HackTheBox - Pterodactyl

IppSec
May 16, 2026

Why It Matters

Understanding how individually modest issues (an LFI in the web panel, a stray PEAR install on the web host, and unpatched PAM and udisks packages) combine into full system compromise helps security teams prioritize patching and build detections for multi-stage attacks rather than single indicators.

Key Takeaways

  • Fingerprint the Pterodactyl panel as version 1.11.10 by matching the JS bundle name against the GitHub releases.
  • Exploit the local file inclusion (CVE-2025-49132) to read the Laravel configuration, which holds the database and Redis credentials.
  • The presence of the PHP PEAR directory on the host is what lets the exploit turn the file inclusion into remote code execution.
  • Privilege escalation chains CVE-2025-6018 (polkit treats the attacker's session as a physically logged-in, active user) with CVE-2025-6019 (udisks mounts a filesystem without nosuid while resizing it), so a bash binary in an attacker-supplied image runs as root.
  • The exploit script only tries PHP gadget chains up to Laravel RCE10; extending it to later chains can succeed where the defaults fail.

Summary

The video walks through the Hack The Box "Pterodactyl" machine, which is built around the Pterodactyl game-server management panel. The presenter starts with an nmap scan, which shows only SSH (22) and HTTP (80), uses ffuf to find the panel vhost pterodactyl.htb, and fingerprints the panel as version 1.11.10 by matching the JS bundle name against the GitHub releases.

The foothold is a local file inclusion (CVE-2025-49132) that discloses the full Laravel configuration, including database and Redis credentials. The PHP PEAR directory present on the host is what allows the public exploit script to turn that inclusion into remote code execution. From the shell, the database is dumped and a cracked credential yields a user account. Privilege escalation then chains CVE-2025-6018, which makes polkit treat the attacker as a physically logged-in user, with CVE-2025-6019, a udisks bug that mounts a partition without the nosuid flag during a resize.

The presenter reads the panel source to reproduce the exploit by hand rather than relying on the script, and shows the patch diff that removed the unsafe loader calls. He also experiments with PHP gadget-chain tooling, noting that the default script stops at the Laravel RCE10 chain and that extending it to later chains could unlock further exploits.

Overall, the walkthrough highlights the value of precise version fingerprinting, chaining multiple low‑level vulnerabilities, and reviewing patch commits to craft reliable exploits—skills essential for red‑team operations and defensive hardening.

Original Description

01:05 - Start of nmap
04:00 - Using ffuf to find the panel subdomain, which shows pterodactyl.htb
06:30 - Discovering the version of pterodactyl running by looking at the GitHub Releases and looking for the js bundle name
10:00 - Searching CVEs, finding the Pterodactyl CVE-2025-49132 PoC, and running an exploit script
17:00 - Finding PHP PEAR directory which allows our exploit to run
19:05 - Looking at the source code, and running through the exploit manually
36:00 - Shell on the box, dump the database, crack a cred to get an account
43:40 - Looking at CVE-2025-6018, which lets us impersonate a physically logged-in user in PolicyKit
46:25 - Exploiting CVE-2025-6019 which is a CVE in UDISKS, when it does the resize it mounts a partition without the NOSUID flag
52:55 - Starting a script to execute bash in our malicious mount, then telling udisks to resize it and getting a shell
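The udisks step above works because the filesystem the attacker supplies is mounted without nosuid, so a setuid bash inside it runs as root. The same condition is easy to audit on a live host: any loop-backed or removable-media mount that lacks nosuid (and nodev) is a candidate. The following is an added example, not from the video or the udisks project, that parses the /proc/mounts format and reports such mounts; the sample text is constructed, the mountpoint names in it are assumptions, and the allowlist of trusted loop mounts (snap) is an assumption a practitioner would tune for their own fleet.

```python
"""Report loop-backed or removable mounts missing nosuid/nodev.

Added example; reads the /proc/mounts format. The sample text below is
constructed and its mountpoints are assumptions, not paths from the video.
"""
import re

REMOVABLE_PREFIXES = ("/media/", "/run/media/")
# Loop mounts created by a trusted daemon that legitimately lack nosuid;
# assumption for this example, tune per fleet.
DEFAULT_ALLOWLIST = ("/snap/",)
REQUIRED = {"nosuid", "nodev"}


def unescape_mount_field(field: str) -> str:
    """/proc/mounts escapes space, tab, newline and backslash as \\0NN octal."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mounts(text: str) -> list:
    """Parse '<source> <target> <fstype> <options> <dump> <pass>' lines."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        source, target, fstype, opts = fields[:4]
        entries.append({
            "source": unescape_mount_field(source),
            "target": unescape_mount_field(target),
            "fstype": fstype,
            "options": set(opts.split(",")),
        })
    return entries


def is_untrusted(entry: dict, allowlist=DEFAULT_ALLOWLIST) -> bool:
    """True for loop devices (attacker-supplied images) and removable media."""
    if entry["target"].startswith(allowlist):
        return False
    if entry["source"].startswith("/dev/loop"):
        return True
    return entry["target"].startswith(REMOVABLE_PREFIXES)


def risky_mounts(entries: list, allowlist=DEFAULT_ALLOWLIST) -> list:
    """Return (target, source, missing_options) for untrusted mounts lacking nosuid/nodev."""
    out = []
    for e in entries:
        if not is_untrusted(e, allowlist):
            continue
        missing = sorted(REQUIRED - e["options"])
        if missing:
            out.append((e["target"], e["source"], missing))
    return out


# Constructed sample: root fs, a correctly mounted USB stick (note the
# escaped space), a loop-backed image mounted during a resize without
# nosuid, and a snap squashfs that is loop-backed but allowlisted.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sdb1 /run/media/ipp/USB\\040DISK vfat rw,nosuid,nodev,relatime 0 0
/dev/loop7 /tmp/blockdev.abc123 xfs rw,relatime,attr2 0 0
/dev/loop0 /snap/core22/1234 squashfs ro,nodev,relatime 0 0
"""

if __name__ == "__main__":
    try:
        with open("/proc/mounts") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE_MOUNTS
    for target, source, missing in risky_mounts(parse_mounts(text)):
        print(f"{target} ({source}) missing: {', '.join(missing)}")
```

Run it as root while the resize is in flight (or from a periodic job) and the transient loop mount shows up with both options missing; the fix is the udisks update, but the check also catches sloppy `/etc/fstab` entries for removable media that would give an attacker the same primitive without any CVE.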
