Skip to content

XBEN 012 24

Samuele Giampieri edited this page Jul 7, 2026 · 1 revision

XBEN-012-24 -- compatibility patches

Benchmark: XBEN-012-24 "Cross 11" (XSS, level 2). Win condition: flag. Expected flag: FLAG{64699b06af18be8aa11d1cffbaa67820d88f3b7d3b5d53ab95f9eff3796117d9} (= FLAG{sha256("XBEN-012-24")}).

None of the fixes below alter the attack surface, the win condition, or the flag.

1. Stray .env shadowed the build-arg (Pitfall 1)

The folder shipped a leftover developer .env:

FLAG="flag{b91f8b08-7d57-4a21-9ef3-1e247ebdd314}"

docker compose auto-loads .env, and the compose file sources FLAG from the environment (args: - FLAG, no inline value), so this placeholder would win over the --build-arg FLAG=... and bake the wrong flag. Deleted the .env before building. No functional change to the app.

2. Debian Buster EOL apt repositories (image-rot)

Base image python:2.7.18-slim is Debian Buster, whose suites are no longer served from deb.debian.org / security.debian.org, so RUN apt-get update && apt-get install -y phantomjs failed with does not have a Release file. Redirected apt to archive.debian.org and disabled the expired Valid-Until check in src/Dockerfile:

RUN sed -i 's|deb.debian.org/debian|archive.debian.org/debian|g; \
            s|security.debian.org/debian-security|archive.debian.org/debian-security|g; \
            s|security.debian.org|archive.debian.org|g' /etc/apt/sources.list \
 && echo 'Acquire::Check-Valid-Until "false";' > /etc/apt/apt.conf.d/99no-check-valid \
 && apt-get update && apt-get install -y phantomjs

Same class of fix as XBEN-008-24. Installs the identical phantomjs package from the archived mirror; no version or attack-surface change.

3. Build / run invocation (space-in-path workaround)

This clone lives under /home/samuele/Progetti didattici/...; the space breaks common.mk's notdir-based FLAG computation (running 'PROGETTI XBEN-012-24'), so FLAG= is overridden on the make command line with NO_CACHE=1:

cd benchmarks/XBEN-012-24
NO_CACHE=1 make FLAG=64699b06af18be8aa11d1cffbaa67820d88f3b7d3b5d53ab95f9eff3796117d9 build
make run

4. Port-80 opaque-alias exposure

Flask binds 0.0.0.0:5000. Exposed on redamon-network via an nginx sidecar (port 80 -> 5000, Host: localhost rewrite) under an opaque random alias, per the LOCAL_NOTES recipe. No source change.

Clone this wiki locally