GitLab

General

In GitLab, 2FA is disabled by default. Repositories come in the following three visibility types:

Repository | Access
Public     | Available to everyone (no authentication required)
Internal   | Available to all authenticated users
Private    | Restricted to specific users

Footprinting

The examples below are taken from the GitLab section of HTB's Attacking Common Applications module.

To find the version, we can register an account and browse to /help (Figure 1).

Figure 1: Footprinting GitLab as an authenticated user.

Manual Enumeration

We can browse to /explore both as an unauthenticated user (Figure 2) and as an authenticated user (Figure 3).

Figure 2: Exploring projects as an unauthenticated user.
Figure 3: Exploring projects as an authenticated user.

Check for registration errors (Figure 4):

Figure 4: Enumerating usernames via registration errors.
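The registration-error check above can be turned around into a detection on the defender's side. The following Python is an added example, not code from this page or from the HTB module: it parses constructed reverse-proxy access-log lines in combined format and flags any source that produces many rejected sign-up attempts in a short window, which is what probing for existing usernames through registration errors looks like in the logs. The sign-up path /users, the assumption that a rejected attempt re-renders the form (HTTP 200) while a successful one redirects (302), and the threshold and window are assumptions about a Devise-backed GitLab sign-up form, not values taken from the page.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined log format as written by nginx/Apache in front of GitLab (assumed layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumptions about the Devise-backed sign-up form: it POSTs to /users, a rejected
# attempt re-renders the form with errors (200), a successful one redirects (302).
SIGNUP_PATH = "/users"
FAILED_STATUS = "200"

# Constructed sample traffic (not real logs): 10.0.0.5 hammers the sign-up form,
# 10.0.0.9 makes one typo and then registers normally, plus some browsing noise.
SAMPLE_LOG = """\
10.0.0.7 - - [12/Mar/2024:09:59:50 +0000] "GET /explore HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2024:10:00:01 +0000] "POST /users HTTP/1.1" 200 5120 "-" "python-requests/2.31"
10.0.0.5 - - [12/Mar/2024:10:00:02 +0000] "POST /users HTTP/1.1" 200 5120 "-" "python-requests/2.31"
10.0.0.9 - - [12/Mar/2024:10:00:03 +0000] "POST /users HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2024:10:00:03 +0000] "POST /users HTTP/1.1" 200 5120 "-" "python-requests/2.31"
10.0.0.5 - - [12/Mar/2024:10:00:04 +0000] "POST /users HTTP/1.1" 200 5120 "-" "python-requests/2.31"
10.0.0.9 - - [12/Mar/2024:10:00:20 +0000] "POST /users HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2024:10:00:05 +0000] "POST /users HTTP/1.1" 200 5120 "-" "python-requests/2.31"
10.0.0.5 - - [12/Mar/2024:10:00:06 +0000] "POST /users HTTP/1.1" 200 5120 "-" "python-requests/2.31"
10.0.0.9 - - [12/Mar/2024:10:00:25 +0000] "GET /help HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m["ip"],
        "ts": ts,
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],  # drop any query string
        "status": m["status"],
    }


def failed_signups(lines):
    """Yield (ip, timestamp) for every rejected registration attempt."""
    for line in lines:
        ev = parse_line(line)
        if (ev and ev["method"] == "POST"
                and ev["path"] == SIGNUP_PATH
                and ev["status"] == FAILED_STATUS):
            yield ev["ip"], ev["ts"]


def detect_enumeration(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: peak_count} for sources that reach `threshold` rejected
    sign-ups inside any sliding window of length `window`."""
    recent = defaultdict(deque)  # per-IP timestamps inside the current window
    flagged = {}
    # Sort by time so the sliding window works even if the log is interleaved.
    for ip, ts in sorted(failed_signups(lines), key=lambda e: e[1]):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


if __name__ == "__main__":
    for ip, count in detect_enumeration(SAMPLE_LOG.splitlines()).items():
        print(f"possible username enumeration from {ip}: {count} rejected sign-ups")
```

The plain GET requests to /explore and /help are deliberately not scored: on an instance that allows anonymous browsing and open registration they are normal traffic, so the signal a defender can act on is the burst of rejected registrations, and the real fix is to close open sign-up or enforce 2FA in the admin settings rather than to tune the threshold.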

User Enumeration
