# 2025-11-30

Difficulty: medium, Linux

Nmap enumeration

htb/machine/Gavel
$ nmap -Pn -sV -sC -T4 -A 10.10.11.97
Starting Nmap 7.98 ( https://nmap.org ) at 2025-11-30 12:53 +0800
Nmap scan report for 10.10.11.97
Host is up (0.26s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 1f:de:9d:84:bf:a1:64:be:1f:36:4f:ac:3c:52:15:92 (ECDSA)
|_  256 70:a5:1a:53:df:d1:d0:73:3e:9d:90:ad:c1:aa:b4:19 (ED25519)
80/tcp open  http    Apache httpd 2.4.52
|_http-title: Did not follow redirect to http://gavel.htb/
|_http-server-header: Apache/2.4.52 (Ubuntu)
Service Info: Host: gavel.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 43.97 seconds

htb/machine/Gavel took 43s
$

The web app on port 80


ffuf enumeration


Gavel/gavel_source/gavel_source via 🐍 v3.13.7 (v)
❯ ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt \
     -u http://gavel.htb/FUZZ -e .php \
     -o ffuf_gavel.json -of json

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://gavel.htb/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt
 :: Extensions       : .php
 :: Output file      : ffuf_gavel.json
 :: File format      : json
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

:: Progress: [40/9500] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errors: 0 ::
[INFO] ------ PAUSING ------

entering interactive mode
type "help" for a list of commands, or ENTER to resume.
>
[INFO] ------ RESUMING -----

.git                    [Status: 301, Size: 305, Words: 20, Lines: 10, Duration: 1302ms]
.git/HEAD               [Status: 200, Size: 23, Words: 2, Lines: 2, Duration: 408ms]
.git/config             [Status: 200, Size: 136, Words: 13, Lines: 9, Duration: 408ms]
.git/logs/.php          [Status: 403, Size: 274, Words: 20, Lines: 10, Duration: 919ms]
.hta                    [Status: 403, Size: 274, Words: 20, Lines: 10, Duration: 737ms]
.htaccess               [Status: 403, Size: 274, Words: 20, Lines: 10, Duration: 737ms]
.htpasswd               [Status: 403, Size: 274, Words: 20, Lines: 10, Duration: 737ms]
.hta.php                [Status: 403, Size: 274, Words: 20, Lines: 10, Duration: 737ms]
.htaccess.php           [Status: 403, Size: 274, Words: 20, Lines: 10, Duration: 737ms]
.htpasswd.php           [Status: 403, Size: 274, Words: 20, Lines: 10, Duration: 737ms]
.git/logs/              [Status: 200, Size: 1128, Words: 77, Lines: 18, Duration: 4195ms]
.git/index              [Status: 200, Size: 224718, Words: 313, Lines: 355, Duration: 3990ms]
admin.php               [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 319ms]
admin.php               [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 319ms]
assets                  [Status: 301, Size: 307, Words: 20, Lines: 10, Duration: 298ms]
:: Progress: [3992/9500] :: Job [1/1] :: 87 req/sec :: Duration: [0:00:58] :: Errors: 0 ::

Well, would you look at that: an exposed .git directory.

Let's use gitdumper to dump the repository to our own machine.


After some analysis, my friend ChatGPT and I found a SQL injection in inventory.php.


Key points for bypassing PDO's placeholder handling:

    \? : a backslash before the question mark breaks parameter detection, since PDO scans for ? placeholders before MySQL parses the syntax and does not recognize the escaped form
    %00 : a null byte truncates the string at the C level in the MySQL driver, effectively cutting off the rest of the query
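The shape of code that leaves room for such a bypass, beside its fix, as an added illustration and not the machine's actual inventory.php (which is not reproduced here): once user input reaches the SQL text before prepare(), the placeholder scanner runs over attacker-controlled characters, and the driver default of emulated prepares means that scanning happens client-side in PDO. The hardened form keeps the SQL text constant, binds every value, and turns emulation off so the MySQL server parses the placeholders. The table and column names, DSN and credentials below are constructed for the example.

```php
<?php
// Hypothetical inventory lookup; table `inventory` with columns id, name, status
// and the DSN/credentials are constructed for this example.

function connect(): PDO {
    $pdo = new PDO('mysql:host=127.0.0.1;dbname=gavel', 'app', 'REPLACE_ME');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $pdo;
}

// Vulnerable pattern: the request value is spliced into the SQL string before
// prepare() sees it. PDO's placeholder scanner (and, with the MySQL driver
// default PDO::ATTR_EMULATE_PREPARES = true, the final query assembly) then runs
// over attacker-controlled bytes, which is the surface the notes above describe.
function lookupVulnerable(PDO $pdo, string $status): array {
    $sql = "SELECT id, name FROM inventory WHERE status = '" . $status . "' AND id > ?";
    $stmt = $pdo->prepare($sql);
    $stmt->execute([0]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: the SQL text is a literal, every user-supplied value goes
// through a typed bound parameter, and emulation is disabled so the MySQL
// server, not the PDO client-side parser, interprets the placeholders.
function lookupHardened(PDO $pdo, string $status): array {
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $stmt = $pdo->prepare(
        'SELECT id, name FROM inventory WHERE status = :status AND id > :minid'
    );
    $stmt->bindValue(':status', $status, PDO::PARAM_STR);
    $stmt->bindValue(':minid', 0, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Example call with a request parameter; the hardened lookup treats any
// quote, backslash or null byte in $status as plain data.
$status = $_GET['status'] ?? 'active';
$rows = lookupHardened(connect(), $status);
header('Content-Type: application/json');
echo json_encode($rows);
```

A quick regression check for the hardened path is to send a status value containing a single quote, a backslash-question-mark pair and a null byte and confirm that the query returns no rows and raises no driver error.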

The response returns credentials for the user auctioneer; the password is, of course, a bcrypt hash, but that's just a matter of technique.