Gavel

Platform: Hack The Box

Season: 9

Difficulty: Medium

OS: Linux (Ubuntu)

Date: 2025-11-30

Author: x4cc3


Executive Summary

Gavel is a Medium Linux machine running an auction website on Apache. An exposed .git directory reveals PHP source code with a SQL injection vulnerability in the inventory page. The SQLi uses a PDO parameterized query bypass (backslash + null byte) to extract an auctioneer's bcrypt hash. After logging into the admin panel, a PHP code execution vulnerability in the auction rule field allows injecting a reverse shell. A custom daemon (gaveld) running as root processes submitted auction items, and a two-stage exploit overwrites PHP restrictions then creates a SUID root shell.
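The foothold above starts with Apache serving the site's .git directory. As an added defensive example (not configuration from the target or the writeup), the vhost below shows the weak default beside a hardened rule; the document root /var/www/gavel.htb is an assumed placeholder.

```apache
# Added example, not the target's real configuration.
# Assumed document root; adjust to the real vhost path.
<VirtualHost *:80>
    ServerName gavel.htb
    DocumentRoot /var/www/gavel.htb

    # Weak setting (what an exposed .git looks like): nothing blocks
    # dot-directories, so /.git/HEAD, /.git/config and the object store
    # are served and the full PHP source can be reconstructed.
    # <Directory /var/www/gavel.htb>
    #     Require all granted
    # </Directory>

    # Hardened: refuse any request that resolves into a .git directory
    # anywhere under the document root (covers nested checkouts too).
    <DirectoryMatch "/\.git(/|$)">
        Require all denied
    </DirectoryMatch>

    # Also hide other dotfiles that leak secrets (.env, .svn, .htpasswd).
    <FilesMatch "^\.">
        Require all denied
    </FilesMatch>
</VirtualHost>
```

After reloading Apache, `curl -sI http://gavel.htb/.git/HEAD` should return 403 instead of 200.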


Reconnaissance

Port Scan

nmap -Pn -sV -sC -T4 -A 10.10.11.97
Port     Service   Version
22/tcp   SSH       OpenSSH 8.9p1 (Ubuntu)
80/tcp   HTTP      Apache httpd 2.4.52 (Ubuntu)

Added gavel.htb to /etc/hosts.

Web app on port 80

Directory Enumeration

ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt \
     -u http://gavel.htb/FUZZ -e .php

Key findings: