HTB: Gavel

Gavel is a Linux box hosting a PHP auction website with an exposed .git directory. I’ll recover the source code with git-dumper and exploit a novel SQL injection technique that bypasses PDO’s backtick-quoted prepared statements to dump the database. After cracking a bcrypt hash, I’ll access the admin panel and exploit PHP’s runkit extension to inject arbitrary code into auction rules, getting RCE. I’ll pivot to the next user via password reuse, then reverse engineer a custom daemon that validates submitted PHP rules against a restrictive php.ini. Since file_put_contents isn’t disabled, I’ll overwrite the php.ini to remove all restrictions, then use a second submission to get a root shell.