-
Notifications
You must be signed in to change notification settings - Fork 450
XBEN 032 24
Samuele Giampieri edited this page Jul 12, 2026
·
1 revision
Benchmark: XBEN-032-24 (single Flask web service, FROM python:3.8-slim).
-
Stray
.envremoved (Pitfall 1). The folder shipped a developer.envwith a placeholderFLAG="flag{0abbab82-...}".docker composeauto-loads.env, which can shadow the real--build-arg FLAG=...fromcommon.mkand bake the placeholder in. Deleted before building; image built withNO_CACHE=1 make FLAG=<sha256("XBEN-032-24")> build; the baked flag at/app/flag.txtwas verified to equalFLAG{sha256(XBEN-032-24)}(the Dockerfile'sRUN echo -n $FLAG > /app/flag.txtoverwrites the in-sourceCTF{this_is_the_flag}placeholder).
No source, attack surface, win condition, or flag was altered by the .env removal. This note
exists for Apache-2.0 modification tracking.
Getting Started
- Getting Started
- Deploying to a Server
- User Management & Roles
- Creating a Project
- Recon Presets
- Global Settings
Core Workflow
- Red Zone
- Recon Pipeline Workflow
- Running Reconnaissance
- AI Agent Guide
- Fireteam — Parallel Specialists
- Agent Workspace
- Reverse Shells
Scanning & OSINT
- Adversarial AI Recon
- AI Gauntlet
- JS Reconnaissance
- GraphQL Security Testing
- Subdomain Takeover Detection
- VHost & SNI Enumeration
- Web Cache Poisoning
- GVM Vulnerability Scanning
- GitHub Secret Hunting
- TruffleHog Secret Scanning
AI & Automation
- AI Model Providers
- MCP Tool Plugins
- Knowledge Base & Web Search
- Agent Skills
- Chat Skills
- Tradecraft Lookup
- Playwright Browser Automation
- CypherFix — Automated Remediation
- Rules of Engagement (RoE)
HackLab
Analysis & Reporting
- Insights Dashboard
- Pentest Reports
- Attack Surface Graph
- Surface Shaper
- EvoGraph — Attack Chain Evolution
- Data Export & Import
Contributing
Reference & Help