kCTF is a Kubernetes-based infrastructure for CTF competitions
We invite you to demonstrate an exploit against our kCTF demo cluster based on the challenges presented on this page. Successful demonstrations are eligible for rewards between 20,000 - 91,337 USD as defined in https://g.co/vrp. On top of this, exploiting our new instances are eligible up to 42,000 USD, increasing the total possible payout to 133,337 USD.
kCTF is an open source infrastructure for CTF competitions. You can find details on how it works in the kCTF documentation, but in short, it’s running on a hardened Kubernetes cluster with the following security features:
At present, we’re interested in two attack scenarios against this infrastructure:
For this purpose, we set up two kCTF challenges with secret flags: “kctf” and “full-chain”. You can demonstrate a working exploit by leaking the flags of either of these. You can find the code for the challenges here.
The “kctf” challenge is the only entry point to the cluster. You can connect to it via:
socat FILE:`tty`,raw,echo=0 TCP:kctf.vrp2.ctfcompetition.com:1337
Our older cluster running on Linux 5.4 (kctf.vrp.ctfcompetition.com:1337
) is already end-of-life and we will be turned off soon (not later than 2023-04-29), please do not start new research on that cluster.
It will ask you to solve a proof-of-work and then gives you access to a bash running in a setup similar to the kCTF pwn template challenge. The only difference is that the flag is not accessible inside of the nsjail sandbox and you will need to break out of the chroot in order to read it. You can observe the full source code here.
The details of the kernel of the VM can be read from /etc/node-os-release
, and you can get the image of the VM following this script based on the output of /etc/node-os-release
.
The “full-chain” challenge is a challenge that runs a while sleep
loop and doesn’t have any exposed ports. In order to get access to the flag, you will need to break out of the “kctf” challenge and break the pod isolation of the cluster.
The flags are stored in Kubernetes secrets and mounted to the filesystem of the two challenges at “/flag/flag”. They are of the format:
KCTF{$CHAL_NAME-$TIMESTAMP:$MAC}
As you can see, the flags include a timestamp and are rotated frequently.
We’re launching new instances to evaluate the latest Linux kernel stable image as well as new experimental mitigations in a custom kernel we’ve built. Rather than simply learning about the current state of the stable kernels, the new instances are used to ask the community to help us evaluate the value of both our latest and more experimental security mitigations.
The mitigations we’ve built attempt to tackle the following exploit primitives:
You can connect to the instance with the latest kernel without the patch via
nc kctf-mitigation.vrp.ctfcompetition.com 1337
And to the version patched with our experimental mitigations:
nc kctf-mitigation.vrp.ctfcompetition.com 31337
These instances are not based on the kCTF infrastructure (as they require running custom kernel version), instead they spin up a new QEMU VM on every new connection. As this is not a production-ready infrastructure, breaking the infrastructure itself (or e.g. using leaks from console) is not considered a valid submission.
Upstream | Custom mitigation | |
---|---|---|
Kernel version | 5.19 | 5.19 - custom |
Kernel image | bzImage_upstream_5.19 | bzImage_mitigation_5.19 |
Kernel config | bzImage_upstream_5.19_config | bzImage_mitigation_5.19_config |
Source code | 3d7cb6b | c02401c |
Port | 1337 | 31337 |
Reward (base) | $21000 | $42000 |
Please also note that although we are trying to keep up-to-date with the latest kernel version, these instances may sometimes be outdated.
We want to avoid learning about unfixed vulnerabilities, so the process to submit reports is:
We want to encourage the community to help research vulnerabilities such as those found by Syzkaller, but which are still unfixed since they have not been shown to be exploitable. As such:
When we receive an exploit for a fixed vulnerability we’ll add details here.
In case of questions or suggestions, you can reach us in #kctf.