WEBVERSE


medium / Reconnaissance / Pro

Lobby Board

A starter-template marketplace built on a popular React framework. Some routes were meant to ship — others were not.

The Scenario

Lobby Board is a directory of one-click starter templates for hobbyists and indie devs. The site is built as a Next.js export and served as static files. Like every Next build, the bundle includes a build manifest that tells the runtime which chunk to load for each route — and the build manifest doesn't know which routes the team intended to keep private.

Challenge Intel

Synopsis

The Next.js build manifest enumerates every route in the app, including an admin chunk whose route table contains an unauthenticated endpoint that returns the flag.

What It Is

/_next/static/chunks/_buildManifest.js is served alongside the rest of the bundle. It contains a JS object mapping route paths to chunk file paths. One of the entries points at admin-chunk.js, which is also served statically. Reading admin-chunk.js reveals a routes table with "/_admin/board": "/_admin/board". That URL is mounted on the server, has no auth gate, and returns the FLAG environment variable.
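The same walk from build manifest to chunk route table can be run as a pre-deploy check. The script below is an added example, not part of the challenge or the Lobby Board site: it scans the files of a static export for object keys that look like route paths and fails when any of them falls under a prefix the team never meant to publish. The manifest and chunk contents are constructed stand-ins (a real _buildManifest.js is assigned to self.__BUILD_MANIFEST and newer builds pack it through a helper function), and the private prefixes are an assumed policy.

```python
import re
from typing import Dict, List

# Constructed stand-ins for two files of a Next.js static export. The plain
# object form of the manifest is a simplification of what real builds emit.
SAMPLE_EXPORT: Dict[str, str] = {
    "_next/static/chunks/_buildManifest.js": (
        'self.__BUILD_MANIFEST = {'
        '"/": ["static/chunks/pages/index.js"],'
        '"/templates/[slug]": ["static/chunks/pages/templates/[slug].js"],'
        '"/_admin/board": ["static/chunks/admin-chunk.js"],'
        '"sortedPages": ["/", "/templates/[slug]", "/_admin/board"]'
        '};self.__BUILD_MANIFEST_CB && self.__BUILD_MANIFEST_CB();'
    ),
    "_next/static/chunks/admin-chunk.js": (
        'const routes = {"/_admin/board": "/_admin/board"};'
        'export default routes;'
    ),
}

# Route prefixes that must never reach a public bundle (assumed policy).
PRIVATE_PREFIXES = ("/_admin", "/internal")

# A double-quoted path used as an object key, e.g. "/_admin/board": ...
ROUTE_KEY = re.compile(r'"(/[^"\s]*)"\s*:')


def route_keys(js_text: str) -> List[str]:
    """Object keys that look like route paths, from a manifest or a chunk."""
    return sorted(set(ROUTE_KEY.findall(js_text)))


def is_private(route: str) -> bool:
    """True when the route is one of the private prefixes or nested under one."""
    return any(route == p or route.startswith(p + "/") for p in PRIVATE_PREFIXES)


def audit_export(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each private route to the artefact files that reveal it."""
    findings: Dict[str, List[str]] = {}
    for path, text in files.items():
        for route in route_keys(text):
            if is_private(route):
                findings.setdefault(route, []).append(path)
    return findings


if __name__ == "__main__":
    hits = audit_export(SAMPLE_EXPORT)
    for route, where in hits.items():
        print(f"private route {route!r} exposed by: {', '.join(where)}")
    raise SystemExit(1 if hits else 0)  # non-zero exit fails the deploy step
```

Wiring this into CI catches the leak before the export is served; the runtime gate that the endpoint itself lacks still has to be added on the server.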

Who It's For

Players who have used dev-tools on a Next.js site and want practice enumerating routes from build artefacts.

Skills You'll Practice

  • Reading _buildManifest.js / chunk maps from a Next.js export
  • Pivoting from chunk names to admin route definitions
  • Discovering unauthenticated admin endpoints

What You'll Gain

  • Awareness that static build artefacts leak the full route table
  • Practice walking from a JS file listing to a live URL

Ready to hack Lobby Board?

Upgrade to Pro to unlock this challenge and the full library.