HackTheBox - Gavel

Name: HackTheBox - Gavel
Uploaded: 2026-03-14T15:01:31Z
Channel: IppSec
Description: 00:00 - Introduction 00:30 - Start of nmap 02:00 - Discovering .git directory, using git-dumper to download source code 05:50 - Using OpenGrep to identi...

IppSec · Beginner ·🔐 Cybersecurity ·2w ago

00:00 - Introduction 00:30 - Start of nmap 02:00 - Discovering .git directory, using git-dumper to download source code 05:50 - Using OpenGrep to identify vulnerabilities and discovering an SQL Injection in the Prepared Statement 08:30 - Going over this weird SQL Injection in PHP MySQL Prepared Statements, which is an odd scenario of having control over the column name in the query 11:00 - Creating the SQL Injection Payload in the prepared statement 18:40 - We can't use a ascii quote, but can hex encode to get around the limitation 23:50 - Cracking the hash and getting admin on the application…

Watch on YouTube ↗ (saves to browser)

Chapters (15)

Introduction

0:30 Start of nmap

2:00 Discovering .git directory, using git-dumper to download source code

5:50 Using OpenGrep to identify vulnerabilities and discovering an SQL Injection in

8:30 Going over this weird SQL Injection in PHP MySQL Prepared Statements, which is

11:00 Creating the SQL Injection Payload in the prepared statement

18:40 We can't use a ascii quote, but can hex encode to get around the limitation

23:50 Cracking the hash and getting admin on the application

26:00 Looking at the admin functionality, discovering rules can contain PHP which wi

30:00 Shell on the box

33:30 Discovering the gavel-util and gaveld binary, copying them to our box

36:30 Opening the binaries up in Ghidra

41:30 Doing some dynamic analysis on our box, running gavil-util to see what it writ

44:30 Setting the environment variable RULE_PATH to change where gaveld loads the PH

50:15 Showing another way we could exploit this, using PHP to rewrite the PHP.INI re

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →