Reactor
Completion state: <secret redacted> - User flag: not captured - Root flag: not captured 1. Establish Pwnbox SSH execution context and create
Scenario
Reactor attack path
Objective
Machine walkthrough focused on Machines evidence, validation, and reusable operator lessons.
Source coverage
High source coverage
Status: complete. This article is generated from 4 sanitized Markdown sources and keeps raw flags, credentials, keys, cookies, and reusable secrets out of the rendered blog.
High confidence: the page is reconstructed from a primary walkthrough plus multiple supporting notes or evidence sources. Treat the chain as source-backed, while still checking the listed source files for sensitive values.
- <TARGET>-Reactor/walkthrough.md
- HTB/<TARGET>-Reactor/notes.md
- HTB/<TARGET>-Reactor/session-resume.md
- HTB/_knowledge/exports/ctf-lightrag-latest-203412/documents/machine__<TARGET>-Reactor__session-resume.md.35a73135da.md
Technical Walkthrough
Reactor — Walkthrough
Status
- Completion state: <secret redacted>
- User flag: not captured
- Root flag: not captured
Reproduction Outline
- Establish Pwnbox SSH execution context and create workspace.
- Verify VPN route and target reachability.
- Enumerate TCP services.
- Enumerate Next.js application on port 3000.
- Exploit verified foothold path, capture user flag into loot/.
- Run Linux baseline and privilege escalation enumeration.
- Capture root flag into loot/.
Evidence
- Connectivity baseline: <local workspace><TARGET>-Reactor/enum/connectivity-baseline.txt (mirrored after remote sync)
- Initial nmap: <local workspace><TARGET>-Reactor/nmap/initial.nmap
- Full TCP nmap: <local workspace><TARGET>-Reactor/nmap/reactor-tcp-full.txt
Notes
Raw flags and reusable secrets are stored only in loot/ and are not reproduced here.
Source-Backed Dossier
The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets.
Notes
| Timestamp | Action | Output File | Finding | Confidence | Next Action |
|---|---|---|---|---|---|
| 2026-05-25 START | Workspace created | — | Fresh target, no prior recon | — | Begin enumeration |
| 2026-05-25 RECON | nmap -sC -sV | nmap/initial.nmap | Port 22 (SSH), 3000 (Next.js HTTP) | HIGH | Enumerate port 3000 (web) |
| 2026-05-25 EXPLOIT | react2shell | rshell.log | Exploited Next.js Server Action RCE | HIGH | Check for local privesc |
| 2026-05-25 FOOTHOLD | Reverse Shell | rshell.log | Gained reverse shell as node | HIGH | Read database and crack <password redacted> |
| 2026-05-25 ENUM | sqlite3 dump | — | Dumped reactor.db, found MD5 hashes | HIGH | Crack hashes with rockyou |
| 2026-05-25 PRIV | Cracked MD5 | hashes.txt | Cracked engineer hash: reactor1 | HIGH | SSH as engineer |
| 2026-05-25 FLAG | SSH auth | loot/user.txt | Got user flag for engineer | HIGH | Escalate privileges |
| 2026-05-25 ENUM | Local checks | worker.js | Found Node script running as root with debugger | HIGH | Connect to debugger |
| 2026-05-25 ROOT | WebSocket RCE | loot/root.txt | Exploited Node debugger via WebSocket to get root flag | HIGH | COMPLETE |
Target Summary
- Name: Reactor
- IP: <TARGET>
- OS: Linux
- Difficulty: Easy
- Platform: HackTheBox
- Pwnbox: <TARGET> (profex0r)
Session Resume
Completion State
- Current completion state: <secret redacted>
- User flag: not captured
- Root flag: not captured
- Current blocker: port 3000 HTTP service is timing out after a React RSC callback probe, while ICMP and SSH remain reachable.
Current Access
- Pwnbox SSH: profex0r@<TARGET>
- Pwnbox VPN IP: <TARGET>
- Target: <TARGET>
- Target reachability: ICMP OK, SSH OK, web port 3000 open in TCP check but HTTP requests time out.
- No target shell obtained yet.
Active Sessions / Listeners
| Name | Owner | Host | Command | PID/Process | Pane | Local Port | Remote Target | Log File | Credential/Ticket Ref | Started | Status | Last Verified | Cleanup |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| http-callback | coordinator | Pwnbox | python3 -m http.server 8000 | python http.server | reactor:http-callback | 8000 | target callback tests | enum/tmux-http-callback.log | n/a | 2026-05-25 | ACTIVE | enum/callback-listener-status.txt | tmux send-keys -t reactor:http-callback C-c |
Evidence Snapshot
- Connectivity: <local workspace><TARGET>-Reactor/enum/connectivity-baseline.txt
- Fresh initial scan: <local workspace><TARGET>-Reactor/nmap/initial
- Fresh all-ports scan: <local workspace><TARGET>-Reactor/nmap/allports
- UDP targeted scan: <local workspace><TARGET>-Reactor/nmap/udp-targeted
- Web root: <local workspace><TARGET>-Reactor/enum/http-root.html
- WhatWeb: <local workspace><TARGET>-Reactor/enum/whatweb-3000.txt
- Asset list/hints: <local workspace><TARGET>-Reactor/enum/assets.txt, <local workspace><TARGET>-Reactor/enum/web-pattern-hits.txt
- Next/RSC probes: <local workspace><TARGET>-Reactor/enum/next-probe-run.txt, <local workspace><TARGET>-Reactor/enum/framework-version-hits.txt, <local workspace><TARGET>-Reactor/enum/next-rsc-probes.txt
- Exploit helper: <local workspace><TARGET>-Reactor/exploits/reactor_react2shell.py
- Callback probe: <local workspace><TARGET>-Reactor/enum/react2shell-callback-probe.txt
- Service-block evidence: <local workspace><TARGET>-Reactor/enum/service-state-final-recheck.txt
Ranked Hypotheses
| ID | Hypothesis | Evidence | Missing Proof | Cheapest Validation | Confidence | Status |
|---|---|---|---|---|---|---|
| H1 | React RSC/React2Shell-style RCE is the intended foothold | Next.js App Router/RSC live behavior; React 19 RC strings; RAG PARTIAL ReactOOPS pattern | Confirm command execution without blocking service; obtain shell or readback | After reset, run bounded static chunk readback command (timeout 3 id) | <secret redacted> | BLOCKED by wedged web service |
| H2 | Web leak/default route reveals credentials or API path | Static dashboard includes personnel names but no API from assets | Hidden route/API discovery | Continue ffuf/Next route enumeration after service recovery | <secret redacted> | PAUSED |
| H3 | SSH credential reuse from app content/personnel names | Names visible on page | Password/credential source | Only test if credential discovered; no spray yet | LOW | OPEN |
Last RAG Tags
- Start query: PARTIAL/GENERIC. ReactOOPS adjacent pattern, not accepted as evidence.
- Baseline query: PARTIAL. React Server Components exploit mechanics are useful, but target version differs; live validation required.
Next Three Actions
- Reset/restart the target web service through the lab platform or wait for automatic recovery; verify with curl --connect-timeout 3 --max-time 8 http://<TARGET>:3000/ from Pwnbox.
- Replace the exploit command with a bounded readback payload, e.g. wrap target command in timeout 3 and overwrite an existing static chunk with id output; do not use outbound callbacks first.
- If readback proves RCE, use a short-lived reverse shell or command readback to capture user.txt into loot/, then run Linux baseline (id, hostname, ip a, ip r, sudo -l, ss -lntup) and start privesc.
Cleanup Notes
- Stop callback listener when no longer needed: tmux send-keys -t reactor:http-callback C-c.
- Do not ingest this state into LightRAG; no sanitized post-solve summary yet.