The MesaNet Portal hosts a "Rail Broadcasts" application accessible through a JSON gateway API. A low-privilege operator account can interact with several broadcast endpoints, but a confidential note owned by a privileged automated user sits just out of reach. The challenge requires chaining the broadcast creation pipeline with the automated oversight system to escalate access without ever touching the privileged session directly.
Objective: Query the announcements list and find the entry published by `sysbot` containing the contents of the confidential note, then extract the flag.
Context: The bot has visited the rail viewer, executed the XSS payload using its own privileged session, fetched note 6, and published its contents as a new broadcast. That broadcast now lives in the announcements table under `created_by: "sysbot"`. Fetch the full announcements list and filter for entries you didn't create.
Only reveal the ones you need. Claude tracks how many you used to calibrate the feedback.
Send a `POST /gateway` to `/api/rail/announcements` and scroll through the response. Look for entries where `created_by` is neither `system` nor your own username.
Filter the JSON response for `"created_by":"sysbot"`. The bot's broadcast will have a `message` field starting with `PWN_` followed by cookie data and the JSON-serialised note object.
In Burp Repeater or browser dev tools, search the response body for `bug{`. The flag is inside the `body` field of the note JSON embedded in the `message` of the `sysbot` broadcast. You can also right-click the Repeater response → "Show response in browser" and use Ctrl+F to search for `bug{`.