NextPath

Technical Walkthrough

Writeup

Challenge

• Name: NextPath
• Category: Web
• Difficulty: Medium
• Mode: hybrid

Summary

NextPath is a source-backed Next.js web challenge. The vulnerable API endpoint /api/team attempts to restrict image IDs to digits and prevent directory traversal, but the checks use inconsistent JavaScript coercion behavior. By sending repeated id parameters, query.id becomes an array: the regex and includes() checks can be satisfied, while query.id + ".png" converts the array into a path string. A carefully sized traversal path then abuses path.join() normalization plus slice(0, 100) to remove the forced .png suffix and read the root flag file.

Artifact Inventory

• files/a12c7389-436b-44be-aa8c-160b34857192.zip: original HTB archive.
• files/extracted/app/pages/api/team.js: vulnerable API route.
• files/extracted/app/pages/index.js: frontend references /api/team?id=1, /api/team?id=2, and /api/team?id=3.
• files/extracted/Dockerfile: confirms the app runs under /app, exposes port 1337, and copies the flag to /flag.txt.
• analysis/artifact-inventory.json: full file inventory and hashes.

Analysis

The full source audit is recorded in analysis/source-audit.md.

The vulnerable code in pages/api/team.js performs these steps:

1. Checks query.id with const ID_REGEX = /^[0-9]+$/m.
2. Blocks traversal with query.id.includes("/") || query.id.includes("..").
3. Builds path.join("team", query.id + ".png").
4. Reads filepath.slice(0, 100).

The bug is the mismatch between string and array behavior:

• Repeated query parameters in Next.js can produce an array.
• RegExp.test(query.id) coerces that array to a comma-joined string; a first value containing a numeric line satisfies the multiline regex.
• Array.prototype.includes("/") checks for an exact array element, not whether any element contains /.
• Array.prototype.includes("..") similarly checks exact elements, so an element containing ../../... is not rejected.
• query.id + ".png" coerces the array into one comma-joined string and lets path.join() normalize traversal.

The path also has to handle the forced .png suffix. The working payload uses 19 ../ segments followed by proc/thread-self/root/proc/thread-self/root/flag.txt. After path.join(), the first 100 bytes end exactly at flag.txt, so slice(0, 100) drops the appended .png. The /proc/thread-self/root/... component resolves through the running process root and reaches the flag at the container root.

The payload was validated locally against the Docker-built app before remote use. The local proof command and non-sensitive solver output are in analysis/local/local-proof-run.txt. RAG was recorded as generic/partial advisory context in analysis/rag-records.md; the exploit evidence is the source audit plus local Docker proof.

Solve

The reproducible solver is solve/solve.py.

Local validation command:

cd <local workspace>
docker build -t nextpath-local Web/NextPath/files/extracted
docker run -d --name nextpath-local-run -p <TARGET>:31337:1337 nextpath-local
/opt/homebrew/bin/python3 Web/NextPath/solve/solve.py --base-url http://<TARGET>:31337 --output loot/local-validation-flag.txt --response-output loot/local-validation-response.bin --show-url
docker rm -f nextpath-local-run

Remote solve command:

cd <local workspace>
python3 scripts/challenge_exec.py Web/NextPath -- sh -lc 'cd Web/NextPath && /opt/homebrew/bin/python3 solve/solve.py --base-url http://<TARGET>:32239 --output loot/flag-candidate.txt --response-output loot/remote-response.bin'
python3 scripts/challenge_harness.py capture-flag Web/NextPath --from loot/flag-candidate.txt

After capture, raw response bodies were removed from analysis/; the final raw flag is stored only in loot/flag.txt. The sanitized solve metadata is in analysis/solution-summary.json.

Flag

Raw flag is stored in loot/flag.txt and intentionally not reproduced here.

Lessons

• In JavaScript web handlers, validation can break when a parameter may be either a string or an array.
• Array.includes() is not a substring check; it checks for an exact array element.
• Regex multiline anchors can validate one safe-looking line while leaving other lines uncontrolled.
• Length truncation after path normalization can remove an appended extension if the attacker controls the normalized path length.
• For source-backed web challenges, local Docker proof is high-value and reduces blind remote probing.

Source-Backed Dossier

The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets.

Notes

Scope

• Challenge: NextPath
• Category: Web
• Difficulty: Medium
• Mode: hybrid
• Remote instance: none
• Start time: 2026-06-12T07:53:20Z
• Operator: harness
• State file: challenge-state.json

Harness Status

• Current phase: see challenge-state.json
• Next allowed actions: see next-action.json
• Raw flags and sensitive material stay in loot/ only. Do not paste them here.

Artifact Inventory

Evidence Ledger

Key Findings

• pages/api/team.js is the only meaningful route and reads image files using fs.readFileSync(filepath.slice(0, 100)).
• Repeated id query parameters make query.id an array in Next.js; this bypasses the substring-style traversal checks because Array.includes() checks exact elements.
• The multiline numeric regex can be satisfied by the first array value while traversal content is carried in the second array value.
• A path using 19 traversal segments plus proc/thread-self/root/proc/thread-self/root/flag.txt aligns so the first 100 bytes end at flag.txt, dropping the forced .png.
• Local Docker proof succeeded before the remote solve; sanitized metadata is in analysis/solution-summary.json.

RAG / Advisory Memory

RAG output is advisory only. Record evaluated retrievals with:

scripts/challenge_harness.py rag-record <workspace> --query "..." --tag MATCHED|PARTIAL|MISSING|<secret redacted>|GENERIC --validation "..."

Secrets/Flags

Raw flags and sensitive material stay in loot/ only. Use scripts/challenge_harness.py capture-flag to validate and record flag capture without printing the value.

Memory Summary

Metadata

• Platform: HackTheBox Challenges
• Category: Web
• Challenge: NextPath
• Difficulty: Medium
• Source workspace: <local workspace>

Validated Solve Chain

Concepts only. Do not include raw flags, reusable credentials, tokens, cookies, private keys, or live secrets.

1. Audit the Next.js API route that reads team images from disk.
2. Identify inconsistent handling of repeated query parameters: regex validation coerces arrays to strings, while Array.includes() checks exact elements.
3. Use a repeated id payload where the first value satisfies the multiline numeric regex and the second value carries traversal content.
4. Align the normalized path to 100 bytes so slice(0, 100) removes the forced image extension.
5. Use /proc/thread-self/root/... as a symlinked path back to the process root to reach the root-level flag file.
6. Validate locally with the provided Dockerfile, then run the same bounded request against the remote instance and capture the flag.

Reusable Lessons

• Treat query parameters as union types in Node/Next.js: string, array, or absent.
• Do not combine regex validation, array coercion, path normalization, and truncation without canonicalizing the input type first.
• Array.includes("/") does not prove that no array element contains /.
• Fixed-length truncation can become a suffix-stripping primitive when the attacker controls path length.

Dead Ends

• No broad fuzzing was needed. The single source-derived route was validated locally and remotely.
• RAG did not provide NextPath-specific evidence; it was used only as generic advisory context.

Tool Quirks

• Docker build emitted Next.js/npm warnings, but the application built and ran successfully.
• Generated response bodies can contain flag-like content; remove or keep them under loot/ only before completion.

Evidence Paths

• analysis/source-audit.md
• analysis/instrumentation-plan.md
• analysis/local/local-proof-run.txt
• analysis/solution-summary.json
• analysis/rag-records.md
• solve/solve.py
• loot/flag.txt

Ingestion Decision

• Proposed for LightRAG: yes
• Requires user approval before ingestion: yes

Hypothesis Board

Keep no more than 3 active hypotheses on Easy/Medium and 5 on Hard unless the user explicitly asks for breadth.

Closed Branches