External Publication
Visit Post

Hack The Box - HTB Reactor Writeup - Easy - Weekly - May 23th, 2026

1337 Sheets May 23, 2026
Source

Box: Reactor OS: Linux Difficulty: Easy Target IP: <TARGET_IP> Attacker IP: <ATTACKER_IP> (tun0)


1. Reconnaissance

1.1 Port Scan

A full TCP port sweep followed by a targeted service/version scan:

nmap -Pn -p- --min-rate=2000 -oN nmap-full.txt <TARGET_IP>
nmap -sC -sV -p 22,3000 -oN nmap-svc.txt <TARGET_IP>

Open ports:

Port Service Notes
22 SSH OpenSSH — used later for the foothold and tunnel
3000 HTTP X-Powered-By: Next.js web application

The web service runs on 3000 , not 80/443. The application is Next.js (v15.0.3) — a React Server Components (RSC) framework, which is the key detail that drives the foothold.

1.2 Web Fingerprinting

curl -sI http://<TARGET_IP>:3000/

Response headers confirm the stack:

HTTP/1.1 200 OK
X-Powered-By: Next.js

The landing page is a static "ReactorWatch — Core Monitoring System" dashboard with no visible login or links. Directory brute forcing and route hunting through the _next JS bundles returns nothing actionable — the entry point is not a hidden path, it is a framework-level vulnerability.

Identifying the exact framework + version (Next.js 15.0.3) is what points directly at CVE-2025-55182.


2. Foothold — CVE-2025-55182 (React2Shell RCE)

2.1 Vulnerability Background

CVE-2025-55182 is a Remote Code Execution vulnerability in the React Server Components / "Flight" serialization protocol used by frameworks such as Next.js. The chain is:

Prototype Pollution ──▶ Flight (RSC) deserialization ──▶ RCE

A crafted RSC payload pollutes object prototypes during server-side deserialization, ultimately allowing attacker-controlled code to be evaluated in the Node.js server process. Output can be recovered "error-based" (smuggled out inside the HTTP 500 response), so no outbound connection from the target is required.

This post is for subscribers only

Become a member to get access to all content

Subscribe now

Discussion in the ATmosphere

Loading comments...