01:05 - Start of nmap
04:00 - Using ffuf to find the panel subdomain, which shows pterodactyl.htb
06:30 - Discovering the version of Pterodactyl running by looking at the GitHub Releases and looking for the JS bundle name
10:00 - Searching CVEs, finding the Pterodactyl CVE-2025-49132 PoC, and running an exploit script
17:00 - Finding the PHP PEAR directory, which allows our exploit to run
19:05 - Looking at the source code, and running through the exploit manually
36:00 - Shell on the box, dump the database, crack a cred to get an account
43:40 - Looking at CVE-2025-6018, which lets us impersonate a physically logged-in user in PolicyKit
46:25 - Exploiting CVE-2025-6019, which is a CVE in UDISKS: when it does the resize, it mounts a partition without the NOSUID flag
52:55 - Starting a script to execute bash in our malicious mount, then telling udisks to resize it and getting a shell