Scenario

NeuroSync™ is a leading suite of products focused on developing cutting-edge medical BCI devices, designed by the Korosaki Corporation. Recently, an APT group targeted them, infiltrated their infrastructure, and is now moving laterally to compromise more systems. It appears they have even managed to hijack a large number of online devices by exploiting an N-day vulnerability. Your task is to find out how they compromised the infrastructure and understand how to secure it.

https://app.hackthebox.com/sherlocks/NeuroSync-D


In this Sherlock we will be dealing with CVE-2025-29927, a Next.js middleware authorization bypass. Next.js used the internal header x-middleware-subrequest to stop a middleware from recursively invoking itself. A request that carries this header with a value naming the middleware (for example x-middleware-subrequest: middleware, or the name repeated five times, middleware:middleware:middleware:middleware:middleware, on the versions that added a recursion-depth check) is treated as an internal subrequest and the middleware is skipped entirely, so any authentication or authorization check implemented there never runs and protected routes are served as if the caller were trusted. The fix (Next.js 14.2.25 and 15.2.3) no longer honours the header on external requests; where upgrading is not immediately possible, the header should be stripped at the reverse proxy or edge before the request reaches the application.
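The skip logic described above, as an added example written for this post (it is a simplified model, not the Next.js source): a toy auth middleware guards /admin, the pre-patch subrequest check decides whether that middleware runs, and a header-stripping function shows the edge-side mitigation. The middleware name "middleware" and the depth limit of 5 are assumptions taken from the public writeups.

```javascript
// Added example, not Next.js code: model of the subrequest check that
// CVE-2025-29927 abuses, plus the reverse-proxy mitigation.
const MIDDLEWARE_NAME = 'middleware';   // assumption: middleware file at /middleware.ts
const MAX_RECURSION_DEPTH = 5;          // assumption: depth limit used by the newer check

// Pre-patch behaviour: decide whether the middleware is skipped for this request.
//  - depthCheck=false models the older check (header merely has to name the middleware)
//  - depthCheck=true  models the newer check (name must appear MAX_RECURSION_DEPTH times)
function middlewareSkipped(headers, { depthCheck }) {
  const raw = headers['x-middleware-subrequest'];
  const parts = typeof raw === 'string' ? raw.split(':') : [];
  if (!depthCheck) return parts.includes(MIDDLEWARE_NAME);
  const depth = parts.filter((p) => p === MIDDLEWARE_NAME).length;
  return depth >= MAX_RECURSION_DEPTH;
}

// Toy authorization middleware: /admin requires a session cookie.
function authMiddleware(req) {
  if (req.path.startsWith('/admin') && !req.cookies.session) return 401;
  return null; // fall through to the route handler
}

// Request dispatch: run the middleware unless the subrequest check skips it.
// Returns the HTTP status the client would see.
function handle(req, opts) {
  if (!middlewareSkipped(req.headers, opts)) {
    const verdict = authMiddleware(req);
    if (verdict !== null) return verdict;
  }
  return 200; // protected content served
}

// Mitigation for deployments that cannot upgrade yet: drop the internal header
// from every inbound request at the proxy so it can never reach the app.
function stripSubrequestHeader(headers) {
  const clean = {};
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() !== 'x-middleware-subrequest') clean[name] = value;
  }
  return clean;
}

function demo() {
  const anon = (headers) => ({ path: '/admin/devices', cookies: {}, headers });
  const bypass5 = Array(MAX_RECURSION_DEPTH).fill(MIDDLEWARE_NAME).join(':');
  return {
    noHeaderOld: handle(anon({}), { depthCheck: false }),                                     // 401
    bypassOld: handle(anon({ 'x-middleware-subrequest': 'middleware' }), { depthCheck: false }), // 200
    singleNew: handle(anon({ 'x-middleware-subrequest': 'middleware' }), { depthCheck: true }),  // 401
    bypassNew: handle(anon({ 'x-middleware-subrequest': bypass5 }), { depthCheck: true }),       // 200
    mitigated: handle(anon(stripSubrequestHeader({ 'X-Middleware-Subrequest': bypass5 })), { depthCheck: true }), // 401
  };
}

console.log(demo());
```

The last entry in demo() is the point for defenders: once the proxy strips the header, the exact payload that bypassed the newer check is back to a 401.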

References (useful reads):

https://zhero-web-sec.github.io/research-and-things/nextjs-and-the-corrupt-middleware

https://projectdiscovery.io/blog/nextjs-middleware-authorization-bypass

https://securitylabs.datadoghq.com/articles/nextjs-middleware-auth-bypass/

https://tryhackme.com/room/nextjscve202529927


Artifacts Overview:


access.log:

This log records HTTP requests made to the NeuroSync web interface or backend API. It includes client IPs, timestamps, requested URLs, response codes, and user-agent details. It helps identify who accessed the system, which endpoints were targeted, and whether there were failed or unauthorized requests (for example, the repeated 401 errors in the sample suggest authentication attempts or enumeration). Note that request headers are not recorded, so the bypass header itself will not appear here; what does show is a client that collects 401s on a protected path and then suddenly receives a 200 on the same path.
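A triage script for that pattern, added here as an example and not part of the Sherlock's artifacts: it parses Combined Log Format lines and reports every (client IP, path) pair that accumulated repeated 401s before a 200 on the same path. The log lines below are constructed for the example; the real access.log format and paths may differ and the regex would need adjusting accordingly.

```javascript
// Added example, constructed input: look for "repeated 401, then 200" on the same
// path from the same client, the footprint a middleware auth bypass leaves when
// headers are not logged.
const SAMPLE_LOG = [
  '203.0.113.7 - - [28/Oct/2025:07:30:01 +0000] "GET /api/admin/devices HTTP/1.1" 401 43 "-" "python-requests/2.32.3"',
  '203.0.113.7 - - [28/Oct/2025:07:30:02 +0000] "GET /api/admin/devices HTTP/1.1" 401 43 "-" "python-requests/2.32.3"',
  '203.0.113.7 - - [28/Oct/2025:07:30:03 +0000] "GET /api/admin/devices HTTP/1.1" 401 43 "-" "python-requests/2.32.3"',
  '198.51.100.5 - - [28/Oct/2025:07:30:05 +0000] "GET /api/admin/devices HTTP/1.1" 200 1872 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [28/Oct/2025:07:30:09 +0000] "GET /api/admin/devices HTTP/1.1" 200 1872 "-" "python-requests/2.32.3"',
  '203.0.113.7 - - [28/Oct/2025:07:30:11 +0000] "POST /api/admin/devices/command HTTP/1.1" 200 17 "-" "python-requests/2.32.3"',
].join('\n');

// Combined Log Format: ip ident user [time] "method path proto" status bytes "referer" "ua"
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3}) \S+ "[^"]*" "([^"]*)"$/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null; // skip blank or malformed lines rather than crash
  return { ip: m[1], time: m[2], method: m[3], path: m[4], status: Number(m[5]), ua: m[6] };
}

// One finding per (ip, path) burst: at least minFailures 401s followed by a 200.
// Legitimate clients (198.51.100.5 above) never hit the threshold.
function findBypassCandidates(logText, minFailures = 3) {
  const failures = new Map(); // "ip path" -> number of 401s seen so far
  const findings = [];
  for (const line of logText.split('\n')) {
    const rec = parseLine(line);
    if (!rec) continue;
    const key = `${rec.ip} ${rec.path}`;
    if (rec.status === 401) {
      failures.set(key, (failures.get(key) || 0) + 1);
    } else if (rec.status === 200 && (failures.get(key) || 0) >= minFailures) {
      findings.push({ ip: rec.ip, path: rec.path, priorFailures: failures.get(key), at: rec.time, ua: rec.ua });
      failures.delete(key); // report each burst once, then start counting again
    }
  }
  return findings;
}

console.log(findBypassCandidates(SAMPLE_LOG));
```

Once a candidate IP is identified, pivot on it across the other artifacts: the same client should appear in data-api.log around the first 200, and any commands in bci-device.log that follow it are the ones to treat as unauthorized.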

bci-device.log:

This log captures activity from a Brain-Computer Interface (BCI) device, showing commands being executed such as “Moving Up,” “Moving Down,” etc. It reflects real-time device control behavior, likely generated when the API sends commands to the physical or simulated BCI device. Anomalous sequences or unexpected timing here could indicate unauthorized control.

data-api.log: