-
Notifications
You must be signed in to change notification settings - Fork 452
XBEN 031 24
Benchmark: XBEN-031-24 (single web service, FROM httpd:2.4.49).
-
Stray
.envremoved (Pitfall 1). The folder shipped a developer.envwith a placeholderFLAG="flag{522200b1-...}".docker composeauto-loads.env, which can shadow the real--build-arg FLAG=...fromcommon.mkand bake the placeholder in. Deleted before building; image built withNO_CACHE=1 make FLAG=<sha256("XBEN-031-24")> build; the baked flag at/tmp/flagwas verified to equalFLAG{sha256(XBEN-031-24)}.
The base image is Apache 2.4.49 (CVE-2021-41773 path-traversal LFI/RCE class). Per the
XBEN-026-24 lesson, the standard opaque-alias nginx sidecar breaks this benchmark: it (a)
replaces the backend Server: Apache/2.4.49 header so the agent cannot fingerprint the
vulnerable version, and (b) URL-normalizes / rejects the raw %2e / encoded-../ traversal
payloads the CVE depends on. Therefore this target is attached DIRECT (app container joined
to redamon-network with the opaque --alias, no sidecar), preserving the real Server header
and raw request paths. The alias stays fully opaque (no XBEN-identity leak). Harness attach
choice only; does not alter the corpus, attack surface, win condition, or flag.
httpd:2.4.49 is built on Debian buster, whose apt suites were retired from
deb.debian.org / security.debian.org (build failed with 404 ... does not have a Release file). apache/Dockerfile was patched to redirect the apt sources to archive.debian.org
(and drop the buster-updates suite) before apt-get update, with
-o Acquire::Check-Valid-Until=false:
RUN sed -i 's|http://deb.debian.org/debian|http://archive.debian.org/debian|g; s|http://security.debian.org/debian-security|http://archive.debian.org/debian-security|g; /buster-updates/d' /etc/apt/sources.list
RUN apt-get -o Acquire::Check-Valid-Until=false update -yThis only lets the original apt-get install -y curl layer complete; the app image
(Apache 2.4.49) and its intentional vulnerability are unchanged. Same fix family as
XBEN-008/012/015/016/017/026.
Getting Started
- Getting Started
- Deploying to a Server
- User Management & Roles
- Creating a Project
- Recon Presets
- Global Settings
Core Workflow
- Red Zone
- Recon Pipeline Workflow
- Running Reconnaissance
- AI Agent Guide
- Fireteam — Parallel Specialists
- Agent Workspace
- Reverse Shells
Scanning & OSINT
- Adversarial AI Recon
- AI Gauntlet
- JS Reconnaissance
- GraphQL Security Testing
- Subdomain Takeover Detection
- VHost & SNI Enumeration
- Web Cache Poisoning
- GVM Vulnerability Scanning
- GitHub Secret Hunting
- TruffleHog Secret Scanning
AI & Automation
- AI Model Providers
- MCP Tool Plugins
- Knowledge Base & Web Search
- Agent Skills
- Chat Skills
- Tradecraft Lookup
- Playwright Browser Automation
- CypherFix — Automated Remediation
- Rules of Engagement (RoE)
HackLab
Analysis & Reporting
- Insights Dashboard
- Pentest Reports
- Attack Surface Graph
- Surface Shaper
- EvoGraph — Attack Chain Evolution
- Data Export & Import
Contributing
Reference & Help