Forum Discussion
CVE-2021-22205 (GitLab) – Offensive
Has anyone encountered an issue (or not) with this lab?
It seems fairly trivial to create the file using the remote GitLab instance IP and then use the commands included in the linked attackerkb article to upload the image with the reverse shell and gain access.
However, when I try to upload the image using the curl command I get a response 422 Unprocessable Entity.
In the HTML:
<div class="container">
<h3>The change you requested was rejected.</h3>
<hr />
<p>Make sure you have access to the thing you tried to change.</p>
<p>Please contact your GitLab administrator if you think this is a mistake.</p>
<a href="javascript:history.back()" class="js-go-back go-back">Go back</a>
</div>
Furthermore in the attackerkb article it states:
Finally, it's possible to determine if a remote GitLab instance is vulnerable based on its response to a POST request. For example:
albinolobster@ubuntu:~$ echo lollol > test.jpeg
albinolobster@ubuntu:~$ curl -v -F 'file=**[@test](/contributors/test)**.jpeg' http://10.0.0.7/$(openssl rand -hex 8)
The unpatched version will respond with an HTTP 422 response and some text indicating “The change you requested was rejected.” The patched version of GitLab will respond with an HTTP 404 response and text indicating “The page could not be found…”.
When running these commands I receive a 404 Not Found response rather than 422, leading me to believe that the GitLab version is patched and not vulnerable.
5 Replies
- redreturn
Bronze II
That is bizarre, repeated exactly the same steps as before and worked straight away 🤣
- AtakanBal
Bronze III
I just restarted the lab to check, I didn't encounter any problems when I tried to create and upload the file
I generated the image using the attackerkb article
- redreturn
Bronze II
Hi AtakanBal, could you see what response you get when you run the vulnerable-instance test code from the article?
- AtakanBal
Bronze III
😆 I think the instance test code in the article just has some weird formatting like markdown for some reason 'file=**[@test](/contributors/test)**.jpeg' 🤔
curl -v -F 'file=<FILE>' http://<IP>/$(openssl rand -hex 8)
This should get a 422.
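The article's curl probe and its 422/404 reading, written up as an added Python example for checking the patch state of your own instances (this is not code from the article or from anyone in the thread); the base URL argument, the constructed dummy file contents and the `probe`/`classify` names are assumptions:

```python
import secrets
import urllib.error
import urllib.request

# Constructed dummy "image": the article's probe only needs a part named
# "file" with a .jpeg filename, not a valid JPEG (echo lollol > test.jpeg).
DUMMY_JPEG = b"lollol\n"


def classify(status: int, body: str) -> str:
    """Map the status/body pair from the attackerkb heuristic to a verdict."""
    text = body.lower()
    if status == 422 and "the change you requested was rejected" in text:
        return "likely unpatched"
    if status == 404 and "page could not be found" in text:
        return "likely patched"
    return "inconclusive"


def build_multipart(filename: str, data: bytes) -> tuple[bytes, str]:
    """Build a multipart/form-data body equivalent to curl -F 'file=@<filename>'."""
    boundary = "----probe" + secrets.token_hex(8)
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="file"; filename="{filename}"\r\n'
        "Content-Type: image/jpeg\r\n\r\n"
    ).encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return head + data + tail, f"multipart/form-data; boundary={boundary}"


def probe(base_url: str, timeout: float = 10.0) -> tuple[int, str]:
    """POST the dummy file to a random path, as the article's curl command does."""
    url = f"{base_url.rstrip('/')}/{secrets.token_hex(8)}"  # $(openssl rand -hex 8)
    body, ctype = build_multipart("test.jpeg", DUMMY_JPEG)
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": ctype})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:  # 404 and 422 arrive as exceptions
        return err.code, err.read().decode(errors="replace")


if __name__ == "__main__":
    import sys
    status, body = probe(sys.argv[1])  # e.g. http://<IP>
    print(status, classify(status, body))
```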
- redreturn
Bronze II
I thought that might be the case, completed it all now anyway. Onwards 😁