About me

Gitlab Attacks

  • It is open-source and originally written in Ruby, but the current technology stack includes Go, Ruby on Rails, and Vue.js

  • a GitLab instance can be set up to allow anyone to register and then log in.

Foot printing & Discovery

  • The only way to footprint the GitLab version number in use is by browsing to the /help page when logged in.

    • If the GitLab instance allows us to register an account, we can log in and browse to this page to confirm the version.

Enumeration

  • The first thing we should try is browsing to /explore and see if there are any public projects that may contain something interesting.

  • If we try to register with an email that has already been taken, we will get the error

    • 1 error prohibited this user from being saved: Email has already been taken.

    • As of the time of writing, this username enumeration technique works with the latest version of GitLab.

    • Even if the Sign-up enabled checkbox is cleared within the settings page under Sign-up restrictions,

      • we can still browse to the /users/sign_up page and enumerate users but will not be able to register a user.

Attacking GitLab

Username enumerations

  • failtoban exist only works for 13.10.3

./gitlab_userenum.sh --url http://gitlab.inlanefreight.local:8081/ --userlist users.txt
PreviousPRTG Network Monitor AttacksNextTomcat CGI Attacks

Last updated