►
Description
CTF Overview and Experience - Lewis Denham-Parry, Control Plane
Prepare yourself for tomorrow's CTF event with a warm-up session based on introductory SecurityCon CTF events. All experience levels are welcome!
Learn how to engage with confounding container breakouts, confusing Kubernetes misconfigurations, and the art of engaging with CTF events to prepare yourself for the high-flying no-holds-barred super-inverted gravity-defying capture the flag event at SecurityCon tomorrow!
A
Hi
everyone
how's
everyone
doing.
Has
anyone
been
able
to
get
a
taxi
this
morning?
A
Yeah
you've
got
the
taxi
an
hour
all
right
so
for
today's
ctf
there's
been
a
number
of
issues
getting
here
and
now
we're
trying
to
spin
up
100
or
so
clusters
on
conference.
Wi-Fi
james
is,
I
think,
somewhere
in
the
room.
There's
james
waving
now
I'll
speak
more
about
james
in
a
moment,
but
thank
you
for
having
me
and
it's
so
lovely,
to
see
everyone
again
in
real
life,
especially
tiffany,
and
now
I've
got
the
stage
I
just
want
to
bring
up
and
raise
up
mental
health.
I
suffer
from
depression.
A
A
Like
I
remember
when
I
went
to
my
first
conference
and
I
was
sat
in
the
room
and
it
felt
like
right-
I'm
the
imposter
here
I
don't
have
a
clue
what
anyone's
talking
about
we're
here
to
learn,
and
so
please
just
remember
that
oh
just
drink
water
take
a
breath
if
you
need
I'll,
be
the
one
who's
wearing
a
lanyard
and
a
mask.
But
if
you
need
anyone
to
speak
to
just
come,
find
me
and
we
can
have
a
chat.
A
So
it's
you
might
have
realized
that
these
slides
what
might
have
been
made
on
transit
here,
there's
a
couple
of
us
control
plane
here
today,
but
I
just
wanted
to
do.
Some
honorable
mentions
first
of
all
myself,
because
I'm
going
to
honorably
mention
myself.
If
you
want
to
get
in
touch,
raise
me
dms,
open
I'll,
be
here
all
week.
James,
who
can
you
do
that
is
james,
so
james
is
a
mastermind
behind
the
majority
of
a
ctf.
He
is
absolutely
phenomenal.
A
So
it's
definitely
someone
you
need
to
check
out
and
finally
does
anyone
know
who
andrew
martin
is.
Okay,
we
got
a
couple
of
hands
all
right.
If
you
see
andrew,
please
tell
me
where
he
is
because
I'll
be
really
useful
right
now,
but
andy
he's
the
ceo
of
control
plane.
He
was
my
inspiration.
I
he
gave
a
talk
about
five
years
ago,
where
he
did
live
hacking
on
stage
and
I
was
like
that
is
not
going
to
swear
that's
the
stuff.
I
would
like
to
be
able
to
do
so.
A
That's
why
I'm
here
today
so
previously
in
life.
I
was
a
software
developer
for
a
while
and
well
before
that
before
I
was
a
software
developer.
I
was
a
kid.
I
think
we've
all
been
kids
and
I
really
enjoyed
solving
problems,
whether
it
be
a
jigsaw
whether
it
be
whatever
I
don't
know.
I
went
jigsaw
but
computer
games
and
such
I
loved
just
solving
problems
and
that's
what
led
me
into
computers
back
in
1999.
I
didn't
understand
what
kubernetes
is,
and
I
kind
of
don't
really
understand
what
it
is
now.
A
But
that's
why
we're
here,
but
it
was
this
problem
solving
which
led
me
to
my
job,
which
is
also
a
hobby,
but
I
was
an
application
developer
and
I
was
a
developer
because
security
scared,
the
hell
out
of
me.
I
like
clearly
defined
boundaries.
I
like
to
say
that
I've
done
a
good
job
here.
I
I
like
that
security
for
me
was
like
well,
I've
secured.
Is
it
secure?
I
don't
know,
but
then
that
realization,
with
age
came
that
actually
it's
just
another
problem
for
me
to
solve.
A
A
Any
other
honorable
mentions
that
you'd
like
to
shout
out
now
unreal
tournament.
Thank
you
for
oh,
yes,
dude,
how
you
doing
hey
guys,
yeah
great,
but
for
me
it
was
about
that
community
aspect.
It's
not
just
playing
the
game
like.
I
remember
us
like
taking
all
our
like
cables
to
this
house
like
someone,
someone
rented
a
flat,
we're
like
whoa,
you've
rented
a
flat,
and
then
we
went
into
their
flat,
so
many
tv,
it
was
a
mess,
but
it
was
so
much
fun
and
then
that
was
like
our
original
meetup.
A
That's
where
we
had
so
much
pizza.
So
much
like
that's
where
we
first
found
beer
like
it
was
phenomenal
and
that's
where
we
come
to
today
so
again,
just
back
to
problem
solving
there.
That's
what
I
see
as
ctfs
like
ctfs
ctfs.
For
me,
even
though,
with
its
capture
flag.
Let
me
go
to
the
next
slide
because
again,
transit
apologies,
a
ctf
capture
flag.
The
purpose
of
this
is
is
to
find
a
flag
and
that's
an
upset
objective.
A
That's
clearly
defining
our
boundaries,
we
know
we're
going
into
a
cluster
and
we
need
to
find
this
flag
now.
Equally,
when
I
first
did
my
ctf,
I've
never
done
a
ctf
before
I
don't
know
what
I'm
doing.
I
feel
like
imposter
syndrome
kicking
in.
Like
I
shouldn't
be
here.
I
don't
have
a
clue,
nah,
that's
what
we're
going
to
do
today.
A
So
we're
going
to
give
you
access
to
a
ctf
anyone
done
ctfs
before,
first
of
all,
before
I'm
teaching
you
all
how
to
suck
eggs,
which
is
something
from
the
uk
which
doesn't
make
any
sense
to
anyone
outside
of
the
uk.
Please
do
not
suck
any
eggs
so
with
ctf.
It
gives
us
this
learning
objective.
It
allows
us
to
be
it
just
performing
the
role
of
red
team
as
an
attacker.
It
allows
us
to
do
that
fun
thing.
A
It
allows
us
to
be
like
mr
robot
for
a
moment,
and
it's
like
yes,
we've
taken
over
the
world,
but
the
importance
of
it
is
it's
actually
doing
it
and
for
me
I
learn
best.
By
doing
I
really
wish
I
could
read
a
book
and
be
able
to
take
it
straight
like
that.
But
for
me
I
need
to
do
it.
I
need
to
break
things.
That's
naturally,
who
I
am
so
that's
what
we're
doing
with
the
ctf
so
like
I
said,
I
know
nothing.
A
If
you
don't
know
anything,
raise
your
hand
come
and
find
us
we're
in
if,
if
you're
in
the
event
like
you
are
here,
we're
just
on
the
tables
to
the
left
over
there
or
to
the
right
left
right
hard
if
you're
virtual
online,
we're
also
on
a
slack
channel
and
we'll
show
you
the
slide
channel
in
a
moment,
you'll
find
us
and
I'll
mention
that
in
a
moment,
but
just
remember
we're
here
to
learn.
There
are
no
stupid
questions.
A
So,
yes,
there
isn't
any
stupid
questions,
but
there
are
the
one
thing
that
I'll
say
is
there
are
stupid
assumptions.
You
are
stupid
if
you
assume
that
I'm
going
to
remember
you
asking
me
what
you
think
is
a
stupid
question
when
to
me
it's
an
actual
normal
question,
which
I'm
asked
a
lot
of
the
time.
So
if
you
ever
feel
like
this
is
too
much
me
just
come
to
me
like
honestly,
I
can't
remember
what
my
last
slide
was.
A
That's
how
terrible
my
memory
is
right
now
and
what
we're
looking
for
is
this
feeling
of
a
land
party
that
we've
been
to
so
today
today,
james
and
I
and
a
couple
of
other
cpas
we're
going
to
run
through
last
year's
ctf.
Did
anyone
attend
last
year's
ctf
online?
Did
anyone
get
some
classes
lovely
to
meet
you
all
and
there's
a
number
of
people
who
haven't
so
if
you
haven't
played
that
we're
going
to
play
through
one
of
the
scenarios
in
a
moment?
A
A
The
thing
here
is:
is
that
we're
in
this
area,
where
it's
like
we're
going
to
try
to
enable
we're
trying
to
help
you
get
to
that
next
level?
That's
what
we're
trying
to
do
here,
and
so
tomorrow
we're
not
going
to
give
any
hints
or
tips
we're
gonna
have
ctfd
running,
which
means
that
when
you
find
a
flag,
you
can
submit
it
and
what
do
flags
make?
A
Thank
you
prizes.
Thank
you
to
the
only
person
from
the
uk,
and
so
with
that
we'll
have
a
leaderboard
and
then
again,
that's
just
for
us
to
have
some
fun
tomorrow.
A
Now
we're
basing
this.
Our
whole
system
is
based
on
this
simulator.
Please
feel
free
to
take
a
photo,
come
and
ask
us.
We
can
point
you
towards
this
repo
we've
had
it
for
a
while
now
and
in
all
honesty,
as
with
many
open
source
projects,
it
needs
a
bit
more
love
at
times
and
there's
lots
of
you
here
if
you
enjoy
what
you're
going
to
be
doing
today.
This
is
what
you
can
take
home
to
run
this
yourself.
A
This
is
how
you
can
run
it
and
pay
for
your
own
cloud
bills,
and
but
what
we're
doing
today
is
is
that
we've
got
something
else,
so
we
built
on
top
of
this.
It's
it's
scaling
it
at
high
numbers.
There's
something
there's
some
other
technology
that
we're
here
to
talk
about.
That
does
something
similar
we've.
A
So
we've
we've
created
this
little
secret
sauce
that
allows
us
to
spin
up
I'm
hoping
we're
around
like
60
70
clusters
now
james,
but
I
can
see
his
head's
deep
in
a
laptop,
so
there's
a
thumbs
up
so
for
us,
we've
never
been
in
this
position
before
so
taskmaster
again
for
one
person
from
the
uk.
If
you've
seen
the
tv
show
taskmaster,
that's
where
this
idea
came
from
during
covid,
we
created
an
identity
because
who
doesn't
make
their
own
identity
and
market,
and
so
the
taskmaster
is
there
to
support
you.
A
So
if
you
want
to
access
a
cluster,
if
you
dm
the
taskmaster,
the
taskmaster
will
send
you
a
cluster
now.
This
is
at
risk
risk
of
ddosing
ourselves
right
now.
So,
if
all
of
you
ask
for
a
cluster,
it's
not
going
to
be
too
much
fun
and
james's
thumb
up,
we'll
go
to
a
thumb
down
quite
quickly.
So
please
be
patient
with
us,
we're
trying
our
best,
but
we
will
get
you
clusters.
A
If
you
really
want
to
play
about,
we've
got
we'll
we'll
get
you
sorted,
oh
yeah,
and
we
use
this
really
secure
form
of
and
we'll
do
this
in
a
demo
now
the
way
that
we
provide
your
credentials
to
this
cluster.
We
do
this
the
most
secure
way
that
we
know
how
and
it's
by
providing
ssh
credentials
over
slack.
I
don't
know
if
anyone's
done
that
in
this
room,
but
that's
how
we're
going
to
do
it
today
and
tomorrow.
Thank
you.
A
Right
so
it's
time
for
a
demo,
my
timing
is
all
out
of
sync.
So
let's
see
how
far
we
can
go
at
this
point,
I
am
now
going
to
just
share
my
screen.
A
Right,
I'm
gonna,
try
and
refresh
this,
so
my
internet
connection
has
been
a
bit
temperamental
there.
We
go
cool
I've
gone
to
the
cncf
flag.
Hopefully
some
of
you
can
see
that
towards
the
back.
A
I
walked
into
this
room
and
I
realized
I
didn't
clear
my
history
of
what
we
previously
talked
about
on
the
cmcf,
which
was
mainly
panic,
so
I've
just
covered
it
up
there.
So
if
you
go
to
the
end
of
the
cloud
native
slack
channel,
you
can
find
it
everywhere
on
the
interwebs.
You'll
find
the
task
master,
ctf
task
master
from
control
plane.
A
A
Aka
james,
may
I
please
have
a
cluster
okay,
so
it's
not
like
we're
all
just
waiting
for
this
one
person
in
the
room
just
to
say
thank
you
james.
So
all
right,
I'm
going
to
download
this,
because
I'm
going
to
trust
this
and
congratulations
come
on
we're
using
conference
wi-fi
that
deserves
a
club
we've.
Just
we've
done
something.
A
A
Now,
if
I
do
an
ls
that
gives
me
the
files
that
I
need
to
ssh
on
again,
if
this
is
all
like
brand
new
to
you,
if
you
don't
know
what
ssh
means
honestly,
I
don't.
I
don't
care
that
you
don't
know.
I
will
more
than
happily
help
you
get
over
this
part.
So
come
find
me.
We
can
chat
so
now
that
I
have
my
credentials,
I'm
just
going
to
share
all
of
my
history
apparently
and
find
this
command
to
ssh
onto
on
to
bastion.
A
So
does
anyone
remember
the
first
scenario
from
last
year?
Please
be
quiet
then,
so
I
will
read
this
out
for
a
moment.
We
are
a
defensively
minded
organization.
We
followed
our
containery
best
practices,
but
we've
got
a
problem.
It's
hard
to
see
where
it's
coming
from
we've
discarded
our
build
layers
in
a
multi-stage,
build
scanned
for
known
cves
and
we're
confident.
The
container
file
systems
are
correct,
but
somehow
our
arch
nemesis
for
dreaded.
A
A
Okay,
so
there's
a
lot
of
information
there
again.
If
any
of
you
have
dealt
with
control
plane,
you'll
probably
know
that
we
use
lots
of
words
at
times.
A
Now
it
gave
us
some
clues,
that's
what
we're
looking
for
now.
Has
anyone
read
the
book?
Hacking,
kubernetes,
yeah
cool?
Thank
you.
Thank
you.
Thank
you.
If
you
haven't
read
the
book
it's
available
in
places,
I
don't
know,
it'll
probably
be
on
our
booth
come
find
us
and
then
you,
yes,
you
can
find
it
there.
But
hashtag
is
our
arch
nemesis
in
the
book
as
well.
We
created
a
com,
we
created
a
mock
company
for
us
to
basis
on,
and
so
this
is
where
jedi
jack
made
his
debut
last
year
at
cubecon
eu.
A
So
I've
done
an
ls
just
to
see
what
I've
got
here,
and
so
it
just
looks
like
I'm
inside
a
pod.
The
reason
I
think
I'm
on
a
part
is
is
because
in
the
top
left
here
I
can
see
that
I'm
on
hashtag
hyphen
5d4
iphone
4
d5,
so
that
to
me
suggests
I'm
within
a
pod.
That's
managed
by
it
could
be
a
deployment
in
this
instance.
Anyone
want
to
shout
out
any
things
I
could
do
if
you've
already
done
this
one
don't
give
the
answer
straight
away.
This
is
it's.
A
Pa
is
pair
hacking
all
right
I'll,
take
lead
okay
cool,
so
I
might
just
want
to
have
a
look
around,
so
I
could
check
the
environment
variables.
I
can
see
that
we're
on
a
kebab
nice
classic.
Incidentally,
this
is
running
on
a
real
cluster.
This
isn't
any
other
magic.
This
isn't
us
trying
to
just
like
put
this
facade
words
in
front
of
you.
This
is
an
actual
cluster
running
on
one
of
the
cloud
providers
and
then
you've
got
full
access
to
these
these
nodes
instantly.
The
vms
are
your
own.
A
When
we
spin
up
these
so
the
environment
variables,
yeah
doesn't
give
too
much.
I
could
have
look
at
processes.
A
I
could,
if
I
could
type
the
nerves
for
nerves
cool,
so
I
can
just
see
that
we're
doing
sleep
infinity,
which
I
plan
to
do
by
about
this
time
next
week.
A
So
how
am
I
doing
on
time?
Okay,
let's?
I
think
I
might
finish
a
little
bit
early,
but
then
we
can
all
get
refreshments,
so
the
one
useful
thing
here
would
probably
be
to
see
what
we
have
mounted
in.
So
we
can
see,
we've
got
a
service
account
available
there.
That
might
be
of
interest
in
other
scenarios.
If
you
want
to
play
about
today,
then
I'll
look
there,
but
the
one
here
that
I'm
really
of
interest
is
mount.
A
So
if
I
run
mount,
I
start
to
see
that
there
are
some
things
mounted
in
here
that
are
of
interest
to
me.
A
A
See
this
message
if
I've
lost
my
connection
now
after
doing
that,
I'm
I'm
going
to
be
fuming
and
we
can
read
this
again.
So
the
point:
what
we're
trying
to
find
here
is
is
we're
trying
to
find
out
what
hashtag
did
to
persist,
connect
to
prove
out
the
attack
path
that
hashtag
took
and
then
we're
going
to
look
for
some
persistence
as
to
what
they
did
next.
A
Now
again,
just
to
say,
because,
if
you're
like
new
to
linux,
if
if
like
this
is
your
first
cubron,
if
again,
please
come
find
us-
I
I
remember
mine
fondly
and
I
was
intimidated,
but
it's
all
about
dropping
ladders.
So
I'm
more
than
happy
to
help
you
up
to
this
point
within
the
linux
file
system
when
we
mount
something
we're
mounting
data
onto
it.
So
the
wavelength
I
like
to
think
of
it
is
just
like
a
usb
stick.
A
If
you're
running
windows
or
mac
os,
you
just
connect
that
memory
stick
in
and
then
it's
in
your
file
system.
You
can
access
it
on
linux.
We
need
to
use
mount
it's
a
little
bit
different,
that's
so
what
I
can
do
is
actually
let
me
just
prepare
this
a
little
bit
better.
So
if
we
check
on
this
mount,
we
can
see
that
there's
nothing
in
there
at
the
moment.
A
But
now,
if
we
mount
dev,
xvd
a1
into
mount
and
then
we'll
just
replay
that
command
that
we
had
a
moment
ago-
and
now
we've
mounted
this
this
disk
on
into
our
container
and
now
we
can
see
it
within
there.
So
hopefully
that
brings
it
very
if
you're
brand
new
to
this,
but
this
is
interesting.
This
looks
like
a
file
system
that
is
similar
to
our
container,
but
there's
a
little
bit
more
in
there,
and
so
this
is
probably
the
attack
path
that
hashtag
took
to
persist
a
connection.
A
So
let's
just
change
to
mount,
because
that
usually
confuses
me
at
this
point.
So
now
we're
mounted
into
another
file
system.
So
how
might
an
attacker
persist
a
connection?
A
So
what
they
might
have
done
is
is
ssh.
So
I'm
going
to
assume
that
this
is
a
virtual
machine
and
there's
other
things.
I
could
do
to
start
identifying
a
virtual
machine
if
you
want
to
do
those
things
again,
give
give
us
a
shout
we'll
give
you
scenarios
you
can
play
about
this
yourself
and
find
other
flags,
but
I'm
just
going
straight
for
kill
here.
So
I'm
going
to
just
check
what
the
root
user
has,
but
I'm
not
going
to
find
it
with
just
ls.
A
So
let's
move
into
root
and
go
to
ssh
and
stanley.
If
it
starts
with
a
dart,
then
it's
just
a
hidden
directory
or
hidden
file.
So
now,
if
we
have
a
look
here,
we
can
see
our
authorized
keys.
A
And
so,
if
I
cut
out
our
authorized
keys,
we
can
see
all
the
keys
that
we
can
use
to
access
this
then
at
the
bottom
we
can
see
just
here:
let's
bring
up
a
little
bit,
pi
radical
note
itself,
don't
misplace
this
flag,
your
cc,
hashtag,
ps
and
then
here's
our
flag.
A
So
this
is
our
introduction
yesterday
and
I'll
explain
a
bit:
what's
happened
here
now
in
a
moment,
but
what
you
do
tomorrow
is
when
you
find
a
flag
like
this
you'd
go
to
ctfd,
which
we'll
give
you
a
link
to
you,
submit
this
flag
and
then
you
get
points.
This
is
the
whole
purpose
of
a
capture
flag.
Now,
we've
shown
you
this
attack
path.
We've
shown
you
what's
happened
here,
but
we
haven't
really
described
what
it
was.
Does
anyone
know
what
happened
there?
Why
we
were
able
to
access
that
now?
A
If
you
did
it
last
year,
you're
more
than
welcome
to
shout
out
definitely
silence,
so
that
was
a
privileged
container
and
so
and
does
anyone
know
privileged
containers
in
here
or
are
we
all
absolutely
dead?
Okay,
we
got
a
couple:
okay,
sweet,
so
a
privileged
container.
Why
might
you
use
the
privileged
container
so
containers
we
use
it
to
isolate
our
workloads
and
in
isolation
using
linux,
namespaces
and
c
groups?
That
isolation
means
that
we're
not
really
like.
We
don't
have
access
outside
of
that,
because
that's
what
we
want.
We
want
this
boundary
now.
A
If
you're
running
a
workload
that's
dependent
on
something
on
the
machine,
then
you
need
to
look
at
the
capabilities
that
are
available
within
that
container.
Now,
if
you
go
into
one
of
those
favorite
websites,
I
can
take
you
from
your
favorite
search
engine
to
say
that
this
bug
is
happening.
Someone
might
suggest
you
to
run
a
privileged
container.
The
only
problem
is
is
a
running
privileged
container
essentially
means
that
you're
running
as
root
on
that
virtual
machine,
and
so
that's
what
happened
for
us.
A
This
container
within
this
part
was
being
run
as
a
privilege
and
running
as
privileged,
which
meant
that
we
had
access
to
the
xvd
a1,
which
was
the
file
system
on
the
virtual
machine,
and
then
when
we
migrated
when
we
moved
across
into
that,
we
are
able
to
act
as
root
on
that
machine
cool.
And
so
then
we
had
to
look
and
then
the
hashtag
in
this
instance.
A
A
So
that's
what
it's
taught
us
points
to
mention:
there's
a
number
of
us
from
control
plane
who
are
given
talks
over
this
week,
everything
from
operators
to
fret
modeling
to
anything
else.
So
please
come
find
us
you'll,
find
we
got
like
these
t-shirts
with
control
plane
written
on
them.
A
How
would
you
mitigate
against
this
kind
of
attack?
Incidentally?
Well,
you
wouldn't
run
a
privileged
container.
You
shouldn't
be
running
a
privileged
container.
If
you
are
don't
worry,
if
you
are,
incidentally,
we
run
this
quite
often
with
our
training
and
I've
been
in
training
before,
where
someone's
had
to
run
quite
quickly
because
it
was
in
production.
A
So
don't
worry
but
look
at
the
capabilities
instead
of
giving
focus
on
least
privilege,
and
you
want
to
not
give
like
everything
with
a
privileged
flag,
just
look
at
what
it
needs
to
enable
equally
defense
in
depth.
I'm
probably
talking
well
sorry
defense
in
depth.
Yes,
so
if
we
fret
model
of
this
and
then
we
don't
want
to
run
a
privileged
container
for
our
web
public
for
intents,
we
don't
want
to
run
a
privileged
container.
Anyway,
we
can
have
defense
in
depth.
A
Okay,
it's
at
20
past.
I'm,
I'm
pretty
much
sure
I
am
done
on
everything
else.
Thank
you
for
your
time.
If
you
do
have
any
questions,
then
I'm
more
than
happy
to
take
them
now,
if
you'd
rather
just
start
hacking
away,
then
please
dm
the
taskmaster.
We
will
get
you
a
cluster
as
soon
as
possible.
Was
this
of
interest
to
anyone,
or
am
I
just
going
to
fear
this?
A
Can
I
oh
hello,
hello,
so
thank
you
ever
so
much
if
you
want
to
find
us
we'll
just
be
on
the
tables
out
there,
but
I
hope
you
enjoy
your
kubecon.
Don't
be
a
stranger
and
I'm
hopefully
see
you
soon.