Detailed, reproducible playbook-style walkthrough. Commands and payloads are given verbatim where safe - sensitive values and flags are redacted and shown as placeholders. Replace ATTACKER_IP and ports where noted.
Target Overview
Host: giveback.htb / 10.10.11.94 (internal lab)
Attacker: 10.10.14.81 (replace with your IP)
High-Level Attack Chain Used:
WordPress GiveWP PHP object injection → initial code execution (CVE-2024-5932)
Leverage internal CMS / php-cgi parameter injection to get root shell (CVE-2024-4577)
Use mounted Kubernetes service account token to enumerate secrets
Decode credentials → SSH to user babywyrm
Abuse sudo /opt/debug (runc wrapper) and craft an OCI bundle to read /root/root.txt
0 - Preparation on Attacker
Environment Setup
Add a convenient hosts entry (optional):
echo "10.10.11.94 giveback.htb" | sudo tee -a /etc/hosts
Why this matters: While you can work directly with the IP address, using the hostname makes commands more readable and matches the certificate/virtual host configuration that WordPress may require.
Open multiple terminal panes and keep listeners ready. Replace ATTACKER_IP below with your machine IP (e.g. 10.10.14.81).
Pro tip: Use tmux or screen to manage multiple shells simultaneously. You'll need at least three terminal windows: one for listeners, one for executing exploits, and one for notes/monitoring.
1 - Recon (Quick Commands)
Network Service Discovery
Nmap to discover services (example):
nmap -sV -A 10.10.11.94 -oA nmap/giveback
What to look for:
Port 80/443 (HTTP/HTTPS) running WordPress
Any unusual high-numbered ports that might indicate internal services
Version numbers of web servers (Apache, nginx) that might have known vulnerabilities
Response timing that suggests firewalls or IDS/IPS systems
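The checklist above can be applied mechanically to the grepable file that `-oA nmap/giveback` writes (`nmap/giveback.gnmap`), for example when reviewing what a host you administer exposes. This is an added example, not part of the original walkthrough; the sample line, the 10000 high-port cutoff, and the function names are assumptions, and because the grepable format carries no timing data, a `filtered` state stands in for the firewall hint.

```python
# Added example: triage the .gnmap file that `-oA nmap/giveback` writes.
WEB_PORTS = {80, 443}
HIGH_PORT_FLOOR = 10000  # assumption: cutoff for "unusual high-numbered"

# Constructed sample in Nmap grepable format; not output from the lab host.
SAMPLE_GNMAP = (
    "# Nmap scan (constructed sample)\n"
    "Host: 192.0.2.10 (example.test)\tPorts: "
    "22/open/tcp//ssh//OpenSSH 8.9p1/, "
    "80/open/tcp//http//nginx 1.18.0/, "
    "8443/filtered/tcp//https-alt///, "
    "30686/open/tcp//http///\tIgnored State: closed (996)\n"
)

def parse_gnmap(text):
    """Yield (host, port, state, service, version) per port entry."""
    for line in text.splitlines():
        fields = line.split("\t")
        ports = [f for f in fields if f.startswith("Ports:")]
        if not line.startswith("Host:") or not ports:
            continue
        host = fields[0].split()[1]
        for entry in ports[0][len("Ports:"):].split(", "):
            # Entry layout: port/state/proto/owner/service/rpcinfo/version/
            parts = (entry.strip().split("/") + [""] * 7)[:7]
            port, state, _proto, _owner, service, _rpc, version = parts
            yield host, int(port), state, service, version

def triage(text):
    """Tag each open or filtered port against the checklist above."""
    findings = []
    for host, port, state, service, version in parse_gnmap(text):
        if state not in ("open", "filtered"):
            continue
        tags = []
        if port in WEB_PORTS:
            tags.append("web")
        if port >= HIGH_PORT_FLOOR:
            tags.append("high-port")
        if state == "filtered":
            tags.append("filtered")       # a packet filter dropped the probe
        elif not version:
            tags.append("no-version")     # -sV could not fingerprint it
        findings.append((host, port, service, version, tags))
    return findings

if __name__ == "__main__":
    for host, port, service, version, tags in triage(SAMPLE_GNMAP):
        print(f"{host}:{port:<6}{service:<10}{version or '-':<16}{','.join(tags)}")
```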

