CVE-2021-22205 (GitLab) – Offensive

Has anyone encountered an issue (or not) with this lab?

It seems fairly trivial to create the file using the remote Gitlab instance IP and then use the commands included in the linked attackerkb article to upload the image with the reverse shell and gain access.

However, when I try to upload the image using the curl command I get a response 422 Unprocessable Entity.

In the html:

  <div class="container">
    <h3>The change you requested was rejected.</h3>
    <hr />
    <p>Make sure you have access to the thing you tried to change.</p>
    <p>Please contact your GitLab administrator if you think this is a mistake.</p>
    <a href="javascript:history.back()" class="js-go-back go-back">Go back</a>
  </div>

Furthermore in the attackerkb article it states:

Finally, it’s possible to determine if a remote GitLab instance is vulnerable based on it’s
response to a POST request. For example:

albinolobster@ubuntu:~$ echo lollol > test.jpeg
albinolobster@ubuntu:~$ curl -v -F 'file=**[@test](/contributors/test)**.jpeg' http://10.0.0.7/$(openssl rand -hex 8)

The unpatched version will respond with an HTTP 422 response and some text indicating “The change you requested was rejected.” The patched version of GitLab will respond with an HTTP 404 response and text indicating “The page could not be found…”.

When running these commands I receive a 404 Not Found response rather that 422 leading me to believe that the Gitlab version is patched and not vulnerable.