A penetration testing walkthrough exploiting CVE-2025-29927, a Next.js middleware authentication bypass vulnerability, to access protected documentation. After the authentication bypass, a directory traversal flaw in the download API exposes NextAuth configuration files containing hardcoded credentials. These credentials grant SSH access as the user jeremy. Privilege escalation to root is achieved through a misconfigured sudo rule that allows running Terraform with preserved environment variables, which opens three different attack paths: a malicious provider configuration, arbitrary file read via symbolic links, and arbitrary file write through cron injection.

21 min read. Source: 0xdf.gitlab.io