HackTheBox - Previous

IppSec · Beginner ·☁️ DevOps & Cloud ·5mo ago

Key Takeaways

Exploits NextJS middleware vulnerability (CVE-2025-29927) on HackTheBox using Nmap and BurpSuite

Original Description

00:00 - Introduction 01:00 - Start of nmap 03:44 - Wappalyzer detects NextJS and shows the version, looking at CVE's 07:20 - Looking at the nextjs middleware vulnerability (CVE-2025-29927) 09:50 - Our nuclei scan didn't detect it, looking at templates, it should but needs the headless flag 12:20 - Adding the x-middleware-subrequest to our request to bypass auth 15:05 - Setting BurpSuite to add a header, so we don't have to manually add the middleware to our request 17:20 - Discovering a File Disclosure in the examples 19:20 - Building a skeleton project to find configs, grabbing package.json then using npm build 24:15 - Finding credentials in the nextauth, getting credentials and then logging in with SSH 25:45 - We can run a specific terraform command with sudo, env_reset is not enabled but we can't edit path 29:30 - Declaring source_file in our environment, which then will use it in the script. Using SymLink to read unintended files 34:15 - Doing the same thing with source_file but changing the symlink to be the file we write, to have an elevated file write vuln 37:15 - Editing the terraform config to change the terraform provider and get RCE

Watch on YouTube ↗ (saves to browser)

Sign in to unlock AI tutor explanation · ⚡30

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →

HHC2016 - Analytics

HHC2016 - Analytics

HackTheBox - October

HackTheBox - October

HackTheBox - Arctic

HackTheBox - Arctic

HackTheBox - Brainfuck

HackTheBox - Brainfuck

HackTheBox - Bank

HackTheBox - Bank

HackTheBox - Joker

HackTheBox - Joker

HackTheBox - Lazy

HackTheBox - Lazy

Camp CTF 2015 - Bitterman

Camp CTF 2015 - Bitterman

HackTheBox - Devel

HackTheBox - Devel

Reversing Malicious Office Document (Macro) Emotet(?)

Reversing Malicious Office Document (Macro) Emotet(?)

HackTheBox - Granny and Grandpa

HackTheBox - Granny and Grandpa

HackTheBox - Pivoting Update: Granny and Grandpa

HackTheBox - Pivoting Update: Granny and Grandpa

HackTheBox - Optimum

HackTheBox - Optimum

HackTheBox - Charon

HackTheBox - Charon

HackTheBox - Sneaky

HackTheBox - Sneaky

HackTheBox - Holiday

HackTheBox - Holiday

HackTheBox - Europa

HackTheBox - Europa

Introduction to tmux

Introduction to tmux

HackTheBox - Blocky

HackTheBox - Blocky

HackTheBox - Nineveh

HackTheBox - Nineveh

HackTheBox - Jail

HackTheBox - Jail

HackTheBox - Blue

HackTheBox - Blue

HackTheBox - Calamity

HackTheBox - Calamity

HackTheBox - Shrek

HackTheBox - Shrek

HackTheBox - Mirai

HackTheBox - Mirai

HackTheBox - Shocker

HackTheBox - Shocker

HackTheBox - Mantis

HackTheBox - Mantis

HackTheBox - Node

HackTheBox - Node

HackTheBox - Kotarak

HackTheBox - Kotarak

HackTheBox - Enterprise

HackTheBox - Enterprise

HackTheBox - Sense

HackTheBox - Sense

HackTheBox - Minion

HackTheBox - Minion

VulnHub - Sokar

VulnHub - Sokar

VulnHub - Pinkys Palace v2

VulnHub - Pinkys Palace v2

HackTheBox - Inception

HackTheBox - Inception

Vulnhub - Trollcave 1.2

Vulnhub - Trollcave 1.2

HackTheBox - Ariekei

HackTheBox - Ariekei

HackTheBox - Flux Capacitor

HackTheBox - Flux Capacitor

HackTheBox - Jeeves

HackTheBox - Jeeves

HackTheBox - Tally

HackTheBox - Tally

HackTheBox - CrimeStoppers

HackTheBox - CrimeStoppers

HackTheBox - Fulcrum

HackTheBox - Fulcrum

HackTheBox - Chatterbox

HackTheBox - Chatterbox

HackTheBox - Falafel

HackTheBox - Falafel

How To Create Empire Modules

How To Create Empire Modules

HackTheBox - Nightmare

HackTheBox - Nightmare

HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions

HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions

HackTheBox - Bart

HackTheBox - Bart

HackTheBox - Aragog

HackTheBox - Aragog

HackTheBox - Valentine

HackTheBox - Valentine

HackTheBox - Silo

HackTheBox - Silo

HackTheBox - Rabbit

HackTheBox - Rabbit

HackTheBox - Celestial

HackTheBox - Celestial

HackTheBox - Stratosphere

HackTheBox - Stratosphere

HackTheBox - Poison

HackTheBox - Poison

HackTheBox - Canape

HackTheBox - Canape

HackTheBox - Olympus

HackTheBox - Olympus

HackTheBox - Sunday

HackTheBox - Sunday

HackTheBox - Fighter

HackTheBox - Fighter

HackTheBox - Bounty

HackTheBox - Bounty

Related AI Lessons

schemachange Plus Snowflake CLI

Learn to deploy Snowflake objects using schemachange and Snowflake CLI for streamlined DevOps workflows

Medium · DevOps

Day 12: Packaging & Publishing Docker Images

Learn to package and publish Docker images for a FastAPI app

Medium · DevOps

Docker Explained: From “What Even Is This” to Deploying a Full-Stack App

Learn Docker fundamentals and deploy a full-stack app with this beginner-to-advanced guide

Medium · DevOps

I Used to Pay for Cloud Servers. Then I Found a Way to Run One Free, 24/7

Learn how to run a cloud server for free, 24/7, and overcome hosting cost limitations for automation ideas

Chapters (14)

Introduction

1:00 Start of nmap

3:44 Wappalyzer detects NextJS and shows the version, looking at CVE's

7:20 Looking at the nextjs middleware vulnerability (CVE-2025-29927)

9:50 Our nuclei scan didn't detect it, looking at templates, it should but needs th

12:20 Adding the x-middleware-subrequest to our request to bypass auth

15:05 Setting BurpSuite to add a header, so we don't have to manually add the middle

17:20 Discovering a File Disclosure in the examples

19:20 Building a skeleton project to find configs, grabbing package.json then using

24:15 Finding credentials in the nextauth, getting credentials and then logging in w

25:45 We can run a specific terraform command with sudo, env_reset is not enabled bu

29:30 Declaring source_file in our environment, which then will use it in the script

34:15 Doing the same thing with source_file but changing the symlink to be the file

37:15 Editing the terraform config to change the terraform provider and get RCE

Containers on Amazon ECS with Mama J