HackTheBox - Pterodactyl

IppSec

Key Takeaways

The walkthrough enumerates the box with nmap and ffuf, then exploits Pterodactyl via CVE-2025-49132.

Original Description

01:05 - Start of nmap
04:00 - Using ffuf to find the panel subdomain, which shows pterodactyl.htb
06:30 - Discovering the version of pterodactyl running by looking at the GitHub Releases and looking for the js bundle name
10:00 - Searching CVE's finding the Pterodactyl CVE-2025-49132 POC, and running an exploit script
17:00 - Finding PHP PEAR directory which allows our exploit to run
19:05 - Looking at the source code, and running through the exploit manually
36:00 - Shell on the box dump the database, crack a cred to get an account
43:40 - Looking at CVE-2025-6018 which lets us impersonate a physical logged in user in policy kit
46:25 - Exploiting CVE-2025-6019 which is a CVE in UDISKS, when it does the resize it mounts a partition without the NOSUID flag
52:55 - Starting a script to execute bash in our malicious mount, then telling udisks to resize it and getting a shell
