GitLab LFI and Cookie Deserialization

git, deserial, foothold, rce, lfi

Overview

An attacker can obtain secret_key_base from /opt/gitlab/embedded/service/gitlab-rails/config/secrets.yml and use it to generate a shell payload that is turned into RCE via a cookie deserialization attack.
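A defender-side check for the situation described above, as an added example that is not part of the original page or of GitLab's code: it triages logged cookie values by inspecting them, without ever deserializing them. It assumes the Rails-style signed format `<base64 data>--<hex HMAC-SHA1>` and that `key` is the derived signing key; all function names and the sample key are hypothetical and the sample cookies are constructed.

```ruby
require "openssl"
require "json"

MARSHAL_MAGIC = "\x04\x08".b # Ruby Marshal stream header (format version 4.8)

# Split a signed value "<base64 data>--<hex digest>" (assumed already URL-decoded).
def split_signed(cookie)
  data, digest = cookie.to_s.split("--", 2)
  return nil if data.to_s.empty? || digest !~ /\A\h+\z/
  [data, digest]
end

# Classify the payload by inspection only; it is never passed to Marshal.load.
def payload_kind(data)
  raw = data.unpack1("m") # lenient base64 decode, returns a binary string
  return :marshal if raw.start_with?(MARSHAL_MAGIC)
  JSON.parse(raw)
  :json
rescue StandardError
  :unknown
end

def signature_valid?(data, digest, key)
  OpenSSL.secure_compare(OpenSSL::HMAC.hexdigest("SHA1", key, data), digest)
end

# A valid signature only proves the signer held the key. If secrets.yml was
# readable, a validly signed Marshal payload is the highest-priority finding.
def triage(cookie, key)
  data, digest = split_signed(cookie)
  return :not_signed unless data
  valid = signature_valid?(data, digest, key)
  if payload_kind(data) == :marshal
    valid ? :alert_marshal_valid_signature : :alert_marshal_bad_signature
  else
    valid ? :ok : :bad_signature
  end
end

# Constructed samples: benign payloads signed with a made-up key.
SAMPLE_KEY = "constructed-signing-key-not-a-real-secret"
def sample_cookie(serialized, key = SAMPLE_KEY)
  data = [serialized].pack("m0")
  "#{data}--#{OpenSSL::HMAC.hexdigest("SHA1", key, data)}"
end

if __FILE__ == $PROGRAM_NAME
  [sample_cookie(JSON.generate({ "id" => 1 })),
   sample_cookie(Marshal.dump({ "id" => 1 })),
   sample_cookie(Marshal.dump({ "id" => 1 }), "other-key")].each { |c| puts triage(c, SAMPLE_KEY) }
end
```

An `:alert_marshal_valid_signature` result means the signing secret should be treated as exposed and rotated, since the signature no longer distinguishes the application's own cookies from forged ones.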

Requirements and Environment Setup

Versions Affected

Troubleshooting

References