Machine Synopsis
`Pterodactyl` is a medium-difficulty Linux machine that runs Pterodactyl Panel on the `panel` virtual host. The Panel is vulnerable to [CVE-2025-49132](https://nvd.nist.gov/vuln/detail/CVE-2025-49132), an unauthenticated Remote Code Execution vulnerability in the `locales/locale.json` endpoint. This endpoint accepts user-controlled `locale` and `namespace` parameters and uses them to build a file path that is then dynamically `require`d as PHP. The attacker can chain this with PHP's bundled `pearcmd.php` to write an arbitrary PHP file and gain command execution as the `wwwrun` user. The same bug also leaks the Panel's database credentials from `config/database.php`. Although a public PoC exists, it requires a small tweak to match the target's `PEAR` installation path before exploitation succeeds. The leaked database credentials are reused against the local MariaDB instance to dump the `users` table, exposing a bcrypt hash for `phileasfogg3`. The hash is cracked offline with John the Ripper, and the recovered password is reused for SSH access. For privilege escalation, the attacker abuses the chained OpenSUSE 15 LPE published by Qualys ([CVE-2025-6018](https://nvd.nist.gov/vuln/detail/CVE-2025-6018) and [CVE-2025-6019](https://nvd.nist.gov/vuln/detail/CVE-2025-6019)). By forging `XDG_SEAT` and `XDG_VTNR` environment variable overrides within `.pam_environment`, the attacker is treated as a local, active session and gains `allow_active` polkit rights. These privileges allow triggering a `udisks` XFS resize on an attacker-controlled image, resulting in a root-owned SUID bash binary being written to the disk.
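The root cause of the Panel bug above is that request parameters are concatenated into a path that ends up in `require`. The following added example (not Pterodactyl's code, and not the patch the project shipped) contrasts that unsafe path composition with a hardened resolver that applies a strict token allowlist and a containment check after normalisation. The directory layout `lang/<locale>/<namespace>.php` and the `LANG_ROOT` value are assumptions used only to make the example concrete; the malicious inputs are constructed for the test.

```python
"""Unsafe vs. hardened resolution of a locale file from request parameters.

Added example, not code from the Pterodactyl project. It assumes a layout of
LANG_ROOT/<locale>/<namespace>.php; the real Panel's layout may differ.
"""
import os
import re
from typing import Optional
from urllib.parse import unquote

# Assumed location of the language files (placeholder, not the target's path).
LANG_ROOT = "/var/www/panel/lang"

# Only plain identifiers are acceptable locale/namespace tokens.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def resolve_locale_file_unsafe(locale: str, namespace: str,
                               lang_root: str = LANG_ROOT) -> str:
    """The vulnerable pattern: user input goes straight into the path.

    Nothing stops '..' components from walking out of lang_root, so the
    returned path (and whatever is later require'd) is attacker-chosen.
    """
    return os.path.normpath(os.path.join(lang_root, locale, namespace + ".php"))


def resolve_locale_file(locale: str, namespace: str,
                        lang_root: str = LANG_ROOT) -> Optional[str]:
    """Hardened resolver: returns the path to load, or None if rejected.

    Two independent checks are applied:
      1. allowlist: each parameter must be a bare identifier (after a single
         URL-decode, so '%2e%2e%2f' cannot slip past the regex);
      2. containment: the normalised result must still live under lang_root.
    Either check alone would block traversal; keeping both means a mistake
    in one does not silently reopen the hole.
    """
    locale = unquote(locale)
    namespace = unquote(namespace)
    if not TOKEN_RE.match(locale) or not TOKEN_RE.match(namespace):
        return None

    candidate = os.path.normpath(os.path.join(lang_root, locale, namespace + ".php"))
    root = os.path.normpath(lang_root)
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed inputs: one legitimate request, one traversal attempt.
    for loc, ns in (("en", "validation"), ("../../../../../tmp", "anything")):
        print(f"unsafe  : {resolve_locale_file_unsafe(loc, ns)}")
        print(f"hardened: {resolve_locale_file(loc, ns)}")
```

The unsafe variant shows why the endpoint is exploitable even without a file-write primitive: any readable PHP file on disk can be pulled into the interpreter. The hardened variant is what a defender would want to see in a code review of any handler that maps request parameters to filesystem paths.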
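Because the privilege-escalation step depends on `XDG_SEAT` and `XDG_VTNR` being injected through `~/.pam_environment`, a cheap host-side check is to audit those files for session-identity overrides. The script below is an added example (not part of the write-up or the Qualys advisory): it parses the `pam_env` user-file syntax, flags the two variables named above plus a couple of related session variables (an assumption about what else is worth reviewing), and runs against constructed sample file contents so it can be exercised offline.

```python
"""Audit ~/.pam_environment contents for seat/session variable overrides.

Added example, not from the machine write-up. XDG_SEAT and XDG_VTNR are the
variables the escalation chain relies on; the other two in SUSPICIOUS_VARS
are assumptions about related session metadata a reviewer would also flag.
"""
import re
from pathlib import Path
from typing import Dict, List

SUSPICIOUS_VARS = {"XDG_SEAT", "XDG_VTNR", "XDG_SESSION_TYPE", "XDG_SESSION_CLASS"}

# pam_env user-file syntax: "VAR [DEFAULT=value] [OVERRIDE=value]" or the
# simple "VAR=value" form. Lines beginning with '#' are comments.
LINE_RE = re.compile(r"^\s*(?P<var>[A-Za-z_][A-Za-z0-9_]*)\s*(?P<rest>.*)$")
KV_RE = re.compile(r"\b(DEFAULT|OVERRIDE)=(?P<val>\"[^\"]*\"|\S*)")


def parse_pam_environment(text: str) -> Dict[str, Dict[str, str]]:
    """Return {VAR: {"DEFAULT": ..., "OVERRIDE": ...}} for each assignment."""
    result: Dict[str, Dict[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" in line and not re.search(r"\b(DEFAULT|OVERRIDE)=", line):
            # Simple VAR=value form.
            var, _, val = line.partition("=")
            result[var.strip()] = {"DEFAULT": val.strip().strip('"')}
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        entry: Dict[str, str] = {}
        for kv in KV_RE.finditer(m.group("rest")):
            entry[kv.group(1)] = kv.group("val").strip('"')
        result[m.group("var")] = entry
    return result


def find_overrides(text: str) -> List[str]:
    """Return one finding string per suspicious variable set in the file."""
    findings = []
    for var, entry in parse_pam_environment(text).items():
        if var in SUSPICIOUS_VARS:
            values = ", ".join(f"{k}={v}" for k, v in sorted(entry.items())) or "(empty)"
            findings.append(f"{var} set via .pam_environment: {values}")
    return findings


def audit_home_dirs(root: str = "/home") -> Dict[str, List[str]]:
    """Scan every <root>/<user>/.pam_environment and return findings per file."""
    report: Dict[str, List[str]] = {}
    for pam_file in Path(root).glob("*/.pam_environment"):
        try:
            hits = find_overrides(pam_file.read_text(errors="replace"))
        except OSError:
            continue
        if hits:
            report[str(pam_file)] = hits
    return report


# Constructed sample file contents (not taken from the target machine).
SAMPLE_BENIGN = """
# ordinary user customisation
EDITOR=vim
LANG DEFAULT=en_US.UTF-8
"""

SAMPLE_SUSPICIOUS = """
XDG_SEAT DEFAULT=seat0 OVERRIDE=seat0
XDG_VTNR=1
PATH DEFAULT=${PATH}
"""

if __name__ == "__main__":
    for label, sample in (("benign", SAMPLE_BENIGN), ("suspicious", SAMPLE_SUSPICIOUS)):
        hits = find_overrides(sample)
        print(f"{label}: {len(hits)} finding(s)")
        for h in hits:
            print("  -", h)
```

Run `audit_home_dirs()` as root on a fleet to list which accounts carry such overrides; a hit is not proof of compromise, but on a system where `pam_env` still reads user files it is exactly the precondition the chain needs, and the durable fix is to stop honouring `~/.pam_environment` (or to apply the vendor patches for the two CVEs) rather than to chase individual files.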
Machine Matrix