HTB Pterodactyl Pterodactyl Panel CVE-2025-49132 LFI-to-RCE ...#2247

Open
carlospolop wants to merge 1 commit into master from update_HTB_Pterodactyl__Pterodactyl_Panel_CVE-2025-49132__20260517_025232

Conversation

@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

  • Blog URL: https://0xdf.gitlab.io/2026/05/16/htb-pterodactyl.html
  • Blog Title: HTB Pterodactyl: Pterodactyl Panel CVE-2025-49132 LFI-to-RCE via PEAR and openSUSE Polkit/udisks Privilege Escalation
  • Suggested Section: Pentesting Web -> File Inclusion/Path Traversal -> LFI2RCE via PHP-PEAR pearcmd.php; optionally Network Services Pentesting -> 80,443 -> Pterodactyl Panel / Laravel and Linux Privilege Escalation -> Polkit/udisks openSUSE CVE-2025-6018/CVE-2025-6019 if detailed exploit steps are present

🎯 Content Summary

Overview

The post is a full technical exploitation walkthrough of the HackTheBox Linux machine Pterodactyl. The target hosts a Minecraft community website and a Pterodactyl Panel game-server management panel. The attack chain starts with unauthenticated exploitation of CVE-2025-49132 in Pterodactyl Panel v1.11.10, turning a locale-file inclusion bug into remote command execution using the classic pearcmd.php...

🔧 Technical Details

Unauthenticated Laravel translation-loader file inclusion: If a Laravel application exposes a translation-loading endpoint where attacker-controlled values are passed into Illuminate\Translation\FileLoader::load(), those values may be used to construct a path like {$path}/{$locale}/{$group}.php. If the loader then calls getRequire(), traversal in locale or group/namespace can include and execute arbitrary readable .php files. This can leak PHP configuration arrays, such as config/database.php, or bootstrap unintended PHP entry points. Fixes should validate locale and namespace strictly, for example limiting locale to two lowercase characters and namespace to expected lowercase identifiers only.

LFI-to-RCE using PHP-PEAR pearcmd.php: When an LFI can include arbitrary .php files and PHP-PEAR is installed, pearcmd.php can become an RCE ga...

🤖 Agent Actions

Done.

Updated:

  • src/pentesting-web/file-inclusion/README.md

Added:

  • Better pearcmd.php LFI2RCE prerequisites/recon
  • Reliable +-split HTTP argv payload notes
  • Laravel translation-loader LFI pattern (FileLoader::load() → getRequire())
  • Config-array exfil note (config/database.php-style leaks)
  • References to the Pterodactyl advisory and 0xdf post

Validation:

  • Reviewed the diff successfully
  • mdbook build could not run because mdbook is not installed in this environment

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
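As an added illustration (not code from the 0xdf post, from Laravel, or from Pterodactyl), the PHP below models the translation-loader path pattern described in the technical details above and places the strict allow-list check next to it. The function names, the `/var/www/app/lang` base path and the request-derived `locale`/`group` values are assumptions for the example.

```php
<?php
// Added example, not Laravel's or Pterodactyl's code. It models the
// "{$path}/{$locale}/{$group}.php" construction described above and shows
// why unvalidated locale/group input lets a require-style loader walk out of
// the lang directory. Base path and variable names are assumptions.

declare(strict_types=1);

// Vulnerable shape: attacker-controlled pieces interpolated into the path
// and handed to a require-style loader with no validation at all.
function buildLangPathUnsafe(string $basePath, string $locale, string $group): string
{
    return "{$basePath}/{$locale}/{$group}.php";
}

// Hardened shape: allow-list each piece before it touches the filesystem path.
// Locale is limited to two lowercase letters, group/namespace to a lowercase
// identifier, matching the fix shape summarised in the technical details.
function buildLangPathStrict(string $basePath, string $locale, string $group): string
{
    if (!preg_match('/^[a-z]{2}$/', $locale)) {
        throw new InvalidArgumentException('invalid locale');
    }
    if (!preg_match('/^[a-z][a-z0-9_]*$/', $group)) {
        throw new InvalidArgumentException('invalid group');
    }
    return "{$basePath}/{$locale}/{$group}.php";
}

// Defence in depth: after building the path, confirm the resolved file still
// lives under the lang directory. realpath() needs both paths to exist on disk,
// so a missing file is treated as "not inside" and refused.
function isInsideBase(string $basePath, string $candidate): bool
{
    $realBase = realpath($basePath);
    $realCandidate = realpath($candidate);
    if ($realBase === false || $realCandidate === false) {
        return false;
    }
    return str_starts_with($realCandidate, $realBase . DIRECTORY_SEPARATOR);
}

// Demonstration: a "../" in the locale segment leaves lang/ and points the
// loader at a configuration array of the kind named above (config/database.php).
$base = '/var/www/app/lang';
echo 'unsafe: ', buildLangPathUnsafe($base, '../config', 'database'), PHP_EOL;

// The same inputs, plus a legitimate pair and a traversal hidden in the group,
// run through the strict builder: only the well-formed pair survives.
$cases = [
    ['../config', 'database'],
    ['en', 'auth'],
    ['en', '../../config/app'],
];
foreach ($cases as [$locale, $group]) {
    try {
        echo 'accepted: ', buildLangPathStrict($base, $locale, $group), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo "rejected {$locale}/{$group}: {$e->getMessage()}", PHP_EOL;
    }
}
```

The regex allow-list is the primary control because it rejects the traversal before any path exists; the `isInsideBase()` containment check is only a backstop, since `realpath()` cannot be applied to a file that does not yet exist and a loader that has already called `require` on the path is past the point where the check helps.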

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://0xdf.gitlab.io/2026/05/16/htb-pterodactyl.html

Content Categories: Based on the analysis, this content was categorized under "Pentesting Web -> File Inclusion/Path Traversal -> LFI2RCE via PHP-PEAR pearcmd.php; optionally Network Services Pentesting -> 80,443 -> Pterodactyl Panel / Laravel and Linux Privilege Escalation -> Polkit/udisks openSUSE CVE-2025-6018/CVE-2025-6019 if detailed exploit steps are present".

Repository Maintenance:

  • MD Files Formatting: 974 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
