Pterodactyl hosts a Minecraft community site alongside an instance of the Pterodactyl game-server management panel. I’ll exploit an unauthenticated directory traversal in the panel’s locale endpoint that gets PHP to include arbitrary files on disk, and chain it with the classic PEAR pearcmd technique to write and execute a webshell. From there I’ll read database credentials, crack a bcrypt hash, and pivot to a user who reuses that password. The box runs openSUSE, where I’ll abuse a PAM environment-variable flaw to convince Polkit I’m a local console session, then exploit a libblockdev/udisks vulnerability to mount a crafted XFS image carrying a SetUID-root shell and escalate to root. In Beyond Root, I’ll get CopyFail and DirtyFrag (two recent Linux kernel page-cache privilege-escalation exploits) working on the host.

0xdf hacks stuff

A detailed walkthrough of the HackTheBox machine 'Pterodactyl', covering exploitation of CVE-2025-49132, an unauthenticated directory traversal in Pterodactyl Panel v1.11.10's locale endpoint. The attack chain involves chaining the LFI with the PEAR pearcmd.php technique to write and execute a webshell, extracting database credentials, cracking a bcrypt hash to pivot to a local user, then escalating to root on openSUSE via a PAM environment-variable flaw abusing Polkit and a libblockdev/udisks vulnerability to mount a crafted XFS image with a SetUID-root shell. Also covers CopyFail and DirtyFrag Linux kernel privilege escalation exploits.

HTB: Pterodactyl