Overview

The box starts with a Next.js 15.0.3 app on port 3000 that is vulnerable to CVE-2025-55182 (React2Shell), which gives pre-auth RCE. That yields a shell as the node user, from which a SQLite database containing MD5 password hashes is exfiltrated. Cracking the engineer user's hash gives SSH access and the user flag. From there, a root-owned Node.js process is found running with --inspect bound to localhost port 9229; forwarding that port and attaching with Chrome DevTools allows JavaScript to be executed through the CDP Runtime.evaluate method, which is used to set the SUID bit on bash and escalate to root.
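Two of the weaknesses the chain above relies on are easy to audit on a host: a root-owned Node.js process started with `--inspect` (the debugger listens on 9229 and anyone who can reach it can run arbitrary JavaScript as that process's user) and a SUID bit on a shell binary. The script below is an added defensive example, not code from the writeup or the target box; the `ps` sample it parses is constructed, and the function names are my own.

```shell
#!/bin/sh
# Added audit helpers (not part of the original writeup).
# 1. find_root_inspect: from `ps -eo user,args` output, report root-owned
#    node processes started with any --inspect* flag.
# 2. has_suid: check whether an octal mode string (as from `stat -c %a`)
#    carries the SUID bit, e.g. the 4755 left behind on /bin/bash.

# Constructed sample of `ps -eo user,args` output for offline demonstration.
SAMPLE_PS='USER     COMMAND
root     /usr/bin/node --inspect=127.0.0.1:9229 /opt/app/server.js
node     /usr/bin/node /var/www/app/.next/server.js
root     /usr/sbin/sshd -D'

# Read ps output on stdin; print every line whose user is root, whose
# executable is node, and whose arguments include a --inspect variant.
find_root_inspect() {
    awk 'NR > 1 && $1 == "root" && $2 ~ /(^|\/)node$/ {
            for (i = 3; i <= NF; i++)
                if ($i ~ /^--inspect/) { print; break }
         }'
}

# Return 0 when the octal mode in $1 has the SUID bit (04000) set.
has_suid() {
    [ $(( 0$1 & 04000 )) -ne 0 ]
}

# Convenience wrapper for a live system (Linux `ps` and `stat` syntax assumed).
audit_live() {
    echo "[*] root-owned node processes with --inspect:"
    ps -eo user,args | find_root_inspect
    for shell in /bin/bash /bin/sh /bin/dash; do
        [ -e "$shell" ] || continue
        mode=$(stat -c %a "$shell" 2>/dev/null) || continue
        has_suid "$mode" && echo "[!] SUID bit set on $shell (mode $mode)"
    done
}

# Demonstration against the constructed sample.
printf '%s\n' "$SAMPLE_PS" | find_root_inspect
```

Running `audit_live` on the compromised host from the writeup would print the `/usr/bin/node --inspect=...` line and, after the final step, flag `/bin/bash` as SUID. The fix on the defender's side is to start production Node.js services without `--inspect` (or only under a debugging session that is torn down afterwards) and to alert on any SUID bit appearing on a shell binary.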

Enumeration

As usual, we'll start with an nmap scan to see what we're dealing with.