
HackTheBox - Previous

7.1K views
Jan 10, 2026
42:04

00:00 - Introduction
01:00 - Start of nmap
03:44 - Wappalyzer detects NextJS and shows the version, looking at CVEs
07:20 - Looking at the NextJS middleware vulnerability (CVE-2025-29927)
09:50 - Our nuclei scan didn't detect it, looking at templates, it should but needs the headless flag
12:20 - Adding the x-middleware-subrequest to our request to bypass auth
15:05 - Setting BurpSuite to add a header, so we don't have to manually add the middleware to our request
17:20 - Discovering a File Disclosure in the examples
19:20 - Building a skeleton project to find configs, grabbing package.json then using npm build
24:15 - Finding credentials in the nextauth, getting credentials and then logging in with SSH
25:45 - We can run a specific terraform command with sudo, env_reset is not enabled but we can't edit path
29:30 - Declaring source_file in our environment, which then will use it in the script. Using a symlink to read unintended files
34:15 - Doing the same thing with source_file but changing the symlink to be the file we write, to have an elevated file write vuln
37:15 - Editing the terraform config to change the terraform provider and get RCE
