diff --git a/modules/vulnerabilities/unix/webapp/gitlab_13102/files/gitlab-ce_13.10.2-ce.0_amd64.deb.partaa b/modules/vulnerabilities/unix/webapp/gitlab_13102/files/gitlab-ce_13.10.2-ce.0_amd64.deb.partaa
new file mode 100644
index 000000000..9f7473dfd
Binary files /dev/null and b/modules/vulnerabilities/unix/webapp/gitlab_13102/files/gitlab-ce_13.10.2-ce.0_amd64.deb.partaa differ
diff --git a/modules/vulnerabilities/unix/webapp/gitlab_13102/files/gitlab-ce_13.10.2-ce.0_amd64.deb.partab b/modules/vulnerabilities/unix/webapp/gitlab_13102/files/gitlab-ce_13.10.2-ce.0_amd64.deb.partab
new file mode 100644
index 000000000..710f570a6
Binary files /dev/null and b/modules/vulnerabilities/unix/webapp/gitlab_13102/files/gitlab-ce_13.10.2-ce.0_amd64.deb.partab differ
diff --git a/modules/vulnerabilities/unix/webapp/gitlab_13102/files/gitlab-ce_13.10.2-ce.0_amd64.deb.partac b/modules/vulnerabilities/unix/webapp/gitlab_13102/files/gitlab-ce_13.10.2-ce.0_amd64.deb.partac
new file mode 100644
index 000000000..6128313fe
Binary files /dev/null and b/modules/vulnerabilities/unix/webapp/gitlab_13102/files/gitlab-ce_13.10.2-ce.0_amd64.deb.partac differ
diff --git a/modules/vulnerabilities/unix/webapp/gitlab_13102/files/gitlab-ce_13.10.2-ce.0_amd64.deb.partad b/modules/vulnerabilities/unix/webapp/gitlab_13102/files/gitlab-ce_13.10.2-ce.0_amd64.deb.partad
new file mode 100644
index 000000000..3f67ddfbd
Binary files /dev/null and b/modules/vulnerabilities/unix/webapp/gitlab_13102/files/gitlab-ce_13.10.2-ce.0_amd64.deb.partad differ
diff --git a/modules/vulnerabilities/unix/webapp/gitlab_13102/files/gitlab-ce_13.10.2-ce.0_amd64.deb.partae b/modules/vulnerabilities/unix/webapp/gitlab_13102/files/gitlab-ce_13.10.2-ce.0_amd64.deb.partae
new file mode 100644
index 000000000..2fc02b130
Binary files /dev/null and b/modules/vulnerabilities/unix/webapp/gitlab_13102/files/gitlab-ce_13.10.2-ce.0_amd64.deb.partae differ
diff --git a/modules/vulnerabilities/unix/webapp/gitlab_13102/files/gitlab-ce_13.10.2-ce.0_amd64.deb.partaf b/modules/vulnerabilities/unix/webapp/gitlab_13102/files/gitlab-ce_13.10.2-ce.0_amd64.deb.partaf
new file mode 100644
index 000000000..61defe063
Binary files /dev/null and b/modules/vulnerabilities/unix/webapp/gitlab_13102/files/gitlab-ce_13.10.2-ce.0_amd64.deb.partaf differ
diff --git a/modules/vulnerabilities/unix/webapp/gitlab_13102/files/gitlab-ce_13.10.2-ce.0_amd64.deb.partag b/modules/vulnerabilities/unix/webapp/gitlab_13102/files/gitlab-ce_13.10.2-ce.0_amd64.deb.partag
new file mode 100644
index 000000000..23d5d09fc
Binary files /dev/null and b/modules/vulnerabilities/unix/webapp/gitlab_13102/files/gitlab-ce_13.10.2-ce.0_amd64.deb.partag differ
diff --git a/modules/vulnerabilities/unix/webapp/gitlab_13102/files/gitlab-ce_13.10.2-ce.0_amd64.deb.partah b/modules/vulnerabilities/unix/webapp/gitlab_13102/files/gitlab-ce_13.10.2-ce.0_amd64.deb.partah
new file mode 100644
index 000000000..e61ce27cd
Binary files /dev/null and b/modules/vulnerabilities/unix/webapp/gitlab_13102/files/gitlab-ce_13.10.2-ce.0_amd64.deb.partah differ
diff --git a/modules/vulnerabilities/unix/webapp/gitlab_13102/files/gitlab-ce_13.10.2-ce.0_amd64.deb.partai b/modules/vulnerabilities/unix/webapp/gitlab_13102/files/gitlab-ce_13.10.2-ce.0_amd64.deb.partai
new file mode 100644
index 000000000..9ac849512
Binary files /dev/null and b/modules/vulnerabilities/unix/webapp/gitlab_13102/files/gitlab-ce_13.10.2-ce.0_amd64.deb.partai differ
diff --git a/modules/vulnerabilities/unix/webapp/gitlab_13102/files/gitlab-ce_13.10.2-ce.0_amd64.deb.partaj b/modules/vulnerabilities/unix/webapp/gitlab_13102/files/gitlab-ce_13.10.2-ce.0_amd64.deb.partaj
new file mode 100644
index 000000000..a6a40192d
Binary files /dev/null and b/modules/vulnerabilities/unix/webapp/gitlab_13102/files/gitlab-ce_13.10.2-ce.0_amd64.deb.partaj differ
diff --git a/modules/vulnerabilities/unix/webapp/gitlab_13102/files/gitlab-ce_13.10.2-ce.0_amd64.deb.partak b/modules/vulnerabilities/unix/webapp/gitlab_13102/files/gitlab-ce_13.10.2-ce.0_amd64.deb.partak
new file mode 100644
index 000000000..4c6d3ab77
Binary files /dev/null and b/modules/vulnerabilities/unix/webapp/gitlab_13102/files/gitlab-ce_13.10.2-ce.0_amd64.deb.partak differ
diff --git a/modules/vulnerabilities/unix/webapp/gitlab_13102/files/gitlab-ce_13.10.2-ce.0_amd64.deb.partal b/modules/vulnerabilities/unix/webapp/gitlab_13102/files/gitlab-ce_13.10.2-ce.0_amd64.deb.partal
new file mode 100644
index 000000000..9301879a4
Binary files /dev/null and b/modules/vulnerabilities/unix/webapp/gitlab_13102/files/gitlab-ce_13.10.2-ce.0_amd64.deb.partal differ
diff --git a/modules/vulnerabilities/unix/webapp/gitlab_13102/files/gitlab-ce_13.10.2-ce.0_amd64.deb.partam b/modules/vulnerabilities/unix/webapp/gitlab_13102/files/gitlab-ce_13.10.2-ce.0_amd64.deb.partam
new file mode 100644
index 000000000..909171dda
Binary files /dev/null and b/modules/vulnerabilities/unix/webapp/gitlab_13102/files/gitlab-ce_13.10.2-ce.0_amd64.deb.partam differ
diff --git a/modules/vulnerabilities/unix/webapp/gitlab_13102/files/gitlab-ce_13.10.2-ce.0_amd64.deb.partan b/modules/vulnerabilities/unix/webapp/gitlab_13102/files/gitlab-ce_13.10.2-ce.0_amd64.deb.partan
new file mode 100644
index 000000000..b7ce0a5da
Binary files /dev/null and b/modules/vulnerabilities/unix/webapp/gitlab_13102/files/gitlab-ce_13.10.2-ce.0_amd64.deb.partan differ
diff --git a/modules/vulnerabilities/unix/webapp/gitlab_13102/files/gitlab-ce_13.10.2-ce.0_amd64.deb.partao b/modules/vulnerabilities/unix/webapp/gitlab_13102/files/gitlab-ce_13.10.2-ce.0_amd64.deb.partao
new file mode 100644
index 000000000..2661ed5ff
Binary files /dev/null and b/modules/vulnerabilities/unix/webapp/gitlab_13102/files/gitlab-ce_13.10.2-ce.0_amd64.deb.partao differ
diff --git a/modules/vulnerabilities/unix/webapp/gitlab_13102/files/gitlab-ce_13.10.2-ce.0_amd64.deb.partap b/modules/vulnerabilities/unix/webapp/gitlab_13102/files/gitlab-ce_13.10.2-ce.0_amd64.deb.partap
new file mode 100644
index 000000000..f923ca3c7
Binary files /dev/null and b/modules/vulnerabilities/unix/webapp/gitlab_13102/files/gitlab-ce_13.10.2-ce.0_amd64.deb.partap differ
diff --git a/modules/vulnerabilities/unix/webapp/gitlab_13102/files/gitlab-ce_13.10.2-ce.0_amd64.deb.partaq b/modules/vulnerabilities/unix/webapp/gitlab_13102/files/gitlab-ce_13.10.2-ce.0_amd64.deb.partaq
new file mode 100644
index 000000000..2c804484b
Binary files /dev/null and b/modules/vulnerabilities/unix/webapp/gitlab_13102/files/gitlab-ce_13.10.2-ce.0_amd64.deb.partaq differ
diff --git a/modules/vulnerabilities/unix/webapp/gitlab_13102/files/gitlab-ce_13.10.2-ce.0_amd64.deb.partar b/modules/vulnerabilities/unix/webapp/gitlab_13102/files/gitlab-ce_13.10.2-ce.0_amd64.deb.partar
new file mode 100644
index 000000000..009e4fc65
Binary files /dev/null and b/modules/vulnerabilities/unix/webapp/gitlab_13102/files/gitlab-ce_13.10.2-ce.0_amd64.deb.partar differ
diff --git a/modules/vulnerabilities/unix/webapp/gitlab_13102/functions/cpandbuild.pp b/modules/vulnerabilities/unix/webapp/gitlab_13102/functions/cpandbuild.pp
new file mode 100644
index 000000000..8b0ee803f
--- /dev/null
+++ b/modules/vulnerabilities/unix/webapp/gitlab_13102/functions/cpandbuild.pp
@@ -0,0 +1,13 @@
+function gitlab_13102::cpandbuild(Array $collection, String $filename) {
+ $collection.each |String $item| {
+ file { "/tmp/${item}":
+ ensure => file,
+ source => "puppet:///modules/gitlab_13102/${item}",
+ }
+ }
+ exec { "rebuild-$(unknown)":
+ cwd => '/tmp/',
+ command => "/bin/cat $(unknown).parta* > $(unknown)",
+ creates => "/tmp/$(unknown)",
+ }
+}
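Review bot: The reassembled package written by the `exec` at the `command` line is never integrity-checked before `install.pp` runs `dpkg -i` on it, and the `cat … .parta* >` glob silently yields a truncated or mis-ordered file if a part is missing or misnamed. A checksum step between rebuild and install would catch both, e.g. an `exec { "verify-${filename}": cwd => '/tmp/', command => "sha256sum -c ${filename}.sha256" }` with a checksum file shipped next to the parts (the page has no checksum file yet; the name is a placeholder). Staging in world-writable `/tmp/` also lets any local user replace the file between reassembly and the root-run `dpkg -i`; a root-owned directory (mode 0700) avoids that window. As shown, the exec title and command read `$(unknown)` and the `$filename` parameter is never used, while `install.pp` requires `Exec["rebuild-${longgitlab}"]` — presumably `${filename}` was mangled in extraction, but if the source really reads this way the resource names will not match.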
diff --git a/modules/vulnerabilities/unix/webapp/gitlab_13102/gitlab_13102.pp b/modules/vulnerabilities/unix/webapp/gitlab_13102/gitlab_13102.pp
new file mode 100644
index 000000000..2fd35ca50
--- /dev/null
+++ b/modules/vulnerabilities/unix/webapp/gitlab_13102/gitlab_13102.pp
@@ -0,0 +1,4 @@
+contain gitlab_13102::install
+contain gitlab_13102::configure
+Class['gitlab_13102::install']
+-> Class['gitlab_13102::configure']
diff --git a/modules/vulnerabilities/unix/webapp/gitlab_13102/manifests/configure.pp b/modules/vulnerabilities/unix/webapp/gitlab_13102/manifests/configure.pp
new file mode 100644
index 000000000..1b0c1d0af
--- /dev/null
+++ b/modules/vulnerabilities/unix/webapp/gitlab_13102/manifests/configure.pp
@@ -0,0 +1,145 @@
+class gitlab_13102::configure {
+
+ $secgen_parameters = secgen_functions::get_parameters($::base64_inputs_file)
+
+ # First leaked string is the gitlab root password
+ $strings_to_leak = $secgen_parameters['strings_to_leak']
+ $strings_to_pre_leak = $secgen_parameters['strings_to_pre_leak']
+ $difficulty = $secgen_parameters['difficulty']
+ $leaked_filenames = $secgen_parameters['leaked_filenames']
+
+ # Could amend in future to take port as parameter but threw error 502 in testing so leaving as default (80) for now
+
+ Exec { path => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'] }
+
+ exec { 'set_gitlab_password':
+ command => "echo \"gitlab_rails['initial_root_password'] = '${strings_to_leak[0]}'\" >> /etc/gitlab/gitlab.rb",
+ }
+ ->
+ exec { 'set_gitlab_store_password':
+ command => "echo \"gitlab_rails['store_initial_root_password'] = true\" >> /etc/gitlab/gitlab.rb",
+ }
+ ->
+ exec { 'disable_monitoring': # Avoids race condition where monitoring services don't start before gitlab-ctl reconfigure completes
+ command => "echo \"prometheus_monitoring['enable'] = false\" >> /etc/gitlab/gitlab.rb && echo \"alertmanager['enable'] = false\" >> /etc/gitlab/gitlab.rb && echo \"grafana['enable'] = false\" >> /etc/gitlab/gitlab.rb",
+ }
+ ->
+ exec { 'reconfigure_gitlab':
+ command => '/usr/bin/gitlab-ctl reconfigure > /dev/null 2>&1', # Prevents output flooding the console
+ require => Exec['install_gitlab'],
+ timeout => 1800,
+ tries => 3,
+ try_sleep => 30,
+ }
+
+ # Leak credentials via git user's home directory
+ exec { 'create_git_home':
+ command => 'mkdir -p /home/git',
+ creates => '/home/git',
+ }
+ ->
+ exec { 'set_git_home_ownership':
+ command => 'chown git:git /home/git',
+ require => Exec['create_git_home'],
+ }
+ ->
+ # Pre leak to robots.txt
+ file_line { 'pre-leak-robots-txt':
+ path => '/opt/gitlab/embedded/service/gitlab-rails/public/robots.txt',
+ line => "# ${strings_to_pre_leak[0]}",
+ }
+
+ # Leak sensitive info via git repo
+ file { '/home/git/.credentials':
+ ensure => file,
+ content => "root:${strings_to_leak[0]}",
+ owner => 'git',
+ group => 'git',
+ mode => '0600',
+ require => Exec['set_git_home_ownership'],
+ }
+
+ if $difficulty[0] == 'hard' {
+ exec { 'create_project_dir':
+ command => 'mkdir -p /tmp/dev-notes',
+ creates => '/tmp/dev-notes',
+ require => Exec['reconfigure_gitlab'],
+ }
+ ->
+ exec { 'init_project':
+ command => 'git init',
+ cwd => '/tmp/dev-notes',
+ creates => '/tmp/dev-notes/.git',
+ }
+ ->
+ exec { 'git_config_email':
+ command => 'git config user.email "root@example.com"',
+ cwd => '/tmp/dev-notes',
+ }
+ ->
+ # Could be amended in future to use organisation information for realistic scenario
+ exec { 'git_config_name':
+ command => 'git config user.name "Developer J"',
+ cwd => '/tmp/dev-notes',
+ }
+ ->
+ exec { 'create_env_file':
+ command => "echo -e 'DB_HOST=localhost\\nDB_PORT=5432\\nDB_USER=root\\nDB_PASSWORD=${strings_to_leak[1]}\\nAPI_KEY=abc123xyz' > .env",
+ cwd => '/tmp/dev-notes',
+ }
+ ->
+ exec { 'create_python_script':
+ command => "echo -e '#!/usr/bin/env python3\\nimport os\\nfrom dotenv import load_dotenv\\n\\nload_dotenv()\\n\\ndb_host = os.getenv(\"DB_HOST\")\\ndb_user = os.getenv(\"DB_USER\")\\ndb_password = os.getenv(\"DB_PASSWORD\")\\n\\nprint(f\"Connecting to {db_host} as {db_user}\")' > app.py",
+ cwd => '/tmp/dev-notes',
+ }
+ ->
+ exec { 'git_add_important':
+ command => 'git add .env app.py',
+ cwd => '/tmp/dev-notes',
+ }
+ ->
+ exec { 'git_commit_initial':
+ command => 'git commit -m "Initial commit"',
+ cwd => '/tmp/dev-notes',
+ }
+ ->
+ exec { 'remove_env_file':
+ command => 'git rm .env',
+ cwd => '/tmp/dev-notes',
+ }
+ ->
+ exec { 'create_gitignore':
+ command => 'echo ".env" > .gitignore',
+ cwd => '/tmp/dev-notes',
+ }
+ ->
+ exec { 'git_add_gitignore':
+ command => 'git add .gitignore',
+ cwd => '/tmp/dev-notes',
+ }
+ ->
+ exec { 'git_commit_update':
+ command => 'git commit -m "Removed .env file and added to .gitignore"',
+ cwd => '/tmp/dev-notes',
+ }
+ ->
+ exec { 'git_add_remote':
+ command => "git remote add origin http://root:${strings_to_leak[0]}@localhost/root/dev-notes.git",
+ cwd => '/tmp/dev-notes',
+ }
+ ->
+ exec { 'git_push_master':
+ command => 'git push -u origin master',
+ cwd => '/tmp/dev-notes',
+ }
+ } else {
+ file { "/home/git/${leaked_filenames[0]}":
+ ensure => file,
+ content => "${strings_to_leak[1]}",
+ owner => 'git',
+ group => 'git',
+ mode => '0600',
+ require => Exec['set_git_home_ownership'],
+ }
+ }
+}
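Review bot: `echo -e` in `create_env_file` (and `create_python_script`) depends on which shell runs the exec; if the command goes through `/bin/sh` on a Debian/Ubuntu host, dash's builtin `echo` has no `-e` and writes a literal `-e ` at the start of `.env`, so `printf` is the portable form: `command => "printf '%s\\n' DB_HOST=localhost DB_PORT=5432 DB_USER=root 'DB_PASSWORD=${strings_to_leak[1]}' API_KEY=abc123xyz > .env"`. The `>> /etc/gitlab/gitlab.rb` appends in `set_gitlab_password`, `set_gitlab_store_password` and `disable_monitoring` carry no `unless`, so a second Puppet run appends duplicate settings; either an `unless => 'grep -q initial_root_password /etc/gitlab/gitlab.rb'` guard or `file_line` (already used for robots.txt) keeps them idempotent. After `git_push_master`, `/tmp/dev-notes/.git/config` still holds the root password embedded by `git_add_remote`, readable by any local user — a disclosure path separate from the intended GitLab-repo leak — so the working directory should be removed once the push has completed.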
diff --git a/modules/vulnerabilities/unix/webapp/gitlab_13102/manifests/install.pp b/modules/vulnerabilities/unix/webapp/gitlab_13102/manifests/install.pp
new file mode 100644
index 000000000..e8356bcae
--- /dev/null
+++ b/modules/vulnerabilities/unix/webapp/gitlab_13102/manifests/install.pp
@@ -0,0 +1,35 @@
+class gitlab_13102::install {
+ Exec { path => ['/bin', '/usr/bin', '/sbin', '/usr/sbin']}
+
+ $longgitlab = 'gitlab-ce_13.10.2-ce.0_amd64.deb'
+ $gitlabpart = ["${longgitlab}.partaa",
+ "${longgitlab}.partab",
+ "${longgitlab}.partac",
+ "${longgitlab}.partad",
+ "${longgitlab}.partae",
+ "${longgitlab}.partaf",
+ "${longgitlab}.partag",
+ "${longgitlab}.partah",
+ "${longgitlab}.partai",
+ "${longgitlab}.partaj",
+ "${longgitlab}.partak",
+ "${longgitlab}.partal",
+ "${longgitlab}.partam",
+ "${longgitlab}.partan",
+ "${longgitlab}.partao",
+ "${longgitlab}.partap",
+ "${longgitlab}.partaq",
+ "${longgitlab}.partar",]
+
+ $pkgtobuild = [[$gitlabpart, $longgitlab]]
+ $pkgtobuild.each |Array $pkg| {
+ gitlab_13102::cpandbuild($pkg[0], $pkg[1])
+ }
+ exec { 'install_gitlab':
+ command => "dpkg -i /tmp/${longgitlab}",
+ require => Exec["rebuild-${longgitlab}"],
+ timeout => 1800,
+ }
+
+
+}
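Review bot: `install_gitlab` has no `unless`/`creates` guard, so every Puppet run re-executes `dpkg -i` (up to the 1800 s timeout) even when the package is already installed; `unless => 'dpkg-query -W -f=\'${Status}\' gitlab-ce | grep -q "ok installed"'` makes it idempotent. The install reads the package from world-writable `/tmp`, where it was written by the rebuild exec in `cpandbuild.pp`; staging the parts and the rebuilt .deb under a root-owned 0700 directory removes the window in which a local user could swap the file before the root-run install. The 18-entry `$gitlabpart` list could be generated from the suffix range rather than spelled out, which also keeps it from drifting from the files actually committed.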
diff --git a/modules/vulnerabilities/unix/webapp/gitlab_13102/secgen_metadata.xml b/modules/vulnerabilities/unix/webapp/gitlab_13102/secgen_metadata.xml
new file mode 100644
index 000000000..54cf59f75
--- /dev/null
+++ b/modules/vulnerabilities/unix/webapp/gitlab_13102/secgen_metadata.xml
@@ -0,0 +1,74 @@
+
+
+
+ Gitlist 13.10.2 RCE
+ Alix Hiscock
+ MIT
+
+ GitLab CE/EE versions 11.9 through 13.10.2 are vulnerable to an exploit where an unauthenticated attacker is able
+ to upload a malicious DjVu image file that exploits ExifTool's metadata parsing, resulting in remote code execution
+ with full system privileges.
+
+
+ webapp
+ user_rwx
+ remote
+ linux
+ low
+
+ port
+ strings_to_leak
+ images_to_leak
+ leaked_filenames
+ strings_to_pre_leak
+ pre_leaked_filenames
+ difficulty
+
+
+
+
+ wordlist
+
+
+ 8
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ easy
+
+
+ CVE-2021-22205
+
+ 9.8
+ AV:N/AC:L/Au:N/C:P/I:P/A:P
+
+
+ exploit/multi/http/gitlab_exif_rce
+ Visit the webapp in a browser at: ip:80
+
+ Look in a common location for web crawlers to visit...
+ Investigate the gitlab repository...
+
+
+
+ webapp
+
+
+
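Review bot: The title reads `Gitlist 13.10.2 RCE` while the module name, description and CVE all refer to GitLab; it should be `GitLab 13.10.2 RCE`. The CVSS block pairs a score of 9.8 with the v2-style vector `AV:N/AC:L/Au:N/C:P/I:P/A:P`, which is a 7.5 vector, so the score and vector come from different CVSS versions and one should be changed to match the other. The description says the result is code execution "with full system privileges", yet the module's own privilege tag is `user_rwx`; if the payload runs as an unprivileged service account (as the tag suggests), the description should say so rather than overstate the impact.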
diff --git a/scenarios/ctf/git_dejavu.xml b/scenarios/ctf/git_dejavu.xml
new file mode 100644
index 000000000..df5c632da
--- /dev/null
+++ b/scenarios/ctf/git_dejavu.xml
@@ -0,0 +1,168 @@
+
+
+
+
+ Git dejavu
+ Alix Hiscock
+ Hack the web_server from kali.
+
+
+ ctf
+ attack-ctf
+ pwn-ctf
+ medium
+
+
+ user authentication
+
+
+ EXPLOITATION
+ EXPLOITATION FRAMEWORKS
+
+
+ CVEs and CWEs
+
+
+ PENETRATION TESTING - SOFTWARE TOOLS
+ PENETRATION TESTING - ACTIVE PENETRATION
+
+
+ access control
+ Elevated privileges
+ Vulnerabilities and attacks on access control misconfigurations
+
+
+ Access controls and operating systems
+ Linux security model
+ Attacks against SUDO
+
+
+
+ kill chains
+
+
+
+ attack_vm
+
+
+
+
+
+ 172.16.0.2
+
+ 172.16.0.3
+
+
+
+
+ {"username":"kali","password":"kali","super_user":"true","strings_to_leak":[],"leaked_filenames":[]}
+
+
+
+
+
+ {"username":"kali","password":"kali","super_user":"true","strings_to_leak":[],"leaked_filenames":[]}
+
+
+ false
+
+
+
+
+
+ IP_addresses
+
+
+
+
+
+
+
+ spoiler_admin_pass
+
+
+
+
+
+ web_server
+
+
+
+
+
+ mythical_creatures
+
+
+
+
+
+
+
+ wordlist
+
+
+ 8
+
+
+
+
+
+
+
+
+ username
+
+
+ password
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ wordlist
+
+
+ 8
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ IP_addresses
+
+
+
+
+ spoiler_admin_pass
+
+
+
+
+
\ No newline at end of file
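Review bot: The learning-objective entries `Access controls and operating systems`, `Linux security model` and `Attacks against SUDO` do not match a scenario built around the GitLab ExifTool RCE and user-level credential leaks; they look copied from another scenario and should be replaced with the web-application/CVE objectives the module actually exercises. The same entries appear in `scenarios/ctf/git_dejavu_adv.xml`. This scenario sets no `difficulty` input, so it relies on the module's `easy` default; stating `easy` explicitly, as the advanced file states `hard`, makes the two scenarios symmetric and the branch taken in `configure.pp` obvious.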
diff --git a/scenarios/ctf/git_dejavu_adv.xml b/scenarios/ctf/git_dejavu_adv.xml
new file mode 100644
index 000000000..3d55386dc
--- /dev/null
+++ b/scenarios/ctf/git_dejavu_adv.xml
@@ -0,0 +1,172 @@
+
+
+
+
+ Git dejavu Advanced
+ Alix Hiscock
+ Hack the web_server from kali.
+
+
+ ctf
+ attack-ctf
+ pwn-ctf
+ hard
+
+
+ user authentication
+
+
+ EXPLOITATION
+ EXPLOITATION FRAMEWORKS
+
+
+ CVEs and CWEs
+
+
+ PENETRATION TESTING - SOFTWARE TOOLS
+ PENETRATION TESTING - ACTIVE PENETRATION
+
+
+ access control
+ Elevated privileges
+ Vulnerabilities and attacks on access control misconfigurations
+
+
+ Access controls and operating systems
+ Linux security model
+ Attacks against SUDO
+
+
+
+ kill chains
+
+
+
+ attack_vm
+
+
+
+
+
+ 172.16.0.2
+
+ 172.16.0.3
+
+
+
+
+ {"username":"kali","password":"kali","super_user":"true","strings_to_leak":[],"leaked_filenames":[]}
+
+
+
+
+
+ {"username":"kali","password":"kali","super_user":"true","strings_to_leak":[],"leaked_filenames":[]}
+
+
+ false
+
+
+
+
+
+ IP_addresses
+
+
+
+
+
+
+
+ spoiler_admin_pass
+
+
+
+
+
+ web_server
+
+
+
+
+
+ mythical_creatures
+
+
+
+
+
+
+
+ wordlist
+
+
+ 8
+
+
+
+
+
+
+
+
+ username
+
+
+ password
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ wordlist
+
+
+ 8
+
+
+
+
+
+
+
+
+ hard
+
+
+
+
+
+
+
+
+
+
+
+ IP_addresses
+
+
+
+
+ spoiler_admin_pass
+
+
+
+
+
\ No newline at end of file