Rooted!
@T0v1r's comment got me out of a rabbit hole.
What a large hole…
Finally I can sleep
By the looks of it the default creds are no longer a viable attack vector.
I’m trying to bypass the 403’s.
I’ve tried a bunch of things so far, and I think I’m on to it, any hints?
Has anyone rooted since they did away with the default creds?
I am really stuck on foothold; it seems like the machine was updated and some of the techniques some older hints talk about no longer work. I would appreciate some guidance; so far I have just found the credentials for margo.
Why doesn’t gitbucket have the default creds? I’ve been trying everything and I can’t sign in.
Same here. I tried looking for some SSRF vulns but got nowhere. I even tried to brute force the JWT token to crack the secret.
Then I tried to bypass the 403 warnings and get to /download or /logs but can’t get anything going.
Anyone willing to drop a hint for us? You could even seize the opportunity to send me down a rabbit hole just for fun lol.
Am I even going in the right direction here?
Anyone?
Was this box patched or something? The default creds aren’t working for the service running on 8080. Even after a reset, the defaults don’t work.
Yeah, this was the unintended solution that has been patched. Still trying to figure out the intended way in.
I got a way to get a cookie on the portal, but I don’t see how I can use it… Any help would be appreciated.
It can be used to CSRF through the XSS, however ACLs are still preventing access to /download and /logs. Any ideas how to bypass?
If the XSS is done right, you can use the cookie in one request to CSRF, grab and base64 the responseText, and make another request back to yourself containing the b64.
Although, without access to /download or /logs, can’t see the useful utility of this
I got the login for portal, but I don’t know how to continue. I cannot find XSS on the portal and was busy with request smuggling. No success till now. Who has a hint?
I got admin cookie with it but it is useless it seems. The CSRF into /logs looks like a good idea though. Maybe because it is made from the box itself it bypasses HAPROXY?
Yeah actually, admin cookie can be the end of that path and beginning of a new one (easiest route), or I have heard that it is possible to go even harder on that CSRF+XSS path and get at logs. Message me directly for pointers on either approach.
A nice machine. With that admin cookie you can read the logs by using some exploit. Then there is another exploitable thing. I spent a lot of time using the public exploit. It just needed some double encoding…
I’ve been analyzing the machine and the only thing I’m stuck on is the gitbucket root password. Aren’t they the default? A hint to find it?
It’s root:root
They patched it…
Excellent box, I liked it a lot! In the forum I can see that most of the hints and answers are for the unpatched version. For anyone that is stuck, feel free to drop me a DM.
Default sign-in credentials changed?
Nope, I’m stuck too on the GB root password
Other question: do I need the root password?