Reactor HackTheBox Writeup - Season11
SUMMARY
This write-up covers the Reactor machine from HackTheBox Season 11. Initial reconnaissance exposed an HTTP service on port 3000 serving a Next.js 15.3 application, identified through nmap and Wappalyzer fingerprinting. This version is affected by CVE-2025-66478, a critical vulnerability that allows unauthenticated remote code execution on affected Next.js builds. Leveraging a public exploit against the endpoint delivered an initial foothold as the node user.
With a shell on the target, enumeration of the application directory at /opt/reactor-app uncovered a SQLite database (reactor.db) containing user records and password hashes. The hashes were extracted using the locally available sqlite3 binary and cracked offline, revealing the plaintext password for the engineer user. The credentials were reused for SSH access, providing a stable foothold.
Internal enumeration as engineer revealed a second Node.js process owned by root running with the V8 Inspector enabled (--inspect) and bound to 127.0.0.1:9229. Although the inspector is restricted to localhost, the foothold inside the box made it directly reachable. By tunneling the debugger port through SSH and connecting via chrome://inspect, arbitrary JavaScript could be evaluated inside the root-owned process, leading to command execution as root and full system compromise.
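As an added defender-side example that is not part of the original writeup: a small Python audit that scans a process listing for Node.js processes started with the V8 inspector enabled and flags root-owned ones, the exact configuration that made the final escalation possible. The sample ps output is constructed, and the script names under /opt/reactor-app are assumed rather than taken from the box.

```python
import re
from typing import Dict, List, Optional, Tuple

# --inspect / --inspect-brk, optionally =PORT, =HOST:PORT or =[v6host]:PORT. The trailing
# lookahead stops --inspect-port=N (which only sets the port) from matching.
INSPECT_RE = re.compile(
    r"--inspect(?:-brk)?(?:=(?:(?P<host>\[[^\]]+\]|[^:\s]+):)?(?P<port>\d+))?(?=\s|$)"
)
LOOPBACK = {"127.0.0.1", "localhost", "::1"}

def parse_inspect_flag(args: str) -> Optional[Tuple[str, int]]:
    """(host, port) if the command line enables the V8 inspector, else None.
    Node binds 127.0.0.1:9229 when no host/port is supplied."""
    m = INSPECT_RE.search(args)
    if not m:
        return None
    return m.group("host") or "127.0.0.1", int(m.group("port") or 9229)

def find_inspector_processes(ps_lines: List[str]) -> List[Dict]:
    """Audit `ps -eo user,pid,args --no-headers` output for Node processes with the inspector
    on. Root-owned ones are high severity: whoever reaches the socket runs JavaScript as root."""
    findings = []
    for line in ps_lines:
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        user, pid, args = parts
        exe = args.split()[0].rsplit("/", 1)[-1]  # basename of the executable
        bind = parse_inspect_flag(args) if exe in ("node", "nodejs") else None
        if bind is None:
            continue
        host, port = bind
        findings.append({
            "pid": int(pid), "user": user, "host": host, "port": port,
            "severity": "high" if user == "root" else "medium",
            "exposed_beyond_localhost": host.strip("[]") not in LOOPBACK,
        })
    return findings

# Constructed sample modelled on the writeup; script names are assumed, not taken from the box.
SAMPLE_PS = [
    "root      1337 /usr/bin/node --inspect=127.0.0.1:9229 /opt/reactor-app/server.js",
    "node      2048 /usr/bin/node /opt/reactor-app/node_modules/.bin/next start -p 3000",
    "engineer  3001 /usr/bin/node --inspect-brk=0.0.0.0:9230 debug.js",
    "root       900 /usr/sbin/sshd -D",
]

if __name__ == "__main__":
    for finding in find_inspector_processes(SAMPLE_PS):
        print(finding)
```

On a live Linux host, feed it the output of `ps -eo user,pid,args --no-headers`; a loopback-only bind is still reportable, since any local foothold or SSH tunnel reaches it.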
PATH TO FOLLOW
- Reconnaissance
- Web Enumeration & Next.js Fingerprinting
- CVE-2025-66478 - Next.js Unauthenticated RCE
- Shell as node
- SQLite Database Discovery & Hash Extraction
- Offline Hash Cracking & Lateral Movement to engineer
- Internal Enumeration & Exposed V8 Inspector Discovery
- SSH Local Port Forwarding to the Debugger
- Privilege Escalation via Node.js
- Root Access
CONTENT WILL BE RELEASED ONCE THE MACHINE IS RETIRED