Play the 2023 CNCF CTF Scenarios with the Revamped Simulator

By Kevin Ward

Over the past year we’ve had a lot of interest and participation in the Capture the Flag (CTF) events at KubeCon + CloudNativeCon. We’ve worked hard to bring the community interesting and challenging scenarios which test participants’ knowledge of Kubernetes, containers and CI/CD infrastructure. We are excited to announce that we are releasing the scenarios from the 2023 CNCF CTF events for everyone to play! In this blog post, we’ll walk you through the revamped simulator and how to get started with the CTF scenarios.

Revamped Simulator

It has been a while since significant updates have been pushed to simulator, but as part of releasing the 2023 CNCF CTF scenarios we have rearchitected the design to improve the user experience and make it easier to pick up and play. Essentially, simulator is now a single binary that runs locally to set up and configure an environment for you to play in; the only prerequisites are Docker and an AWS account.

Getting Started

Downloading and Validating the Simulator Binary

To get started, first download the latest release and choose the binary for your operating system. Once downloaded, as always, validate the checksum to ensure the integrity of the binary.

$ sha256sum simulator_v2.0.0_linux_amd64.tar.gz
224e07556f749302283c33b43e14d80058ebc82cb36adeb9ddc6accc320e6928  simulator_v2.0.0_linux_amd64.tar.gz

$ grep -w "simulator_v2.0.0_linux_amd64.tar.gz" ~/Downloads/checksums.txt
224e07556f749302283c33b43e14d80058ebc82cb36adeb9ddc6accc320e6928  simulator_v2.0.0_linux_amd64.tar.gz
5a60e19e6dc84145eb2d270b547830826b42f52bb22f213dfec33634bafabdda  simulator_v2.0.0_linux_amd64.tar.gz.sbom

There is an SBOM included if you want to review the dependencies of the binary. Note that grep -w also prints the .sbom entry, because the dot after the archive name counts as a word boundary; compare your sha256sum output against the line for the archive itself.

Unpack the binary based on the operating system you are using. In this instance we are using Linux, so we will unpack the binary with tar.

$ tar xvf simulator_v2.0.0-alpha1_linux_amd64.tar.gz
LICENSE
simulator
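The checks above can be wrapped so that the archive is only ever unpacked after its SHA-256 matches the published entry for that exact file name. This is an added example, not code from the simulator project; the function names and the file paths in the usage comment are this example's own.

```shell
#!/bin/sh
# Added example (not from the simulator project): check a downloaded release
# archive against the published checksums file, and only unpack it when the
# SHA-256 matches. File names are placeholders passed in by the caller.

# verify_release_checksum <archive> <checksums-file>
# Exit status: 0 match, 1 mismatch, 2 no entry for that file name.
verify_release_checksum() {
  archive="$1"
  checksums="$2"
  name=$(basename "$archive")
  # Select the exact file name in column 2. A plain `grep -w name` also
  # matches "name.sbom", because "." counts as a word boundary.
  expected=$(awk -v f="$name" '$2 == f { print $1; exit }' "$checksums")
  if [ -z "$expected" ]; then
    echo "no checksum entry for $name in $checksums" >&2
    return 2
  fi
  actual=$(sha256sum "$archive" | awk '{ print $1 }')
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $name" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
  fi
  return 0
}

# verify_and_unpack <archive> <checksums-file> <dest-dir>
# Unpacks the archive into <dest-dir> only after the checksum check passes,
# so a tampered or truncated download is never extracted.
verify_and_unpack() {
  verify_release_checksum "$1" "$2" || return $?
  mkdir -p "$3" && tar xf "$1" -C "$3"
}

# Usage (paths are examples):
#   verify_and_unpack ~/Downloads/simulator_v2.0.0_linux_amd64.tar.gz \
#       ~/Downloads/checksums.txt ~/bin/simulator-release
```

The exact-name match matters because the checksums file carries one entry per artifact: matching on a prefix could compare the archive against the SBOM's hash and report a false mismatch, or worse, be adapted to accept the wrong entry.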

Installing the Prerequisites

Next, we’ll need to configure the prerequisites for the simulator. If you do not have Docker installed, follow the Docker installation instructions. Once Docker is installed, configure your AWS credentials. Simulator requires an IAM role with specific permissions in order to set up the necessary resources in AWS, and it supports environment variables or a shared credentials file for authentication.

With the AWS role assumed, we can start using simulator. You can see the options for simulator by using the --help flag.

$ simulator --help
Simulator CLI

Usage:
  simulator [command]

Available Commands:
  ami         Manage the Simulator AMIs
  bucket      Manage the bucket used to store the Terraform state
  completion  Generate the autocompletion script for the specified shell
  config      Configure the Simulator CLI
  container   Manage Simulator Container images
  help        Help about any command
  infra       Manage the Simulator infrastructure
  scenario    Manage the simulator scenarios
  version     Display the version information

Flags:
  -h, --help               help for simulator
      --log-level string   Log level (error, warn, info, debug) (default "error")

Use "simulator [command] --help" for more information about a command.

The first step to using simulator is to configure the S3 bucket where the Terraform state will be stored. This can be achieved by running the following command.

$ simulator config --bucket <name>

Next, we’ll create the bucket in AWS, pull the simulator container image (used for configuration of infrastructure and scenarios) and create the two AMIs required for the Kubernetes nodes in your AWS account.

$ simulator bucket create
$ simulator container pull
{"status":"Pulling from controlplane/simulator","id":"latest"}
{"status":"Pulling fs layer","progressDetail":{},"id":"767829bcf202"}
...
{"status":"Pull complete","progressDetail":{},"id":"5fd5bd115d6c"}
{"status":"Digest: sha256:900c0b6b2cd75351ce252861bad3ce0c006282ff33391f7f60c39ec19b41d44a"}
{"status":"Status: Downloaded newer image for controlplane/simulator:latest"}
$ for i in bastion k8s; do simulator ami build $i; done
Installed plugin github.com/hashicorp/amazon v1.2.9 in "/root/.config/packer/plugins/github.com/hashicorp/amazon/packer-plugin-amazon_v1.2.9_x5.0_linux_amd64"
simulator-bastion.amazon-ebs.ubuntu: output will be in this color.

==> simulator-bastion.amazon-ebs.ubuntu: Prevalidating any provided VPC information
==> simulator-bastion.amazon-ebs.ubuntu: Prevalidating AMI Name: simulator-bastion-1.28-20240104145119
    simulator-bastion.amazon-ebs.ubuntu: Found Image ID: ami-0c12758cca12762cd
==> simulator-bastion.amazon-ebs.ubuntu: Creating temporary keypair: packer_6596c5e7-98ef-470c-57ac-377aa783e77e
==> simulator-bastion.amazon-ebs.ubuntu: Creating temporary security group for this instance: packer_6596c5e9-cb93-775e-e794-2e4bcbcb7884
==> simulator-bastion.amazon-ebs.ubuntu: Authorizing access to port 22 from [0.0.0.0/0] in the temporary security groups...
==> simulator-bastion.amazon-ebs.ubuntu: Launching a source AWS instance...
...
==> simulator-k8s.amazon-ebs.ubuntu: Deleting temporary security group...
==> simulator-k8s.amazon-ebs.ubuntu: Deleting temporary keypair...
Build 'simulator-k8s.amazon-ebs.ubuntu' finished after 4 minutes 23 seconds.

==> Wait completed after 4 minutes 23 seconds

==> Builds finished. The artifacts of successful builds are:
--> simulator-k8s.amazon-ebs.ubuntu: AMIs were created:
eu-west-2: ami-02e594da8a989cbe6

The AMI build process can take a while to complete, so grab your preferred beverage and come back in approximately 10 minutes.

Creating Simulator Infrastructure and Installing Scenarios

We are all set to configure the simulator infrastructure (Kubernetes cluster and supporting hosts) which can be done with the following command:

$ simulator infra create

Initializing the backend...

Successfully configured the backend "s3"! Terraform will automatically
use this backend unless the backend configuration changes.
Initializing modules...
...
null_resource.kubeadm_init (local-exec): bastion                    : ok=3    changed=3    unreachable=0    failed=0    skipped=4    rescued=0    ignored=0
null_resource.kubeadm_init (local-exec): internal-1                 : ok=0    changed=0    unreachable=0    failed=0    skipped=6    rescued=0    ignored=0
null_resource.kubeadm_init (local-exec): master-1                   : ok=3    changed=3    unreachable=0    failed=0    skipped=3    rescued=0    ignored=0
null_resource.kubeadm_init (local-exec): node-1                     : ok=1    changed=1    unreachable=0    failed=0    skipped=5    rescued=0    ignored=0
null_resource.kubeadm_init (local-exec): node-2                     : ok=1    changed=1    unreachable=0    failed=0    skipped=5    rescued=0    ignored=0

null_resource.kubeadm_init: Creation complete after 39s [id=4643718659268881557]

Apply complete! Resources: 37 added, 0 changed, 0 destroyed.

Excellent, we can now configure simulator with a scenario.

$ simulator scenario install commandeer-container

PLAY [Commandeer Container] ****************************************************

TASK [Gathering Facts] *********************************************************
ok: [bastion]

TASK [Install calico network] **************************************************

TASK [cluster-network : Download calico manifests] *****************************
changed: [bastion]
...
PLAY RECAP *********************************************************************
bastion                    : ok=8    changed=6    unreachable=0    failed=0    skipped=2    rescued=0    ignored=0

Playing the Scenario and Tear Down

Once the scenario installation is completed, a player bundle is created allowing you to SSH into the starting point. Depending on your operating system or configuration, it will be in either $HOME/.simulator/player or $SIMULATOR_DIR/player.

If you want to know where the configuration is stored, you can use the --print-dir flag with the config command.

$ simulator config --print-dir
/home/simulator-demo/.config/simulator

You can SSH into the starting point via the following command:

$ ssh -F simulator_config bastion
                            _.--.
                        _.-'_:-'||
                    _.-'_.-::::'||
               _.-:'_.-::::::'  ||
             .'`-.-:::::::'     ||
            /.'`;|:::::::'      ||_
           ||   ||::::::'     _.;._'-._
           ||   ||:::::'  _.-!oo @.!-._'-.
           \'.  ||:::::.-!()oo @!()@.-'_.|
            '.'-;|:.-'.&$@.& ()$%-'o.'\U||
              `>'-.!@%()@'@_%-'_.-o _.|'||
               ||-._'-.@.-'_.-' _.-o  |'||
               ||=[ '-._.-\U/.-'    o |'||
               || '-.]=|| |'|      o  |'||
               ||      || |'|        _| ';
               ||      || |'|    _.-'_.-'
               |'-._   || |'|_.-'_.-'
                '-._'-.|| |' `_.-'
                    '-.||_/.-'

Welcome to Captain Hλ$ħ𝔍Ⱥ¢k's Booty Camp!

There is treasure to be had to those who can smuggle aboard and find the map.

It's time to show Dread Pirate what you've learnt about Kubernetes.
#

Now the fun begins! You can start exploring the environment and solving the challenges.

If you get stuck, there are walkthroughs available for each scenario, but we highly encourage you to try and solve it by yourself first.

Once you are finished be sure to clean up your environment to prevent any unnecessary charges.

$ simulator infra destroy

Initializing the backend...

Successfully configured the backend "s3"! Terraform will automatically
use this backend unless the backend configuration changes.
...
module.network.aws_vpc.network: Destroying... [id=vpc-0af5015bffabc4ff6]
module.network.aws_vpc.network: Destruction complete after 1s

Apply complete! Resources: 0 added, 0 changed, 37 destroyed.

If you no longer want to play any further scenarios, remember to remove the AMIs and the bucket to reduce your AWS bill.
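Putting the commands from this section together, here is an added wrapper script (not part of the simulator project) that runs the one-time bootstrap and then a scenario session in which simulator infra destroy always runs after the session command, even when infrastructure creation or scenario installation fails, so a forgotten cluster does not keep billing. The SIMULATOR variable, the function names and the list of scenario ids (taken from the table later in this post) are this example's own assumptions; it does not remove AMIs or the bucket, since the post does not show those commands.

```shell
#!/bin/sh
# Added example (not part of the simulator project): orchestrate the commands
# shown in the post and guarantee tear-down. SIMULATOR is an assumed variable
# naming the simulator binary (defaults to one on PATH).
SIMULATOR="${SIMULATOR:-simulator}"

# Scenario ids listed on this page; used to reject typos before any AWS call.
KNOWN_SCENARIOS="seven-seas commandeer-container ci-runner-ng-breakout
pss-misconfiguration build-a-backdoor cease-and-desist
devious-developer-data-dump identity-theft coastline-cluster-attack"

is_known_scenario() {
  for s in $KNOWN_SCENARIOS; do
    [ "$s" = "$1" ] && return 0
  done
  return 1
}

# simulator_bootstrap <state-bucket-name>
# One-time setup: Terraform state bucket, helper image and the two AMIs.
simulator_bootstrap() {
  bucket="$1"
  "$SIMULATOR" config --bucket "$bucket" &&
  "$SIMULATOR" bucket create &&
  "$SIMULATOR" container pull &&
  for i in bastion k8s; do
    "$SIMULATOR" ami build "$i" || return 1
  done
}

# simulator_session <scenario-id> [command...]
# Creates the infrastructure, installs the scenario, runs <command> (for
# example the ssh command from the player bundle), then always runs
# `infra destroy`. Returns 2 for an unknown scenario id, otherwise the
# status of the create/install/command phase (1 if destroy itself fails).
simulator_session() {
  scenario="$1"
  shift
  if ! is_known_scenario "$scenario"; then
    echo "unknown scenario id: $scenario" >&2
    return 2
  fi
  # Default session command: wait for the player to press Enter.
  [ $# -gt 0 ] || set -- sh -c 'printf "Scenario ready; press Enter to tear down: "; read _'
  rc=0
  "$SIMULATOR" infra create &&
  "$SIMULATOR" scenario install "$scenario" &&
  "$@" || rc=$?
  # Tear-down runs whether or not the steps above succeeded.
  if ! "$SIMULATOR" infra destroy; then
    echo "infra destroy failed; resources may still be running" >&2
    return 1
  fi
  return "$rc"
}

# Usage (bucket name is a placeholder; run the ssh command from the player
# bundle directory described in the post):
#   simulator_bootstrap my-simulator-state-bucket
#   simulator_session commandeer-container ssh -F simulator_config bastion
```

The session function deliberately does not use a shell trap: an explicit destroy after the session command keeps the exit status of the failing step visible to the caller, which is what you want when scripting this in CI or a lab harness.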

2023 CNCF Scenarios

So what scenarios can I play?

Well, we have included the 9 scenarios used at CloudNativeSecurityCon North America (Seattle, Washington), KubeCon + CloudNativeCon Europe (Amsterdam, The Netherlands) and KubeCon + CloudNativeCon North America (Chicago, Illinois) in 2023.

The list of scenarios is:

Seven Seas (scenario ID: seven-seas)
  Description: Sail the Seven Seas, find all the missing map pieces and plunder the Royal Fortune
  Learning objective: Kubernetes Fundamentals, Container Enumeration and Exploitation
  Technology used: Kubernetes Secrets, Container Images, Pod Security Standards, Network Policy, Pod Logs, Service Accounts and RBAC, Sidecar Containers
  Difficulty: Easy
  Number of flags: 2

Commandeer Container (scenario ID: commandeer-container)
  Description: Use Kubernetes to smuggle aboard and find the hidden treasure
  Learning objective: Accessing containers without kubectl exec
  Technology used: Kubernetes Secrets, Container Images, Service Accounts and RBAC
  Difficulty: Easy
  Number of flags: 1

CI Runner Next-Generation Breakout (scenario ID: ci-runner-ng-breakout)
  Description: An adversary has exploited a CI runner and reached the underlying host. Can you find out how?
  Learning objective: Container breakout via containerd
  Technology used: Docker, Containerd
  Difficulty: Easy
  Number of flags: 1

PSS Misconfiguration (scenario ID: pss-misconfiguration)
  Description: In the transition away from Pod Security Policy an adversary has deployed a malicious workload which resists removal. Unravel the mystery and remove the workload from the cluster
  Learning objective: Pod Security Standards, Pod Security Admission
  Technology used: Pod Security Standards, Pod Security Admission
  Difficulty: Medium
  Number of flags: 3

Build a Backdoor (scenario ID: build-a-backdoor)
  Description: Install a backdoor onto a Kubernetes cluster for Captain Hλ$ħ𝔍Ⱥ¢k to exploit
  Learning objective: Kubernetes Ingress, Services and Network Policies
  Technology used: Kubernetes Ingress, Services, Network Policies, Kyverno
  Difficulty: Medium
  Number of flags: 2

Cease and Desist (scenario ID: cease-and-desist)
  Description: Fix the reform-kube licensing server and get production running again
  Learning objective: Cilium Network Policies
  Technology used: Kubernetes Secrets, Cilium Network Policies
  Difficulty: Medium
  Number of flags: 2

Devious Developer Data Dump (scenario ID: devious-developer-data-dump)
  Description: Exploit a public repository to access a production environment and steal sensitive data
  Learning objective: From secret discovery in a code repository to full cluster compromise
  Technology used: Gitea, GitHub Action Runners, Zot, SQL Database
  Difficulty: Complex
  Number of flags: 2

Identity Theft (scenario ID: identity-theft)
  Description: Exploit a public facing application, obtain a foothold on the cluster and access a secret store
  Learning objective: Realistic adversary behaviour and OIDC token abuse
  Technology used: custom vulnerable application (pod schema validation), Dex, Kubernetes Services, Service Accounts and RBAC
  Difficulty: Complex
  Number of flags: 2

Coastline Cluster Attack (scenario ID: coastline-cluster-attack)
  Description: Pivot across multiple systems, escalate privileges and obtain full cluster compromise
  Learning objective: Leveraging ephemeral containers for initial access, service account enumeration and privilege escalation, service account token abuse, vulnerable daemonsets
  Technology used: Ephemeral containers, Service Accounts and RBAC, Service Account Tokens, Custom “red herring” applications, Elasticsearch, Fluentbit Daemonsets
  Difficulty: Complex
  Number of flags: 3

The scenarios range from ones aimed at beginners looking to learn more about Kubernetes and container security to more advanced scenarios for those looking to test their skills. We hope you enjoy playing them as much as we enjoyed creating them.

Do you want more?

But what if you don’t want to use your own infrastructure? What if you want to try other challenging scenarios?

Well, we have you covered! ControlPlane is building a hosted version of simulator that will allow you to play current and new scenarios without having to configure your own infrastructure.

Interested? Please register at kubesim.io
