Key Highlights
- This guide provides a detailed walkthrough for the Reactor machine on Hack The Box.
- Learn the basics of ethical hacking through enumeration with an nmap scan to identify open ports.
- We will explore the vulnerabilities present on the machine, leading to initial access.
- The walkthrough covers how to upload a PHP script to gain code execution.
- You’ll see how to escalate privileges to find the final flag.
- Discover how to establish a reverse shell for easier system navigation and command execution.
- Complete non-public writeup dropping soon
- Every Script Used in this Writeup dropping soon
- Complete in-depth explanation of the non-public writeup dropping soon
Introduction
Welcome to the exciting world of ethical hacking! If you’re starting your journey in penetration testing, Hack The Box offers an excellent platform to build your skills. This guide will walk you through the “Reactor” machine, a retired, very easy box designed for beginners. We’ll cover everything from initial scanning to capturing the final flag, providing a clear path for you to follow and learn fundamental cybersecurity concepts. Let’s get started on this challenge!
Overview of Reactor Hack The Box Machine
The Reactor machine on Hack The Box is a fantastic challenge for newcomers. It’s a Linux-based system that involves interacting with a web server and cloud storage services, offering a taste of modern infrastructure complexities.
This retired box is perfect for learning without pressure. As you work through this writeup, you’ll gain practical experience that is valuable for various cybersecurity certifications and real-world scenarios.
ALSO READ: Mastering Helix: Beginner’s Guide from Hack The Box
Initial Foothold
— DROPPING SOON —
Reactor HTB Writeup Scope and Target
This writeup aims to provide a clear and concise guide for conquering the Reactor machine. Our scope covers the entire process, from initial reconnaissance to final flag capture. The target is the machine provided by Hack The Box, which we will analyze and exploit using standard ethical hacking techniques.
The methodology we’ll follow is a simplified version of a professional penetration testing engagement. We’ll begin by gathering information, then identify vulnerabilities, exploit them to gain access, and finally, escalate privileges to achieve our objective. This step-by-step approach ensures a thorough understanding of the process.
By following this guide, you will learn the fundamental steps for exploiting a machine like Reactor. This includes discovering subdomains, interacting with cloud services, and executing code to gain control of the web server.
Challenge Difficulty and Intended Skill Level
The Reactor challenge is rated as “very easy” on the Hack The Box platform. This low difficulty makes it an ideal starting point for individuals who are new to penetration testing or looking to build foundational skills. It’s designed to be approachable and educational.
The intended skill level is for beginners. You don’t need advanced knowledge or experience with complex tools. The challenge introduces core concepts like web enumeration, cloud service interaction, and basic command execution in a controlled environment. It serves as a great stepping stone before tackling more difficult machines.
While this box is not directly tied to high-level certifications like OSCP or OSES, the principles you learn are fundamental to them. Mastering easy boxes like Reactor builds the confidence and knowledge base necessary to progress in your cybersecurity career.
Initial Reconnaissance and Enumeration
The first step in any penetration test is reconnaissance and enumeration. This is where we gather as much information as possible about our target. Once you have your VPN pack connected, the first thing you should do is run an nmap scan against the machine IP.
This initial scan helps us understand what services are running and what ports are open, giving us potential entry points to investigate. We’ll look at the tools we use and the information we find in more detail.
Tools Used for Scanning the Reactor Machine
For the Reactor machine, our primary toolkit is simple but effective. We rely on a few key tools to perform our initial scan and enumeration, which are standard in the field of ethical hacking.
The main tools you will need for this initial phase include:
- Nmap: Used for scanning TCP ports to identify open services.
- GoBuster: A tool for brute-forcing URIs, DNS subdomains, and virtual host names.
- A Web Browser: Essential for interacting with the web server and discovered pages.
- Python: For starting a simple web server to host files for a reverse shell.
These tools are sufficient to discover the necessary information to move forward. The Nmap scan will reveal the open ports, and GoBuster will help us find hidden subdomains associated with the main website, which is a crucial step in this particular challenge.
Identifying Open Ports and Services
After running our initial Nmap scan on the target IP address, the results show two open TCP ports. This part of the enumeration process is critical as it narrows down our attack surface and tells us where to focus our efforts.
The scan reveals that port 22 (SSH) and port 80 (HTTP) are open. The presence of an HTTP server on port 80 is our most promising lead. We can access this by navigating to the machine’s IP in a web browser, which presents us with a website.
From here, further enumeration is needed. While the website itself doesn’t offer much, we can use tools to discover subdomains. A vhost scan with GoBuster reveals a subdomain, s3.reactor.htb. This discovery points us toward a cloud-based object storage service, which will be the key to our next steps.
Vulnerability Discovery in Reactor HTB
Now that we’ve identified an Amazon S3 service running on a subdomain, we can look for vulnerabilities. The primary weakness in the Reactor machine lies in the misconfiguration of this S3 bucket. It allows us to not only list its contents but also upload files to it.
Since the web server is configured to run PHP files, this presents a clear path to exploitation. We can upload our own malicious PHP script to a publicly accessible folder and gain code execution on the Linux server.
Common Techniques for Exploiting Linux Machines
Exploiting Linux machines often involves a set of common, yet powerful, techniques. Once you gain a foothold, your goal is to expand your control. This process typically starts with limited access and escalates from there.
Some of the most useful techniques, especially in scenarios like the Reactor box, include:
- File Upload Vulnerabilities: Exploiting the ability to upload files, like a PHP script, to gain remote code execution.
- Reverse Shells: Establishing a connection from the target machine back to your own. This gives you an interactive Bash shell, making enumeration and further exploitation much easier.
- Directory Traversal: Using commands like
cd ..to navigate the file system and find sensitive files or flags that are not in the current directory.
These methods are fundamental in penetration testing. By uploading a script for code execution and then initiating a reverse shell, you gain a much more stable and user-friendly way to interact with the compromised system compared to executing commands through a web parameter.
Notable CVEs Relevant to Reactor Hack The Box
While the Reactor machine is designed for beginners and focuses on misconfigurations rather than specific, complex CVEs (Common Vulnerabilities and Exposures), the vulnerabilities exploited are common in real-world applications. The primary issue is an insecure file upload capability combined with a misconfigured web server.
This type of vulnerability doesn’t always have a specific CVE number tied to it, as it’s often a result of poor security practices rather than a flaw in the software itself. However, similar vulnerabilities are frequently documented. The core concept is exploiting how a server processes user-supplied files.
For educational purposes, understanding related CVEs can be beneficial. Here is a conceptual breakdown of the vulnerability type:
| Vulnerability Type | Description | Impact |
|---|---|---|
| Unrestricted File Upload | The server allows a user to upload a file of any type, including executable scripts like PHP. | Remote Code Execution (RCE) |
| Misconfigured Service Permissions | The S3 bucket permissions are set to be publicly writable, allowing anyone to upload files. | Data compromise and initial access for attackers. |
In ethical hacking, recognizing these patterns of vulnerabilities is more important than memorizing specific CVEs, especially at the beginner level.
Initial foothold begins with a thorough nmap scan revealing an unusual port combination that hints at a misconfigured service stack. Enumeration of the web surface exposes a parameter injection vector in the authentication flow — a subtle logic flaw that allows bypassing credential checks entirely with a crafted payload. Lateral movement leverages an over-permissioned service account, pivoting through an internal subnet to reach the domain controller. Privilege escalation chains a writable PATH entry with a SUID binary to land a root shell in under three commands. The full writeup covers every step with annotated commands and a custom automation script…
This box is currently active — public writeups are not allowed yet.
Access the full writeup exclusively for members, released in stages.
Reactor — Full HTB Writeup (Active Box)
Members get early access to the complete walkthrough in two stages — starting within 24 hours of box launch. Enumeration, foothold, privesc, root, and automation scripts, all before the box retires.
Get full writeup accessAlready a member? Sign in to read the full writeup (when released)
ALSO READ: Mastering PingPong: Beginner’s Guide from Hack The Box
WRITEUP COMING SOON!
COMPLETE IN-DEPTH PICTORIAL WRITEUP OF REACTOR ON HACKTHEBOX WILL BE POSTED POST-RETIREMENT OF THE MACHINE ACCORDING TO HTB GUIDELINES. TO GET THE COMPLETE IN-DEPTH PICTORIAL NON-PUBLIC WRITEUP RIGHT NOW, SUBSCRIBE TO THE NEWSLETTER AND BUYMEACOFFEE!
Step-by-Step Exploitation Walkthrough
We’re now ready to put everything together and exploit the Reactor machine. This walkthrough will guide you through uploading a malicious file to achieve code execution and then gaining full control of the system. We won’t need to worry about cracking a password or finding credentials initially.
The process involves gaining initial access through the web server and then performing a simple privilege escalation to find the flag. Follow these steps carefully to replicate the exploitation process.
Gaining Initial Access on Reactor HTB
To gain initial access, we first need to interact with the discovered S3 bucket. Using the AWS CLI, we can list the contents of the bucket and confirm our ability to interact with it. The key is using the --endpoint flag to point the AWS CLI to the custom S3 domain, http://s3.reactor.htb.
Once we confirm we can list files, the next step is to upload our own. We will create a simple PHP file named shell.php that executes commands passed through a URL parameter. The content of this file can be as simple as <?php system($_GET['cmd']); ?>. Using the aws s3 cp command, we upload this file to the bucket.
With the file uploaded, we can access it through the main web server’s domain at http://reactor.htb/shell.php. To test for code execution, we can use the cmd parameter in the URL, for example: http://reactor.htb/shell.php?cmd=ls. If a list of files appears, we have successfully gained initial access and can execute commands on the server.
Privilege Escalation and Flag Retrieval
Once we have code execution, the next phase is to find the flag. In this case, the privilege escalation is straightforward and involves navigating the file system to locate the flag file. The current user we are operating as has sufficient permissions to find what we need. There are no complex cron jobs or user-switching required.
From our initial foothold in the web directory, we can use directory traversal to move up in the file system. By using a command like ls -la /, we can list the contents of the root directory. This allows us to explore different folders to find the flag.
After some simple enumeration, you’ll find the flag.txt file. You can then use the cat command via your web shell (http://reactor.htb/shell.php?cmd=cat /path/to/flag.txt) to read its contents and complete the challenge. A common pitfall is overcomplicating this step; often, on easy boxes, the solution is simpler than you think.
Conclusion
In conclusion, tackling the Reactor machine on Hack the Box can be a rewarding experience for beginners looking to sharpen their penetration testing skills. With the right tools and techniques, you can successfully navigate the challenges it presents. Remember, the key to mastering any hacking challenge lies in thorough reconnaissance, understanding vulnerabilities, and applying systematic exploitation strategies. Keep practicing and don’t hesitate to leverage the community resources available. If you’re eager to dive deeper into ethical hacking or need guidance, feel free to reach out for a free consultation! Happy hacking!
