0425: HackDonalds
Writeup for the Intigriti April 2024 challenge
Last updated
NextJS Middleware Auth Bypass, CVE-2025-29927, XXE
Find the FLAG and win Intigriti swag!
Bastien (BAS10) made most of this challenge. I (CryptoCat) just made the UI cough ChatGPT cough and fixed a few bugs/unintended solutions. It's a lot easier than the typical Intigriti monthly challenge - thankfully, as it came only a week after the crazy chain by 0x999 in the . Therefore, this one was run more informally, without all the usual prizes, promo, domain name etc.
The challenge did not come with source code, so we must follow a black box approach.
The website doesn't appear to have a lot of functionality; there's a homepage and a food menu.
There's also an admin section which, as hackers, should be interesting to us.
We might try some basic SQLi, default/common password etc. However, it will get us nowhere. Digging into the client-side code is also fairly unproductive - since it's a NextJS application, the code is hard to read and most of the important stuff is on the server-side.
Back to the advisory:
CVE-2025-29927 affects all Next.js versions from 11.1.4 up to 15.1.7 and allows middleware bypass via a specially crafted x-middleware-subrequest header.
Vulnerability confirmed
Middleware in Next.js is commonly used for:
Authentication / Authorization
Rewrites / Redirects
Adding security headers (CSP, etc.)
This vulnerability allows attackers to bypass middleware protections entirely, leading to:
Authorization bypass
Content Security Policy (CSP) bypass
DoS via Cache Poisoning (CPDoS)
An auth bypass would be perfect for us! Maybe it can get us into the admin panel without knowing the password?
Let's request the /admin page while including the following HTTP header.
Easy! Now we just need to include this header on each request to maintain our access.
We can only click on the Ice Cream Machines option, which allows us to view the settings of various machines (notoriously buggy/broken at HackDonalds).
So, what do we have here? An XML config input that can be parsed.
Any CTF player or bug bounty hunter should know what to check for here: XXE.
XXE (XML External Entity) is a vulnerability that occurs when an XML parser processes external entities defined in XML documents. If not properly configured, it can be exploited to:
Read local files (file:///etc/passwd)
Perform SSRF (e.g., hitting internal services)
DoS via "billion laughs" attack
Exfiltrate data via out-of-band channels (OAST, DNS, etc.)
If we replace the parsed input with a payload to read /etc/passwd, we successfully retrieve the file contents!
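Both bugs in this challenge leave a clear signature in request logs: an external request to /admin carrying the internal x-middleware-subrequest header (the CVE-2025-29927 bypass), and an XML config body that declares a DTD (the precondition for XXE). The following detection logic is an added example, not part of the original writeup or the challenge code; the JSON-per-line access-log format and the sample entries are constructed for illustration.

```javascript
// Added example: flag the two request patterns seen in this writeup.
// Rule 1: x-middleware-subrequest is only meant for Next.js-internal use, so an
//         external request to a protected route carrying it is the bypass attempt.
// Rule 2: the machine-config endpoint never needs a DOCTYPE or ENTITY
//         declaration, so any DTD in the XML body is rejected/alerted.
const PROTECTED_PREFIXES = ["/admin"];

function headerValue(headers, name) {
  // HTTP header names are case-insensitive; normalise before comparing.
  const wanted = name.toLowerCase();
  for (const [k, v] of Object.entries(headers || {})) {
    if (k.toLowerCase() === wanted) return v;
  }
  return undefined;
}

function hasDoctypeOrEntity(body) {
  // A DTD anywhere in the document is enough; matching is case-insensitive.
  return /<!(DOCTYPE|ENTITY)\b/i.test(body || "");
}

function classifyRequest(req) {
  const findings = [];
  const onProtectedRoute = PROTECTED_PREFIXES.some((p) => req.path.startsWith(p));
  // Presence of the header is what matters, not its value.
  if (onProtectedRoute && headerValue(req.headers, "x-middleware-subrequest") !== undefined) {
    findings.push("middleware-bypass-header");
  }
  if (hasDoctypeOrEntity(req.body)) findings.push("xml-dtd-in-body");
  return findings;
}

function scanAccessLog(lines) {
  const alerts = [];
  for (const line of lines) {
    let req;
    try { req = JSON.parse(line); } catch { continue; } // skip malformed lines
    const findings = classifyRequest(req);
    if (findings.length > 0) alerts.push({ ip: req.ip, path: req.path, findings });
  }
  return alerts;
}

// Constructed sample log (hypothetical format: one JSON object per line).
const SAMPLE_LOG = [
  JSON.stringify({ ip: "198.51.100.7", path: "/menu", headers: {}, body: "" }),
  JSON.stringify({ ip: "198.51.100.7", path: "/admin", headers: { "X-Middleware-Subrequest": "1" }, body: "" }),
  JSON.stringify({ ip: "198.51.100.7", path: "/admin/ice-cream", headers: {},
                   body: '<?xml version="1.0"?><!DOCTYPE cfg [<!ENTITY x "test">]><cfg>&x;</cfg>' }),
  JSON.stringify({ ip: "203.0.113.9", path: "/admin/ice-cream", headers: {}, body: "<cfg><temp>-18</temp></cfg>" }),
];
```

Because the vulnerable middleware is skipped entirely when the header is present, Rule 1 belongs at the reverse proxy or log pipeline rather than inside the Next.js app itself.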
Where is the flag though? In a real world scenario, we might look for common files of interest (plenty of wordlists online). Since we know this is a NextJS app, why don't we ask ChatGPT what the common location is and what interesting files it might have?
Nice, so we can try enumerating all of these files, starting with the /app/ directory.
There we have our flag: INTIGRITI{XXE_1n_Ic3Cr34m_M4ch1n3s}
Some players retrieved the same file from /proc/self/cwd/package.json or simply package.json
Wait, NextJS? Wasn't there some discovered for it recently? Let's check the version with Wappalyzer.