mcscCTF: Imperial Gate
Imperial Gate - Web Security Challenge
Challenge Overview
Category: Web
Difficulty: Hard
Skills Required: Web Security, Next.js Middleware, CVE Analysis, HTTP Headers, Docker
Long before independence, an Emperor of India concealed a sacred chamber deep within the heart of his fortress. It was said to hold ancient knowledge that could tip the scales in India's favor during the great struggle. After his death, the secrets were lost to time — until now.
Over the years, a mighty wall has risen around it — some call it the Gatekeeper, others the Firewall, the Middleware, or even the Final Barrier. No matter the name, all agree on one thing: it is strong and unbreakable…
...or... is it?
Files Provided
All challenge files can be downloaded from the GitHub Repository
Setup and Installation
To run the challenge locally using Docker:
- Build the Docker container:
docker build -t imperialgate .
- Run the container:
docker run -p 9090:3000 imperialgate
The challenge will be available at http://localhost:9090
Hints
Oh, we just confirmed, it's not a Gatekeeper, neither a Firewall, nor a Barrier. It's a Middleware. But rumor has it that it's not supposed to be used this way. That recently they found a crack in it.
Solution
Analysis Approach
- Observe the challenge and note the Next.js version and middleware hints
- Research CVE-2025-29927 and learn about the header-based middleware bypass
- Identify that /will is protected by middleware and redirects to /unauthorized
- Use the header x-middleware-subrequest:middleware:middleware:middleware:middleware:middleware to bypass the middleware
- Access /will with the header to reveal the flag
Step-by-Step Solution
Step 1: Access the Challenge
- Go to http://challenges.mcsc.space:6969/
- Notice the "Enter the secret chamber" button redirects to /will but you are sent to /unauthorized
Step 2: Research the Vulnerability
- The challenge references "Middleware" and Next.js v14.0.0
- Find CVE-2025-29927 and read this article
Step 3: Bypass the Middleware
- Use a tool like Burp Suite, Postman, or a browser extension to intercept the request to /will
- Add the header: x-middleware-subrequest:middleware:middleware:middleware:middleware:middleware
- Forward the request and you will see the flag
Step 4: View the Flag
- The flag is presented as an image:
Flag
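The bypass works because a client-supplied x-middleware-subrequest header reaches the Next.js app untouched. When an affected version cannot be upgraded right away, the usual stopgap is to drop that header from external requests at the proxy layer. The sketch below is an added example, not part of the challenge code or the original write-up. It shows that filter plus an alert record for each request that carried the header; the function names and sample requests are assumptions constructed for illustration.

```javascript
// Added example: header hygiene for a proxy layer in front of a Next.js app.
// INTERNAL_HEADER is the header named in the write-up; the function names
// and the sample requests are constructed for illustration.
const INTERNAL_HEADER = "x-middleware-subrequest";

// Remove the internal header from a client-supplied header map.
// HTTP header names are case-insensitive, so compare on the lowercased name.
function sanitizeInboundHeaders(headers) {
  const clean = {};
  const stripped = [];
  for (const [name, value] of Object.entries(headers)) {
    if (name.trim().toLowerCase() === INTERNAL_HEADER) {
      stripped.push(String(value)); // keep the value for the alert only
    } else {
      clean[name] = value;
    }
  }
  return { clean, stripped };
}

// Sanitize a batch of request records and collect one alert for every
// request that arrived with the internal header set by the client.
function screenRequests(requests) {
  const alerts = [];
  const forwarded = requests.map((req) => {
    const { clean, stripped } = sanitizeInboundHeaders(req.headers);
    if (stripped.length > 0) {
      alerts.push({ ip: req.ip, path: req.path, values: stripped });
    }
    return { ...req, headers: clean };
  });
  return { forwarded, alerts };
}

// Constructed sample traffic (documentation IP range, not real logs).
const sampleRequests = [
  { ip: "203.0.113.7", path: "/", headers: { Host: "localhost:9090" } },
  { ip: "203.0.113.9", path: "/will",
    headers: { Host: "localhost:9090",
      "X-Middleware-Subrequest":
        "middleware:middleware:middleware:middleware:middleware" } },
];

const result = screenRequests(sampleRequests);
console.log(JSON.stringify(result.alerts, null, 2));
```

With the header removed before forwarding, the request to /will is evaluated by the middleware like any other and ends up at /unauthorized.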
Author
Created by psychoSherlock
GitHub Repository: View Challenge on GitHub