HackTheBox - GiveBack

IppSec • February 21, 2026

Why It Matters

Unpatched web‑app components can cascade into full‑cluster compromise, making proactive patch management and secure container configurations essential for enterprises.

Key Takeaways

  • Identify vulnerable Give WP plugin version 3.14.0 for RCE.
  • Exploit leads to Kubernetes pod discovery and token extraction.
  • Token enables secret reading and SSH access via password reuse.
  • Container escape achieved through runC CVE and wrapper misconfiguration.
  • Chisel proxy setup reveals internal CMS exposing legacy CGI scripts.

Summary

The video walks through the Hack The Box “GiveBack” challenge, showing how a seemingly ordinary WordPress site can be leveraged to gain full control of a Kubernetes‑hosted environment.

The presenter first discovers that the site runs an outdated Give plugin (v3.14.0) with a remote‑code‑execution flaw. Using a public exploit, he obtains a shell inside the container, finds a second pod with a PHP vulnerability, and extracts the Kubernetes service‑account token, which grants read access to cluster secrets.

He highlights a classic deny‑list mistake in the wrapper binary that forwards execution to runC, allowing a runC CVE to escape the container. After escaping, he uses chisel to establish a SOCKS proxy and navigates an internal CMS still exposing legacy CGI scripts, illustrating the depth of the breach.
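
The deny-list weakness mentioned above, shown as an added sketch that is not code from the video or from the box's wrapper: a raw-string prefix check on bind-mount sources is compared with canonicalizing the path and then requiring an approved root. The policy values, the sample bundle config, and the function names are assumptions made for illustration.

```python
import json
import os

# Hypothetical policy values for this sketch, not taken from the GiveBack wrapper.
DENIED_PREFIXES = ("/root", "/etc", "/proc", "/sys")
ALLOWED_ROOTS = ("/srv/containers",)

# Constructed OCI-style bundle config: only the "mounts" array matters here.
SAMPLE_CONFIG = json.dumps({"mounts": [
    {"destination": "/proc", "type": "proc", "source": "proc"},
    {"destination": "/data", "type": "bind", "source": "/srv/containers/app/data",
     "options": ["rbind", "ro"]},
    {"destination": "/mnt", "type": "bind",
     "source": "/srv/containers/app/../../../root", "options": ["rbind"]},
    {"destination": "/host", "type": "bind", "source": "/root", "options": ["rbind"]},
]})

def denylist_check(source):
    """Weak: compares the raw string against forbidden prefixes."""
    return not source.startswith(DENIED_PREFIXES)

def allowlist_check(source):
    """Hardened: canonicalize (".." and symlinks), then require an approved root."""
    real = os.path.realpath(source)
    roots = [os.path.realpath(r) for r in ALLOWED_ROOTS]
    return any(real == r or real.startswith(r + os.sep) for r in roots)

def is_bind(mount):
    """Bind mounts are marked by type "bind" or a bind/rbind option."""
    opts = set(mount.get("options", []))
    return mount.get("type") == "bind" or bool(opts & {"bind", "rbind"})

def audit_mounts(config_text):
    """Return (source, passes_denylist, passes_allowlist) per bind mount."""
    mounts = json.loads(config_text).get("mounts", [])
    return [(m["source"], denylist_check(m["source"]), allowlist_check(m["source"]))
            for m in mounts if is_bind(m) and "source" in m]

if __name__ == "__main__":
    for source, deny_ok, allow_ok in audit_mounts(SAMPLE_CONFIG):
        print(f"{source!r}: deny-list={'pass' if deny_ok else 'block'}, "
              f"allow-list={'pass' if allow_ok else 'block'}")
```

A canonicalize-then-check approach still leaves a window between the check and the mount if the caller can modify the directory tree, so the allowed roots should be writable only by the privileged user.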

The chain underscores the business risk of unpatched WordPress plugins, the dangers of relying on deny‑list security models, and the critical need for proper secret handling in container orchestration platforms.

Original Description

00:00 - Introduction
01:00 - Start of nmap
03:20 - Adding the API Key to our WPScan
08:00 - Discovering a POC for the GiveWP plugin and getting a shell
12:00 - Looking at the WP Database, not getting much information
18:00 - Discovering an HTTP endpoint in the environment variable, setting up chisel to look at it
22:00 - Looking at the custom web page, it is vulnerable to a PGP CGI Vulnerability
30:00 - Shell on the second pod
31:00 - Discovering a Kubernetes (k8s) token, copying it back to our box and setting up kubectl to examine Kubernetes and dumping secrets
39:50 - Showing we didn't need KubeCTL we could have used curl, showing hacktricks page that has some nice tips on setting this up to easily query the k8s api
44:50 - With a password from k8s, we can log in to the box and execute a runc wrapper with sudo. It is running version 1.1.11 which is vulnerable to a sandbox escape.
52:15 - Showing an alternative way to exploit this binary through exploiting the wrapper with a simple path traversal in mounts