February 7, 2026

Pterodactyl Hackthebox Writeup - Season10

HackTheBox Pterodactyl machine walkthrough

SUMMARY

This write-up covers the Pterodactyl machine from HackTheBox Season 10. Web enumeration on the target exposed a changelog page that referenced the deployment of a Pterodactyl game server management panel. Virtual host fuzzing against the domain confirmed a panel subdomain hosting the Pterodactyl login interface. The panel was found to be vulnerable to CVE-2025-49132, a critical vulnerability chaining a Local File Inclusion with abuse of pearcmd, the PHP PEAR command-line tool, to achieve unauthenticated Remote Code Execution. Exploiting this delivered an initial shell as wwwrun.

With a foothold on the server, we read the Pterodactyl .env configuration file. The file exposed database credentials, and querying the backend database revealed bcrypt password hashes for two registered users. One hash was cracked offline, yielding credentials for phileasfogg.

Internal enumeration as phileasfogg uncovered a note left by a monitoring process that explicitly referenced udisksd. Research identified CVE-2025-6018-19, a chained exploit targeting the udisks daemon that manipulates PAM configuration through a crafted XFS filesystem image to achieve privilege escalation. After correcting the public PoC and staging the required artefacts on the target, the exploit was executed across two stages, delivering a root shell and completing the machine.


PATH TO FOLLOW

  1. Reconnaissance
  2. Web Enumeration & Changelog Discovery
  3. Subdomain Fuzzing & Panel Discovery
  4. CVE-2025-49132 - Pterodactyl RCE
  5. Shell as wwwrun
  6. .env File Extraction & Database Enumeration
  7. Hash Cracking & Lateral Movement to phileasfogg
  8. Internal Enumeration & udisksd Discovery
  9. CVE-2025-6018-19 - Privilege Escalation to Root

Let’s get to work

1. Reconnaissance

A port scan against the target reveals a Linux host with SSH on port 22 and an HTTP service on port 80. The web server redirects to the pterodactyl.htb virtual host, which we add to /etc/hosts before proceeding.

sudo nmap -sCV -p80 -oN targeted <TARGET_IP>

PORT     STATE  SERVICE    VERSION
22/tcp   open   ssh        OpenSSH 9.6 (protocol 2.0)
| ssh-hostkey: 
|   256 a3:74:1e:a3:ad:02:14:01:00:e6:ab:b4:18:84:16:e0 (ECDSA)
|_  256 65:c8:33:17:7a:d6:52:3d:63:c3:e4:a9:60:64:2d:cc (ED25519)
80/tcp   open   http       nginx 1.21.5
|_http-title: Did not follow redirect to http://pterodactyl.htb/
|_http-server-header: nginx/1.21.5
443/tcp  closed https
8080/tcp closed http-proxy

Apart from SSH, the web server is the only exposed service, so all initial effort goes toward web enumeration.


2. Web Enumeration & Changelog Discovery

Browsing the main site, thorough content enumeration surfaces a changelog page.

The changelog confirms not only that Pterodactyl is running somewhere in the environment, but that it was recently set up, making it a prime target for version-based exploitation.


3. Subdomain Fuzzing & Panel Discovery

With a named product confirmed, the logical next step is to fuzz for virtual hosts. Using ffuf with a subdomain wordlist, we discover a panel virtual host.

ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-11000.txt -u http://pterodactyl.htb -H "Host: FUZZ.pterodactyl.htb" 

After adding panel.pterodactyl.htb to /etc/hosts, navigating to it presents the Pterodactyl Panel login page.


4. CVE-2025-49132

Researching the exposed Pterodactyl Panel instance leads to CVE-2025-49132. This vulnerability chains two weaknesses present in affected panel versions:

  • A Local File Inclusion that allows reading arbitrary files from the server filesystem without authentication.
  • Abuse of pearcmd (pearcmd.php), the PHP PEAR package manager’s command-line tool, which accepts GET parameters to trigger file downloads and command execution. When the LFI is pointed at pearcmd.php, crafted query parameters can be used to write a webshell or execute OS commands in the context of the web server process.

The PoC exploits both primitives in sequence: the LFI surfaces pearcmd.php, and the pearcmd execution vector is then leveraged to achieve Remote Code Execution.
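A defender-side counterpart to the chain above, added here and not part of the original write-up: a small triage script that flags access-log requests combining path traversal with a reference to pearcmd.php, decoding doubly URL-encoded paths before matching. The log format is the common combined format; the request paths, IPs and sample lines are constructed.

```python
"""Triage access-log lines for the CVE-2025-49132 pattern: path traversal in a
request parameter steered at pearcmd.php. Added example; log lines constructed."""
import re
from typing import Optional
from urllib.parse import unquote

# Combined log format (only the fields needed here).
LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                  r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TRAVERSAL = re.compile(r"\.\.[/\\]")
PEARCMD = re.compile(r"pearcmd", re.IGNORECASE)


def decode_path(path: str, rounds: int = 2) -> str:
    # Undo up to two layers of URL encoding so ..%252F is caught like ..%2F.
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def classify(line: str) -> Optional[dict]:
    """Return a finding for one log line, or None if it looks benign."""
    m = LINE.match(line)
    if not m:
        return None
    path = decode_path(m.group("path"))
    tags = [name for name, rx in (("traversal", TRAVERSAL), ("pearcmd", PEARCMD))
            if rx.search(path)]
    if not tags:
        return None
    # Traversal aimed at pearcmd is the chain the CVE relies on; a 200 from
    # the server means the include most likely succeeded.
    critical = len(tags) == 2 and m.group("status") == "200"
    return {"ip": m.group("ip"), "status": m.group("status"), "tags": tags,
            "severity": "critical" if critical else "suspicious", "path": path}


def triage(lines) -> list:
    return [hit for hit in map(classify, lines) if hit]


# Constructed sample: benign request, plain LFI probe, double-encoded
# include of pearcmd.php, and a direct probe for pearcmd.php that 404s.
SAMPLE_LOG = [
    '198.51.100.7 - - [07/Feb/2026:10:00:01 +0000] "GET /auth/login HTTP/1.1" 200 512',
    '198.51.100.7 - - [07/Feb/2026:10:00:02 +0000] "GET /view?tpl=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1420',
    '198.51.100.7 - - [07/Feb/2026:10:00:05 +0000] "GET /view?tpl=..%252F..%252F..%252Fpearcmd.php HTTP/1.1" 200 0',
    '203.0.113.9 - - [07/Feb/2026:10:01:00 +0000] "GET /pearcmd.php HTTP/1.1" 404 0',
]
```

On the hardening side, pearcmd.php only takes its arguments from the query string when PHP's register_argc_argv setting is enabled, so turning it off (or not shipping PEAR in the web image at all) removes the second half of the chain even if an LFI remains.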

The exploit executes successfully, landing a reverse shell on our attacker machine as the user wwwrun.

With a stable shell on the target we begin internal enumeration.


5. .env File Extraction & Database Enumeration

Pterodactyl stores its entire runtime configuration, including database host, name, and credentials, in a .env file at the root of the installation directory. Running as wwwrun, we have direct read access to this file.

cat /var/www/pterodactyl/.env

The .env file exposes the MySQL database credentials. Connecting to the local MySQL instance with those credentials, we query the users table.

mysql -u <DB_USER> -p<DB_PASS> pterodactyl -e "SELECT username, email, password FROM users;"

Two user records are returned, each containing a bcrypt-hashed password.


6. Hash Cracking & Lateral Movement to phileasfogg

Both hashes are saved to a local file and submitted to john.

john -w:/usr/share/wordlists/rockyou.txt hashes

One of the hashes cracks successfully, revealing the plaintext password for phileasfogg. The credentials are immediately tested for SSH reuse.

ssh phileasfogg@<TARGET_IP>

The login succeeds. We recover the user flag from phileasfogg’s home directory.


7. Internal Enumeration & udisksd Discovery

Enumerating the system as phileasfogg, we find a message left by HeadMonitor. The note explicitly references udisksd, the udisks2 daemon responsible for disk management operations on Linux systems.

This smells like a deliberate hint that the udisks daemon is either running with elevated privileges or is exposed to a known exploitation path. Researching available CVEs surfaces CVE-2025-6018-19.


8. CVE-2025-6018-19 - Privilege Escalation to Root

CVE-2025-6018-19 is a chained exploit targeting the udisks2 daemon. The vulnerability abuses the way udisksd processes XFS filesystem images during mount operations, allowing an attacker to plant a malicious PAM configuration that is loaded when a subsequent authentication event occurs, executing arbitrary commands as root.

The public PoC for CVE-2025-6018-19 required corrections before it would run reliably on this target. With the fixed script in hand, the exploit runs in distinct stages.

Stage 1: Creating the XFS image

On the attack machine, the script is invoked to generate a crafted xfs.image containing the malicious filesystem structure required for the privilege escalation chain.

bash CVE-2025-6018-19.sh xfs.image

Stage 2: Staging the artefacts on the target

Both the XFS image and the corrected exploit script are transferred to the victim machine using scp.

scp xfs.image CVE-2025-6018-19.sh phileasfogg@<TARGET_IP>:/home/phileasfogg3

Stage 3: Planting the PAM payload

With both files present on the target, the first execution stage is triggered using the pam parameter. This causes udisksd to mount the XFS image and process its contents, planting the malicious PAM module into the authentication stack. Once the script completes, we exit the SSH session entirely; this is required to trigger the PAM reload on the next authentication.

bash /tmp/CVE-2025-6018-19.sh pam
exit

Stage 4: Triggering root

Reconnecting to the machine via SSH and executing the script a second time with the root parameter triggers the PAM chain through udisksd, escalating privileges and delivering a root shell.

ssh phileasfogg@<TARGET_IP>
bash /tmp/CVE-2025-6018-19.sh root
