webmedium

NextPath

hackthebox

Task: Next.js 13.4.5 API endpoint with regex validation and path traversal checks. Solution: bypass all three checks using array query parameter — multiline regex matches first element, Array.includes differs from String.includes, and procfs symlinks pad path length to truncate .png extension via slice(0,100).

$ ls tags/ techniques/

lfi path_traversal nextjs regex_bypass multiline_regex array_type_confusion procfs_symlink slice_truncation

regex_multiline_bypassarray_vs_string_includespath_length_padding_with_procfs_symlinkspng_extension_truncation_via_slicenextjs_query_array_parsing

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

Create a free account with GitHub to get started.

$ssh [email protected]