Hack The Box - HTB Reactor Writeup - Easy - Weekly - May 23rd, 2026
Box: Reactor
OS: Linux
Difficulty: Easy
Target IP: <TARGET_IP>
Attacker IP: <ATTACKER_IP> (tun0)
1. Reconnaissance
1.1 Port Scan
A full TCP port sweep followed by a targeted service/version scan:
```bash
nmap -Pn -p- --min-rate=2000 -oN nmap-full.txt <TARGET_IP>
nmap -sC -sV -p 22,3000 -oN nmap-svc.txt <TARGET_IP>
```
Open ports:
| Port | Service | Notes |
|---|---|---|
| 22 | SSH | OpenSSH — used later for the foothold and tunnel |
| 3000 | HTTP | X-Powered-By: Next.js web application |
The web service runs on port 3000, not 80/443. The application is Next.js
(v15.0.3), a React Server Components (RSC) framework, which is the key
detail that drives the foothold.
1.2 Web Fingerprinting
```bash
curl -sI http://<TARGET_IP>:3000/
```
Response headers confirm the stack:
```
HTTP/1.1 200 OK
X-Powered-By: Next.js
```
The landing page is a static "ReactorWatch — Core Monitoring System" dashboard
with no visible login or links. Directory brute forcing and route hunting
through the _next JS bundles return nothing actionable: the entry point is
not a hidden path, it is a framework-level vulnerability.
Identifying the exact framework + version (Next.js 15.0.3) is what points
directly at CVE-2025-55182.
2. Foothold — CVE-2025-55182 (React2Shell RCE)
2.1 Vulnerability Background
CVE-2025-55182 is a Remote Code Execution vulnerability in the React Server
Components / "Flight" serialization protocol used by frameworks such as Next.js.
The chain is:
Prototype Pollution ──▶ Flight (RSC) deserialization ──▶ RCE
A crafted RSC payload pollutes object prototypes during server-side
deserialization, ultimately allowing attacker-controlled code to be evaluated in
the Node.js server process. Output can be recovered "error-based" (smuggled out
inside the HTTP 500 response), so no outbound connection from the target is
required.
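Because the output comes back inside HTTP 500 responses and the target makes no outbound connection, egress monitoring will not see this activity; the access log in front of the application will. The following is an added example, not part of the original writeup: a Node.js heuristic that flags clients receiving repeated 500 responses of varying size. The nginx "combined" log format, the thresholds, and all sample log lines (including the `/api/status` path) are constructed assumptions.

```javascript
// Constructed sample: reverse-proxy access log in nginx "combined" format (assumed).
const SAMPLE_LOG = `
203.0.113.7 - - [23/May/2026:10:01:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [23/May/2026:10:01:05 +0000] "POST / HTTP/1.1" 500 412 "-" "curl/8.5.0"
198.51.100.9 - - [23/May/2026:10:01:09 +0000] "POST / HTTP/1.1" 500 1893 "-" "curl/8.5.0"
192.0.2.44 - - [23/May/2026:10:01:11 +0000] "GET /api/status HTTP/1.1" 500 230 "-" "Mozilla/5.0"
198.51.100.9 - - [23/May/2026:10:01:14 +0000] "POST / HTTP/1.1" 500 96 "-" "curl/8.5.0"
192.0.2.44 - - [23/May/2026:10:01:20 +0000] "GET /api/status HTTP/1.1" 500 230 "-" "Mozilla/5.0"
198.51.100.9 - - [23/May/2026:10:01:22 +0000] "POST / HTTP/1.1" 500 7340 "-" "curl/8.5.0"
192.0.2.44 - - [23/May/2026:10:01:31 +0000] "GET /api/status HTTP/1.1" 500 230 "-" "Mozilla/5.0"
`;

// Captures: ip, timestamp, method, path, status, response bytes
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)/;

function parseLine(line) {
  const m = LINE_RE.exec(line.trim());
  if (!m) return null; // blank or malformed line
  return { ip: m[1], time: m[2], method: m[3], path: m[4],
           status: Number(m[5]), bytes: m[6] === '-' ? 0 : Number(m[6]) };
}

// Flag clients with repeated 500s whose body sizes keep changing. A genuine
// application bug tends to return the same error page each time; a response
// that carries smuggled output varies in length. Thresholds are assumptions.
function findErrorChannelSuspects(logText, { minErrors = 3, minDistinctSizes = 3 } = {}) {
  const byClient = new Map();
  for (const line of logText.split('\n')) {
    const entry = parseLine(line);
    if (!entry || entry.status !== 500) continue;
    if (!byClient.has(entry.ip)) byClient.set(entry.ip, []);
    byClient.get(entry.ip).push(entry);
  }
  const suspects = [];
  for (const [ip, errs] of byClient) {
    const sizes = new Set(errs.map((e) => e.bytes));
    if (errs.length >= minErrors && sizes.size >= minDistinctSizes) {
      suspects.push({ ip, errors: errs.length, distinctSizes: sizes.size,
                      maxBytes: Math.max(...sizes), firstSeen: errs[0].time });
    }
  }
  return suspects.sort((a, b) => b.errors - a.errors);
}

console.log(findErrorChannelSuspects(SAMPLE_LOG));
```

The client that hits the same failing endpoint three times with an identical 230-byte error is not flagged; only the client whose 500 responses change size on every request is.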