https://z3r0s6.github.io/tags/next.js/Recent content in Next.js on z3r0sHugoenSun, 24 May 2026 00:00:00 +0000https://z3r0s6.github.io/machines/reactor/Sun, 24 May 2026 00:00:00 +0000https://z3r0s6.github.io/machines/reactor/<p><strong>Difficulty:</strong> Easy | <strong>OS:</strong> Linux</p> <hr> <h2 id="logo--name-analysis---first-impressions"> Logo &amp; Name Analysis - First Impressions <a class="heading-link" href="#logo--name-analysis---first-impressions"> <i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"></i> <span class="sr-only">Link to heading</span> </a> </h2> <p>Before touching a single tool, the machine logo and name already give away a significant amount of information to an experienced player.</p> <h3 id="the-logo"> The Logo <a class="heading-link" href="#the-logo"> <i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"></i> <span class="sr-only">Link to heading</span> </a> </h3> <p>The machine logo shows a nuclear reactor facility - cooling towers with radiation symbols (☢), smoke/steam rising, set inside a green circle. On HackTheBox, machine logos almost always hint directly at the technology or theme involved.</p> <p><strong>What the logo tells us immediately:</strong></p> <ul> <li>Nuclear reactor theme → the web app will be a reactor monitoring dashboard, ICS/SCADA-style interface with sensor readings, logs, and personnel panels</li> <li>Green color scheme → &quot;nominal / online&quot; status indicators - a live running service dashboard</li> <li>Radiation symbols → nuclear operations terminology ahead: coolant flow, pressure, neutron flux, core temperature - all realistic dashboard labels that give no obvious attack surface</li> </ul> <h3 id="the-name"> The Name <a class="heading-link" href="#the-name"> <i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"></i> <span class="sr-only">Link to heading</span> </a> </h3> <p>&quot;Reactor&quot; combined with the logo points toward two things at once:</p> <ul> <li><strong>React/Next.js</strong> - &quot;Reactor&quot; is almost certainly a pun on React, the JavaScript framework. HTB machine names frequently reference the intended technology this way. This immediately narrows the attack surface to a Node.js web application.</li> <li><strong>Nuclear monitoring theme</strong> - the app will look like a static read-only dashboard with no login, no forms, no visible input - pushing the attacker toward framework-level vulnerabilities rather than application logic.</li> </ul> <h3 id="the-instant-hypothesis"> The Instant Hypothesis <a class="heading-link" href="#the-instant-hypothesis"> <i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"></i> <span class="sr-only">Link to heading</span> </a> </h3> <p>Combining name + logo before even running nmap:</p> <blockquote> <p><em>&quot;This is a Next.js app themed as a nuclear reactor dashboard. The name 'Reactor' punning on React strongly suggests a Next.js vulnerability is the intended path. The dashboard will look static but the attack vector will be server-side - likely Server Actions, API routes, or RSC deserialization.&quot;</em></p> </blockquote> <p>This hypothesis was confirmed within minutes:</p> <ul> <li>Port 3000 → <code>X-Powered-By: Next.js</code> in response headers</li> <li>No login page, no visible forms → the framework itself is the attack surface, not the application logic</li> <li>Next.js Server Actions prototype pollution (CVE-2025-55182) → exact match</li> </ul> <p>This is why reading the logo matters. A good HTB player can often narrow the entire attack path to 1-2 CVEs before the nmap scan finishes.</p>