Browsing to `http://panel.pterodactyl.htb` reveals a **Pterodactyl Panel** instance (game server management), version prior to v1.11.11.
```bash
sudo nmap -p- pterodactyl.htb --min-rate 5000 -vvvv
```
| Port | State | Service | Version |
|---|---|---|---|
| 22/tcp | Open | SSH | OpenSSH |
| 80/tcp | Open | HTTP | Pterodactyl Panel (<v1.11.11) |
| 443/tcp | Closed | HTTPS | - |
| 8080/tcp | Closed | HTTP-Proxy | - |
**Critical finding:** The `/locales/locale.json` endpoint accepts user-controlled `locale` and `namespace` query parameters, indicating a potential Local File Inclusion (LFI) vulnerability (CVE-2025-49132).
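As a defender's complement to the finding above, here is an added example (not part of this writeup or of Pterodactyl) that scans web-server access logs for requests to `/locales/locale.json` whose `locale` or `namespace` parameters look like paths instead of short identifiers. The combined log format and the sample lines are constructed assumptions; adapt the regex to your own log layout.

```python
# Added example, not from the writeup: flag access-log requests to the Pterodactyl
# Panel /locales/locale.json endpoint whose user-controlled `locale` or `namespace`
# parameters carry path-traversal markers. Log format and sample lines are constructed.
import re
from urllib.parse import parse_qs, unquote, urlsplit

ENDPOINT = "/locales/locale.json"
WATCHED_PARAMS = ("locale", "namespace")
# Combined log format: client IP ... "METHOD target proto" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def _decode(value: str) -> str:
    """Decode URL-encoding repeatedly so double-encoded %252e%252e does not slip past."""
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_value(value: str) -> bool:
    """True unless the value is a plain identifier such as 'en' or 'validation'."""
    v = _decode(value).replace("\\", "/")
    if ".." in v or v.startswith("/"):
        return True
    return re.fullmatch(r"[A-Za-z0-9_.\-]+", v) is None

def scan_line(line: str):
    """Return a finding for a suspicious locale.json request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if url.path != ENDPOINT:
        return None
    params = parse_qs(url.query, keep_blank_values=True)
    hits = {name: vals for name, vals in params.items()
            if name in WATCHED_PARAMS and any(suspicious_value(x) for x in vals)}
    return {"ip": m.group("ip"), "status": m.group("status"), "params": hits} if hits else None

def scan_log(lines):
    """Scan an iterable of access-log lines and return all findings."""
    return [f for f in map(scan_line, lines) if f]

SAMPLE_LOG = [  # constructed lines, not real traffic
    '10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] "GET /locales/locale.json?locale=en&namespace=validation HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2025:10:00:01 +0000] "GET /locales/locale.json?locale=..%252F..%252Fsome%252Fdir&namespace=file HTTP/1.1" 200 128',
    '10.0.0.9 - - [01/Jan/2025:10:00:02 +0000] "GET /api/client HTTP/1.1" 401 0',
]
```

Running `scan_log(SAMPLE_LOG)` reports only the second line, whose double-encoded `locale` value decodes to a traversal sequence; a `200` status on such a request is the signal to prioritise, alongside upgrading the panel to a version that is not prior to v1.11.11.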
Contact me on Discord or LinkedIn for the password.
HackTheBox policy restricts publishing walkthroughs for active-season machines. This writeup is password-protected to respect that policy while keeping the content available to those who already have access.