Previous starts with a NextJS application for a fictional JavaScript framework. I’ll exploit the infamous NextJS middleware vulnerability to access the authenticated portion of the site. From there, I’ll find a directory traversal vulnerability in a download API that allows reading files from the server, including the NextAuth config with hard-coded credentials. Those creds work for SSH, and I’ll pivot to root by abusing a misconfigured sudo rule that runs Terraform multiple ways.

0xdf hacks stuff

A penetration testing walkthrough exploiting CVE-2025-29927, a NextJS middleware authentication bypass vulnerability, to access protected documentation. After bypassing authentication, a directory traversal flaw in the download API exposes NextAuth configuration files containing hardcoded credentials. These credentials grant SSH access as user jeremy. Privilege escalation to root is achieved by exploiting a misconfigured sudo rule that allows running Terraform with preserved environment variables, enabling three different attack paths: malicious provider configuration, arbitrary file read via symbolic links, and arbitrary file write through cron injection.

HTB: Previous