Executive Summary
The Reactor machine presents a modern web architecture running a vulnerable instance of Next.js within an Ubuntu 24.04 environment. By identifying and exploiting CVE-2025-55182 (colloquially referred to as React2Shell), unauthenticated Remote Code Execution (RCE) was achieved against the target application.
This initial foothold was leveraged to extract sensitive database files from the underlying filesystem, leading to the recovery of encrypted credentials. After performing offline hash cracking and establishing secure shell (SSH) access as a low-privileged user, local enumeration revealed a Node.js V8 Inspector listening on a local loopback interface, running under the root user context.
By engineering a custom Python exploit that automates SSH port tunneling and WebSocket communication, the debugger was manipulated to execute arbitrary JavaScript as the root user, completely compromising the system and retrieving both the user and root flags.
Attack Path Overview
| Phase | Vector | Result |
|---|---|---|
| Reconnaissance | Nmap service enumeration | Identified Next.js on port 3000 |
| Initial Access | CVE-2025-55182 (RSC Deserialization) | Unauthenticated RCE as |
| Enumeration | SQLite database exfiltration | Recovered MD5 password hashes |
| Lateral Movement | Hash cracking + SSH | Access as |
| Privilege Escalation | Node.js | Root shell via V8 Inspector |
Phase 1: Reconnaissance & Enumeration
Network Discovery
The assessment began with an aggressive, comprehensive network scan to identify all exposed services, operating system fingerprints, and potential entry points across the full TCP port range.
Execution
nmap -sV -sC -O -T4 --min-rate 5000 -p- 10.129.2.105
Flags Breakdown:
-sV: Probe open ports to determine service/version info
-sC: Run default NSE scripts for additional enumeration
-O: Enable OS detection
-T4: Aggressive timing template for faster scanning
--min-rate 5000: Ensure a minimum of 5000 packets per second
-p-: Scan all 65535 TCP ports
Findings
| Port | Protocol | Service | Version | Notes |
|---|---|---|---|---|
| 22/tcp | TCP | SSH | OpenSSH 9.6p1 | Standard administrative access |
| 3000/tcp | TCP | HTTP | Node.js / Next.js | Web application entry point |
Web Application Analysis
Navigating to http://10.129.2.105:3000 revealed the "ReactorWatch Core Monitoring System" - a web-based dashboard presumably used for monitoring industrial reactor metrics.
Technology Stack Identification
Through careful inspection of HTTP response headers and client-side assets, the following technology stack was identified:
HTTP/1.1 200 OK
X-Powered-By: Next.js
Vary: RSC
Content-Type: text/html; charset=utf-8
Key Indicators:
The X-Powered-By: Next.js header confirms the framework.
The Vary: RSC header indicates that React Server Components (RSC) are enabled and actively used in the application routing layer.
Client-side JavaScript bundles referenced _next/static/chunks paths typical of Next.js App Router architecture.
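The same three indicators can be checked mechanically when inventorying hosts that need the CVE-2025-55182 patch. The script below is an added example, not part of the original writeup; the function names, finding labels and the sample HTML fragment are constructed for illustration, and poweredByHeader is the Next.js configuration option that controls the X-Powered-By banner.

```python
import re

# Constructed sample: the response head shown above plus a made-up HTML fragment.
SAMPLE_HEAD = (
    "HTTP/1.1 200 OK\r\n"
    "X-Powered-By: Next.js\r\n"
    "Vary: RSC\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
)
SAMPLE_BODY = '<script src="/_next/static/chunks/main-app.js" async></script>'


def parse_head(raw):
    """Return {lowercased header name: [values]} from a raw HTTP response head."""
    headers = {}
    lines = raw.replace("\r\n", "\n").strip("\n").split("\n")
    for line in lines[1:]:            # lines[0] is the status line
        if not line.strip():
            break                     # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit(raw_head, body=""):
    """Report which of the three Next.js/RSC indicators a response exposes."""
    headers = parse_head(raw_head)
    findings = []
    if any("next.js" in v.lower() for v in headers.get("x-powered-by", [])):
        # Hiding the banner is hygiene only; patching is the actual fix.
        findings.append(("framework-disclosure",
                         "set poweredByHeader: false in next.config.js"))
    # Vary may be repeated or comma-separated, and tokens are case-insensitive.
    vary = {t.strip().lower() for v in headers.get("vary", []) for t in v.split(",")}
    if "rsc" in vary:
        findings.append(("rsc-enabled",
                         "App Router serves RSC; confirm the Next.js/React patch level"))
    if re.search(r"/_next/static/chunks/", body):
        findings.append(("next-static-assets",
                         "Next.js bundles present even if the banner is removed"))
    return findings


if __name__ == "__main__":
    for finding_id, action in audit(SAMPLE_HEAD, SAMPLE_BODY):
        print(f"{finding_id}: {action}")
```

Removing the banner only drops the first finding; the Vary token and static asset paths still identify the framework, so patch level is what the inventory should track.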
This machine is still active in HTB, so the full walkthrough, exploitation path, and flags cannot be publicly released.

