
Welcome


TL;DR

  • Join https://cloud-native.slack.com (if you aren't registered, go to https://slack.cncf.io)
  • Join #cnsecuritycon-ctf
  • Message @CTF Taskmaster and request credentials
  • Download your bundle, extract your files, and run ssh -F simulator_config bastion
  • Find the flags

Main Text

Hello and welcome to the ControlPlane Capture the Flag (CTF) event at CloudNativeSecurityCon North America 2024.

We're running a Capture The Flag to teach you all the best security practices. There are a number of ways of learning:

  • Talks throughout the day presented by individuals leading the way
  • Meeting and collaborating with your peers at the event

Our Capture the Flag event is here to bring a third option to the learning experience, by doing!

We're starting with a demo scenario on Wednesday, and will have 3 more of varying difficulties available on Thursday.

⚔️ Attack ⚔️

We have Kubernetes clusters spun up with vulnerabilities ready for you to enumerate, exploit and learn from. You will follow the trail of destruction, left in the wake of the nefarious D̸r̷e̶͈̾̏ả̷̖̤d ̵͇̰͌͆Pir̸̢͝a̵̫̠̔te ᶜᵃᵖᵗᵃⁱⁿ Hλ$ħ𝔍Ⱥ¢k, hoping to clean up his mess and restore order and control to the vulnerable and broken clusters he has ravaged.

🚨 Warning 🚨

We're going to be performing some activities that can be considered a crime if done without prior authorization. You have our permission to attack the Kubernetes cluster assigned to you for the duration of the event. Please double-check any tooling that you use to ensure it is configured correctly and stays within the scope of the above statement. We are available to discuss this matter further if you require more clarification.

The lessons learned from these exercises are meant to educate; please don't look to hurt people or get yourself in trouble.

Only perform security assessments against your own systems or with written permission from the owners!

For more information in regards to using KubeSim again, please message the Taskmaster.

💻 Setup 💻

To get started, DM the Taskmaster (CTF Taskmaster (from ControlPlane)🚩) on the CNCF Slack CTF Channel. The Taskmaster will provide you with SSH credentials to access the cluster. Please follow the guide in our Setup page for further information.

🚩 The Objective 🚩

The aim is to find flags by enumerating what you have access to, doing some research about the resources involved, and keeping an eye on the objective outlined at the beginning of the scenario. Flags are hidden away but clearly defined by the flag_ctf{} prefix, e.g. flag_ctf{IncludePrefixWhenSubmitting}. A flag could be anything from an environment variable to a file to a Kubernetes Secret in a namespace. The flags are things an attacker would deem high value, or that matter for good security practice, but that's enough clues for now!

Once you have found a flag, please register on the CTFd scoreboard and submit it there. Once you have completed a scenario, you will need to message the Taskmaster to be given new credentials for the next one.

Note that there is a test flag. Submitting this first will unlock the rest of the submission options. If you found a flag before this, make sure you submit the test flag before trying to submit your challenge flag.

PLEASE be respectful to other participants and don't ruin their fun by disclosing hints or flags on the CTF slack channel.

🆘 Assistance 🆘

This is your opportunity to learn; if you feel out of your depth, you're in the right place. We have assistants from ControlPlane ready to help you out.

You have at least two hours per scenario to attempt to capture the flags! If you require a pointer in the right direction, then you can reveal hints through our CTFd scoreboard for a small point deduction. Technical problems/assistance can be sought from our Taskmaster, either in the room or through Slack.