https://le0pard.vercel.app/blog en-us Leopardplaysctf@gmail.com (Yasir Mehmood) Leopardplaysctf@gmail.com (Yasir Mehmood) Mon, 12 Jan 2026 00:00:00 GMT https://le0pard.vercel.app/blog/HTB-Previous-Writeup https://le0pard.vercel.app/blog/HTB-Previous-Writeup This writeup details exploiting a Next.js auth bypass (CVE-2025-29927) to access a restricted app, then leveraging an LFI vulnerability to extract credentials from internal files. After gaining SSH access, a Terraform misconfiguration with sudo privileges is abused to escalate to root and capture both user and root flags. Mon, 12 Jan 2026 00:00:00 GMT Leopardplaysctf@gmail.com (Yasir Mehmood) ALL BLOGSHack-The-BoxPentestingMachinesWriteupNon-SeasonalLinuxMediumWEBNext.jsCVE-2025-29927Authentication-BypassLFITerraform