An afternoon of Kubernetes hacking at KubeCon Europe

Last week some of my colleagues and I attended KubeCon Europe 2024, a CNCF event about everything related to Kubernetes. After two (long) days of interesting talks it was time to get our hands dirty and compete in the Capture The Flag challenge that was held by controlplane.io on Friday. At 11 a.m. sharp we were present at the Security Hub in room W08 to receive our first assignment from the Taskmaster, and start hacking away. My colleagues and I competed as a team, which is obviously a welcome advantage if you are up against some of the brightest Kubernetes engineers.

The first challenge, demanding deployments

To start, the Taskmaster provides you with a link that you must follow to download an SSH config file. Using this file, you log in to the jump server, which is configured to access our hacking target, the Kubernetes cluster.

We started full speed on the first scenario, trying to decipher the “message of the day” for clues. We had access to a Git frontend (Gitea) and a Continuous Delivery frontend (Tekton), but not to the underlying cluster directly.

After a bit of fiddling, it became clear that a Pod was stuck in a CrashLoopBackOff state. We quickly realized that we needed to fix it by modifying the Git repository, because we suspected the flag was hidden in the logs of that Pod.

After about one hour we succeeded in getting the Pod into a healthy state, and sure enough, there it was – our first flag!

Next, trick the Chatbot

Because the challenges were hard and time moves fast, we skipped the search for the 5-point bonus flag and continued straight to the next scenario.

Meanwhile, other competing engineers were a little bit faster, and Skybound began to take a noticeable lead.

For the second challenge we were presented with a program that interacts with a chatbot. It didn’t really seem like it was possible to type commands, but then again, it was a hacking contest; there had to be a way to inject commands into the message box.

During lunch, we successfully managed to inject commands into the container running the Chatbot, employing a combination of quotes (') and operators (&&). Shortly thereafter, we obtained the second flag.

Around the same moment I stumbled on the bonus flag for this scenario, by addressing the chatbot with “please”. A bit lousy, but points are points!

I had an idea of where the third flag was located, but we couldn’t figure out a way to escape from the Pod to the Node, so we decided to skip this flag and move on to the last challenge.

Last challenge, until the last second

The final challenge was really difficult in my opinion, and we had to struggle until the last seconds of the CTF just to obtain one flag out of three. I decided to use a hint for 5 points, but it didn’t help much, so I felt a bit frustrated about losing the points!

In the end the tip (serviceaccounts can be used to gain persistence to a Kubernetes cluster) gave my colleague an idea, and just in time we found that flag.

The winners

While we didn’t win the CTF, I believe we can still be proud we made it into the top 10 among more than 50 contestants participating.

Even if you don’t make it to the top, participating in a CTF is always fun because you learn a lot of tricks you wouldn’t think about in most day-to-day operations.

A lot of respect and congratulations to the winners, Skybound and Alexis. We’re already looking forward to next year’s CTF.
