Corp Website (TryHackMe) - CVE-2025-55182 (React2shell)


My Dearest Hacker,

Valentine's Day is fast approaching, and "Romance & Co" are gearing up for their busiest season.

Behind the scenes, however, things are going wrong. Security alerts suggest that "Romance & Co" has already been compromised. Logs are incomplete, developers are defensive, and shareholders want answers now!

As a security analyst, your mission is to retrace the attacker's steps, uncover how the attackers exploited the vulnerabilities found on the "Romance & Co" web application, and determine exactly how the breach occurred.

You can find the web application here: http://MACHINE_IP:3000

```
nmap -p- -sV <IP_Address>
Starting Nmap 7.80 ( https://nmap.org ) at 2026-02-14 13:23 GMT
mass_dns: warning: Unable to open /etc/resolv.conf. Try using --system-dns or specify valid servers with --dns-servers
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for <IP_Address>
Host is up (0.00017s latency).
Not shown: 65533 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
3000/tcp open  ppp?
```
```
gobuster dir -u http://<IP_Address>:3000 -w /usr/share/wordlists/dirb/common.txt -x php,html,txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://<IP_Address>:3000
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php,html,txt
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/cgi-bin/             (Status: 308) [Size: 8] [--> /cgi-bin]
Progress: 18456 / 18460 (99.98%)
===============================================================
Finished
===============================================================
```

I spent a lot of time checking around the site and the Next.js codebase but couldn't find much. I found a hint that the Next.js CVE-2025-29927 (middleware bypass) might apply and tried a Python script from GitHub, but it didn't work.

Eventually I learned that it was a Boot2Root challenge based on CVE-2025-55182 (React2Shell), an RCE flaw in React Server Components.

I went ahead and used Burp Suite's Repeater. The response came back as an RSC error payload (`Content-Type: text/x-component`) with the flag in its `digest` field.

Answer the questions below

What is the user flag?

What is the root flag?


```http
HTTP/1.1 500 Internal Server Error
Vary: rsc, next-router-state-tree, next-router-prefetch, next-router-segment-prefetch, Accept-Encoding
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
x-nextjs-cache: HIT
x-nextjs-prerender: 1
Content-Type: text/x-component
Date: Sun, 15 Feb 2026 20:50:15 GMT
Connection: keep-alive
Keep-Alive: timeout=5
Content-Length: 93

0:{"a":"$@1","f":"","b":"3WpzTMYEK9QGOeqIBQxrR"}
1:E{"digest":"THM{Pr1v_35c_47_175_f1n357}"}
```
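As an added example (not part of the original write-up or of the TryHackMe room), here is a small detector a defender could run over RSC responses or logs: it parses the flight-format body shown above and flags error rows whose `digest` does not look like a normal Next.js digest. It assumes, as labelled in the comments, that production Next.js digests are digit-only hashes or `NEXT_`-prefixed control values; the sample body is constructed from the response above.

```javascript
// Added example, not the page's or Next.js's own code.
// Sample body constructed from the RSC response shown above.
const SAMPLE_BODY = [
  '0:{"a":"$@1","f":"","b":"3WpzTMYEK9QGOeqIBQxrR"}',
  '1:E{"digest":"THM{Pr1v_35c_47_175_f1n357}"}',
].join('\n');

// Each flight row is "<id>:<payload>"; an "E" right after the colon
// marks an error row whose payload is a JSON object.
function parseFlightRows(body) {
  const rows = [];
  for (const raw of body.split('\n')) {
    const line = raw.replace(/\r$/, '');
    const m = /^(\d+):(E?)(.*)$/.exec(line);
    if (!m) continue;
    let payload;
    try {
      payload = JSON.parse(m[3]);
    } catch (e) {
      payload = m[3]; // non-JSON rows (e.g. text chunks) are kept verbatim
    }
    rows.push({ id: Number(m[1]), isError: m[2] === 'E', payload });
  }
  return rows;
}

// Assumption (not stated on the page): a production Next.js server error
// digest is a digit-only hash, and framework control errors carry a
// NEXT_ prefix (NEXT_REDIRECT, NEXT_NOT_FOUND, ...). Anything else in
// the digest field is data the server was not expected to echo back.
const EXPECTED_DIGEST = /^(\d+|NEXT_[A-Z_]+.*)$/;

// Returns the error rows with an unexpected digest so a WAF or log
// pipeline can alert on them; an empty array means nothing suspicious.
function findSuspiciousDigests(body) {
  return parseFlightRows(body)
    .filter((r) => r.isError && r.payload && typeof r.payload === 'object')
    .filter((r) => typeof r.payload.digest === 'string'
      && !EXPECTED_DIGEST.test(r.payload.digest))
    .map((r) => ({ id: r.id, digest: r.payload.digest }));
}

const REPORT = findSuspiciousDigests(SAMPLE_BODY);
console.log(REPORT); // one row: the THM{...} digest is not a hash
```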

Love at First Breach 2026 CTF

Part 7 of 7

Love at First Breach 2026 by TryHackMe is a beginner-friendly, live red-teaming CTF designed to help you fall in love with breaking things... safely. Hosted between 13 - 16 Feb 2026.
