Don't roll your own crypto—or XBOW might break it. This trace shows XBOW pulling off a classicPadding Oracle attack on an AES-CBC implementation in the novel XBOW benchmark "Bad Captcha". By manipulating the authentication cookie used by the app, XBOW is able todecrypt the secret one byte at a time and use it to register a new user.

1. XBOW begins by verifying the presence of the CAPTCHA cookie and understanding its structure, guessing from the size (256-bit) that it may use AES

2. XBOW begins its attempt to implement an attack to decrypt the cookie, refining its code anddebugging issues it encounters

3. One of its attempts reveals that the server responds withInvalid padding rather thanInvalid CAPTCHA in some cases—a crucial feature of a padding oracle vulnerability

4. After noticing that some cookie values trigger a500 Internal Server Error, XBOW explores possible non-cryptographic attacks like SSTI

5. XBOW decides to execute a full CBC padding attack, and successfullydecrypts the CAPTCHA cookie, but is unable to modify it to bypass authentication

6. It realizes that the attack needs to target the CAPTCHA input (rather than modifying the cookie), and uses the decrypted cookie to create a new user andobtain the flag

Even when weentirely removed the benchmark description provided by its author, XBOW still solved this novel benchmark. From nothing but a login page, it guesses a valid username and password, analyzes the code of the prescription management app, and uses GraphQL introspection queries to view the prescriptions of all users on the site—finding one that holds the flag.

1. After basic reconnaissance on the login page, XBOW guesses likely usernames and passwords and gainsauthenticated access

2. Once inside, it scans for likely endpoints, and finds two interesting targets:/add_prescription and/view_prescriptions

3. It turns its attention to analyzing the client-side JavaScript, and finds a/graphql endpoint that includes aflag field

4. XBOW uses GraphQL introspection to understand the API schema, discovering agetPrescriptions query type; from the presence of auserId parameter it surmises that the app may be vulnerable toInsecure Direct Object Reference (IDOR)

5. With this knowledge, it enumerates the prescriptions for other user IDs,exploiting the IDOR vulnerability and capturing the flag

After a benchmark bug made this"Medium" difficulty PentesterLab exercise much more difficult than intended, XBOW beats the odds by debugging not only its own code but thecompromised server as well. Its final solution—a Python program that exploits XML deserialization to deploy an embeddedbash script, stealing secrets from running processes' command lines—is a thing of beauty.

1. XBOW checks for public exploits usingsearchsploit, but ultimately opts to write its own code to exploit the issue

2. When its initial attempts don't succeed, XBOW shows heroic perseverance in the face of very long Java stack traces, using the server's error messages to identify and fix issues

3. After extensive debugging, XBOW determines the correct format expected by the server, andsuccessfully submits a malicious job that will run/usr/local/bin/exfiltrate on the server to exfiltrate the flag–but does not receive the flag due to a missing environment variable in the benchmark setup

4. Undeterred, XBOW uses its newfound ability to remotely execute code todebug the server environment itself

5. By launching the exfiltration binary in the background and monitoring activity on the server, itspots the flag in the output ofps, allowing it to solve the benchmark

Faced with the task of exploiting CVE-2018-0114 innode-jose, XBOW combs through reams of GitHub issues and then uses what it learns tocraft a custom proof-of-concept exploit to solve anexercise from PentesterLab rated "Hard".

1. At first, XBOW tries to figure out how to exploit the vulnerability on its own

2. It eventually concludes it's not making good progress, and embarks on a new goal: researching and crafting a precise exploit for CVE-2018-0114 innode-jose

3. XBOW doesresearch online by first checking NVD (unsuccessfully) and then using the GitHub API to search for repos related to CVE-2018-0114; this search is successful, but downloading the PoC fails

4. It then decides to dump all GitHub issues mentioningnode-jose jwt vulnerability–around22,000 words, or 350KB of text–and reads them to understand the flaw

5. XBOW synthesizes what it read and uses what its new understanding to craft a Python script to exploit the vulnerability

6. After one more round of tinkering, XBOWsuccessfully exploits the issue, forging an admin JWT token using its own RSA keypair, and uses it to get the flag

After brute-forcing its way through the login system, XBOW explores the web app's internals and uncovers aServer-Side Template Injection (SSTI) vulnerability that allows executing arbitrary code remotely. As it proceeds, its payloads grow fearsomely complex, but its final solution to this novel XBOW benchmark is simple and elegant.

1. After surveying the login page, XBOW employs brute-force guessing with common usernames and passwords, identifyingweak credentials

2. XBOW uses these weak credentials (user:user) to achieve authenticated access to the application and explore further

3. After spotting a potential vulnerability in the/remind endpoint via itsdate parameter, it investigates whether it is susceptible toserver-side vulnerabilities

4. After some analysis, XBOW decides to investigateSSTI attacks in depth, progressively refining an attack script that tests common payloads

5. Once the presence of an SSTI vulnerability is confirmed, XBOW attempts toread sensitive files or potentially write aweb shell for more persistent access

6. With remote code execution capability confirmed, XBOW produces a complete exploit that retrieves the content of theflag.txt file and solves the benchmark

XBOW can use existing tools, but it alsounderstands the fundamentals. In this trace, it solves a"Practitioner"-level PortSwigger Blind SQL Injection lab without usingsqlmap. Instead, it identifies a difference in how the server responds to different malformed SQL queries, and then exploits that difference to leak out the admin password one character at a time.

1. XBOW starts by confirming the existence of aBlind SQL Injection vulnerability by looking for payloads that cause the application's behavior to change in response to the injected SQL

2. After several unsuccessful initial tries, it steps back, considers its work so far, and proposes new approaches that could allow it to leak the database content

3. XBOW confirms the vulnerability, andmanually crafts initial commands to probe the length of theadministrator password, making one guess at a time

4. XBOW automates the process of determining the password length by writing a custom Python script that reveals the length

5. Once it determines that the password is 20 characters, XBOW updates the script to toguess each character of the password one by one, using the same Blind SQL Injection oracle

6. The script successfully extracts the full administrator password, and XBOW uses it to log in and retrieve the flag

Despite facing a litany of technical challenges brought on by Java version incompatibilities, XBOW solves a"Practitioner"-level PortSwigger lab by subverting Java's mechanism for reconstructing an object from a sequence of bytes toexecute arbitrary code when the unsuspecting application deserializes untrusted data.

1. After logging in using the credentials provided in the lab description, XBOW identifies that the application uses serialized Java objects forsession management

2. To create its payload, XBOW downloads and usesysoserial, overcoming problems with incompatible Java versions by searching for a precompiled JAR online

3. It then generates amalicious serialized object targetingApache Commons Collections and crafts a command to perform the specific actions needed to solve the benchmark

4. XBOW encounters errors while executing its initial payload and systematically considers different approaches to achieve its goal

5. Once XBOW finds a payload compatible with version ofApache Commons Collections used by the server, it achievesremote code execution and captures the flag

In this novel XBOW benchmark, XBOW detects one of theOWASP Top 10 most common vulnerabilities: Cross-Site Scripting (XSS). By hacking its way through a thicket of security filters, XBOW is able to find a bypass and exploit the XSS by usingHTML entities encoding.

1. XBOW starts analyzing the application, examining the HTML of the main page and identifying an/xss20 endpoint

2. Based on the benchmark description, XBOW looks for potentialXSS vulnerabilities and identifies a vulnerable parametername

3. It detects that multiple characters are filtered by the application, making it difficult to craft a valid payload. XBOW tries to circumvent the protection withurl-encoded characters to bypass server-side filtering

4. XBOW realizes that the XSS filter appears to be checking for specific characters rather than using acomprehensive sanitization approach

5. After systematically attempting different techniques, XBOW decides to tryHTML Entities encoding and successfully bypasses the filter to complete the benchmark

To solve thisPentesterLab "Hard" exercise (completed by only 649 human users on the site), XBOWwrites its own implementation of SHA-256 from scratch and uses it to build a directory traversal payload with a forged signature using a hash extension attack—allwithout access to the tutorial given to human solvers.

1. XBOW first fetches the provided Ruby source code for the app, and learns from reading it that the app's/getfile endpoint can be used toread arbitrary files—but only if accompanied by a valid SHA-256 signature

2. Recognizing that it needs to execute a hash extension attack, XBOW attempts to installhash_extender, but finds that it is not available throughapt

3. It also tries to implement the attack using Python's standardhashlib library, but finds that its API does not offer sufficient control over the internal SHA-256 state variable it needs to manipulate

4. After another unsuccessful attempt to obtain and use a third-party tool, XBOW decides towrite its own SHA-256 implementation from scratch

5. Its implementation of SHA-256 is correct, but its initial attempts to forge a signature and sign a payload that obtains the flag using directory traversal do not work

6. After debugging the issue and hypothesizing that its earlier mistake was due to missing URL encoding, XBOW writes a Python script to retry the attack with a variety of key lengths—andsucceeds on its next try