HackTheBox - Pterodactyl

01:05 - Start of nmap
04:00 - Using ffuf to find the panel subdomain, which shows pterodactyl.htb
06:30 - Discovering the version of pterodactyl running by looking at the GitHub Releases and looking for the js bundle name
10:00 - Searching CVE's finding the Pterodactyl CVE-2025-49132 POC, and running an exploit script
17:00 - Finding PHP PEAR directory which allows our exploit to run
19:05 - Looking at the source code, and running through the exploit manually
36:00 - Shell on the box dump the database, crack a cred to get an account
43:40 - Looking at CVE-2025-6018 which lets us impersonate a physical logged in user in policy kit
46:25 - Exploiting CVE-2025-6019 which is a CVE in UDISKS, when it does the resize it mounts a partition without the NOSUID flag
52:55 - Starting a script to execute bash in our malicious mount, then telling udisks to resize it and getting a shell

Видео HackTheBox - Pterodactyl канала IppSec