Task: HackTheBox Full Pwn machine with openSUSE Leap 15.6 and Pterodactyl Panel v1.11.10. Solution: Chain of three CVEs — LFI via pearcmd.php for RCE, PAM environment injection for polkit bypass, XFS resize race condition for SUID root shell.
HackTheBox Full Pwn machine. openSUSE Leap 15.6 with Pterodactyl Panel v1.11.10. Three CVEs chained: LFI → RCE → polkit bypass → race condition → root.
Target: 10.129.4.204 (HTB VPN)
OS: openSUSE Leap 15.6 (Kernel 6.4.0-150600.23.65-default, Btrfs)
Services: SSH (22), nginx (80), PHP-FPM (9000), MariaDB (3306), Redis (6379), Postfix (25)
Web: Pterodactyl Panel v1.11.10 on panel.pterodactyl.htb
Flag format: 32-char hex hashes
Hard-level machine with a chain of three 2025 CVEs. Key characteristics:
- user_readenv=1 by default allows environment variable injection (CVE-2025-6018)
- nosuid (CVE-2025-6019)
- targetpw in sudoers — trap: sudo (ALL) ALL is useless without root password
- Hint for privesc — email from headmonitor about "Unusual udisksd activity".
```bash
nmap -sV -sC -p- 10.129.4.204 --open -T4
```
| Port | Service | Details |
|---|---|---|
| 22/tcp | SSH | OpenSSH |
| 80/tcp | nginx | Two vhosts: pterodactyl.htb (static), panel.pterodactyl.htb (Pterodactyl Panel) |
Pterodactyl Panel v1.11.10 identified on panel.pterodactyl.htb.
Pterodactyl Panel v1.11.10 has unauthenticated LFI via endpoint /locales/locale.json — parameters locale and namespace allow path traversal.
Key technique: including pearcmd.php (/usr/share/php/PEAR/pearcmd.php on openSUSE) allows using PEAR config-create to write arbitrary PHP files.
Exploit rce.py (two-stage):
```python
#!/usr/bin/env python3
"""
CVE-2025-49132 — Pterodactyl Panel LFI via pearcmd.php
Stage 1: Write PHP payload via pearcmd config-create to /var/tmp/
Stage 2: Include the written file via LFI to execute commands
"""
import requests
import sys

TARGET = "http://panel.pterodactyl.htb"
...
```
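On the defensive side, the same two details that make the LFI usable (traversal in the `locale`/`namespace` parameters of `/locales/locale.json`, and inclusion of `pearcmd.php`) are enough to spot it in nginx access logs. The following detection helper is an added example, not part of the writeup or of the Pterodactyl project; the log lines and client addresses in it are constructed.

```python
#!/usr/bin/env python3
"""Flag nginx access-log lines that look like abuse of the Pterodactyl
/locales/locale.json endpoint (CVE-2025-49132): traversal in the locale or
namespace parameter, or an attempt to pull in pearcmd.php."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# nginx "combined" format: client, ident, user, [time], "request", status, bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample traffic (not captured from the machine): one benign lookup,
# two traversal attempts (one double-encoded), one unrelated API call.
SAMPLE_LOG = """\
10.10.14.7 - - [01/Jan/2025:10:00:00 +0000] "GET /locales/locale.json?locale=en&namespace=auth HTTP/1.1" 200 512
10.10.14.5 - - [01/Jan/2025:10:00:01 +0000] "GET /locales/locale.json?locale=../../../../../../usr/share/php/PEAR/pearcmd&namespace=auth HTTP/1.1" 200 1337
10.10.14.5 - - [01/Jan/2025:10:00:02 +0000] "GET /locales/locale.json?locale=..%252F..%252F..%252Fvar%252Ftmp%252Fx&namespace=php HTTP/1.1" 200 42
10.10.14.5 - - [01/Jan/2025:10:00:03 +0000] "GET /api/client HTTP/1.1" 200 300
"""


def parse_line(line):
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_reasons(target):
    """Return the reasons a request target looks like locale.json LFI abuse ([] if clean)."""
    parts = urlsplit(target)
    if not parts.path.endswith("/locales/locale.json"):
        return []
    reasons = []
    params = parse_qs(parts.query, keep_blank_values=True)
    for name in ("locale", "namespace"):
        for raw in params.get(name, []):
            value = unquote(raw)  # parse_qs decoded once; decode again for %252F-style double encoding
            if ".." in value or "/" in value or "\\" in value:
                reasons.append(f"{name}: traversal characters")
            if "pearcmd" in value.lower():
                reasons.append(f"{name}: pearcmd.php inclusion attempt")
    return reasons


def scan_log(text):
    """Return (client_ip, request_target, reasons) for every suspicious line in the log text."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = suspicious_reasons(rec["target"])
        if reasons:
            hits.append((rec["ip"], rec["target"], reasons))
    return hits
```

Running `scan_log(SAMPLE_LOG)` returns the two requests from 10.10.14.5, the first tagged with both traversal and the pearcmd inclusion attempt.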