Web


Nmap discovered a web server on the target port 5080. The service running is nginx.

While the robots.txt file is confirmed to be present, I see GitLab in the title of the web server.

Requesting the web root immediately redirected me to a sign-in page at /users/sign_in, so it is indeed a GitLab instance.

GitLab is a web-based Git repository manager that provides source code management, continuous integration/continuous delivery (CI/CD) pipeline, and project management features. It offers a complete DevOps platform with built-in security and governance controls for collaborating on software development projects. GitLab can be self-hosted or used as a cloud-based service.

The default credentials do not seem to work.

It is also common practice to check /explore for potential credentials. No luck here, as there is nothing.

Sign-up


While attempting to create a testing account, I found something interesting. The GitLab instance checks whether a username already exists during sign-up, so I may be able to enumerate users this way.

Nevertheless, I changed the username to tester, and it seems to be available.

Clicking the Register button leads to a 404 page.

Authenticated


Navigating to the web root reveals that I am now authenticated.

Project


Heading over to /explore/projects reveals a single repository: dude / ready-channel.

The dude / ready-channel repository appears to be an internal web server. Judging by its IP address, it could be a Docker container.

While I do not see anything major in those files and directories, I will check for version information.

Version


GitLab lets signed-in users identify the version of the running instance: /help reveals GitLab Community Edition 11.4.7.

Vulnerability


While there are a total of 369 CVEs affecting GitLab Community Edition 11.4.7, I found that only a handful of them have publicly available exploits.

┌──(kali㉿kali)-[~/archive/htb/labs/ready]
└─$ searchsploit GitLab 11.4.7
------------------------------------------------------------- ---------------------------------
 Exploit Title                                               |  Path
------------------------------------------------------------- ---------------------------------
GitLab 11.4.7 - RCE (Authenticated) (2)                      | ruby/webapps/49334.py
GitLab 11.4.7 - Remote Code Execution (Authenticated) (1)    | ruby/webapps/49257.py
------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results

Exploit-DB has one, for instance, which appears to chain [[Ready_CVE-2018-19571#CVE-2018-19571|CVE-2018-19571]], [[Ready_CVE-2018-19585#CVE-2018-19585|CVE-2018-19585]], and [[Ready_CVE-2020-10977#CVE-2020-10977|CVE-2020-10977]].

Moving on to the Exploitation phase.