{
  "$type": "site.standard.document",
  "bskyPostRef": {
    "cid": "bafyreieaj34ptvb3rhmg7zykiisdm2mznf4dp6eio5iupsldyu6oufue3i",
    "uri": "at://did:plc:gc2nrf5j5b2po5huoyw6utr4/app.bsky.feed.post/3mni474egv262"
  },
  "coverImage": {
    "$type": "blob",
    "ref": {
      "$link": "bafkreifc5m2zwhnnikwo3n6m7z5qg2vhxsuseoa62mdpv7zmhzxcrse7qe"
    },
    "mimeType": "image/jpeg",
    "size": 66442
  },
  "description": "Box: Reactor OS: Linux Difficulty: Easy Target IP:  Attacker IP:  (tun0) 1. RECONNAISSANCE 1.1 PORT SCAN A full TCP port sweep followed by a targeted service/version scan: nmap -Pn -p- --min-rate=2000 -oN nmap-full.txt  nmap -sC -sV -p 22,3000 -oN nmap-svc.txt  Open ports: Port Service Notes 22 SSH OpenSSH — used later for the foothold and tunnel 3000 HTTP X-Powered-By: Next.js web application The web service runs on 3000...",
  "path": "/hack-the-box-htb-reactor-writeup-easy-weekly-may-23th-2026/",
  "publishedAt": "2026-05-23T17:00:00.000Z",
  "site": "https://1337sheets.com",
  "tags": [
    "Subscribe now"
  ],
  "textContent": "**Box:** Reactor\n**OS:** Linux\n**Difficulty:** Easy\n**Target IP:** `<TARGET_IP>`\n**Attacker IP:** `<ATTACKER_IP>` (`tun0`)\n\n* * *\n\n## 1. Reconnaissance\n\n### 1.1 Port Scan\n\nA full TCP port sweep followed by a targeted service/version scan:\n\n\n    nmap -Pn -p- --min-rate=2000 -oN nmap-full.txt <TARGET_IP>\n    nmap -sC -sV -p 22,3000 -oN nmap-svc.txt <TARGET_IP>\n\n\n**Open ports:**\n\nPort | Service | Notes\n---|---|---\n22 | SSH | OpenSSH — used later for the foothold and tunnel\n3000 | HTTP | `X-Powered-By: Next.js` web application\n\n> The web service runs on **3000** , not 80/443. The application is **Next.js\n> (v15.0.3)** — a React Server Components (RSC) framework, which is the key\n> detail that drives the foothold.\n\n### 1.2 Web Fingerprinting\n\n\n    curl -sI http://<TARGET_IP>:3000/\n\n\nResponse headers confirm the stack:\n\n\n    HTTP/1.1 200 OK\n    X-Powered-By: Next.js\n\n\nThe landing page is a static \"ReactorWatch — Core Monitoring System\" dashboard\nwith no visible login or links. Directory brute forcing and route hunting\nthrough the `_next` JS bundles returns nothing actionable — the entry point is\n**not** a hidden path, it is a framework-level vulnerability.\n\nIdentifying the exact framework + version (Next.js 15.0.3) is what points\ndirectly at **CVE-2025-55182**.\n\n* * *\n\n## 2. Foothold — CVE-2025-55182 (React2Shell RCE)\n\n### 2.1 Vulnerability Background\n\n**CVE-2025-55182** is a Remote Code Execution vulnerability in the React Server\nComponents / \"Flight\" serialization protocol used by frameworks such as Next.js.\nThe chain is:\n\n\n    Prototype Pollution ──▶ Flight (RSC) deserialization ──▶ RCE\n\n\nA crafted RSC payload pollutes object prototypes during server-side\ndeserialization, ultimately allowing attacker-controlled code to be evaluated in\nthe Node.js server process. Output can be recovered \"error-based\" (smuggled out\ninside the HTTP 500 response), so no outbound connection from the target is\nrequired.\n\n### This post is for subscribers only\n\nBecome a member to get access to all content\n\nSubscribe now",
  "title": "Hack The Box - HTB Reactor Writeup - Easy - Weekly - May 23th, 2026",
  "updatedAt": "2026-06-04T17:04:37.337Z"
}