Writeup DGA - CTF - Gitbad
This article describes my solution for the 150-point challenge called “Gitbad”.
La plateforme Gitlab créée par un stagiaire de DGA MI semble être ouverte à tous ! Vous devez en profiter pour retrouver des informations sensibles. Les comptes créés sur Gitlab sont validés toutes les trois secondes.
We have at our disposal a GitLab instance. It is necessary to be registered and logged in to manage our account and see more things.
Once registered, accounts are validated every three seconds, no account confirmation e-mail is sent. Once logged in, you can see that 6 repositories are present. I thought of looking through theses repositories but some of them had more than 240 commits. Doing these searches by hand was going would have taken too much time. So I used gittyleaks, a tool to search for sensitive information in a git repository.
After running this tool on all repositories, it didn’t give me anything very interesting.
Seeing the category of the challenge (web) I said to myself that there must be an exploitation at the level of the application itself. So I decided to look for the version of the GitLab instance.
The version of a GitLab instance can be found at
/help. So I get the version that is
GitLab Community Edition 8.3.0 and the
udpate asap is also displayed in red.
We can use
searchsploit to find an exploit. Having tried several exploits without success, I only show the one we are interested in.
searchsploit gitlab [...] GitLab - 'impersonate' Feature Privilege Escalation | ruby/webapps/40236.txt [...]
The id of this exploit is 40236. We can use the
-m flag to copy the information related to it.
searchsploit -m 40236 Exploit: GitLab - 'impersonate' Feature Privilege Escalation URL: https://www.exploit-db.com/exploits/40236 Path: /usr/share/exploitdb/exploits/ruby/webapps/40236.txt File Type: ASCII text, with CRLF line terminators Copied to: /home/ap/40236.txt
The person who detailed this feat really didn’t get pissed off, it’s very poorly explained. To explain very briefly, this vulnerability in the impersonation feature introduced in GitLab 8.2 would allow any signed in user to sign in as any other user (including admins).
The easiest way to exploit this vulnerability is to modify the HTML code of the modification form of our profile, it implies to be connected.
Unlike what is “explained” in the exploit file, the
authenticity_token token changes on every request, so it is not possible to exploit this vulnerability via a
To perform this feat, you need to know the administrator account ID. It can be found in the
Merge Requests tab, there is a drop-down list that displays all users and at the same time its ID which is
By browsing the
/profile route, you access a forum to modify your profile, here are the steps to do:
- locate the beginning of the HTML form,
- modify the
actionattribute of this form by
- modify the name of one of the fields (I modified the identifier of the
deletein the location field value,
- click on
Once the form is submitted, we are now an administrator. By displaying the admin area, you can see that a project you didn’t see before is now visible.
stephan/my-secret-project repository contains a commit (81b6f011) with the message
added my private key. By displaying this commit we can see the following content.
This flag is the one to validate this challenge.