WEBVERSE

easy · Reconnaissance · Pro

Endpaper

A neighborhood newsroom running on a CMS they inherited from the previous editor. The server is friendlier than it should be — and one of the URLs it's chatting about is interesting.

The Scenario

Endpaper is a nonprofit hyperlocal newsroom covering four neighborhoods on the city's east side. The previous editor's tech volunteer set up the box in 2017 and "added a dashboard so we can see if the site is up." Nobody remembered to take it down.

Challenge Intel

Synopsis

Apache mod_status is exposed without auth. The recent-requests table leaks a one-shot admin build URL with a token in it.

What It Is

Apache's mod_status is enabled and /server-status is reachable unauthenticated. At container start, the entrypoint generates a random build token and fires a single internal HEAD request to /admin/build?token=<random> so it appears in the recent-requests table. The /admin/build endpoint validates the token (constant-time compare) and returns the flag. The token persists for the life of the container.
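The exposure described above, shown as an Apache 2.4 configuration with the weak setting beside a corrected one. This is an added example, not the challenge's own configuration; the monitoring subnet 192.0.2.0/24 is a constructed placeholder.

```apache
# ---- BEFORE: the condition this challenge describes ----------------------
# The handler is mapped with no access control, so any client can read it.
# With mod_status loaded, httpd 2.4 defaults ExtendedStatus to On, so the
# page lists each worker's client, vhost and most recent request line,
# query string included. A token passed as ?token=... shows up there.
<Location "/server-status">
    SetHandler server-status
</Location>

# ---- AFTER: use this instead of the block above --------------------------
# If nobody reads the dashboard, the simplest fix is not loading the module
# (remove the LoadModule status_module line; on Debian/Ubuntu: a2dismod status).

# If the dashboard is still needed:
# 1. Drop the per-request detail. The page then shows only aggregate
#    worker and traffic counters. ExtendedStatus is server-wide and cannot
#    be set inside <Location>.
ExtendedStatus Off

# 2. Restrict who may fetch it. Several Require lines without a container
#    act as RequireAny: loopback OR the monitoring subnet.
<Location "/server-status">
    SetHandler server-status
    Require local
    # Constructed placeholder range; replace with the real monitoring hosts.
    Require ip 192.0.2.0/24
</Location>

# 3. Treat mod_info the same way if it is loaded; /server-info prints the
#    running configuration.
<Location "/server-info">
    SetHandler server-info
    Require local
</Location>

# Independent of mod_status: a secret carried in a query string is also
# written to the access log, so move it to a request header or body and
# put real authentication in front of the admin path.
```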

Who It's For

Players who have heard of /server-status but haven't yet read one to find a credential or token in a recent-requests row.

Skills You'll Practice

  • Recognising Apache mod_status exposure
  • Reading the mod_status recent-requests table for sensitive URLs

What You'll Gain

  • An instinct to try /server-status (and /server-info) on every Apache target
  • An appreciation for why secret URLs are not a substitute for auth
