The nmap scan shows that SSH and HTTP services are open.

There is a login page.

robots.txt lists many directories.

The /profile page suggests that Clave could be the username.

In /help/bookmarks.html, I found gitlab_login.js, which contains the password.

After logging in, I can see two projects.

The Profile project corresponds exactly to the /profile directory. I decided to upload a PHP reverse shell to this project. After accessing it, I got a reverse shell as www-data.

We can run git pull with sudo. From the githooks man page, we know that post-merge is invoked by git merge, which happens when a git pull is done.

Copy the /profile directory to /tmp to get write permission. Create a reverse shell script called post-merge in the /hooks directory.

Go back to GitLab, add an arbitrary file create_for_privesc, and merge.

Now execute sudo git pull: create_for_privesc is downloaded and post-merge is executed, which gave me a reverse shell as root.
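
From the defender's side, the check to make before running git pull with elevated privileges is whether the repository carries any hook that git would execute. The following is an added example, not part of the original write-up; the function names active_hooks, hooks_path_override and audit_repo are hypothetical, and it inspects only .git/hooks and the repository's own .git/config.

```shell
#!/bin/sh
# Added example (not from the write-up): report hooks git would run in a repo.
# Git runs a hook only when the file has the exact hook name and is executable;
# the *.sample files shipped by git init are inert.

# active_hooks REPO: print the name of every active hook, one per line.
active_hooks() {
    hooks_dir="$1/.git/hooks"
    [ -d "$hooks_dir" ] || return 0
    for f in "$hooks_dir"/*; do
        [ -f "$f" ] && [ -x "$f" ] || continue
        case "$f" in *.sample) continue ;; esac
        basename "$f"
    done
}

# hooks_path_override REPO: print core.hooksPath if the repo's own config sets
# it, since that setting makes git look for hooks in another directory.
hooks_path_override() {
    cfg="$1/.git/config"
    [ -f "$cfg" ] || return 0
    sed -n 's/^[[:space:]]*[hH][oO][oO][kK][sS][pP][aA][tT][hH][[:space:]]*=[[:space:]]*//p' "$cfg"
}

# audit_repo REPO: print findings; return 1 if any hook is active or the
# hooks directory is redirected, 0 otherwise.
audit_repo() {
    repo=$1
    rc=0
    for h in $(active_hooks "$repo"); do
        echo "active hook: $repo/.git/hooks/$h"
        rc=1
    done
    override=$(hooks_path_override "$repo")
    if [ -n "$override" ]; then
        echo "core.hooksPath override: $override"
        rc=1
    fi
    return "$rc"
}

# Usage: sh audit_hooks.sh /path/to/repo   (script name is hypothetical)
if [ "$#" -gt 0 ]; then
    audit_repo "$1"
fi
```

A non-zero exit means the pull should not be run as root until the listed files have been reviewed.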
