HackTheBox-Laboratory

• Name: Laboratory
• OS: Linux

0x02 Exploitation

LFI

1. Create two projects (a and b).

2. Submit an issue in project a

with the content: ![a](/uploads/11111111111111111111111111111111/../../../../../../../../../../../../../../etc/passwd)

3. Move this issue to project b.

4. Click the link.
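
A defender-side check for the traversal pattern in step 2, added here as an example (not code from the original writeup or from GitLab): it scans an issue body for upload references whose path climbs out of the /uploads/<id>/ directory, including percent-encoded variants. The regex, function names and sample bodies are assumptions constructed for illustration.

```ruby
require "uri"

# Markdown link/image whose target is an upload: /uploads/<32 hex>/<path>
UPLOAD_REF = %r{!?\[[^\]]*\]\((/uploads/\h{32}/([^)\s]+))\)}

# Percent-decode repeatedly (bounded) so %2e%2e and double encoding are seen.
def decode_fully(path)
  3.times do
    decoded = URI.decode_www_form_component(path).scrub
    break if decoded == path
    path = decoded
  end
  path
rescue ArgumentError
  path # malformed escape sequence: judge what was decoded so far
end

# True if the path ever climbs above the upload directory it starts in.
def escapes_upload_dir?(relative)
  depth = 0
  relative.split("/").each do |segment|
    next if segment.empty? || segment == "."
    depth += (segment == ".." ? -1 : 1)
    return true if depth.negative?
  end
  false
end

# Returns the upload targets in a Markdown body that traverse out of /uploads/<id>/.
def suspicious_upload_refs(markdown)
  markdown.scan(UPLOAD_REF).filter_map do |target, relative|
    target if escapes_upload_dir?(decode_fully(relative))
  end
end

# Constructed sample issue bodies (not taken from a real instance).
ID = "1" * 32
SAMPLES = [
  "![shot](/uploads/#{ID}/screenshot.png)",
  "![doc](/uploads/#{ID}/docs/../readme.md)",
  "![a](/uploads/#{ID}/../../../../etc/passwd)",
  "![a](/uploads/#{ID}/%2e%2e/%2e%2e/etc/passwd)",
]

SAMPLES.each { |body| puts "#{suspicious_upload_refs(body).empty? ? 'ok  ' : 'FLAG'} #{body}" }
```

The same check can run over stored issue and comment bodies to find references that were planted before the instance was patched.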

RCE

It’s possible to turn this into an RCE as the cookies_serializer is set to :hybrid by default.

This can be done by first grabbing the secret_key_base from /opt/gitlab/embedded/service/gitlab-rails/config/secrets.yml using the arbitrary file read and then using the experimentation_subject_id cookie with a Marshalled payload.

A payload can be generated by changing your own GitLab instance's secret_key_base to match, then running the following in a rails console

(It is best to copy it yourself and then paste it.)