This writeup covers my approach to solving the Intigriti “HackDonalds” challenge. The challenge involved finding a flag on the hackdonalds.intigriti.io website, which ultimately required exploiting two distinct vulnerabilities:
Upon visiting the website, I was able to see the Home page of a fast-food parody site called “HackDonalds”, with some security-themed Menu items like “SQLi Sundae” and “RCE Shake.”
[Figure: HackDonalds Homepage]
The site had several accessible pages:
Examining the HTTP headers of the site’s responses showed:
X-Powered-By: Next.js
This revealed that the site was built using the Next.js framework, which would become relevant later in the exploit chain.
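The header check above is a one-line recon step, but it is also a cheap hygiene check a defender can automate. The script below is an added example, not code from the original writeup or from the challenge: it parses a raw HTTP response, collects its headers (handling repeated headers such as Set-Cookie and case-insensitive names), and reports the ones that commonly disclose the technology stack, including the X-Powered-By header that identified Next.js here. The sample response is constructed for illustration; nothing is sent over the network.

```python
"""Audit a raw HTTP response for technology-disclosing headers.

Added example (not from the original writeup). SAMPLE_RESPONSE below is a
constructed response, not one captured from hackdonalds.intigriti.io.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Headers that routinely leak the server-side stack to anyone who looks.
# Each value is a short note on what the header tends to reveal.
DISCLOSURE_HEADERS: Dict[str, str] = {
    "x-powered-by": "application framework or runtime (e.g. Next.js, Express, PHP/x.y)",
    "server": "web server product and frequently its version",
    "x-aspnet-version": "ASP.NET runtime version",
    "x-aspnetmvc-version": "ASP.NET MVC version",
    "x-generator": "CMS or static-site generator",
}


@dataclass
class ParsedResponse:
    status: int
    reason: str
    headers: Dict[str, List[str]]  # lowercase name -> values (headers may repeat)
    body: str


def parse_response(raw: str) -> ParsedResponse:
    """Split a raw HTTP/1.x response into status line, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"bad status line: {lines[0]!r}")
    status = int(parts[1])
    reason = parts[2] if len(parts) == 3 else ""

    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        # Header names are case-insensitive; normalise so lookups never miss
        # "x-powered-by" spelled "X-Powered-By".
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return ParsedResponse(status, reason, headers, body)


def disclosure_findings(resp: ParsedResponse) -> List[Tuple[str, str, str]]:
    """Return (header, value, what-it-reveals) for every disclosing header present."""
    findings = []
    for name, note in DISCLOSURE_HEADERS.items():
        for value in resp.headers.get(name, []):
            findings.append((name, value, note))
    return findings


# Constructed sample response modelled on the writeup's observation.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Powered-By: Next.js\r\n"
    "Server: nginx/1.18.0\r\n"
    "Set-Cookie: session=abc; HttpOnly\r\n"
    "Set-Cookie: theme=dark\r\n"
    "\r\n"
    "<html><body>HackDonalds</body></html>"
)


if __name__ == "__main__":
    parsed = parse_response(SAMPLE_RESPONSE)
    for header, value, note in disclosure_findings(parsed):
        print(f"{header}: {value}  <- reveals {note}")
```

Running it on the sample prints the X-Powered-By and Server lines with a note on what each reveals. On the Next.js side, the framework exposes a `poweredByHeader: false` option in `next.config.js` that suppresses this particular header; that removes the hint, not the framework's other fingerprints (its `/_next/` asset paths, for instance), so treat it as reducing noise rather than as a security control.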