Platform: Hack The Box
Season: 10
Difficulty: Medium
OS: openSUSE Leap 15.6
Date: 2026-02-10
Author: x4cc3
Pterodactyl is a Medium Linux machine running the Pterodactyl Panel (v1.11.10) game server management interface alongside a static landing site. A publicly exposed changelog.txt leaks version information, including the panel version and the fact that PHP PEAR is installed. A PHP PEAR config-create plus path traversal chain in the panel (CVE-2025-49132) yields remote code execution as wwwrun. Database credentials are recovered from the panel's environment variables and used to dump user password hashes. After cracking a bcrypt hash, SSH access is gained as phileasfogg3. For root, a PAM environment poisoning vulnerability (CVE-2025-6018) is exploited to bypass the login1 (systemd-logind) seat restrictions and obtain an active session.
```bash
nmap -Pn -sV -sC -T4 -A 10.129.11.128
```
| Port | Service | Version |
|---|---|---|
| 22/tcp | SSH | OpenSSH 9.6 |
| 80/tcp | HTTP | nginx 1.21.5 (redirects to pterodactyl.htb) |
| 443/tcp | HTTPS | closed |
| 8080/tcp | HTTP | closed |
```bash
ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt \
  -u http://pterodactyl.htb/FUZZ -e .php,.txt -ic
```
Key findings:
- index.php: landing page (MonitorLand)
- changelog.txt: exposed changelog with version information
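The changelog is the pivot for the whole foothold, so it is worth checking it mechanically rather than by eye. The script below is an added example, not part of the original writeup or of the Pterodactyl project: it pulls `/changelog.txt` with the `Host: pterodactyl.htb` header that nginx's redirect requires, extracts the newest semantic version it mentions, flags any PHP PEAR reference, and compares the version against 1.11.11, the Panel release that fixed CVE-2025-49132. The changelog text embedded in the block is constructed for the example and does not reproduce the target's real file; the fixed-version threshold and the wording matched by the regexes are assumptions of this example.

```python
import re
import urllib.request

# Constructed sample in the shape of the leaked changelog.txt described in
# the writeup; it is NOT the target's real file.
SAMPLE_CHANGELOG = """\
# Changelog
## v1.11.10
- Updated panel to Pterodactyl v1.11.10
- Installed php-pear for provisioning helpers
## v1.11.9
- Previous release
"""

# CVE-2025-49132 was fixed in Panel 1.11.11 (assumption of this example).
FIXED_VERSION = (1, 11, 11)

VERSION_RE = re.compile(r"\bv?(\d+)\.(\d+)\.(\d+)\b")
PEAR_RE = re.compile(r"\bphp-?pear\b", re.IGNORECASE)


def fetch_changelog(base_url="http://10.129.11.128", host="pterodactyl.htb",
                    timeout=5):
    """Fetch /changelog.txt using the vhost name nginx expects.

    Network helper only; not exercised by the offline parse below.
    """
    req = urllib.request.Request(f"{base_url}/changelog.txt",
                                 headers={"Host": host})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def parse_changelog(text):
    """Return the newest version mentioned and whether PHP PEAR is referenced.

    Returns None if no x.y.z version string is present at all.
    """
    versions = [tuple(int(g) for g in m.groups())
                for m in VERSION_RE.finditer(text)]
    if not versions:
        return None
    return {
        "panel_version": max(versions),       # highest version wins
        "php_pear": bool(PEAR_RE.search(text)),
    }


def vulnerable_to_cve_2025_49132(version):
    """True when the parsed Panel version predates the fixed release."""
    return tuple(version) < FIXED_VERSION


def assess(text):
    """Combine the checks into a single triage verdict for the changelog."""
    info = parse_changelog(text)
    if info is None:
        return {"status": "no-version"}
    info["cve_2025_49132"] = vulnerable_to_cve_2025_49132(info["panel_version"])
    info["status"] = ("likely-exploitable"
                      if info["cve_2025_49132"] and info["php_pear"]
                      else "check-manually")
    return info


if __name__ == "__main__":
    # Offline run over the constructed sample; swap in fetch_changelog()
    # output when pointed at the real host.
    print(assess(SAMPLE_CHANGELOG))
```

Note that the verdict is only a triage hint: a version number in a changelog is a claim, not proof, and the PEAR check matches the word, not an installed package. Confirm both on the target before committing to the CVE-2025-49132 chain.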