
Bugforge MesaNet

Difficulty: hard · CTF challenge

Tags: Web Cache Poisoning, XSS, Header Injection, Stored XSS, CSRF, Bot Exploitation, Exfiltration

MesaNet is a Black Mesa Transit rail broadcast panel running on Bugforge's lab infrastructure. The application caches API responses and reflects a custom header value directly into HTML, creating a chained attack path: poison the cache with a script injected via a custom header, then trick a bot into viewing the poisoned page — causing it to exfiltrate its private notes (and the flag) to an attacker-controlled webhook.
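The description above names the two properties that make the chain work: a shared cache in front of the API, and a custom request header that is reflected into HTML without being part of the cache key. The following toy model is an added example (not code from the lab or from Bugforge) that shows, from the defender's side, why both properties matter and what the fix for each looks like. The header name X-Panel-Title, the path /api/rail/broadcasts, and the render/cache functions are assumptions made for illustration; the payload is a constructed marker string.

```python
import html

HEADER = "X-Panel-Title"   # hypothetical name for the reflected custom header
PANEL_PATH = "/api/rail/broadcasts"   # hypothetical cached endpoint
CONSTRUCTED_PAYLOAD = "<script>/* constructed marker, not a real payload */</script>"


def render_vulnerable(headers):
    """Model of the flaw described above: the header value lands in HTML verbatim."""
    title = headers.get(HEADER, "Rail Broadcasts")
    return f"<h1>{title}</h1>"


def render_hardened(headers):
    """Same view with the value HTML-escaped before it reaches the document."""
    title = headers.get(HEADER, "Rail Broadcasts")
    return f"<h1>{html.escape(title, quote=True)}</h1>"


class ResponseCache:
    """Minimal shared cache. `vary` lists the request headers that form part of the key."""

    def __init__(self, vary=()):
        self.vary = tuple(vary)
        self.store = {}

    def key(self, path, headers):
        # A header that changes the body but is missing from the key is a poisoning vector.
        return (path,) + tuple(headers.get(h, "") for h in self.vary)

    def get_or_render(self, path, headers, render):
        k = self.key(path, headers)
        if k not in self.store:          # the first requester's output is stored for everyone
            self.store[k] = render(headers)
        return self.store[k]


def victim_view(render, vary=()):
    """One request carrying the header, then an unrelated visitor sending none.
    Returns the HTML the second visitor is served from the cache."""
    cache = ResponseCache(vary)
    cache.get_or_render(PANEL_PATH, {HEADER: CONSTRUCTED_PAYLOAD}, render)
    return cache.get_or_render(PANEL_PATH, {}, render)


def victim_gets_script(render, vary=()):
    """True when the unrelated visitor receives the unescaped marker."""
    return CONSTRUCTED_PAYLOAD in victim_view(render, vary)
```

Running `victim_gets_script(render_vulnerable)` returns True: the cache stores the first response and replays it to everyone. Adding the header to the cache key (`vary=(HEADER,)`) stops the replay, and escaping the value stops the script even when the key is wrong. The two fixes address different problems: escaping removes the XSS, the correct key removes the ability to put one client's content in front of other clients at all, so a hardened deployment needs both.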

Step 1 of 7 · Map the Rail API surface (enumeration)

Objective: Discover all available endpoints under the /api/rail/ path by fuzzing the application.

Context: You are authenticated to the MesaNet Access Panel (Clearance L3). A 'Rail Broadcasts' tab is visible in the dashboard. Intercept the traffic in Burp Suite and take note of the session cookie (connect.sid) — you will need it for authenticated fuzzing.

Progressive hints


Hint 1 — directional nudge

The Rail Broadcasts page makes API calls. Try to find what other endpoints exist at the same base path.

Hint 2 — technique / vuln class

Use a directory/endpoint fuzzing tool against the /api/rail/ path, passing your authenticated session cookie as a header so the server treats requests as logged in.

Hint 3 — near solution

Run ffuf against https://<lab-host>/api/rail/FUZZ using the common.txt wordlist, supplying the Cookie, Referer, and browser-like headers observed in Burp. Look for responses with status 200.
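Seen from the server, the fuzzing run in the hints above leaves a distinctive trace: one client producing a burst of 404s against many distinct paths under the same prefix. The browser-like headers copied from Burp mean a User-Agent match will not catch it, so the detector below keys off the miss pattern instead. This is an added, defender-side example (not part of the lab): it parses combined-format access log lines and flags any client whose distinct 404 paths under /api/rail/ within a sliding window exceed a threshold. The log lines are constructed here, and the paths (/api/rail/broadcasts, /api/rail/candidate-NN) are placeholders.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Combined log format (as written by Nginx or Apache); only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return ip, timestamp, path and status for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "path": m["path"],
        "status": int(m["status"]),
    }


def detect_fuzzing(lines, prefix="/api/rail/", threshold=20, window=timedelta(seconds=60)):
    """Map client IP -> peak number of distinct 404 paths under `prefix` seen within `window`.
    Only clients whose peak reaches `threshold` are returned."""
    misses = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 404 or not rec["path"].startswith(prefix):
            continue
        misses[rec["ip"]].append((rec["ts"], rec["path"]))

    alerts = {}
    for ip, events in misses.items():
        events.sort()
        in_window = Counter()          # distinct paths currently inside the sliding window
        lo, peak = 0, 0
        for ts, path in events:
            in_window[path] += 1
            while ts - events[lo][0] > window:   # drop events that fell out of the window
                old = events[lo][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                lo += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            alerts[ip] = peak
    return alerts


def _constructed_log():
    """Constructed sample: a normal user with one typo, and one client probing 25 candidate paths."""
    base = datetime(2024, 3, 12, 10, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} {size} "https://lab.example/dashboard" "Mozilla/5.0"'

    def line(ip, t, path, status):
        return fmt.format(ip=ip, ts=t.strftime("%d/%b/%Y:%H:%M:%S %z"), path=path,
                          status=status, size=120 if status == 404 else 512)

    lines = [
        line("10.0.0.5", base + timedelta(seconds=1), "/api/rail/broadcasts", 200),
        line("10.0.0.5", base + timedelta(seconds=5), "/api/rail/broadcast", 404),   # a single typo
        line("10.0.0.5", base + timedelta(seconds=9), "/api/rail/broadcasts", 200),
    ]
    for i in range(25):
        status = 200 if i in (4, 17) else 404       # two guesses happen to exist
        lines.append(line("10.0.0.9", base + timedelta(seconds=2 + i), f"/api/rail/candidate-{i:02d}", status))
    return lines


SAMPLE_LOG = _constructed_log()
```

With the constructed sample, `detect_fuzzing(SAMPLE_LOG)` returns `{"10.0.0.9": 23}`: the probing client is flagged on its 23 distinct misses, while the ordinary user's single 404 stays well under the threshold. Filtering for status 200 on the client side, as Hint 3 suggests, does not change what the server records, which is why the misses are the right signal to alert on.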
