
Corp Website (TryHackMe) - CVE-2025-55182 (React2shell)


My Dearest Hacker,

Valentine's Day is fast approaching, and "Romance & Co" are gearing up for their busiest season.

Behind the scenes, however, things are going wrong. Security alerts suggest that "Romance & Co" has already been compromised. Logs are incomplete, developers are defensive, and shareholders want answers now!

As a security analyst, your mission is to retrace the attacker's steps, uncover how the attackers exploited the vulnerabilities found on the "Romance & Co" web application, and determine exactly how the breach occurred.

You can find the web application here: http://MACHINE_IP:3000

```
nmap -p- -sV <IP_Address>
Starting Nmap 7.80 ( https://nmap.org ) at 2026-02-14 13:23 GMT
mass_dns: warning: Unable to open /etc/resolv.conf. Try using --system-dns or specify valid servers with --dns-servers
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for <IP_Address>
Host is up (0.00017s latency).
Not shown: 65533 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
3000/tcp open  ppp?
```
```
gobuster dir -u http://<IP_Address>:3000 -w /usr/share/wordlists/dirb/common.txt -x php,html,txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://<IP_Address>:3000
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php,html,txt
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/cgi-bin/             (Status: 308) [Size: 8] [--> /cgi-bin]
Progress: 18456 / 18460 (99.98%)
===============================================================
Finished
===============================================================
```

Tried checking around the site and the Next.js codebase. It took a lot of time, but I couldn't find much. Found a hint that we could use the Next.js CVE-2025-29927 (middleware bypass); I got a Python script from GitHub, but it didn't work.

Eventually learned that it was a Boot2Root challenge based on CVE-2025-55182 (React2Shell), an RCE flaw in React Server Components.

I went ahead and used Burp Suite's Repeater.

Answer the questions below

What is the user flag?

What is the root flag?


```http
HTTP/1.1 500 Internal Server Error
Vary: rsc, next-router-state-tree, next-router-prefetch, next-router-segment-prefetch, Accept-Encoding
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
x-nextjs-cache: HIT
x-nextjs-prerender: 1
Content-Type: text/x-component
Date: Sun, 15 Feb 2026 20:50:15 GMT
Connection: keep-alive
Keep-Alive: timeout=5
Content-Length: 93

0:{"a":"$@1","f":"","b":"3WpzTMYEK9QGOeqIBQxrR"}
1:E{"digest":"THM{Pr1v_35c_47_175_f1n357}"}
```
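The flag above comes back inside the `digest` of an error row (`1:E{...}`) of the `text/x-component` body, which is how server-side output reached the client in this challenge. As an added example (not part of the original write-up), the following Python parses that row format and flags error digests that do not look like the numeric hash Next.js normally emits for production server errors; the expected digest shape and the `NEXT_` prefix allow-list are assumptions, and the sample body is constructed from the response shown here.

```python
import json
import re

# Constructed sample: the text/x-component body from the 500 response above.
SAMPLE_BODY = (
    '0:{"a":"$@1","f":"","b":"3WpzTMYEK9QGOeqIBQxrR"}\n'
    '1:E{"digest":"THM{Pr1v_35c_47_175_f1n357}"}\n'
)

# Each line is "<row id>:<optional one-letter tag><json>"; "E" marks an error row.
ROW_RE = re.compile(r'^([0-9a-zA-Z]+):([A-Za-z]?)(.*)$')

# Assumption: a production Next.js server error carries a purely numeric digest,
# and framework control-flow digests start with "NEXT_" (e.g. not-found/redirect).
BENIGN_DIGEST_RE = re.compile(r'^(\d+|NEXT_[A-Z_]+.*)$')


def parse_flight_rows(body: str) -> list[dict]:
    """Split an RSC response body into rows with id, tag and decoded payload.

    Rows whose payload is not JSON (e.g. other tagged row kinds) are kept raw
    so nothing is silently dropped from a capture."""
    rows = []
    for line in body.splitlines():
        if not line.strip():
            continue
        m = ROW_RE.match(line)
        if not m:
            rows.append({"id": None, "tag": None, "payload": line})
            continue
        row_id, tag, rest = m.groups()
        try:
            payload = json.loads(rest)
        except json.JSONDecodeError:
            payload = rest
        rows.append({"id": row_id, "tag": tag or None, "payload": payload})
    return rows


def suspicious_error_digests(body: str) -> list[str]:
    """Return digests from error rows that do not match the benign shapes.

    A digest carrying free-form text means raw error detail (here, command
    output) is being serialised back to the client instead of an opaque hash."""
    found = []
    for row in parse_flight_rows(body):
        if row["tag"] != "E" or not isinstance(row["payload"], dict):
            continue
        digest = str(row["payload"].get("digest", ""))
        if not BENIGN_DIGEST_RE.match(digest):
            found.append(digest)
    return found
```

Run it over captured RSC responses (anything with `Content-Type: text/x-component`) to spot error rows whose digest carries free-form text rather than an opaque hash.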

Love at First Breach 2026 CTF

Part 1 of 7

Love at First Breach 2026 by TryHackMe is a beginner-friendly, live red-teaming CTF designed to help you fall in love with breaking things... safely. Hosted between 13 - 16 Feb 2026.
