Giveback starts with a WordPress website with a donation plugin that’s vulnerable to a RCE exploit. I’ll get a shell in a Kubernetes pod, and use it to scan an internal legacy app running PHP-CGI. I’ll abuse a vulnerability in that application to get to the next pod, where I’ll find a Kubernetes secret to interact with the API and dump secrets. I’ll use an SSH password to get on the host. For root I’ll abuse a custom wrapper around runc two different ways.

0xdf hacks stuff

A detailed walkthrough of the HackTheBox machine 'Giveback', covering exploitation of CVE-2024-5932, an unauthenticated PHP object injection to RCE vulnerability in the GiveWP WordPress plugin. After gaining a shell in a Kubernetes pod, the attacker enumerates the cluster environment, discovers a legacy internal PHP-CGI application, pivots to another pod by exploiting a PHP-CGI vulnerability, extracts Kubernetes secrets via the API, and ultimately escalates to root on the host by abusing a custom runc wrapper.

HTB: Giveback