Machine Synopsis
ReaperTwo is an Insane Windows machine that involves both browser and kernel exploitation. The attack chain begins with enumeration of exposed services and access to an SMB share containing development artifacts. A vulnerable web application built on the V8 JavaScript engine allows arbitrary JavaScript execution, which is escalated to remote code execution through a type confusion vulnerability in Harmony Set methods, combined with WebAssembly-based shellcode execution. After an initial foothold is gained as a low-privileged user, privilege escalation is achieved by exploiting a vulnerable kernel driver that exposes a function pointer execution primitive. The exploit bypasses modern protections such as kASLR, DEP, and SMEP by leaking kernel addresses via MSRs, performing a stack pivot, and constructing a ROP chain to modify Page Table Entries (PTEs). Finally, custom kernel shellcode is executed to steal a SYSTEM token, resulting in full system compromise.
Machine Matrix