0xdfGiveback from HackTheBox is a Kubernetes box with GiveWP PHP object injection for RCE, PHP-CGI argument injection via Best-Fit characters on a legacy internal app, K8s API secret dumping, and a container escape through runc two ways.
HTB: Giveback
Giveback starts with a WordPress website with a donation plugin that’s vulnerable to a RCE exploit. I’ll get a shell in a Kubernetes pod, and use it to scan an internal legacy app running PHP-CGI. I’ll abuse a vulnerability in that application to get to the next pod, where I’ll find a Kubernetes secret to interact with the API and dump secrets. I’ll use an SSH password to get on the host. For root I’ll abuse a custom wrapper around runc two different ways.