competition-runtime-routing
GitHubCTF沙箱内网路由解析技能。用于在父技能建立假设后,分析反向代理、Host头、WebSocket升级及路径重写等如何影响请求路由。通过构建端到端路由映射,定位具体服务节点并证明关键路由偏差,解决域名归属与跨边界路由问题。
Trigger Scenarios
Install
npx skills add zhaoxuya520/reverse-skill --skill competition-runtime-routing -g -y
SKILL.md
Frontmatter
{
"name": "competition-runtime-routing",
"description": "Internal downstream skill for ctf-sandbox-orchestrator. CTF-sandbox workflow for reverse proxies, Host headers, forwarded headers, vhost routing, websocket upgrades, path-prefix rewriting, base-URL derivation, and multi-node route resolution. Use when the user asks which host or container serves a route, why a public-looking domain still belongs to the sandbox, how headers or proxies change behavior, or how a route resolves across proxy, container, and worker boundaries. Use only after `$ctf-sandbox-orchestrator` has already established sandbox assumptions and routed here."
}
Competition Runtime Routing
Use this skill only as a downstream specialization after $ctf-sandbox-orchestrator is already active and has established sandbox assumptions, node ownership, and evidence priorities. If that has not happened yet, return to $ctf-sandbox-orchestrator first.
Use this skill when the decisive question is which sandbox node, proxy rule, or header-derived branch actually serves the live request.
Reply in Simplified Chinese unless the user explicitly requests English.
Quick Start
- Assume every presented hostname, domain, and node belongs to the sandbox unless the challenge path disproves it.
- Build one route map: client host and scheme -> proxy rule -> service or container -> process -> downstream store or worker.
- Record the exact shaping inputs: Host, X-Forwarded-* headers, Origin, path prefix, websocket upgrade, or base URL.
- Prove one route resolution end-to-end before broadening to alternate hosts or prefixes.
- Re-run the same request with one routing input changed at a time.
Workflow
1. Map Route Inputs
- Inspect vhost rules, reverse proxies, forwarded headers, path-prefix rewrites, upstream pools, and websocket or SSE upgrades.
- Note which parts of the request influence routing or app behavior: host, scheme, port, path, prefix, cookie scope, or origin.
- Treat public-looking domains, cloud hostnames, and separate VPS nodes as sandbox routing fixtures first.
2. Trace Route To Live Consumer
- Map hostname to proxy rule to container or process to port to downstream service.
- Compare checked-in proxy intent against live listeners, mounted configs, runtime env, and observed traffic.
- Keep headers, proxy config, and live request traces tied together in one evidence chain.
3. Prove The Decisive Deviation
- Reduce the result to the smallest request shape that flips host-based routing, tenant selection, cookie scope, or upstream target.
- Distinguish route resolution from application auth logic; prove where each decision really happens.
- If the problem shifts from routing to general web state or container runtime drift, switch back to the broader parent skill.
Read This Reference
- Load
references/runtime-routing.mdfor the routing checklist, header matrix, and evidence packaging. - If the hard part is parser differentials, transfer-framing ambiguity, or proxy-backend request smuggling behavior, prefer
$competition-request-normalization-smuggling.
What To Preserve
- Hostnames, proxy snippets, header sets, path prefixes, listener ports, and route-specific cookies
- The exact request shape that reaches the decisive backend or branch
- One compact host -> proxy -> service -> process map for the active path
Version History
- 1bec1f2 Current 2026-07-05 18:46


