[{"content":"In this blog post, I have explained how I created my blog website using Hugo-PaperMod and Vercel for free.\nAs I work in the cybersecurity industry, I read a lot of blogs by great security researchers and follow their RSS feeds, which has helped me a lot to expand my knowledge in the field.\nI always wanted to write my own blogs but never knew where to start. A friend who writes blogs himself suggested that I use the Hugo-PaperMod theme to build my blog website.\nSo, I started building my blog website using Hugo-PaperMod. But instead of going through the installation guide and documentation of Hugo-PaperMod, I thought, why not just ask the author of Hugo-PaperMod directly how to set it up😁. Yes, I had that privilege, as he is a friend of mine; he is the one who motivated me to write blogs and helped set up this website. I asked him a lot of stupid questions while building it. He writes some fantastic blogs; you can check them out here.\nThe real motivation behind this particular blog is to help someone who wants to start their own blog website but has no idea how to start.\nLet's get started now.\nHugo-PaperMod Setup\nStep 1 - Install Hugo.\nStep 2 - Create a new Hugo site using the command below.\nhugo new site MyFreshWebsite --format yaml # replace MyFreshWebsite with the name of your website\nStep 3 - Run the git init command inside the folder of your website.\nStep 4 - Inside the folder of your Hugo site MyFreshWebsite, run the commands below.\ngit submodule add --depth=1 https://github.com/adityatelange/hugo-PaperMod.git themes/PaperMod\ngit submodule update --init --recursive # needed when you reclone your repo (submodules may not get cloned automatically)\nStep 5 - Run the git submodule update --remote --merge command inside the folder of your Hugo site MyFreshWebsite.\nStep 6 - In the hugo.yaml file, add theme: PaperMod.\nYou can use my sample hugo.yaml file.\nStep 7 - Inside the content directory, add a folder named posts, and inside the posts 
folder you can add your blog posts in markdown format. Sample Page.md file. (Note - This directory structure is only valid if you are using my sample hugo.yaml file.)\nStep 8 - Run the hugo server command inside the website folder to spin up the website on your localhost:1313.\nYou can find all of these in the Hugo-PaperMod installation guide.\nHosting the website on Vercel\nVercel is a cloud platform designed for developers to build, deploy and scale web applications with ease.\nStep 1 - Create a vercel.json file in your website folder and add the JSON below to it.\n{\n  \"version\": 2,\n  \"build\": {\n    \"env\": {\n      \"HUGO_VERSION\": \"0.150.0\"\n    }\n  },\n  \"github\": {\n    \"silent\": true\n  }\n}\nThis is required because Vercel by default uses a different Hugo version than the one required to set up our website.\nStep 2 - Create a GitHub repository for your website and push the code to it.\ngit remote add origin https://github.com/<username>/<repo>.git\ngit add .\ngit commit -m \"MyFreshWebsite\"\ngit push origin main\nStep 3 - Log in to Vercel and click on Add New -> Project.\nStep 4 - Add your GitHub repository and give Vercel permission to access your blog's GitHub repository.\nStep 5 - After giving permission and clicking on Import, you will see the screen below. Select Application Preset as Hugo and click on Deploy.\nStep 6 - Your website is now deployed and live. Now, you can go to the domain section and change the domain of your website as you want.\nStep 7 - Change the baseURL in your hugo.yaml file and push the changes to your GitHub repository. This is important, or else you will not be able to navigate your website.\nYour blog website is now ready and live🎊!!\nFinal Thoughts\nThere are many customizations you can make with your Hugo-PaperMod website. 
Play with it and choose what best suits you and your website.\nYou can use Giscus to add a comments section to your blogs. The code to integrate Giscus with Hugo-PaperMod is here. Create the layouts\\partials\\comments.html file and paste the code into it.\nMaybe in the future I will buy my own domain, but currently I am using Vercel's domain.\nMy plan is to write blogs about the things I am learning, which will keep me motivated and will also help someone with similar interests.\nHappy Blogging😊!\n","permalink":"https://premlingayat.vercel.app/posts/blog-setup/","summary":"\u003cp\u003eIn this blog post, I have explained how I created my blog website using \u003ca href=\"https://github.com/adityatelange/hugo-PaperMod/\"\u003eHugo-PaperMod\u003c/a\u003e and \u003ca href=\"https://vercel.com/\"\u003eVercel\u003c/a\u003e for free.\u003c/p\u003e\n\u003cp\u003eAs I work in the cybersecurity industry, I read a lot of blogs by great security researchers and follow their RSS feeds, which has helped me a lot to expand my knowledge in the field.\u003c/p\u003e\n\u003cp\u003eI always wanted to write my own blogs but never knew where to start. A friend who writes blogs himself suggested that I use the Hugo-PaperMod theme to build my blog website.\u003c/p\u003e","title":"How I Built My Blog Website using Hugo-PaperMod and Vercel?"},{"content":"Introduction\nReact2Shell is a vulnerability in React Server Components that gives an attacker unauthenticated remote code execution on a remote server. This vulnerability has a CVSS score of 10.0 💀. If you are curious like me and want to know what happens in the backend code that causes this remote code execution, this blog is for you. Before diving into the code, let's start with some basics.\nWhat are React Server Components?\nReact Server Components (RSC) are a feature in React which is used in React frameworks like Next.js. They are used to segregate client-side and server-side rendered components. 
The static or non-interactive part of the website is rendered on the server side and sent to the user in the HTTP response. Interactive elements like buttons or links are only rendered on the client side. This is used to make the website respond faster for users.\nWithout React Server Components (RSC):\n- The server would send the full HTML or JSON\n- The client would re-render everything\n- More JS is executed on the client side\n- Heavy JS is downloaded in the client-side browser\nWith React Server Components (RSC):\n- The server sends the client component structure\n- The client merges it with the existing UI\n- Only interactive JS is executed on the client side\n- The size of the JS bundle in the client-side browser decreases\nReact uses the Flight protocol to send and receive RSC data between the server and the client.\nFlight Protocol\nThe Flight protocol is a special protocol used by React to send React Server Components data from the server to the client or browser. It has a JSON-like format, but it is not exactly JSON.\nThe server-side rendered HTML is sent from the server to the client browser, and the hydration process starts on the client side using the React runtime to make the UI interactive.\nHydration is the process of attaching client-side JavaScript logic to the static HTML that was initially rendered on the server.\nStructure of a Flight payload:\n1:I[\"app/components/Counter.js\",\"default\"]\n2:[\"$\",\"div\",null,{\n  \"children\":[\n    [\"$\",\"h1\",null,\"Dashboard\"],\n    [\"$\",\"$L1\"]\n  ]\n}]\nHow do React Server Components work? 
Let's start with an example:\napp/\n├── page.js (Server Component)\n├── components/\n│   ├── Posts.js (Server Component)\n│   └── Like.js (Client Component)\n'page.js' and 'Posts.js' are executed on the server side and generate an HTML shell.\nThe server creates the RSC payload below and sends it to the client.\n1:I[\"app/components/Like.js\",\"default\"]\n2:[\"$\",\"div\",null,{\n  \"children\":[\n    [\"$\",\"h3\",null,\"Post title\"],\n    [\"$\",\"$L1\"]\n  ]\n}]\nI → import client component\n$L1 → reference to the Like.js client component\nThe server-rendered HTML shell and the RSC payload are received in the client browser from the server.\nThe browser parses the RSC payload using the React runtime and makes the HTML interactive and ready to use.\nLab Setup and debugging\nI used the command below to set up a React2Shell lab on my local computer. 
It is recommended to run it in an isolated network or in a VM so that it is only accessible locally.\nnpm create next-app@16.0.6 react2shell\nStart the server and attach the debugger using the command below.\nset NODE_OPTIONS=--inspect && npm run dev\nAttach Chrome: Open chrome://inspect in your browser and click Open dedicated DevTools for Node.\nNote - Even though we are using the Chrome browser to debug the code and set the breakpoints, remember that it is server-side code we are debugging.\nI crafted the HTTP request below in Burp Suite to send the payload to the React server.\nWe are sending two chunks in the request: '0' and '1'.\nPayload Chunk:\n0: {\n  status: \"resolved_model\",\n  reason: 0,\n  then: \"$1:then\",\n  value: \"{\"then\":\"$B1337\"}\",\n  _response: {\n    _prefix: \"var res=process.mainModule.require('child_process').execSync('whoami').toString('base64');throw Object.assign(new Error('x'),{digest: res});\",\n    _formData: { get: \"$1:then:constructor\" }\n  }\n},\n1: \"$@0\",\n}\n\"$@0\" means chunk '1' is pointing to chunk '0'.\nThe vulnerability lies in the react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack packages of React.\nI set some breakpoints in the react-server-dom-webpack package, which we will inspect to see how our payload gets processed on the server.\nWhen I send the HTTP request from Burp Suite with the payload mentioned above, it gets sent to the function 'initializeModelChunk'.\nThe 'initializeModelChunk' function is called for every chunk we send in the request.\n'rawModel' is the JSON-parsed version of the payload we passed.\nThen it passes the 
parsed JSON chunk to the 'reviveModel' function.\nThe 'reviveModel' function reconstructs the chunk and checks the key and value of each property in the chunk one by one.\nIt checks if the value is a string and then passes the value to the 'parseModelString' function.\nThe 'parseModelString' function checks if the value starts with '$' and then looks at the value after the '$' symbol, which is a chunk number; in our case it is '1'. It waits for chunk '1' to be parsed and keeps the value as null until the chunk is parsed by React.\nIf the value does not start with '$', then it simply returns the value.\nAs mentioned above, it sets the value of 'then' and 'get' to null and waits for chunk '1'.\nReact should not allow internal properties like 'then', 'value', '_response', '__proto__' or 'prototype' to be supplied from user input. This is where the vulnerability creeps in.\nIn JavaScript, there is a concept called 'duck typing'. It means if an object 'quacks like a duck' or 'walks like a duck', then it is a duck🦆. So, if the object has a 'then' property, then it is treated as a 'Promise'.\nA Promise in JavaScript is an object that represents the result of an asynchronous operation, i.e. something that will complete in the future, not immediately.\nNow, the 'initializeModelChunk' function is called for chunk '1'.\nChunk '1' is parsed, which has the '$@0' value. 
It means it is a reference back to chunk '0'.\nThe 'wakeChunk' function invokes the 'resolveListeners', which are the '$1' values in chunk '0' that are waiting for chunk '1' to initialize so that they can access chunk '1' properties.\nAs mentioned above, it waits for chunk '1' to be parsed and keeps the value as null until the chunk is parsed by React. So the value of 'then' and 'get' was set to null and was waiting for chunk '1'.\nthen: \"$1:then\" from chunk '0' is invoked and its value is accessed from chunk '1'. It means: go to chunk '1' and access its 'then' property.\nthen in the parentObject, i.e. in chunk '0', has now become a function, whereas it was set to null initially.\nget: \"$1:then:constructor\" from chunk '0' is invoked and its value is accessed from chunk '1'. 
It means: go to chunk '1' and access its 'then' property, which becomes a function, and then access the .then function's 'constructor' property, which gives us an eval-like function.\nThis is what causes remote code execution.\n\"$1\" → resolve chunk 1\n\"$1:then\" → resolve chunk 1, then access .then\n\"$1:then:constructor\" → resolve chunk 1, access .then, access .constructor\nget in the parentObject, i.e. in chunk '0', has now become an eval-like function, whereas it was set to null initially.\nThe then property makes the object thenable, and then React checks if the status of the chunk is resolved_model. That is why we passed then: \"$1:then\" and the status value of chunk '0' as resolved_model; otherwise our payload will not work.\nNow, the 'initializeModelChunk' function is called again, but this time the chunk it is parsing is controlled by us, based on the values we passed.\nvalue: \"{\"then\":\"$B1337\"}\" is parsed, and due to the then property React will treat it as a thenable.\nB from $B1337 has a special case in which it calls response._formData.get, which we have seen earlier has become an eval-like function, and then it passes the _prefix value from _response to it.\nReact treats then as a promise, and in JavaScript then chains are automatically executed by the runtime, which causes our code to get executed.\nWe send the malicious RSC payload via Burp Suite and receive a 500 Internal Server Error in the response. 
However, the response body contains a digest property whose value is the base64-encoded output of the command executed on the server, confirming successful Remote Code Execution.\nRemediation\nReact shouldn't allow user input to include internal React properties like status, then, _response, etc.\nReact fixed this vulnerability using hasOwnProperty, which checks whether a property belongs directly to an object rather than being inherited from its prototype chain. Without this check, the RSC reference resolver blindly walked up the prototype chain, allowing attackers to reach Function via $1:then:constructor, where .constructor is not an own property of .then but one inherited from Function.prototype.\nPatched Versions:\nReact: 19.0.1, 19.1.2, 19.2.1\nNext.js: 5.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7\nReferences\n- Inside React2Shell - Explained\n- https://x.com/rauchg/status/1997362942929440937\n- React Critical Vulnerability (CVSS 10.0) + LIVE Attack Demo\n- React Server Components vs Client Components\n","permalink":"https://premlingayat.vercel.app/posts/debugging-react2shell/","summary":"\u003ch2 id=\"introduction\"\u003eIntroduction\u003c/h2\u003e\n\u003cp\u003eReact2Shell is a vulnerability in React Server Components that gives an attacker unauthenticated remote code execution on a remote server. This vulnerability has a CVSS score of 10.0 💀. If you are curious like me and want to know what happens in the backend code that causes this remote code execution, this blog is for you. Before diving into the code, let\u0026rsquo;s start with some basics.\u003c/p\u003e\n\u003ch2 id=\"what-are-react-server-components\"\u003eWhat are React Server Components?\u003c/h2\u003e\n\u003cp\u003eReact Server Components (RSC) are a feature in React which is used in React frameworks like Next.js. They are used to segregate client-side and server-side rendered components. 
The static or non-interactive part of the website is rendered on the server side and sent to the user in the HTTP response. Interactive elements like buttons or links are only rendered on the client side. This is used to make the website respond faster for users.\u003c/p\u003e","title":"Debugging React2Shell (CVE-2025-55182)"},{"content":"Hello, I'm Prem Lingayat\nI have 4+ years of experience in cybersecurity (Offensive). I specialize in web, mobile, API, and Thick Client penetration testing. I have experience working with clients in BFSI and many other sectors. I have found critical vulnerabilities during my client engagements and have helped them throughout the remediation process.\nSkills:\n- Web Application Pentesting\n- Mobile Application Pentesting (Android, iOS)\n- Thick Client Security Testing (Windows)\n- Internal Network Pentesting\n- Active Directory and AD-CS\n- API Security (REST, SOAP)\n- OAuth, SAML and SSO Authentication\n- External Attack Surface Management\n- Red Teaming & Threat Modeling\n- Risk Identification and Mitigation Planning\n- Strong Understanding of OWASP Top 10\n- Python Scripting\nCertifications:\n- CRTP: Certified Red Team Professional (Altered Security)\n- PT1 (TryHackMe)\n- CEH: Certified Ethical Hacker (EC-Council)\n- Security+ (CompTIA)\n- AZ-900 (Microsoft)\n- SC-900 (Microsoft)\nSocials:\n- LinkedIn\n- Twitter\n- GitHub\nContact: 📧 premlingayat33@outlook.com\n","permalink":"https://premlingayat.vercel.app/about/","summary":"\u003ch1 id=\"hello-im-prem-lingayat\"\u003eHello, I\u0026rsquo;m Prem Lingayat\u003c/h1\u003e\n\u003cp\u003eI have 4+ years of experience in cybersecurity (Offensive). I specialize in web, mobile, API, and Thick Client penetration testing. I have experience working with clients in BFSI and many other sectors. I have found critical vulnerabilities during my client engagements and have helped them throughout the remediation process.\u003c/p\u003e\n\u003chr\u003e\n\u003ch2 id=\"skills\"\u003eSkills:\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eWeb Application Pentesting.\u003c/li\u003e\n\u003cli\u003eMobile Application Pentesting (Android, iOS).\u003c/li\u003e\n\u003cli\u003eThick Client Security Testing (Windows).\u003c/li\u003e\n\u003cli\u003eInternal Network Pentesting.\u003c/li\u003e\n\u003cli\u003eActive Directory and AD-CS.\u003c/li\u003e\n\u003cli\u003eAPI Security (REST, SOAP).\u003c/li\u003e\n\u003cli\u003eOAuth, SAML and SSO Authentication.\u003c/li\u003e\n\u003cli\u003eExternal Attack Surface Management.\u003c/li\u003e\n\u003cli\u003eRed Teaming \u0026amp; Threat Modeling.\u003c/li\u003e\n\u003cli\u003eRisk Identification and Mitigation Planning.\u003c/li\u003e\n\u003cli\u003eStrong Understanding of OWASP Top 10\u003c/li\u003e\n\u003cli\u003ePython Scripting\u003c/li\u003e\n\u003c/ul\u003e\n\u003chr\u003e\n\u003ch2 id=\"certifications\"\u003eCertifications:\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eCRTP: Certified Red Team Professional (Altered Security)\u003c/li\u003e\n\u003cli\u003ePT1 (TryHackMe)\u003c/li\u003e\n\u003cli\u003eCEH: Certified Ethical Hacker (EC-Council)\u003c/li\u003e\n\u003cli\u003eSecurity+ (CompTIA)\u003c/li\u003e\n\u003cli\u003eAZ-900 (Microsoft)\u003c/li\u003e\n\u003cli\u003eSC-900 (Microsoft)\u003c/li\u003e\n\u003c/ul\u003e\n\u003chr\u003e\n\u003ch2 id=\"socials\"\u003eSocials:\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"https://linkedin.com/in/premlingayat\"\u003eLinkedIn\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://x.com/PremLingayat\"\u003eTwitter\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/premlingayat\"\u003eGitHub\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003chr\u003e\n\u003ch2 id=\"contact\"\u003eContact:\u003c/h2\u003e\n\u003cp\u003e📧 \u003ca href=\"mailto:premlingayat33@outlook.com\"\u003epremlingayat33@outlook.com\u003c/a\u003e\u003c/p\u003e","title":"About"}]