pterodactyl

Pterodactyl — HackTheBox Writeup

Pterodactyl is a Linux box built around a real-world attack chain: an unauthenticated LFI vulnerability in the Pterodactyl Panel game server management software leads to RCE, credential extraction, and ultimately root through a pair of freshly disclosed SUSE-specific udisks2 privilege escalation CVEs. It’s a satisfying box because every step has a meaningful “why” behind it — nothing is arbitrary.

Overview

The box hosts a Minecraft server homepage alongside a Pterodactyl Panel installation. Enumeration surfaces an exposed phpinfo.php that reveals the exact PHP configuration needed for a PEAR-based LFI-to-RCE chain. After exploiting CVE-2025-49132 (unauthenticated LFI in the panel) to pivot to RCE, we dump the panel’s database credentials, crack a user’s bcrypt hash, and SSH in. From there, a two-CVE chain targeting udisks2 on openSUSE — PAM environment injection to trick Polkit, followed by a SUID binary race on a temporary mount — hands us root. ...
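The overview says phpinfo.php reveals the PHP settings that make the PEAR chain viable. The settings that matter for the well-known pearcmd.php LFI-to-RCE trick are register_argc_argv (when On, the query string is split into $argv for an included pearcmd.php) and include_path (which tells you where PEAR is installed and therefore where pearcmd.php lives). The following is an added triage helper, not code from the writeup or from the box: it parses a phpinfo() HTML dump and reports whether those preconditions hold. The SAMPLE_* strings are constructed stand-ins for the rows of a real phpinfo page, not output from the box.

```python
"""Triage a phpinfo() dump for the PEAR pearcmd.php LFI-to-RCE preconditions.

Added example (not from the writeup). Assumptions: the phpinfo page uses the
standard <td class="e">directive</td><td class="v">local</td> row layout, and
the pearcmd.php trick needs register_argc_argv=On plus a reachable PEAR dir.
"""
import re
from html import unescape
from typing import Dict, List, Tuple

# Constructed sample rows (NOT the box's real phpinfo output).
SAMPLE_VULNERABLE = """
<tr><td class="e">include_path</td><td class="v">.:/usr/share/php:/usr/share/pear</td><td class="v">.:/usr/share/php:/usr/share/pear</td></tr>
<tr><td class="e">register_argc_argv</td><td class="v">On</td><td class="v">On</td></tr>
<tr><td class="e">allow_url_include</td><td class="v">Off</td><td class="v">Off</td></tr>
"""

# Same layout, but the hardened setting a php.ini-production would ship with.
SAMPLE_HARDENED = """
<tr><td class="e">include_path</td><td class="v">.:/usr/share/php</td><td class="v">.:/usr/share/php</td></tr>
<tr><td class="e">register_argc_argv</td><td class="v">Off</td><td class="v">Off</td></tr>
"""

# Captures directive name and its Local Value (first "v" cell after the "e" cell).
ROW_RE = re.compile(
    r'<td class="e">\s*(.*?)\s*</td>\s*<td class="v">\s*(.*?)\s*</td>', re.S
)


def parse_phpinfo(html: str) -> Dict[str, str]:
    """Return {directive: local_value} from a phpinfo() HTML table."""
    return {unescape(k): unescape(v) for k, v in ROW_RE.findall(html)}


def pear_dirs(settings: Dict[str, str]) -> List[str]:
    """Directories on include_path that look like a PEAR install (candidate
    locations for pearcmd.php, e.g. /usr/share/pear/pearcmd.php)."""
    path = settings.get("include_path", "")
    return [p for p in path.split(":") if "pear" in p.lower()]


def pearcmd_preconditions(settings: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Return (chain_plausible, reasons_it_is_not).

    Both conditions are required: without register_argc_argv=On the query
    string never reaches pearcmd.php as arguments, and without a known PEAR
    directory you do not know which file to include through the LFI.
    """
    reasons = []
    if settings.get("register_argc_argv", "").strip().lower() != "on":
        reasons.append("register_argc_argv is not On")
    if not pear_dirs(settings):
        reasons.append("no PEAR directory visible on include_path")
    return (not reasons, reasons)


if __name__ == "__main__":
    for label, sample in (("vulnerable", SAMPLE_VULNERABLE), ("hardened", SAMPLE_HARDENED)):
        ok, why = pearcmd_preconditions(parse_phpinfo(sample))
        print(f"{label}: pearcmd chain plausible={ok} {why}")
```

On a real engagement you would feed this the body of the exposed phpinfo.php; on the hardened side, the fix is simply register_argc_argv = Off in php.ini (the php.ini-production default) and not shipping phpinfo.php to production at all.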

February 26, 2026 · 10 min · Logan Dawson