Giveback

Platform: Hack The Box

Season: 9

Difficulty: Medium

OS: Linux (Kubernetes)

Date: 2025-11-02

Author: x4cc3

Executive Summary

Giveback is a Medium Linux machine running WordPress with a GiveWP plugin. After exploiting CVE-2012-1823 (PHP-CGI RCE inside the WordPress pod), a Kubernetes service account token is found at /run/secrets/. The K8s API is queried to dump Kubernetes Secrets containing SSH credentials for three users. SSH as babywyrm reveals a SUID wrapper (/opt/debug) around runc. Creating an OCI container config with host bind mount allows reading the root flag.

Recon

Port Service
22/tcp SSH
80/tcp HTTP — WordPress 6.8.1 (GiveWP)

Giveback landing page

Giveback landing page

GiveWP plugin version detection

GiveWP plugin version detection

CVE research screenshot 1

CVE research screenshot 1

Metasploit attempt

Metasploit attempt

Valuable information from metasploit

Valuable information from metasploit

Wrong CVE corrected

Wrong CVE corrected

Exploitation

CVE-2012-1823 — PHP-CGI RCE