Reactor — Hack The Box Writeup 
Summary
Reactor is a Linux machine that demonstrates how a modern JavaScript framework vulnerability can be combined with a classic debugging misconfiguration to achieve full system compromise. The attack chain begins with an unauthenticated Next.js Server Actions exploit, transitions into credential harvesting via a local SQLite database, and culminates in root access through abuse of the Node.js V8 Inspector Protocol.
Recon
Initial enumeration is performed to identify exposed services.
┌──(kali㉿attacker)-[~/htb/reactor]
└─$ nmap -sC -sV <target-ip>
The scan reveals SSH and a single HTTP service. With a web application exposed, the focus shifts toward deeper web analysis.
Web Enumeration
Accessing the web application reveals a custom dashboard built using Next.js. Inspection of network traffic and page source indicates the use of React Server Components (RSC) and Server Actions.
Special attention is given to serialized payloads such as __next_f, which confirm the use of the React Flight Protocol.
Application Analysis
Further fingerprinting identifies a specific Next.js version vulnerable to a framework-level issue involving improper deserialization and prototype pollution within Server Actions.
Instead of interacting purely through the UI, the focus shifts toward how the backend processes crafted requests.
Initial Access
The vulnerability lies in how Server Action requests are handled. By manipulating request structure, it becomes possible to influence server-side execution.
A malicious request is crafted by modifying the Next-Action header and carefully structuring the React Flight payload.
This allows access to internal object resolution chains, ultimately reaching functionality equivalent to:
- Dynamic module loading
- Execution of arbitrary JavaScript on the server
A listener is prepared locally.
┌──(kali㉿attacker)-[~/htb]
└─$ nc -lvnp <port>
Triggering the exploit results in a reverse shell.
Foothold
The obtained shell runs under a low-privileged service account.
Basic enumeration reveals the application directory structure and configuration files. From here, the focus shifts toward identifying sensitive data stored locally.
Lateral Movement
Within the application directory, a SQLite database is discovered.
┌──(www-data㉿reactor)-[/app]
└─$ ls
The database contains user credential data.
By querying relevant tables, username and password hash pairs are extracted. These hashes are then cracked offline using common wordlists.
Recovered credentials allow SSH access to the system.
┌──(kali㉿attacker)-[~]
└─$ ssh <user>@<target-ip>
This provides a stable shell as a legitimate system user, enabling retrieval of the user flag.
Privilege Escalation
Local enumeration reveals a critical misconfiguration.
┌──(user㉿reactor)-[~]
└─$ ps aux | grep node
A Node.js process is observed running with the --inspect flag as root, exposing the V8 Inspector Protocol on a localhost-bound port.
Since the service is not externally accessible, port forwarding is used.
┌──(kali㉿attacker)-[~]
└─$ ssh -L 9229:127.0.0.1:9229 <user>@<target-ip>
This forwards the debugger interface to the attacker machine.
Using a Chromium-based browser, the debugger is accessed via:
chrome://inspect
After attaching to the process:
- Execution is resumed from the paused state
- Arbitrary JavaScript is executed within the root context
- Native Node.js modules are leveraged to perform privileged actions
This ultimately allows access to sensitive files owned by root.
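A defender-side check for the misconfiguration described above, as an added example that is not part of the original writeup: it parses the output of ps -eo user,pid,args and reports Node.js processes started with inspector flags, rating a root-owned one as critical even when it is bound to loopback. The sample process list, the function names and the severity labels are constructed for illustration.

```javascript
// Added example: audit `ps -eo user,pid,args` output for Node.js inspector flags.
const FLAG = /^--inspect(-brk|-wait|-port)?(?:=(.+))?$/;
const LOOPBACK = new Set(['127.0.0.1', 'localhost', '::1', '[::1]']);

// Parse the "[host:]port" value; Node's defaults are 127.0.0.1 and 9229.
function parseEndpoint(value, prev) {
  const ep = { ...prev };
  if (/^\d+$/.test(value)) { ep.port = Number(value); return ep; }
  const i = value.endsWith(']') ? -1 : value.lastIndexOf(':');
  ep.host = i === -1 ? value : value.slice(0, i);
  if (i !== -1 && value.slice(i + 1)) ep.port = Number(value.slice(i + 1));
  return ep;
}

// Returns one finding per node process whose arguments enable the inspector.
// All arguments are scanned, so a script argument named --inspect is also
// reported: a false positive is cheaper than a missed debugger.
function auditPs(psOutput) {
  const findings = [];
  for (const line of psOutput.split('\n')) {
    const [user, pid, exe, ...args] = line.trim().split(/\s+/);
    if (!exe || !/^(node|nodejs)$/.test(exe.split('/').pop())) continue;
    let active = false, ep = { host: '127.0.0.1', port: 9229 };
    for (const arg of args) {
      const m = FLAG.exec(arg);
      if (!m) continue;
      if (m[1] !== '-port') active = true; // --inspect-port alone only sets the address
      if (m[2]) ep = parseEndpoint(m[2], ep);
    }
    if (!active) continue;
    const root = user === 'root' || user === '0';
    const remote = !LOOPBACK.has(ep.host);
    // Loopback does not protect a root process: every local account can connect.
    const severity = root ? 'critical' : remote ? 'high' : 'medium';
    findings.push({ user, pid: Number(pid), ...ep, remote, severity });
  }
  return findings;
}

// Constructed sample input (not captured from the machine in this writeup).
const SAMPLE_PS = `USER PID COMMAND
root 812 /usr/bin/node --inspect /opt/svc/worker.js
www-data 954 node --inspect-brk=0.0.0.0:9230 server.js
app 1001 node --inspect-port=9300 index.js
app 1002 /usr/bin/python3 manage.py --inspect
deploy 1100 nodejs --inspect=[::1]:9556 job.js`;

console.log(auditPs(SAMPLE_PS));
```

Inspector activation through the NODE_OPTIONS environment variable or a SIGUSR1 signal does not appear in the argument list and needs a separate check.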
Root
Once code execution as root is achieved, the final flag is retrieved.
┌──(user㉿reactor)-[~]
└─$ cat /home/<user>/user.txt
┌──(root㉿reactor)-[/root]
└─$ cat /root/root.txt
Attack Chain
- Recon
  - Nmap → identify 22,80
- Web Enumeration
  - Analyze Next.js application
  - Identify Server Actions & RSC
- Initial Access
  - Craft malicious Server Action request
  - Achieve RCE (unauthenticated)
- Foothold
  - Reverse shell as service account
  - Enumerate application files
- Lateral Movement
  - Extract SQLite database
  - Crack credentials
  - SSH access as user
- Privilege Escalation
  - Identify Node --inspect (root)
  - Port forward debugger
  - Attach via DevTools
  - Execute code → root
- Post-Exploitation
  - Retrieve flags
Key Takeaways
- Modern frameworks like Next.js can introduce critical vulnerabilities when internal mechanisms such as Server Actions are exposed improperly.
- Debugging features such as the Node.js --inspect flag should never be enabled in production, especially for privileged processes.
- The principle of least privilege is essential. Running application components as root significantly increases risk.
- Credential handling must follow best practices. Weak hashing and local storage of sensitive data can easily lead to lateral movement.
Final Thoughts
Reactor highlights the evolving attack surface of modern web applications. It combines cutting-edge framework exploitation with a classic misconfiguration to form a clean and effective attack chain.
Understanding both application-layer behavior and runtime internals is key to successfully navigating such machines.
Happy hacking, and always respect active box policies! 🔒