HackTheBox: Pterodactyl - Writeup
Difficulty: Medium
OS: Linux (openSUSE Leap 15.6)
Release: Season 10
Table of Contents
- Reconnaissance
- Web Enumeration
- Exploitation - CVE-2025-49132
- Remote Code Execution via PEAR
- Database Enumeration
- SSH Access
- Privilege Escalation
- Root Access
- Lessons Learned
Reconnaissance
Initial Port Scan
Starting with a comprehensive port scan to identify running services:
nmap -sC -sV -oN nmap/initial [TARGET_IP]
Results:
| Port | Service | Version |
|---|---|---|
| 22 | SSH | OpenSSH 9.6 |
| 80 | HTTP | nginx 1.21.5 |
The scan reveals a Linux host running SSH and an nginx web server. The HTTP title shows "My Minecraft Server", hinting at game server management software.
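To turn the raw `-oN` output into the service table shown above without retyping it, here is a small parser for nmap's normal output format. This is an added example, not part of the original writeup; the nmap output it parses is a constructed sample modelled on the scan (host, key fingerprints and timings are made up), and `parse_nmap_normal`/`to_markdown_table` are names chosen here.

```python
import re
from typing import Dict, List

# Constructed sample of `nmap -sC -sV -oN` output, shaped like the scan in the
# writeup. The address, host keys and timings are invented for the example.
SAMPLE_NMAP_OUTPUT = """\
# Nmap 7.94 scan initiated as: nmap -sC -sV -oN nmap/initial 10.10.10.10
Nmap scan report for 10.10.10.10
Host is up (0.020s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.6 (protocol 2.0)
| ssh-hostkey:
|   256 aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99 (ECDSA)
|_  256 99:88:77:66:55:44:33:22:11:00:ff:ee:dd:cc:bb:aa (ED25519)
80/tcp open  http    nginx 1.21.5
|_http-title: My Minecraft Server
|_http-server-header: nginx/1.21.5
Service detection performed. Please report any incorrect results.
# Nmap done -- 1 IP address (1 host up) scanned in 12.34 seconds
"""

# A port line: "<port>/<proto> <state> <service> [version text]"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# An NSE script result line: "| name: value" or "|_name: value"
SCRIPT_LINE = re.compile(r"^\|_?\s*([\w-]+):\s*(.*)$")


def parse_nmap_normal(text: str) -> List[Dict[str, object]]:
    """Parse nmap -oN output into a list of per-port dicts.

    Each dict carries port, proto, state, service, version and a `scripts`
    dict of NSE script name -> first line of its output. Multi-line script
    bodies (like ssh-hostkey's key list) are not matched by SCRIPT_LINE and
    are simply skipped.
    """
    services: List[Dict[str, object]] = []
    current: Dict[str, object] | None = None
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            current = {
                "port": int(m.group(1)),
                "proto": m.group(2),
                "state": m.group(3),
                "service": m.group(4),
                "version": m.group(5).strip(),
                "scripts": {},
            }
            services.append(current)
            continue
        m = SCRIPT_LINE.match(line)
        if m and current is not None:
            current["scripts"][m.group(1)] = m.group(2).strip()  # type: ignore[index]
    return services


def to_markdown_table(services: List[Dict[str, object]]) -> str:
    """Render the open ports as the Port/Service/Version table used in the writeup."""
    rows = ["| Port | Service | Version |", "|---|---|---|"]
    for s in services:
        if s["state"] != "open":
            continue
        rows.append(f"| {s['port']} | {s['service']} | {s['version']} |")
    return "\n".join(rows)


if __name__ == "__main__":
    parsed = parse_nmap_normal(SAMPLE_NMAP_OUTPUT)
    print(to_markdown_table(parsed))
    # The http-title script output is what hinted at game-server software.
    for s in parsed:
        title = s["scripts"].get("http-title")  # type: ignore[union-attr]
        if title:
            print(f"port {s['port']} title: {title}")
```

Point it at a real file with `parse_nmap_normal(open("nmap/initial").read())`; the regexes only rely on the stable `<port>/<proto>` and `|`/`|_` prefixes of the normal output, so they are tolerant of column-width changes between nmap versions.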
Service Fingerprinting
whatweb http://[TARGET_IP]
The response indicates a redirect and reveals PHP/Laravel headers, suggesting a Laravel-based application.
Web Enumeration
Virtual Host Discovery
Accessing the IP directly shows a default page. Checking for virtual hosts by examining the redirect:
curl -I http://[TARGET_IP]
The server redirects to pterodactyl.htb. Adding this to /etc/hosts:
echo "[TARGET_IP] pterodactyl.htb" | sudo tee -a /etc/hosts
Further enumeration reveals additional subdomains:
- panel.pterodactyl.htb - The Pterodactyl Panel admin interface
- play.pterodactyl.htb - Game server access
echo "[TARGET_IP] panel.pterodactyl.htb play.pterodactyl.htb" | sudo tee -a /etc/hosts
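The two `tee -a` commands above append two separate lines for the same IP, and running them again appends duplicates. The helper below is an added example (not from the writeup) that merges hostnames onto the existing line for an IP, skips names already present, and reports a name that is already mapped to a different address instead of silently shadowing it. The function name `add_hosts_entries` and the sample hosts content are assumptions made here.

```python
from typing import Dict, List, Tuple


def add_hosts_entries(hosts_text: str, ip: str, names: List[str]) -> Tuple[str, Dict[str, str]]:
    """Return (updated hosts file text, conflicts).

    - Names already mapped to `ip` are skipped, so the call is idempotent.
    - New names are merged onto the first existing line for `ip`, or a new
      line is appended when there is none.
    - A name already mapped to a different IP is left untouched and reported
      in `conflicts` as {name: existing_ip}, because a duplicate entry would
      be ignored by the resolver anyway (first match wins).
    """
    lines = hosts_text.splitlines()
    mapped: Dict[str, str] = {}   # hostname -> first IP it resolves to
    target_idx = None             # index of the first line that already maps `ip`
    for idx, line in enumerate(lines):
        body = line.split("#", 1)[0].strip()   # drop comments
        if not body:
            continue
        fields = body.split()
        line_ip, line_names = fields[0], fields[1:]
        for n in line_names:
            mapped.setdefault(n, line_ip)
        if line_ip == ip and target_idx is None:
            target_idx = idx

    conflicts = {n: mapped[n] for n in names if n in mapped and mapped[n] != ip}
    seen = set()
    to_add = [n for n in names if n not in mapped and not (n in seen or seen.add(n))]

    if to_add:
        if target_idx is None:
            lines.append(f"{ip} {' '.join(to_add)}")
        else:
            body, _, comment = lines[target_idx].partition("#")
            new_body = " ".join(body.split() + to_add)
            lines[target_idx] = new_body + (f" #{comment}" if comment else "")
    return "\n".join(lines) + "\n", conflicts


if __name__ == "__main__":
    # Constructed starting content; on a real system read and write /etc/hosts
    # (with sudo) instead of this string.
    hosts = "127.0.0.1 localhost\n"
    hosts, _ = add_hosts_entries(hosts, "10.10.10.10", ["pterodactyl.htb"])
    hosts, _ = add_hosts_entries(hosts, "10.10.10.10", ["panel.pterodactyl.htb", "play.pterodactyl.htb"])
    hosts, clashes = add_hosts_entries(hosts, "10.10.10.11", ["pterodactyl.htb"])
    print(hosts, end="")
    print("conflicts:", clashes)
```

The conflict report matters on a lab machine that is reused across boxes: a stale `pterodactyl.htb` line pointing at last week's target would otherwise win over the new one without any visible error.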
Panel Reconnaissance
Accessing panel.pterodactyl.htb presents the Pterodactyl Panel login page. Key observations:
- Framework: Laravel (PHP)
- Cookies: XSRF-TOKEN, pterodactyl_session (confirming Laravel)
- Version: Visible in page source/JavaScript files
Checking for publicly accessible files:
curl http://panel.pterodactyl.htb/robots.txt
curl http://panel.pterodactyl.htb/.env
The .env file returns 403, but this confirms its existence.
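From the server side, requests for `/robots.txt` are routine but a request for `/.env` is a reliable signal that someone is probing a Laravel install, whatever status code came back (a 403 is what nginx's usual `location ~ /\. { deny all; }` rule returns for any dotfile, present or not, so the response alone does not settle whether the file exists). The detection below is an added example, not part of the writeup: it parses nginx combined-format access log lines and reports, per client, requests for dotfile paths. The log lines are constructed for the example and the function names are chosen here.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed nginx access log lines in the default "combined" format.
# Addresses, timestamps and sizes are invented; they mirror the probing
# sequence in the writeup (robots.txt, then .env) plus normal user traffic.
SAMPLE_ACCESS_LOG = """\
10.10.14.5 - - [01/Jan/2025:12:00:01 +0000] "GET / HTTP/1.1" 302 0 "-" "curl/8.0.1"
10.10.14.5 - - [01/Jan/2025:12:00:05 +0000] "GET /robots.txt HTTP/1.1" 404 153 "-" "curl/8.0.1"
10.10.14.5 - - [01/Jan/2025:12:00:09 +0000] "GET /.env HTTP/1.1" 403 153 "-" "curl/8.0.1"
10.10.14.5 - - [01/Jan/2025:12:00:12 +0000] "GET /.git/config HTTP/1.1" 403 153 "-" "curl/8.0.1"
192.168.1.20 - - [01/Jan/2025:12:01:00 +0000] "GET /auth/login HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
192.168.1.20 - - [01/Jan/2025:12:01:03 +0000] "GET /assets/app.js HTTP/1.1" 200 88213 "http://panel.pterodactyl.htb/auth/login" "Mozilla/5.0"
"""

# nginx "combined" log format:
# $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec: Dict[str, object] = m.groupdict()
    rec["status"] = int(m.group("status"))
    return rec


def is_dotfile_path(path: str) -> bool:
    """True if any path segment starts with '.', e.g. /.env or /.git/config."""
    path = path.split("?", 1)[0]          # ignore the query string
    return any(seg.startswith(".") for seg in path.split("/") if seg)


def find_dotfile_probes(log_text: str) -> Dict[str, List[Tuple[str, int]]]:
    """Return {client_ip: [(path, status), ...]} for every dotfile request.

    403 and 404 responses are deliberately kept: the probe itself is the
    signal, regardless of whether the server blocked it.
    """
    probes: Dict[str, List[Tuple[str, int]]] = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_dotfile_path(str(rec["path"])):
            probes[str(rec["ip"])].append((str(rec["path"]), int(rec["status"])))  # type: ignore[arg-type]
    return dict(probes)


if __name__ == "__main__":
    for ip, hits in find_dotfile_probes(SAMPLE_ACCESS_LOG).items():
        print(f"{ip}: {len(hits)} dotfile request(s)")
        for path, status in hits:
            print(f"  {status} {path}")
```

Running this over `/var/log/nginx/access.log` (with `open(...).read()` in place of the sample) gives a per-client list that is easy to feed into an alert; thresholding on the count per client, or on any 200 for a dotfile path, is the natural next step for a production rule.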