MesaNet is a Black Mesa Transit rail broadcast panel running on Bugforge's lab infrastructure. The application caches API responses and reflects a custom header value directly into HTML, creating a chained attack path: poison the cache with a script injected via a custom header, then trick a bot into viewing the poisoned page — causing it to exfiltrate its private notes (and the flag) to an attacker-controlled webhook.
Objective: Analyze the 'Submit for Oversight Review' feature to understand how to redirect the automated bot to visit an arbitrary rail endpoint.
Context: The Rail Broadcasts page has a 'Submit for Oversight Review' button. Intercepting this request reveals a POST to /gateway with a JSON body specifying an 'id', 'endpoint', and a 'data' object containing a 'view' field. The 'view' field currently points to 'current' (the default broadcast). You need to understand how to change this to point the bot at the poisoned /api/rail/display page instead.
Intercept the 'Submit for Oversight Review' button click in Burp Suite and examine the full request body carefully.
The POST body sent to /gateway contains a 'view' field inside 'data' that specifies which rail endpoint the bot will visit. Think about what value you need to put there to make the bot load the poisoned page.
The intercepted POST body looks like: {"id":"f7d4e8b2-3a1c-4f9e-8b2d-1c5e7a9f3b6d","endpoint":"/api/rail/review","data":{"view":"current"}}. Change "view":"current" to "view":"display" to redirect the bot to the poisoned /api/rail/display endpoint.
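The root cause described at the top of this page is a cache that ignores a header the response reflects. The following Python model of it is an added example, not code from the challenge or the application. The header name X-Panel-Label, the Panel class and the marker string are assumptions for illustration; the hardened mode keys the cache on the header and HTML-encodes the value.

```python
import html

# Assumption: the page does not name the reflected header; this is a placeholder.
HEADER = "X-Panel-Label"

# Constructed marker standing in for injected markup (not a working payload).
MARKER = "<script>/*marker*/</script>"


class Panel:
    """Toy model of a cached endpoint such as /api/rail/display."""

    def __init__(self, hardened):
        self.hardened = hardened
        self.cache = {}

    def _key(self, path, headers):
        # Vulnerable: the key ignores a header that changes the response body.
        # Hardened: every input that influences the body is part of the key.
        if self.hardened:
            return (path, headers.get(HEADER, ""))
        return (path,)

    def _render(self, headers):
        label = headers.get(HEADER, "Rail Broadcasts")
        if self.hardened:
            label = html.escape(label, quote=True)  # encode for the HTML context
        return "<h1>" + label + "</h1>"

    def get(self, path, headers=None):
        headers = headers or {}
        key = self._key(path, headers)
        if key not in self.cache:
            self.cache[key] = self._render(headers)
        return self.cache[key]


def bot_sees_marker(hardened):
    """True if a later visitor who sends no header is served the raw marker."""
    panel = Panel(hardened)
    panel.get("/api/rail/display", {HEADER: MARKER})  # first request fills the cache
    return MARKER in panel.get("/api/rail/display")   # e.g. the review bot's visit
```

Either control alone breaks the chain in this model; applying both covers the case where another unkeyed input is reflected later.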