*This is a walkthrough: straight from my mind step-by-step to the discord channel. Straight from discord to here:*

\-----

Should be easy (50 points, 146 Solves), is a web app written in next.js.

\-----

It's not like I understand much yet, but there is a `pages/api/hello.js` which
references a `globalVars.SECRET`:

```javascript
import globalVars from '../../utils/globalVars'

export default function handler(req, res) {
  // res.status(200).json({ name: globalVars.FLAG })
  res.status(200).json({ name: globalVars.SECRET })
}
```

\----

http://my-first-web.balsnctf.com:3000/api/hello leads to a YouTube video.
Probably a rickroll.

```json
{
  "name": "here is my secret: https://www.youtube.com/watch?v=jIQ6UV2onyI"
}
```

\-----

Nope. It's 10 hours of Nyan Cat instead, in 1080p.
It has 3'327'333 views, so it is not a video with a flag hidden inside.

So it looks like we want `globalVars.FLAG`, not `globalVars.SECRET`.

\-----

In `index.js` there is something accessing another globalVar:

```jsx
<h1 className={styles.title}>
  Welcome to {globalVars.TITLE}
</h1>
```

So I figure we can access `globalVars.FLAG` in a similar way if we find a way
to inject something somewhere.
I don't see where though.

\-----

`next.js` version seems up to date.

The `_app.js` looks pretty much like the default thing to do, as per
[https://nextjs.org/docs/advanced-features/custom-app](https://nextjs.org/docs/advanced-features/custom-app).

\-----

*A Team Member chimes in:*

> Reminds me of
> ![a challenge from a different ctf that used next.js too. It simply sent the secret along.](https://i.imgur.com/8bnvEIc.png)

lol wtf

But idk whether the flag is even in the pageProps; it is an imported global
var.

*I started looking at the client-side source now, instead of the server-side files.*

\-----

**flagged ✔**

I had a look at the Network tab and opened all the JavaScript files it loaded
dynamically to see what they do. Some were minified, so I just searched for a
part of the secret YouTube link and found it in
http://my-first-web.balsnctf.com:3000/_next/static/chunks/pages/index-1491e2aa877a3c04.js,
right next to all the other global variables:

```javascript
{default:function(){return l}});var d=c(5893),e=c(9008),f=c.n(e),g=c(5675),h=c.n(g),i=c(214),j=c.n(i),k={TITLE:"My First App!",SECRET:"here is my secret: https://www.youtube.com/watch?v=jIQ6UV2onyI",FLAG:"BALSN{hybrid_frontend_and_api}"};function l()
```

[https://rwandi-ctf.github.io/UofTCTF2024/my-first-app/](https://rwandi-ctf.github.io/UofTCTF2024/my-first-app/)

Original writeup (https://rwandi-ctf.github.io/).