# Corp Website (TryHackMe) - CVE-2025-55182 (React2shell)

> My Dearest Hacker,
> 
> Valentine's Day is fast approaching, and "Romance & Co" are gearing up for their busiest season.
> 
> Behind the scenes, however, things are going wrong. Security alerts suggest that "Romance & Co" has already been compromised. Logs are incomplete, developers are defensive, and shareholders want answers now!
> 
> As a security analyst, your mission is to retrace the attacker's steps, uncover how the attackers exploited the vulnerabilities found on the "Romance & Co" web application, and determine exactly how the breach occurred.
> 
> You can find the web application here: `http://MACHINE_IP:3000`

```bash
nmap -p- -sV <IP_Address>
Starting Nmap 7.80 ( https://nmap.org ) at 2026-02-14 13:23 GMT
mass_dns: warning: Unable to open /etc/resolv.conf. Try using --system-dns or specify valid servers with --dns-servers
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for <IP_Address>
Host is up (0.00017s latency).
Not shown: 65533 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
3000/tcp open  ppp?
```

```bash
gobuster dir -u http://<IP_Address>:3000 -w /usr/share/wordlists/dirb/common.txt -x php,html,txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://<IP_Address>:3000
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php,html,txt
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/cgi-bin/             (Status: 308) [Size: 8] [--> /cgi-bin]
Progress: 18456 / 18460 (99.98%)
===============================================================
Finished
===============================================================
```

I tried checking around the site and the Next.js codebase, which took a lot of time, but couldn't find much. I found a hint that we could use the Next.js CVE-2025-29927 (middleware bypass) and got a [Python script from GitHub](https://github.com/pixilated730/NextJS-Exploit-/), but it didn't work.

Eventually I learned that it was a Boot2Root challenge based on CVE-2025-55182 (React2Shell), an RCE flaw in React Server Components.

I went ahead and used Burp Suite's Repeater.

## Answer the questions below

What is the user flag?

![](https://cdn.hashnode.com/uploads/covers/5f4a98085ee1ba597542e097/015e83f6-7162-4921-9112-b682a652610a.png align="center")

![](https://cdn.hashnode.com/uploads/covers/5f4a98085ee1ba597542e097/e113d6e9-ce9d-4af4-8bb1-0bbf5c43a28c.png align="center")

What is the root flag?

![](https://cdn.hashnode.com/uploads/covers/5f4a98085ee1ba597542e097/8c4cb459-f982-424a-ba77-9f1409a3fa74.png align="center")

```http
HTTP/1.1 500 Internal Server Error
Vary: rsc, next-router-state-tree, next-router-prefetch, next-router-segment-prefetch, Accept-Encoding
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
x-nextjs-cache: HIT
x-nextjs-prerender: 1
Content-Type: text/x-component
Date: Sun, 15 Feb 2026 20:50:15 GMT
Connection: keep-alive
Keep-Alive: timeout=5
Content-Length: 93

0:{"a":"$@1","f":"","b":"3WpzTMYEK9QGOeqIBQxrR"}
1:E{"digest":"THM{Pr1v_35c_47_175_f1n357}"}
```

![](https://cdn.hashnode.com/uploads/covers/5f4a98085ee1ba597542e097/8236f50e-b9e2-4e3e-8dfd-b6e6ed1fb94f.png align="center")
