Gavel is a Linux box hosting a PHP auction website with an exposed .git directory. I’ll recover the source code with git-dumper and exploit a novel SQL injection technique that bypasses PDO’s backtick-quoted prepared statements to dump the database. After cracking a bcrypt hash, I’ll access the admin panel and exploit PHP’s runkit extension to inject arbitrary code into auction rules, getting RCE. I’ll pivot to the next user via password reuse, then reverse engineer a custom daemon that validates submitted PHP rules against a restrictive php.ini. Since file_put_contents isn’t disabled, I’ll overwrite the php.ini to remove all restrictions, then use a second submission to get a root shell.

0xdf hacks stuff

A detailed walkthrough of the HackTheBox machine 'Gavel', a Linux box running a PHP auction website. The attack chain involves recovering source code from an exposed .git directory using git-dumper, exploiting a novel SQL injection that bypasses PDO's backtick-quoted prepared statements, cracking a bcrypt hash to access the admin panel, and leveraging PHP's runkit extension to inject arbitrary code for RCE. Privilege escalation involves password reuse to pivot users, then reverse engineering a custom PHP rule validation daemon. By overwriting php.ini using file_put_contents (which wasn't disabled), all PHP restrictions are removed, enabling a root shell via a second submission.

HTB: Gavel