Hintru ENES ← All labs

MesaNet Portal — Rail Broadcasts

EN hard CTF challenge Stored XSSXSS botCSRFconfused deputyinnerHTML sinkheadless browsersession hijackAPI abuse

The MesaNet Portal hosts a "Rail Broadcasts" application accessible through a JSON gateway API. A low-privilege operator account can interact with several broadcast endpoints, but a confidential note owned by a privileged automated user sits just out of reach. The challenge requires chaining the broadcast creation pipeline with the automated oversight system to escalate access without ever touching the privileged session directly.

0/8
solved
👁 Step 1 👁 Step 2 Step 3 Step 4 Step 5 Step 6 Step 7 Step 8
enumeration

Step 2 · Locate the locked confidential note

Objective: Using the gateway, probe the `/api/notes/get` endpoint with sequential note IDs to find the one note your session cannot read.

Context: The portal also exposes a notes API through the gateway. Your `operator` session has clearance L3. Try fetching notes by integer ID — start from 1 and increment. Pay close attention to the difference between error messages: some IDs will say the note doesn't exist, while one specific ID gives a different error.

Progressive hints

Only reveal the ones you need. Claude tracks how many you used to calibrate the feedback.

Hint 1 — directional nudge

Try sending `POST /gateway` with `endpoint: "/api/notes/get"` and `data: {"id": 1}`. Then increment the ID. The wording of error responses changes at a specific ID — that difference is meaningful.

Hint 2 — technique / vuln class

One note ID returns `"Insufficient permissions to read this note"` instead of `"Note not found"`. That phrasing means the note EXISTS but your clearance level is too low. Every other ID either succeeds or says it wasn't found.

Hint 3 — near solution

Note ID `6` is the one that returns the permissions error. All other IDs (5, 7, 8, etc.) either return content or "Note not found". Note 6 has `classification: confidential` and belongs to a user other than you.

Your attempt

Official solution

POST /gateway
{
  "id": "a7f3c4e9-8b2d-4a6f-9c1e-5d8a3b7f2c4e",
  "endpoint": "/api/notes/get",
  "data": { "id": 6 }
}
// Response: { "error": "Insufficient permissions to read this note" }

// For comparison, id 5 or 7 returns either data or "Note not found"

Validation criteria: Student identifies note ID 6 as the confidential, permission-gated target and records that it belongs to a user other than `operator`.

Recent attempts on this step

revealed 2026-04-30 12:57:14 · hints: 0 
[solution revealed]

Solution revealed