We invite you to demonstrate an exploit against our kCTF demo cluster based on the challenges presented on this page.
kCTF is an open-source infrastructure for CTF competitions. You can find details on how it works in the kCTF documentation, but in short, it runs on a hardened Kubernetes cluster with the following security features:
- The OS and Kubernetes versions are upgraded automatically.
- The nodes are running Container-Optimized OS.
- Pod egress network access is restricted to public IPs only.
- Workload Identity restricts access to service accounts and the metadata server in addition to the network policies.
- Every connection to a challenge spawns a separate nsjail sandbox to isolate players from each other.
At present, we’re interested in two attack scenarios against this infrastructure:
- Breaking out of the nsjail sandbox, since this would allow solving challenges in unintended ways.
- Breaking the isolation that Kubernetes provides and accessing the flags of other challenges.
For this purpose, we set up two kCTF challenges with secret flags: “kctf” and “full-chain”. You can demonstrate a working exploit by leaking the flags of either of these.
The “kctf” challenge is the only entry point to the cluster. You can connect to it via:
nc kctf.vrp.ctfcompetition.com 1
It will ask you to solve a proof-of-work and then give you access to a bash shell running in a setup similar to the kCTF bash example challenge. The only difference is that the flag is not accessible inside the nsjail sandbox, so you will need to break out of the chroot in order to read it.
The “full-chain” challenge runs a while-sleep loop and doesn’t expose any ports. To get access to its flag, you will need to break out of the “kctf” challenge and then break the pod isolation of the cluster.
The flags are stored in Kubernetes secrets and mounted to the filesystem of the two challenges at “/flag/flag”. They are of the format:
KCTF{$CHAL_NAME-$TIMESTAMP:$MAC}
As you can see, the flags include a timestamp and are rotated frequently. You can send us the flag here before you are ready to disclose the exploit, as we can use it to resolve the timing in case of an exploit collision (we will reward whoever was the first to obtain a flag and record its submission). Otherwise, once the vulnerability is fixed, please contact us at g.co/vulnz.
We want to encourage the community to help research vulnerabilities such as those found by Syzkaller, but which are still unfixed since they have not been shown to be exploitable. As such:
- The person that develops the exploit and receives the reward might not be the same as the person that discovered or patched the vulnerability.
- It's okay to use 1-day exploits against the lab environment, that is, publicly known vulnerabilities that exploit the patch gap between the time a patch is announced and the time the lab environment is updated; however, we will issue only a single reward per vulnerability.
In case of questions or suggestions, you can reach us at kctf@google.com.
