Using nmap I found 2 open ports.
nmap -p- --open -vvv -sS --min-rate 5000 -Pn 10.129.3.44 -oG allPorts.txt
nmap -p22,80 -sCV 10.129.3.44

The main page brings you a subndomain that didn't work.
Inside this web, I found a CHANGELOG.
This changelog indicates the existence of a Pterodactyl panel using a vulnerable version.

With ffuf I found the subdomain panel.
Here, I found the Pterodactyl instance indicated in the changelog.

Now, I verified that I can access the vulnerable json, comfirmating the vulnerability.
I used a script to inject the code.

Inside the .env file I found some database credentials.
Inside this database, I found some user hashes.
SELECT * FROM users;
Using john I was able to crack the phileasfogg3 password.
john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
Using this credentials, I can log as user phileasfogg3 with ssh.

The user had (ALL) ALL privileges, but with the targetpw flag set meaning sudo would prompt for the root password, not the current user's password. This effectively rendered the broad sudo rule useless without already knowing root's credentials.
While exploring the home directory, I found an email from "headmonitor" to phileasfogg3 warning about suspicious activity related to udisksd, and instructing to report immediately if any signs of compromise were found.
This pointed directly toward udisksd as the intended escalation vector.
I checked the installed version of` udisks2:
udisksd --version
The version matched a known vulnerable release affected by a Local Privilege Escalation vulnerability in the udisks2 daemon, specifically related to how it handles mounting filesystem images, allowing an unprivileged user to get udisks2 (running as root) to mount a crafted filesystem and gain root access.
Using the exploit's local mode, I generated a malicious XFS image containing a SUID root shell (or equivalent payload embedded in the filesystem image):
This produced a crafted .img file designed to be mounted via udisks2.
Now, Using scp I transfere the image to the victim.
scp -r xfs.image phinleasfogg3@10.129.3.44:/home/phinleasfogg3
Here, I execute the exploit in target mode, to mount the crafted XFS image. Because udisksd performs the mount operation with root privileges and the image's contents (including the SUID binary embedded in it) are mounted onto the filesystem without proper privilege-dropping or sanitization, the SUID-root shell contained inside the image becomes accessible with root ownership and permissions intact once mounted.
