init

.gitignore

@@ -0,0 +1,14 @@
+gitlab/config/**
+!gitlab/config/.keep
+
+gitlab/data/**
+!gitlab/data/.keep
+
+gitlab/logs/**
+!gitlab/logs/.keep
+
+gitlab/keys/**
+!gitlab/keys/.keep
+
+runner/config/**
+!runner/config/.keep

README.md

@@ -0,0 +1,85 @@
+# Gitlab-Docker
+
+> docker 一键部署 Gitlab 破解版
+
+------
+
+## 0x10 环境说明
+
+![](https://img.shields.io/badge/Docker-latest-brightgreen.svg) ![](https://img.shields.io/badge/GitlabEE-13.2.0-brightgreen.svg) ![](https://img.shields.io/badge/Runner-latest-brightgreen.svg)
+
+
+
+
+## 0x20 目录结构
+
+```
+gitlab-docker
+├── README.md ............... [此 README 说明]
+├── imgs .................... [辅助 README 说明的图片]
+├── gitlab .................. [Gitlab 容器的挂载目录]
+│   ├── Dockerfile .......... [Gitlab 的 Docker 构建文件]
+│   ├── config .............. [Gitlab 配置挂载目录]
+│   ├── data ................ [Gitlab 数据挂载目录]
+│   ├── logs ................ [Gitlab 日志挂载目录]
+│   ├── keys ................ [Gitlab 破解 License 存储目录]
+│   └── nginx ............... [Gitlab 内置 nginx 配置目录（备份配置，勿改）]
+├── runner .................. [Gitlab 容器的挂载目录]
+├── license ................. [破解 License 的容器构建目录]
+│   ├── Dockerfile .......... [License 的 Docker 构建文件]
+│   └── license.rb .......... [生成破解 License 的 Ruby 脚本]
+├── docker-compose.yml ...... [Docker 的构建配置]
+├── keygen.ps1 .............. [Windows: 一键生成破解 License]
+├── keygen.sh ............... [Linux:   一键生成破解 License]
+├── run.ps1 ................. [Windows: 一键运行 Gitlab 靶场]
+├── run.sh .................. [Linux:   一键运行 Gitlab 靶场]
+├── register.ps1 ............ [Windows: 一键注册 Runner]
+├── register.sh ............. [Linux:   一键注册 Runner]
+├── stop.ps1 ................ [Windows: 一键停止 Gitlab 靶场]
+└── stop.sh ................. [Linux:   一键停止 Gitlab 靶场]
+```
+
+
+
+
+## 0x30 部署说明
+
+### 0x31 构建
+
+- 宿主机预装 docker 和 docker-compose
+- 下载本仓库： [git clone https://github.com/lyy289065406/gitlab-docker](https://github.com/lyy289065406/gitlab-docker)
+- 生成破解密钥对： [`./keygen.sh`](keygen.sh) 或 [`./keygen.ps1`](keygen.ps1)
+- 构建并运行 Gitlab （确保 80 端口未占用）： [`./run.sh`](run.sh) 或 [`./run.ps1`](run.ps1)
+- 约 5 分钟后可从浏览器登录 Gitlab：[http://127.0.0.1](http://127.0.0.1) （首次登录需要重设管理员账号 root 的密码）
+
+
+### 0x32 破解
+
+前面生成破解密钥对的时候，已经把公钥写入 Gitlab 容器后台了，还需要把私钥通过前端上传到 Gitlab 完成破解：
+
+- 密钥对生成到 [`./gitlab/keys/`](gitlab/keys/) 目录，复制其下 `.gitlab-license` 的内容（私钥）
+- 使用 root 用户打开 [http://127.0.0.1/admin/license/new](http://127.0.0.1/admin/license/new) 页面
+- 选择 `Enter license key` 并粘贴私钥，点击 `Upload license` 按钮即可完成破解
+
+
+![](imgs/01.png)
+
+
+### 0x33 设置 Runner
+
+- 使用 root 用户打开 [http://127.0.0.1/admin/runners](http://127.0.0.1/admin/runners) 页面
+- 找到 registration token 并复制
+- 注册 Runner： [`./register.sh $TOKEN`](register.sh) 或 [`./register.ps1 $TOKEN`](register.ps1)
+
+> 至此所有 Repository 都可以使用此 Runner 执行 CI 脚本（Pipeline Jobs）
+
+![](imgs/02.png)
+
+
+### 0x34 访问 Gitlab Pages
+
+假设你的 Gitlab 用户名为 `${username}`，仓库名称为 `${repository_name}`，当仓库已经使用 jekyll 成功构建 SSG 后，只需要访问以下 URL 即可：
+
+[http://127.0.0.1:8000/${username}/${repository_name}/public/](http://127.0.0.1:8000)
+
+

docker-compose.yml

@@ -0,0 +1,53 @@
+version: '2'
+services:
+  gitlab:
+    hostname: GITLAB
+    container_name: docker_gitlab
+    build:
+      context: ./gitlab
+      dockerfile: ./Dockerfile
+    environment:
+      # 影响 /etc/gitlab/gitlab.rb 的配置
+      GITLAB_OMNIBUS_CONFIG: |
+        # 启用 Gitlab Pages
+        gitlab_pages['enable'] = true
+        # 访问 Gitlab Pages 的域名 （nginx 配置文件已经强制修改为 127.0.0.1:8000，故这里任意配置即可，但不能为空）
+        pages_external_url "http://pages.localhost/"
+    volumes:
+      - ./gitlab/config:/etc/gitlab
+      - ./gitlab/data:/var/opt/gitlab
+      - ./gitlab/logs:/var/log/gitlab
+      - ./gitlab/nginx/gitlab-pages.conf.local:/var/opt/gitlab/nginx/conf/gitlab-pages.conf.local
+      # - ./gitlab/pages:/var/opt/gitlab/gitlab-rails/shared/pages
+    ports:
+#     - 443:443
+      - 80:80
+      - 8000:8000
+    networks: 
+      vpn:
+        ipv4_address: 172.168.31.2
+    restart: unless-stopped
+
+  runner:
+    hostname: RUNNER
+    container_name: docker_runner
+    build:
+      context: ./runner
+      dockerfile: ./Dockerfile
+    volumes:
+      - ./runner/config:/etc/gitlab-runner
+      - ./runner/gitlab-runner:/etc/sudoers.d/gitlab-runner
+    networks: 
+      vpn:
+        ipv4_address: 172.168.31.3
+    restart: unless-stopped
+
+networks:
+  vpn:
+    driver: bridge
+    ipam:
+      driver: default
+      config:
+        - subnet:  172.168.31.0/24
+          gateway: 172.168.31.1
+

gitlab/Dockerfile

@@ -0,0 +1,18 @@
+# -----------------------------------------------------------------------------
+# CVE Ranger :
+#   https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22192.json
+# Gitlab Docker :
+#   https://hub.docker.com/r/gitlab/gitlab-ee/tags
+# -----------------------------------------------------------------------------
+
+FROM gitlab/gitlab-ee:13.2.0-ee.0
+# FROM gitlab/gitlab-ee:13.8.0-ee.0
+# FROM gitlab/gitlab-ee:13.9.0-ee.0
+
+ADD ./keys/license_key.pub /opt/gitlab/embedded/service/gitlab-rails/.license_encryption_key.pub
+# RUN sed -i "s@|| STARTER_PLAN@|| ULTIMATE_PLAN@g" /opt/gitlab/embedded/service/gitlab-rails/ee/app/models/license.rb
+# RUN gitlab-ctl reconfigure
+
+EXPOSE 443
+EXPOSE 80
+EXPOSE 22

gitlab/nginx/gitlab-pages.conf.local

@@ -0,0 +1,40 @@
+# This file is managed by gitlab-ctl. Manual changes will be
+# erased! To change the contents below, edit /etc/gitlab/gitlab.rb
+# and run `sudo gitlab-ctl reconfigure`.
+
+## Lines starting with two hashes (##) are comments with information.
+## Lines starting with one hash (#) are configuration parameters that can be uncommented.
+##
+###################################
+##         configuration         ##
+###################################
+
+
+server {
+  listen 8000;
+  server_name 127.0.0.1;
+  server_tokens off; ## Don't show the nginx version number, a security best practice
+
+  ## Disable symlink traversal
+  disable_symlinks on;
+
+
+  ## Real IP Module Config
+  ## http://nginx.org/en/docs/http/ngx_http_realip_module.html
+
+  ## Individual nginx logs for this GitLab vhost
+  access_log  /var/log/gitlab/nginx/gitlab_pages_access.log gitlab_access;
+  error_log   /var/log/gitlab/nginx/gitlab_pages_error.log;
+
+  # Pass everything to pages daemon
+  location / {
+    index index.html;
+    root /var/opt/gitlab/gitlab-rails/shared/pages;
+  }
+
+  # Define custom error pages
+  error_page 403 /403.html;
+  error_page 404 /404.html;
+
+  
+}

keygen.ps1

@@ -0,0 +1,25 @@
+# 生成 Gitlab License
+
+$IMAGE_NAME = "gitlab_license"
+$CONTAINER_NAME = "gen_gitlab_license"
+
+echo "Building image ..."
+docker build ./license -t ${IMAGE_NAME}
+Sleep 2
+
+echo "Generate gitlab license ..."
+$IMAGE_ID = (docker image ls -aq --filter reference=${IMAGE_NAME})
+docker run --name=${CONTAINER_NAME} ${IMAGE_ID} bash
+Sleep 2
+
+echo "Copy gitlab license to ./gitlab/keys"
+$DOCKER_ID = (docker ps -aq --filter name=${CONTAINER_NAME})
+if(![String]::IsNullOrEmpty(${DOCKER_ID})) {
+    docker cp ${DOCKER_ID}:/opt/license_key ./gitlab/keys/license_key
+    docker cp ${DOCKER_ID}:/opt/license_key.pub ./gitlab/keys/license_key.pub
+    docker cp ${DOCKER_ID}:/opt/.gitlab-license ./gitlab/keys/.gitlab-license
+    docker rm -f ${DOCKER_ID}
+}
+
+echo "Done ."
+exit 0

keygen.sh

@@ -0,0 +1,26 @@
+#!/bin/sh
+# 生成 Gitlab License
+
+IMAGE_NAME="gitlab_license"
+CONTAINER_NAME="gen_gitlab_license"
+
+echo "Building image ..."
+docker build ./license -t ${IMAGE_NAME}
+sleep 2
+
+echo "Generate gitlab license ..."
+IMAGE_ID=`docker image ls -aq --filter reference=${IMAGE_NAME}`
+docker run --name=${CONTAINER_NAME} ${IMAGE_ID} bash
+sleep 2
+
+echo "Copy gitlab license to ./gitlab/keys"
+DOCKER_ID=`docker ps -aq --filter name=${CONTAINER_NAME}`
+if [ ! -z "${DOCKER_ID}" ]; then
+    docker cp ${DOCKER_ID}:/opt/license_key ./gitlab/keys/license_key
+    docker cp ${DOCKER_ID}:/opt/license_key.pub ./gitlab/keys/license_key.pub
+    docker cp ${DOCKER_ID}:/opt/.gitlab-license ./gitlab/keys/.gitlab-license
+    docker rm -f ${DOCKER_ID}
+fi
+
+echo "Done ."
+exit 0

license/Dockerfile

@@ -0,0 +1,14 @@
+# -----------------------------------------------------------------------------
+# How to Crack Gitlab :
+#   https://blog.starudream.cn/2020/01/19/6-crack-gitlab/
+# -----------------------------------------------------------------------------
+
+FROM ruby
+
+WORKDIR /opt
+
+RUN gem install gitlab-license
+ADD ./license.rb /opt/license.rb
+RUN ruby license.rb
+
+CMD [ "bash" ]

license/license.rb

@@ -0,0 +1,85 @@
+require "openssl"
+require "gitlab/license"
+
+key_pair = OpenSSL::PKey::RSA.generate(2048)
+File.open("license_key", "w") { |f| f.write(key_pair.to_pem) }
+
+public_key = key_pair.public_key
+File.open("license_key.pub", "w") { |f| f.write(public_key.to_pem) }
+
+private_key = OpenSSL::PKey::RSA.new File.read("license_key")
+Gitlab::License.encryption_key = private_key
+
+license = Gitlab::License.new
+license.licensee = {
+  "Name" => "none",
+  "Company" => "none",
+  "Email" => "admin@example.com",
+}
+license.starts_at = Date.new(2020, 1, 1) # 开始时间
+license.expires_at = Date.new(2050, 1, 1) # 结束时间
+license.notify_admins_at = Date.new(2049, 12, 1)
+license.notify_users_at = Date.new(2049, 12, 1)
+license.block_changes_at = Date.new(2050, 1, 1)
+license.restrictions = {
+  active_user_count: 10000,
+}
+
+puts "License:"
+puts license
+
+data = license.export
+puts "Exported license:"
+puts data
+File.open(".gitlab-license", "w") { |f| f.write(data) }
+
+public_key = OpenSSL::PKey::RSA.new File.read("license_key.pub")
+Gitlab::License.encryption_key = public_key
+
+data = File.read(".gitlab-license")
+$license = Gitlab::License.import(data)
+
+puts "Imported license:"
+puts $license
+
+unless $license
+  raise "The license is invalid."
+end
+
+if $license.restricted?(:active_user_count)
+  active_user_count = 10000
+  if active_user_count > $license.restrictions[:active_user_count]
+    raise "The active user count exceeds the allowed amount!"
+  end
+end
+
+if $license.notify_admins?
+  puts "The license is due to expire on #{$license.expires_at}."
+end
+
+if $license.notify_users?
+  puts "The license is due to expire on #{$license.expires_at}."
+end
+
+module Gitlab
+  class GitAccess
+    def check(cmd, changes = nil)
+      if $license.block_changes?
+        return build_status_object(false, "License expired")
+      end
+    end
+  end
+end
+
+puts "This instance of GitLab Enterprise Edition is licensed to:"
+$license.licensee.each do |key, value|
+  puts "#{key}: #{value}"
+end
+
+if $license.expired?
+  puts "The license expired on #{$license.expires_at}"
+elsif $license.will_expire?
+  puts "The license will expire on #{$license.expires_at}"
+else
+  puts "The license will never expire."
+end

register.ps1

@@ -0,0 +1,21 @@
+# 注册 Runner 到 Gitlab
+
+param([string]$TOKEN="")
+if([String]::IsNullOrEmpty(${TOKEN})) {
+    echo "Usage: .\register.ps1 TOKEN"
+    echo "You can get the registration token from http://127.0.0.1/admin/runners"
+    exit 1
+}
+
+
+$CONTAINER_GITLAB_NAME = "docker_gitlab"
+$GITLAB_URL = "http://" + (docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' ${CONTAINER_GITLAB_NAME})
+
+$CONTAINER_RUNNER_NAME = "docker_runner"
+$DOCKER_ID = (docker ps -aq --filter name=${CONTAINER_RUNNER_NAME})
+if(![String]::IsNullOrEmpty(${DOCKER_ID})) {
+    docker exec ${DOCKER_ID} /bin/sh -c "/usr/bin/gitlab-runner register --non-interactive --name poc-runner --executor shell --url ${GITLAB_URL} --registration-token ${TOKEN}"
+}
+
+echo "Done ."
+exit 0

register.sh

@@ -0,0 +1,21 @@
+#!/bin/sh
+# 注册 Runner 到 Gitlab
+
+TOKEN=$1
+if [ -z "${TOKEN}" ] ; then
+    echo "Usage: .\register.ps1 TOKEN"
+    echo "You can get the registration token from http://127.0.0.1/admin/runners"
+    exit 1
+fi
+
+CONTAINER_GITLAB_NAME="docker_gitlab"
+GITLAB_URL="http://"`docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' ${CONTAINER_GITLAB_NAME}`
+
+CONTAINER_RUNNER_NAME="docker_runner"
+DOCKER_ID=`docker ps -aq --filter name=${CONTAINER_RUNNER_NAME}`
+if [ ! -z "${DOCKER_ID}" ]; then
+    docker exec ${DOCKER_ID} /bin/sh -c "/usr/bin/gitlab-runner register --non-interactive --name poc-runner --executor shell --url ${GITLAB_URL} --registration-token ${TOKEN}"
+fi
+
+echo "Done ."
+exit 0

run.ps1

@@ -0,0 +1,16 @@
+docker-compose up -d
+
+echo "Gitlab is starting ..."
+echo "You can access the site (http://127.0.0.1) after 5 minutes ."
+
+
+# 更改 Gitlab Pages 的 nginx 代理服务为 127.0.0.1:8000
+sleep 300
+$DOCKER_ID = (docker ps -aq --filter name=docker_gitlab)
+if(![String]::IsNullOrEmpty($DOCKER_ID)) {
+    docker exec -u root ${DOCKER_ID} /bin/bash -c "cp /var/opt/gitlab/nginx/conf/gitlab-pages.conf.local /var/opt/gitlab/nginx/conf/gitlab-pages.conf"
+    docker exec -u root ${DOCKER_ID} /bin/bash -c "gitlab-ctl restart nginx"
+}
+
+echo "Gitlab is started ."
+exit 0

run.sh

@@ -0,0 +1,19 @@
+#!/bin/sh
+
+docker-compose up -d
+
+echo "Gitlab is starting ..."
+echo "You can access the site (http://127.0.0.1) after 5 minutes ."
+
+
+# 更改 Gitlab Pages 的 nginx 代理服务为 127.0.0.1:8000
+sleep 300
+DOCKER_ID=`docker ps -aq --filter name=docker_gitlab`
+if [ ! -z "${DOCKER_ID}" ]; then
+    docker exec -u root ${DOCKER_ID} /bin/bash -c "cp /var/opt/gitlab/nginx/conf/gitlab-pages.conf.local /var/opt/gitlab/nginx/conf/gitlab-pages.conf"
+    docker exec -u root ${DOCKER_ID} /bin/bash -c "gitlab-ctl restart nginx"
+fi
+
+
+echo "Gitlab is started ."
+exit 0

runner/Dockerfile

@@ -0,0 +1,13 @@
+FROM gitlab/gitlab-runner:ubuntu-v13.10.0
+
+RUN sed -i s@/deb.debian.org/@/mirrors.aliyun.com/@g /etc/apt/sources.list
+RUN apt-get clean && \
+    apt-get update -y && \
+    apt-get install -y sudo vim zlib1g-dev ruby-dev gcc libffi-dev make g++ ruby ruby-dev nodejs
+
+# 替换gem国内源
+RUN gem sources --add http://gems.ruby-china.com/ --remove https://rubygems.org/ && \
+    gem install bundler
+
+RUN usermod -a -G sudo gitlab-runner
+

runner/gitlab-runner

@@ -0,0 +1 @@
+gitlab-runner ALL=(ALL) NOPASSWD: ALL

stop.ps1

@@ -0,0 +1,2 @@
+docker-compose down
+exit 0

stop.sh

@@ -0,0 +1,4 @@
+#!/bin/sh
+
+docker-compose down
+exit 0