competition-kernel-container-escape

Competition Kernel Container Escape

Use this skill only as a downstream specialization after $ctf-sandbox-orchestrator is already active and has established sandbox assumptions, node ownership, and evidence priorities. If that has not happened yet, return to $ctf-sandbox-orchestrator first.
Use this skill when the decisive step is proving a boundary crossing between the containerized context and the host or a higher-privilege kernel context.
Reply in Simplified Chinese unless the user explicitly requests English.

Quick Start

  1. Map runtime isolation first: namespaces, cgroups, seccomp, capabilities, LSM, and mount boundaries.
  2. Separate exploit prerequisite, primitive, and boundary-crossing proof.
  3. Record kernel version, config hints, runtime options, and reachable syscall surface.
  4. Keep instrumented observations separate from the pristine challenge path.
  5. Reproduce one minimal primitive-to-boundary-crossing chain.

Workflow

1. Map Isolation And Kernel Surface

  • Record namespace map, cgroup mode, capabilities, seccomp profile, AppArmor or SELinux state, mounted filesystems, and runtime sockets.
  • Note kernel version, distro build hints, module exposure, and container runtime behavior.
  • Keep host and container observations linked to the exact node and context they came from.

2. Prove Exploit Primitive And Crossover

  • Show controllable input, trigger condition, affected object, and observable kernel or runtime state change.
  • Capture before-and-after identity, namespace, mount, or process visibility to prove the boundary crossing.
  • Distinguish crash-only behavior from a stable capability gain.
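
A recorder for the isolation and capability fields that steps 1 and 2 ask for, added here as an example (not part of the skill or its references): it decodes the CapEff/CapBnd masks from /proc/<pid>/status, reports capabilities beyond the Docker default set as the overgrant case step 3 names, and diffs two snapshots so the before/after evidence is explicit. It assumes a Linux /proc layout and POSIX sh with awk; the capability numbers are those of linux/capability.h.

```shell
#!/bin/sh
# Added example for the kernel-container-escape skill, not its own code. Reads
# only /proc/<pid>/status-style text; inputs in comments below are constructed.
# Names from linux/capability.h for the bits this example reports on.
cap_name() {
  case "$1" in
    0) echo CAP_CHOWN ;;      1) echo CAP_DAC_OVERRIDE ;;  2) echo CAP_DAC_READ_SEARCH ;;
    3) echo CAP_FOWNER ;;     4) echo CAP_FSETID ;;        5) echo CAP_KILL ;;
    6) echo CAP_SETGID ;;     7) echo CAP_SETUID ;;        8) echo CAP_SETPCAP ;;
    10) echo CAP_NET_BIND_SERVICE ;; 12) echo CAP_NET_ADMIN ;; 13) echo CAP_NET_RAW ;;
    16) echo CAP_SYS_MODULE ;; 17) echo CAP_SYS_RAWIO ;;   18) echo CAP_SYS_CHROOT ;;
    19) echo CAP_SYS_PTRACE ;; 21) echo CAP_SYS_ADMIN ;;   27) echo CAP_MKNOD ;;
    29) echo CAP_AUDIT_WRITE ;; 31) echo CAP_SETFCAP ;;    39) echo CAP_BPF ;;
    *) echo "CAP_$1" ;;
  esac
}
# Expand a hex mask as printed after CapEff:/CapBnd: into one name per line.
cap_names() {
  mask=$(( 0x$1 )); i=0
  while [ "$i" -le 40 ]; do
    if [ $(( (mask >> i) & 1 )) -eq 1 ]; then cap_name "$i"; fi
    i=$(( i + 1 ))
  done
}
# Capabilities in the mask but outside Docker's default set (0x00000000a80425fb):
# a non-empty result is the "capability overgrant" root cause named in step 3.
cap_overgrant() {
  extra=$(( 0x$1 & ~0x00000000a80425fb ))
  cap_names "$(printf '%016x' "$extra")"
}
# Fields to record from a status file; Seccomp is 0 disabled, 1 strict, 2 filter.
status_summary() {
  awk '/^(CapEff|CapBnd|Seccomp|NoNewPrivs):/ { sub(":", "", $1); print $1 "=" $2 }' "$1"
}
# Live snapshot of the namespace map (ns inode per type) plus the fields above.
isolation_snapshot() {
  pid="${1:-self}"
  for ns in cgroup ipc mnt net pid user uts; do
    printf 'ns.%s=%s\n' "$ns" "$(readlink "/proc/$pid/ns/$ns" 2>/dev/null || echo unavailable)"
  done
  status_summary "/proc/$pid/status" 2>/dev/null
}
# Keys whose value differs between two key=value snapshots: the before/after
# namespace, capability or seccomp change that step 2 wants captured.
snapshot_diff() {
  awk -F= 'NR==FNR { before[$1]=$2; next }
           ($1 in before) && before[$1] != $2 { print $1 ": " before[$1] " -> " $2 }' "$1" "$2"
}
```

Run `isolation_snapshot > before.snap` in the pristine context and again after the suspected crossing, then `snapshot_diff before.snap after.snap`; a changed ns.mnt or ns.pid inode, or a CapEff that gains bits, is the evidence line for the chain.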

3. Reduce To Decisive Escape Chain

  • Compress to: prerequisite state -> primitive trigger -> boundary crossing evidence -> resulting host-level capability.
  • State whether the root cause is a kernel vulnerability, a runtime misconfiguration, a capability overgrant, or a namespace leak.
  • If the path relies mostly on credential replay after the initial foothold, hand off to the Linux credential pivot skill.

Read This Reference

  • Load references/kernel-container-escape.md for the isolation checklist, primitive checklist, and parity guidance.

What To Preserve

  • Kernel and runtime context, capability set, seccomp or LSM state, and namespace map
  • Primitive trigger data, boundary crossing evidence, and resulting capability
  • One minimal reproducible chain from container context to host-relevant effect