Search Functionality:

  • Use the search function within GitLab to look for sensitive information like passwords, API keys, and usernames.

Groups and Snippets:

  • Explore the "groups" and "snippets" sections for potentially valuable information.

3. Security Considerations

Two-Factor Authentication (2FA):

  • GitLab's 2FA is disabled by default, creating a security risk.

Fail2Ban:

  • Implement Fail2Ban to block brute-force login attempts.
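As an added example (not part of the original notes, and not GitLab's or Fail2Ban's own code), a small defender-side check in the spirit of the Fail2Ban recommendation: it parses constructed nginx-style access log lines and flags source IPs that repeatedly submit the registration or login form, the traffic pattern the registration-enumeration and credential-testing steps above would produce. The sample lines, the "failed submission re-renders with 200, success redirects with 302" heuristic, and the thresholds are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Forms the enumeration steps touch: registration (username/email disclosure via
# "has already been taken") and login (credential testing / brute force).
WATCHED = {"/users/sign_up", "/users/sign_in"}
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines in nginx "combined" format (illustrative, not real traffic):
# one source hammering the registration form, one normal login, one page view, one junk line.
LOG_LINES = [
    f'203.0.113.7 - - [10/Oct/2023:13:55:{s:02d} +0000] "POST /users/sign_up HTTP/1.1" 200 5120 "-" "curl/8.0"'
    for s in range(5, 60, 10)
] + [
    '198.51.100.20 - - [10/Oct/2023:14:01:02 +0000] "POST /users/sign_in HTTP/1.1" 200 4800 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [10/Oct/2023:14:01:40 +0000] "POST /users/sign_in HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.5 - - [10/Oct/2023:14:02:11 +0000] "GET /explore HTTP/1.1" 200 9100 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]

def parse_line(line):
    """Return (ip, timestamp, method, path, status) for a combined-format line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    path = m["path"].split("?", 1)[0]  # drop query string so the same form groups together
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), m["method"], path, int(m["status"])

def find_form_abuse(lines, threshold=5, window=timedelta(minutes=10)):
    """Map (ip, path) -> peak count of rejected POSTs to a watched form within one sliding window.
    Assumption: a rejected submission re-renders the form (HTTP 200), success redirects (302)."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method == "POST" and path in WATCHED and status == 200:
            events[(ip, path)].append(ts)
    flagged = {}
    for key, stamps in events.items():
        stamps.sort()
        best, start = 0, 0
        for end, ts in enumerate(stamps):          # two-pointer sliding window
            while ts - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[key] = best
    return flagged

if __name__ == "__main__":
    print(find_form_abuse(LOG_LINES))  # {('203.0.113.7', '/users/sign_up'): 6}
```

A real deployment would feed the same logic to a Fail2Ban filter or SIEM rule and block or alert on the flagged source, rather than print.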

IP Restrictions:

  • Restrict GitLab access to specific IP addresses if it must be externally accessible.

Account Registration:

  • Restrict account registration to company email addresses and require administrative approval.

Key Takeaways

  • GitLab repositories can contain sensitive information.

  • Enumerating user accounts and email addresses is possible through the registration process.

  • Public projects and internal repositories are valuable sources of information.

  • Proper security configurations are crucial to protect GitLab instances.
