Hacking GitLab Instances For A $5,000 Bounty (2 Examples)

NahamSec
18 Sept 2024, 14:31

Summary

TL;DR: This video script details a cybersecurity tutorial where the presenter, an ethical hacker, simulates discovering a publicly accessible GitLab instance. They explore potential vulnerabilities, leveraging the CI/CD Goat infrastructure and GitLab's API to clone repositories and search for sensitive data. The script highlights the importance of checking for misconfigurations in enterprise tools and using tools like TruffleHog to detect secrets. It also promotes an upcoming DevSecCon event and encourages viewers to engage with the content.

Takeaways

  • 📱 Ethical hackers and bug bounty hunters can exploit misconfigurations in CI/CD tools like GitLab to find vulnerabilities.
  • 📝 The speaker shares personal experiences with bug bounties, including one with NASA, to highlight the importance of responsible disclosure.
  • 💻 The video uses CI/CD Goat, a Docker-based infrastructure, to demonstrate potential security issues in CI/CD pipelines.
  • 💎 GitLab's REST API can be a target for attackers if not properly secured, allowing access to project information.
  • 👖 Simple brute-force or credential-stuffing attacks against GitLab logins can sometimes provide unauthorized access.
  • 🐯 The 'explore' feature on GitLab can inadvertently expose projects and sensitive information if not configured correctly.
  • 💵 The script emphasizes the importance of reviewing code and configurations to prevent unauthorized access to internal tools and applications.
  • 💲 Tools like TruffleHog can automate the process of finding sensitive information, such as tokens or credentials, within code repositories.
  • 💵 The video demonstrates how to use GitLab's API to enumerate projects and clone repositories, which can be a stepping stone for further attacks.
  • 💹 The potential to modify code in a repository and have it deployed to production environments can lead to significant security risks.
  • 📰 The speaker encourages viewers to look for misconfigurations in self-hosted enterprise tools as potential entry points for security breaches.

Q & A

  • What is the main focus of the video script?

    -The main focus of the video script is to demonstrate what an ethical hacker would do upon gaining access to a GitLab instance, with an emphasis on finding vulnerabilities in CI/CD pipelines.

  • What does the speaker suggest doing first when accessing a GitLab instance?

    -The speaker suggests trying common default passwords like 'admin admin' to see if they work, and also exploring the option to register a new account to potentially gain a foothold into the application.

  • What is the significance of the NASA letter mentioned in the script?

    -The NASA letter signifies that the speaker had previously found a vulnerability in NASA's system and was thanked for it, which serves as a real-world example of the speaker's experience in ethical hacking.

  • What role does the 'cicd-goat' play in the script?

    -The 'cicd-goat' is used as a resource to build a test infrastructure using Docker, simulating a real-world scenario for the speaker to demonstrate their hacking process.

  • Why does the speaker emphasize the importance of checking the 'explore' feature in GitLab?

    -The 'explore' feature can provide an overview of various projects, some of which might be publicly accessible and could contain sensitive information or credentials that can be leveraged.

  • What is the significance of the REST API in the context of the script?

    -The REST API is significant because it allows the speaker to access and interact with GitLab programmatically, enabling them to retrieve information about projects and potentially clone repositories.

  • What does the speaker mean by 'poisoning the repository'?

    -The speaker refers to the potential of introducing malicious code into a repository with the aim of compromising the system when the code is deployed or executed.

  • Why does the speaker mention the importance of checking Dockerfiles?

    -Dockerfiles can provide insights into the application's structure, entry points, and dependencies, which can be useful for understanding how to potentially exploit the application.

  • What is the speaker's approach when they cannot access the 'explore' feature or find projects through it?

    -The speaker's approach is to use GitLab's API to directly access project information, clone repositories, and search for sensitive information or vulnerabilities.

  • What tool does the speaker use to scan for secrets in the cloned repositories?

    -The speaker uses TruffleHog, a tool designed to scan repositories for secrets and credentials that could potentially be exploited.

  • What is the final goal the speaker has in mind when modifying and pushing changes to a repository?

    -The final goal is to potentially gain unauthorized access to the company's infrastructure by modifying the source code in such a way that when it's redeployed, it could provide a shell back or other form of access.
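A defender-side counterpart to the API enumeration the summary describes: this added example (not code from the video or from this page) parses the JSON that GitLab's `GET /api/v4/projects` endpoint returns to an anonymous client and reports every project that is reachable without a login but lives outside the namespaces an organisation has deliberately made public. The sample response and the allowed-namespace set are constructed; an administrator would feed it the live body returned for the URL that `projects_url` builds.

```python
import json
from urllib.parse import urlencode

# Constructed sample of the JSON body that GET /api/v4/projects returns to an
# anonymous client. Only the fields the check needs are included.
SAMPLE_RESPONSE = json.dumps([
    {"id": 12, "path_with_namespace": "platform/billing-service",
     "visibility": "public", "default_branch": "main",
     "last_activity_at": "2024-09-01T10:00:00.000Z",
     "http_url_to_repo": "https://gitlab.example.internal/platform/billing-service.git"},
    {"id": 15, "path_with_namespace": "marketing/website",
     "visibility": "public", "default_branch": "main",
     "last_activity_at": "2024-08-20T08:30:00.000Z",
     "http_url_to_repo": "https://gitlab.example.internal/marketing/website.git"},
])

# Namespaces the organisation intends to be public (constructed assumption).
ALLOWED_PUBLIC_NAMESPACES = {"marketing"}


def projects_url(base_url, page=1, per_page=100):
    """Build the unauthenticated listing URL for one page of results.

    GitLab paginates this endpoint; follow the x-next-page response header
    until it is empty to cover every project.
    """
    query = urlencode({"visibility": "public", "simple": "true",
                       "per_page": per_page, "page": page})
    return f"{base_url.rstrip('/')}/api/v4/projects?{query}"


def unexpected_public_projects(body, allowed_namespaces):
    """Return public projects whose top-level namespace is not on the allow list."""
    findings = []
    for project in json.loads(body):
        if project.get("visibility") != "public":
            continue
        namespace = project["path_with_namespace"].split("/")[0]
        if namespace not in allowed_namespaces:
            findings.append({
                "path": project["path_with_namespace"],
                "clone_url": project["http_url_to_repo"],
                "last_activity_at": project["last_activity_at"],
            })
    return findings


if __name__ == "__main__":
    for f in unexpected_public_projects(SAMPLE_RESPONSE, ALLOWED_PUBLIC_NAMESPACES):
        print(f"UNEXPECTED PUBLIC: {f['path']} ({f['clone_url']})")
```

Any project the check reports should be reviewed for secrets in its history as well as having its visibility corrected, since a repository that was public for a while may already have been cloned.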


Related Tags: Ethical Hacking, CI/CD Security, GitLab Vulnerabilities, Bug Bounty, Cybersecurity, API Exploitation, Web Application, NASA Breach, Code Review, DevSecCon