Gitlab
Credentials #
root:<random token set during installation>
Finding version #
- Log in > help
Interesting Files and Directories #
# contains private key
/opt/gitlab/embedded/service/gitlab-rails/config/secrets.yml
# contains root password
# gitlab_rails['initial_root_password'] = '<my_strong_password>'
/etc/gitlab/gitlab.rb
cat /etc/gitlab/gitlab.rb | grep git_data_dirs
# - Contains repositories from other users
# - Looks like only contains bare repos, no actual files
/var/opt/gitlab/git-data/repositories
# You can find clues here about private or hidden repos
grep -r securedocker /var/log/gitlab 2> /dev/null
Commands #
# gitlab console - can be used for management such as password
# resets
# https://docs.gitlab.com/ee/administration/troubleshooting/gitlab_rails_cheat_sheet.html
gitlab-rails console
# Mirroring an exposed .git directory and recreating the files
wget --mirror -I .git 10.10.10.70/.git
git checkout -- .
Other Enumeration Methods #
- Check public projects
- Check users
- Check activities
- Look for private projects
Signup #
- There might be whitelisted domains on emails you can use
- Try to use the domain of the box