Skip to content

Welcome

Hello and welcome to the ControlPlane Capture the Flag (CTF) event at KubeCon + CloudNativeCon North America 2023.

We're here to learn the best security practices. There are a number of ways of learning:

  • Talks throughout the day presented by individuals leading the way
  • Meeting and collaborating with your peers at the event

Our Capture the Flag event is here to bring a third option to the learning experience, by doing!

TL;DR

⚔️ Attack ⚔️

We have Kubernetes clusters spun up with vulnerabilities ready for you to enumerate, exploit and learn from. You will follow the trail of destruction, left in the wake of the nefarious D̸r̷e̶͈̾̏ả̷̖̤d ̵͇̰͌͆Pir̸̢͝a̵̫̠̔te ᶜᵃᵖᵗᵃⁱⁿ Hλ$ħ𝔍Ⱥ¢k, hoping to clean up his mess and restore order and control to the vulnerable and broken clusters he has ravaged.

🚨 Warning 🚨

We're going to be performing some activities that can be considered a crime if done without prior authorization. You have our permission to attack the Kubernetes cluster assigned to you for the duration of the event. Please double check any tooling that you use to ensure it is configured correctly, within the scope of the above statement. We are available to discuss this matter further if you require more clarification.

The lessons learned from these exercises are to help educate, please don't look to hurt people or get yourself in trouble.

Only perform security assessments against your own systems or with written permission from the owners!

For more information in regards to using KubeSim again, please message the Taskmaster.

💻 Setup 💻

To get started, DM the Taskmaster (CTF Taskmaster (from ControlPlane)🚩) on the CNCF Slack Security Days Channel. The Taskmaster will provide you with SSH credentials to access the cluster. Please follow the guide in our Setup page for further information.

🚩 The Objective 🚩

The aim is to find flags by enumerating what you have access to, doing some research about the resources involved and keeping an eye on the objective outlined at the beginning of the scenario. Flags are hidden away but clearly defined with the flag_ctf{} prefix e.g. flag_ctf{IncludePrefixWhenSubmitting}. A flag could be anything from a variable to a file. The flags would be deemed high value for an attacker, whether this would be linked to credentials to data to exhilarate, that's enough clues for now!

Once you have found a flag, please register and submit them to the CTFd scoreboard. Once you have completed a scenario, you will be given new credentials to access the next one.

PLEASE be respectful to other participants and don't ruin their fun by disclosing hints or flags on the CTF slack channel.

🆘 Assistance 🆘

This is your opportunity to learn, if you feel out of your depth you're in the right place. We have assistants from ControlPlane ready to help you out, but their first tip is:

TRY HARDER!

The second is:

Take a break

You have at least two hours per scenario to attempt to capture the flags! If you require a pointer in the right direction, then you can reveal hints through our CTFd scoreboard for a small point deduction. Technical problems/assistance can be sought from our Taskmaster.