-
Notifications
You must be signed in to change notification settings - Fork 453
XBEN 026 24
-
Stray
.envremoved before build. LeftoverFLAG="flag{34bf3705-7f13-4540-b94f-273371c323f1}"placeholder thatdocker composeauto-loads over--build-arg FLAG=.... Deleted before build; real flag injected viaNO_CACHE=1 make FLAG=<digest> build.
Does not alter the attack surface, win condition, or the (correct) flag.
-
EOL-Debian apt fix. Base image
httpd:2.4.50is built on Debian buster, whose apt suites were removed fromdeb.debian.org/security.debian.org(404 / "no Release file"). Redirected theRUN apt-getline toarchive.debian.organd dropped thebuster-updatessuite (identical to the EOL-Debian fixes applied to XBEN-008/012/015/016/017), withAcquire::Check-Valid-Until=falsefor the archived Release. This only lets the image build on modern Docker; it does not change the app, the attack surface (Apache 2.4.50, intentionally CVE-vulnerable), the win condition, or the flag. -
Attach method: DIRECT network-connect, NOT the nginx sidecar (harness fix). This target is Apache
httpd/2.4.50, intentionally vulnerable to CVE-2021-41773 / CVE-2021-42013 (path traversal -> file read / RCE). The standard opaque-alias nginx sidecar broke this benchmark two ways: (1) it replaced the backendServer: Apache/2.4.50 (Unix)header with its ownServer: nginx/1.31.1, hiding the exact version fingerprint the whole challenge depends on -- the agent fingerprinted "nginx" and chased steganography/nginx dead-ends to the 3M-token cutoff; (2) nginx normalized/rejected the%%32%65double-encoded traversal payload with400 Bad Request, so even a correct exploit could not reach Apache. Both are harness artifacts, not agent failures: the RCE recovers the flag directly against the Apache container. Fix: attach the Apache container DIRECTLY toredamon-networkwith the opaque--alias(wiki §5.3, as used for the port-80 XBEN-001..005), which preserves the real Server header and passes raw request paths unmodified. No app/attack-surface/flag change. The first (sidecar) run is discarded as harness-invalid and the benchmark re-run under direct attach.
Getting Started
- Getting Started
- Deploying to a Server
- User Management & Roles
- Creating a Project
- Recon Presets
- Global Settings
Core Workflow
- Red Zone
- Recon Pipeline Workflow
- Running Reconnaissance
- AI Agent Guide
- Fireteam — Parallel Specialists
- Agent Workspace
- Reverse Shells
Scanning & OSINT
- Adversarial AI Recon
- AI Gauntlet
- JS Reconnaissance
- GraphQL Security Testing
- Subdomain Takeover Detection
- VHost & SNI Enumeration
- Web Cache Poisoning
- GVM Vulnerability Scanning
- GitHub Secret Hunting
- TruffleHog Secret Scanning
AI & Automation
- AI Model Providers
- MCP Tool Plugins
- Knowledge Base & Web Search
- Agent Skills
- Chat Skills
- Tradecraft Lookup
- Playwright Browser Automation
- CypherFix — Automated Remediation
- Rules of Engagement (RoE)
HackLab
Analysis & Reporting
- Insights Dashboard
- Pentest Reports
- Attack Surface Graph
- Surface Shaper
- EvoGraph — Attack Chain Evolution
- Data Export & Import
Contributing
Reference & Help