The initial Nmap report shows ports 80 and 3000:

    └─$ nmap -T4 reactor.htb
    Starting Nmap 7.98 ( https://nmap.org ) at 2026-05-26 05:52 -0300
    Stats: 0:00:01 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
    SYN Stealth Scan Timing: About 88.37% done; ETC: 05:52 (0:00:00 remaining)
    Nmap scan report for reactor.htb (10.129.5.252)
    Host is up (0.12s latency).
    Not shown: 998 closed tcp ports (reset)
    PORT     STATE SERVICE
    22/tcp   open  ssh
    3000/tcp open  ppp

The web app looks like this and seems to be a monitoring system for a reactor. The reactorwatch software seems to be internally made, and I found no CVE or vulnerability for it online:

Port 3000 is the default port used by Node applications. If we inspect the packet with Burp, we get the following response:

    HTTP/1.1 304 Not Modified
    vary: RSC, Next-Router-State-Tree, Next-Router-Prefetch, Next-Router-Segment-Prefetch
    x-nextjs-cache: HIT
    x-nextjs-prerender: 1
    x-nextjs-stale-time: 4294967294
    X-Powered-By: Next.js
    Cache-Control: s-maxage=31536000,
    ETag: "p02u6gnhufd8t"
    Date: Sun, 24 May 2026 23:34:18 GMT
    Connection: keep-alive
    Keep-Alive: timeout=5

"RSC" stands for React Server Components. RSC is a server-driven rendering model for React: parts of the UI are executed on the server and then sent to the browser in a serialized format. Examples of server components are database queries and data fetching. These components are rendered as React "Flight" data, a serialized, JSON-like description of the UI tree sent via the React Flight protocol, which instructs the browser how to assemble the UI. Sites that use RSC and React in general are vulnerable to CVE-2025-55182, or React2Shell. The exploit works by sending a malicious RSC/Flight request that the server parses as if it were a normal React tree structure, and this can be used for RCE. Here is a PoC for it: https://github.com/msanft/CVE-2025-55182

Next, visit revshells and get a mkfifo reverse shell, execute it and get a shell:

Then access reactor.db with sqlite3:

Crack the hash for engineer with hashcat:

The password for engineer is reactor1. Log in via SSH and get the .txt:

Check the server side open ports:

9229 is the default port for the debug console. Let's see which user is the owner of the process with ps aux:

    root 1407 0.0 1.2 1067420 49280 ? Ssl 08:37 0:02 /usr/bin/node --inspect=127.0.0.1:9229 /opt/uptime-monitor/worker.js

This line reveals to us that root is the owner of the process running on port 9229.
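A Node process started with `--inspect` lets anyone who can reach the port run code as the process owner, so a host audit should flag it, especially when the owner is root. The following is an added example, not part of the original write-up: it parses `ps aux` output and reports inspector-enabled node processes; the function names are hypothetical and every sample line except the one shown above is constructed.

```python
import re

# --inspect or --inspect-brk, optionally followed by =[host:]port
INSPECT_RE = re.compile(r"--inspect(?:-brk)?(?:=(\S+))?(?=\s|$)")
LOOPBACK = {"127.0.0.1", "localhost", "[::1]"}

# First process line is the one from this write-up; the others are constructed samples.
SAMPLE_PS = """\
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1407 0.0 1.2 1067420 49280 ? Ssl 08:37 0:02 /usr/bin/node --inspect=127.0.0.1:9229 /opt/uptime-monitor/worker.js
www-data 2210 0.1 2.0 1100000 81000 ? Sl 08:40 0:05 node --inspect=0.0.0.0:9230 server.js
deploy 2301 0.0 0.5 900000 20000 ? Sl 08:41 0:00 node /srv/app/index.js
"""

def parse_inspect_target(value):
    """Return (host, port) for an --inspect value, applying Node's defaults."""
    host, port = "127.0.0.1", 9229
    if value and value.isdigit():          # --inspect=9230
        port = int(value)
    elif value and ":" in value:           # --inspect=host:port
        host, _, p = value.rpartition(":")
        port = int(p) if p.isdigit() else port
    elif value:                            # --inspect=host
        host = value
    return host, port

def audit_ps(ps_output):
    """Flag node processes in `ps aux` output that expose the inspector."""
    findings = []
    for line in ps_output.splitlines():
        fields = line.split(None, 10)      # 10 fixed columns, then COMMAND
        if len(fields) < 11 or fields[0] == "USER":
            continue
        user, pid, command = fields[0], fields[1], fields[10]
        match = INSPECT_RE.search(command)
        if not match or not command.split()[0].endswith("node"):
            continue
        host, port = parse_inspect_target(match.group(1))
        issues = []
        if user == "root":
            issues.append("inspector runs as root")
        if host not in LOOPBACK:
            issues.append("inspector bound to non-loopback address")
        findings.append({"user": user, "pid": int(pid), "host": host,
                         "port": port, "issues": issues})
    return findings

if __name__ == "__main__":
    for finding in audit_ps(SAMPLE_PS):
        print(finding)
```

A loopback bind alone is not a safe state here: any local user on the host can still reach the port, which is why the root-owned process is reported even though it listens on 127.0.0.1.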
Let's forward it to our localhost:

Open Burp and its built-in browser, or any Chromium-based browser, and type chrome://inspect. This is a built-in Chrome debugging tool:

Note that localhost:9229 is already configured; if it is not, just add it under Configure:

Set up your listener on the port of choice:


