webProeasy

Lanternfall

neurogrid

Task: Next.js web app with nginx, hidden admin panel, hardcoded JWT secret in frontend JS, and command injection via SQLite .output filename parameter. Solution: Discover routes via _buildManifest.js, extract JWT secret from admin JS chunk, forge admin token, exploit OS command injection in report filename with ${IFS} whitespace bypass to read the flag.

$ ls tags/ techniques/

sqlite command_injection jwt information_disclosure nginx privilege_escalation nextjs hardcoded_secret ifs_bypass

nextjs_build_manifest_route_disclosurehardcoded_jwt_secret_in_frontend_jsjwt_forgery_privilege_escalationsqlite_output_command_injectionwhitespace_filter_bypass_with_ifsfile_exfiltration_via_admin_api

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]board_of_secrets— miptctf
[web][Pro]Lab 248 — PulseBoard — Next.js Middleware Authorization Bypass— hackadvisor
[web][Pro]Lab 113 — CloudNest— hackadvisor
[web][Pro]Lab 12 — NewsGrid — JWT Algorithm Confusion— hackadvisor
[web][Pro]Board of Secrets Revenge— miptctf