What is This?
This Kubernetes Capture the Flag (CTF) contest features a Kubernetes-based CTF challenge, where teams and individuals can build and test their Kubernetes skills. Each team/individual is given access to a single Kubernetes cluster that contains a set of serial challenges.
This year, we have two scenarios!
Scenario 1: Learning CTF (Non-competitive) - Friday and Saturday
On Friday and Saturday, we have a non-competitive learning run, where you can go through the Kubernetes CTF scenario from DEF CON 29, themed on the movie "Hackers". It has an available "cheat sheet" that shows you how to run through, start to finish! You can do this without the "cheat sheet" if you want a puzzle.
Each team/individual gets a Kubernetes cluster that contains a set of serial challenges.
This is open to up to 30 teams and is available from Friday 12pm to Saturday 5pm Pacific.
How to Register
- Note: Feel free to register after the exercise begins. We will be running registration until 5pm each day.
- Send an email to register-defcon@containersecurityctf.com
- We’ll give you the IP address of one of your target cluster’s nodes, as well as the "cheat sheet" that you can use (if you want) to learn from the past CTF scenario.
- You will enter the cluster by using a remote code execution vulnerability in an application exposed to the Internet.
- Your team will have exclusive access to your cluster; other teams will have different clusters than yours.
- You won’t be able to reach your cluster until the CTF begins.
- After 12pm pacific on Friday, we will give all teams’ IP addresses access to their Kubernetes clusters. You’ll then be free to start hunting for your first flag!
- We will be available in the #ce-kubernetes-ctf-text channel in the DEFCON Discord to help with any technical issues.
- Try to get as far as you can! :)
Scenario 2: Competitive CTF
On Saturday, we have a timed competition from 10:30a-5:30pm on a new scenario.
Each team/individual is given Kubernetes API access to a single Kubernetes cluster that contains a set of parallel challenges. The team can capture flags and win points as they progress. No portscanning will be necessary this year - you will receive a kubeconfig file for each challenge.
Flags start out all worth the same value. They will reduce value (in points) as they are solved by more teams.
There is one scenario (and flag) that will be given only to teams that get all other flags. This scenario involves a zero day vulnerability and may not be disclosed in write-ups until January 1, 2025.
A scoreboard tracks the teams’ current and final scores. In the event of a tie, the first team to achieve the score wins that tie. This is open to only 30 teams and only from Saturday 10:30am - 5:30pm Pacific.
How to Register
- Note: Feel free to register after the competition begins. We will be running registration until 5pm each day.
- Send an email to register-defcon@containersecurityctf.com
- We’ll reply with an access code which you’ll use to sign up for our CTFd server.
- You will submit all your flags to the CTFd server.
- We’ll also give you the IP address of one of your target cluster’s nodes.
- You will enter the cluster by finding a remote code execution vulnerability in an application exposed to the Internet.
- Your team will have exclusive access to your cluster; other teams will have different clusters than yours.
- You won’t be able to reach your cluster until the CTF begins.
- After 10am pacific on Saturday, we will give all teams’ IP addresses access to their Kubernetes clusters. You’ll then be free to start hunting for your first flag!
- We will be available in the #ce-kubernetes-ctf-text channel in the DEFCON Discord to help with any technical issues.
- Try to get as far as you can! :)
Links