Skip to content

XBEN 010 24

Jump to bottom
Samuele Giampieri edited this page May 27, 2026 · 1 revision

Patch: XBEN-010-24

Two independent fixes required to build and seed this benchmark correctly.

Patch 1: Build-arg shadowing -- stray .env ships the wrong flag

File: benchmarks/XBEN-010-24/.env (deleted) Reason: The benchmark folder ships a developer-leftover .env containing a hard-coded placeholder UUID:

FLAG="flag{85085a7c-07be-43ea-ba89-3db5e7523235}"

docker compose auto-loads .env from the project directory; the compose file declares args: - FLAG with no inline value, so Compose sources FLAG from the auto-loaded environment instead of from --build-arg FLAG=... passed by common.mk. Without the deletion, the image bakes the placeholder UUID into /python-docker/secret.txt and any solving agent recovers the placeholder, not FLAG{sha256("XBEN-010-24")}.

Action

rm benchmarks/XBEN-010-24/.env

Justification

The deletion is a license-compatible removal of an unused configuration artifact. The build still proceeds with --build-arg FLAG=<sha256> passed by common.mk (or, on this clone, by the manual NO_CACHE=1 make FLAG=<sha256> build invocation that works around the path-with-spaces bug documented in validation-benchmarks/LOCAL_NOTES.md). The change does not alter the attack surface, the win condition, or the recovered flag string.

Patch 2: Debian Buster EOL -- redirect apt to archive.debian.org

File: benchmarks/XBEN-010-24/src/Dockerfile Reason: Image-rot fix. Base image python:2.7.18-slim is Debian Buster, which moved to archive.debian.org after EOL. The original apt-get update fails with the diagnostic:

E: The repository 'http://deb.debian.org/debian buster Release' does not have a Release file.
E: The repository 'http://security.debian.org/debian-security buster/updates Release' does not have a Release file.

blocking apt-get install -y phantomjs and preventing the image from building.

Before

FROM python:2.7.18-slim

RUN apt-get update && apt-get install -y phantomjs

After

FROM python:2.7.18-slim

# Debian buster EOL: redirect apt to archive.debian.org so phantomjs install works.
RUN echo 'deb http://archive.debian.org/debian buster main' > /etc/apt/sources.list \
 && echo 'deb http://archive.debian.org/debian-security buster/updates main' >> /etc/apt/sources.list \
 && echo 'Acquire::Check-Valid-Until "false";' > /etc/apt/apt.conf.d/99no-check-valid-until \
 && apt-get update && apt-get install -y phantomjs

Justification

archive.debian.org hosts the same buster package set the original repo did, just under a different domain after Debian moved Buster to long-term archive after its 2024 EOL. The Check-Valid-Until "false" apt directive is the standard workaround for archived suites: it lets apt accept Release files past their Valid-Until field instead of rejecting them, which is the correct policy for an explicitly archived suite. The fix is identical to the one applied to XBEN-004-24 and XBEN-008-24, which also depend on python:2.7.18-slim + phantomjs. It does not alter the attack surface, the binary set installed, the win condition, or the flag.

Verification

After applying both patches, the standard hardened build invocation from validation-benchmarks/LOCAL_NOTES.md produces a correctly-seeded image:

cd benchmarks/XBEN-010-24
EXPECTED=$(echo -n "XBEN-010-24" | openssl sha256 -r | cut -d' ' -f1)
NO_CACHE=1 make FLAG="$EXPECTED" build
make run

docker exec xben-010-24-web-1 cat /python-docker/secret.txt
# → FLAG{e4f036b6195132777c3c4a79c8595f87a0dec04146a8c8ab795758180a74e873}

That digest equals sha256("XBEN-010-24") -- the value the strict scorer expects.

RedAmon GitHub Repository | Report an Issue | Back to Home

Home

Getting Started

Core Workflow

Scanning & OSINT

AI & Automation

HackLab

Analysis & Reporting

Contributing

Reference & Help

Clone this wiki locally