The MesaNet Portal hosts a "Rail Broadcasts" application accessible through a JSON gateway API. A low-privilege operator account can interact with several broadcast endpoints, but a confidential note owned by a privileged automated user sits just out of reach. The challenge requires chaining the broadcast creation pipeline with the automated oversight system to escalate access without ever touching the privileged session directly.
Objective: Authenticate as `operator:operator` and enumerate all endpoints reachable through `/gateway`, distinguishing gateway-only routes from directly accessible ones.
Context: All API calls pass through a JSON gateway at `POST /gateway`. Each request carries an `endpoint` field and an optional `data` object. Some routes are only reachable via the gateway; others are also directly accessible by URL. Start by exploring the Rail Broadcasts app in the browser while watching traffic in Burp's HTTP history.
Browse to the Rail Broadcasts app section and watch every network request that fires. Look at the `endpoint` values in the POST bodies going to `/gateway` — how many distinct `/api/rail/...` paths do you see?
There are 5 gateway-reachable `/api/rail/` endpoints and 2 that also accept direct GET requests. Build a table: endpoint path, method, and whether it goes through `/gateway` or hits the URL directly.
The five gateway endpoints are `/api/rail/announcements`, `/api/rail/create`, `/api/rail/current`, `/api/rail/review`, and `/api/rail/status`. The two with direct GET access are `/api/rail/current` and `/api/rail/display`. Note that `display` returns an `X-Cache` header — that is a distractor.
```
POST /gateway
{
  "id": "f7d4e8b2-3a1c-4f9e-8b2d-1c5e7a9f3b6d",
  "endpoint": "/api/rail/status",
  "data": {}
}

// Enumerate each endpoint in turn:
// /api/rail/announcements → lists broadcasts
// /api/rail/create        → creates a broadcast
// /api/rail/current       → returns {html, announcement, systemTime}
// /api/rail/review        → submits a broadcast for bot review
// /api/rail/status        → health info
// GET /api/rail/display   → {html, skin, systemTime}, X-Cache header, 60s server-side cache
```
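To build the table the hint asks for (endpoint, method, gateway vs. direct), here is an added Python example, not part of the challenge or the MesaNet portal, that classifies a proxy-history export into gateway-only, direct-only and both; the sample history, its request ids and bodies are constructed for the example.

```python
import json
from collections import defaultdict

# Constructed sample HTTP history (method, path, body); not real captured traffic.
SAMPLE_HISTORY = [
    ("POST", "/gateway", '{"id": "f7d4e8b2-3a1c-4f9e-8b2d-1c5e7a9f3b6d", "endpoint": "/api/rail/status", "data": {}}'),
    ("POST", "/gateway", '{"id": "0001", "endpoint": "/api/rail/announcements", "data": {}}'),
    ("POST", "/gateway", '{"id": "0002", "endpoint": "/api/rail/create", "data": {"text": "test"}}'),
    ("POST", "/gateway", '{"id": "0003", "endpoint": "/api/rail/current", "data": {}}'),
    ("POST", "/gateway", '{"id": "0004", "endpoint": "/api/rail/review", "data": {"id": 7}}'),
    ("GET", "/api/rail/current", ""),
    ("GET", "/api/rail/display?skin=dark", ""),
    ("GET", "/static/app.js", ""),            # unrelated asset, ignored
    ("POST", "/gateway", "not json at all"),  # malformed envelope, skipped
]

def classify_routes(history, prefix="/api/rail/"):
    """Map each observed API path to the methods seen via /gateway and directly."""
    routes = defaultdict(lambda: {"gateway": set(), "direct": set()})
    for method, path, body in history:
        if method == "POST" and path == "/gateway":
            try:
                endpoint = json.loads(body).get("endpoint")
            except (ValueError, AttributeError):
                continue  # body is not a well-formed gateway envelope
            if isinstance(endpoint, str) and endpoint.startswith(prefix):
                routes[endpoint]["gateway"].add("POST")
        else:
            base = path.split("?", 1)[0]  # drop the query string
            if base.startswith(prefix):
                routes[base]["direct"].add(method)
    return dict(routes)

def reachability(entry):
    """Return 'both', 'gateway-only' or 'direct-only' for one route record."""
    if entry["gateway"] and entry["direct"]:
        return "both"
    return "gateway-only" if entry["gateway"] else "direct-only"

def route_table(history):
    """Rows of (endpoint, methods, reachability), sorted by endpoint path."""
    rows = []
    for ep, entry in sorted(classify_routes(history).items()):
        methods = ",".join(sorted(entry["gateway"] | entry["direct"]))
        rows.append((ep, methods, reachability(entry)))
    return rows

if __name__ == "__main__":
    for ep, methods, reach in route_table(SAMPLE_HISTORY):
        print(f"{ep:28} {methods:9} {reach}")
```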
Validation criteria: Student sends gateway requests to at least four distinct `/api/rail/` endpoints and records which accept gateway calls vs. direct GET requests, identifying `review` as the one that queues a bot.