August 18-19th

eBPF
Summit 2021

Capture The Flag

Welcome to the first-ever eBPF-themed Capture the Flag (CTF) event. The CTF is open to everyone, please see below how to participate. The CTF will feature 3 stages which can be solved separately, each stage will be unlocked and open to solving 24h before the respective live solving session hosted at the eBPF Summit & the eCHO live-stream.

Moderator & Commentator: The awesome Tabitha Sable

How to Participate

  • 1Register for the eBPF Summit 2021.
  • 2Visit this site 24h before the live solving sessions for information on how to access each individual stage.
  • 3Join the eBPF Summit and eCHO live-stream to attend the entertaining CTF live solving sessions moderated and commentated by Tabitha Sable.

Live Solving Sessions

Stage 1

Aug 18, 10:50am PT, 19:50 CET eBPF Capture the Flag (CTF) #1

Stage 2

Aug 19, 10:55am PT, 19:55 CET eBPF Capture the Flag (CTF) #2

Stage 3

Aug 20, 7am PT, 15:00 CET eCHO Live Stream
All solving sessions will be recorded and made available after the event.

Instructions

Stage 1

The Story So Far

You have a bad feeling about this.

You, Jephen’Tsa, have always kept away from politics, and you live a quiet life on the planet Berpaffyl, in the Kloudna system. You’re a beekeeper, and extracting honey from the giant bees living on the planet does not leave you much time to think about conflicts raging at the other end of the quadrant.

But politics caught up with you. The Empire has taken an interest in the planet, imposed a blockade, and seized various assets, including your hives. Your dear, cherished hives and bees, now aboard a Star Destroyer! They said you’d get them back. Of course, they would. But the bureaucrats from the Empire are not renowned for keeping their word, and you don’t believe them. There must be something you can do?

From a friend of a friend, a Mon Calamari going under the name Blue Hex that you met on a speedbike ride, you have heard that a moon in a neighbor system might be hosting more friends—the Rebel Alliance. After a few days of reflection you contact her again to ask if she knows how to pass the blockade to reach them. There is a way, she says, to bypass the jamming signals and eavesdrop the passphrase required for passing the checkpoint. You board the Yellow Stripe, your small aircraft, you take off and you head towards the imperial cruisers…

Prerequisites

This challenge requires Docker and a recent Linux kernel with eBPF and WireGuard support enabled (5.6+, although Ubuntu 20.04 with kernel 5.4 and backported Wireguard support is known to work).

We recommend running it with Fedora CoreOS on an always free e2-micro instance on Google Cloud:

VM_NAME=ebpf-summit-ctf1

# Create VM
gcloud compute instances create $VM_NAME \
    --machine-type=e2-micro \
    --zone=us-central1-a \
    --image-project=fedora-coreos-cloud \
    --image-family=fedora-coreos-stable

# Fix docker permissions
gcloud compute ssh --zone=us-central1-a core@$VM_NAME -- sudo setfacl --modify user:core:rw /var/run/docker.sock

# Log in
gcloud compute ssh --zone=us-central1-a core@$VM_NAME

# Delete VM (when done)
gcloud compute instances delete --zone=us-central1-a $VM_NAME

Task

Your objective is to receive a secret from a UDP server. The server is running in the berpaffyl network namespace and is accessible via a WireGuard tunnel with the 100.202.1.1 IP address.

To send a request to that IP, you can use echo | netcat -u 100.202.1.1 1138.

Unfortunately, a jamming signal was installed. You can see it with iptables-save -c. You are not allowed to remove it but you are allowed to bypass it.

Your ally mentioned the existence of a /bpf directory, which you might find useful.

The CTF challenge itself needs to run as a privileged container. Start the challenge as follows:

sudo docker run --privileged --name ctf-1 --rm --tty --interactive "quay.io/isovalent/ebpf-summit-2021-ctf-challenge-1"

To create a new terminal:

sudo docker exec -ti ctf-1 /bin/bash

Rules

  1. Do not add or remove any iptables rules. The goal of the challenge is to solve it using eBPF only.

Good luck!

Hints

A mysterious entity has reached out on your Holocomm while you were flying towards the imperial ships. There are three hints available to help you evade the blockade if you feel stuck, they said. But beware! Each clue you read may bring you a little bit closer to the Dark Side! (The hints are ordered, start with number 1.)

Stage 2

The Story So Far

It was a trap!

After the Empire invaded your home planet and stole your hives, you, Jephen’Tsa, joined the Rebel Alliance and helped them retrieve secret information about the Death Star… Or so you thought. Blue Hex, your former ally, has turned coat! She never went to the Death Star. While she had you believe you hacked into the Death Star controls, she just stole data from a smaller ship for her own account, and secretly implanted a tracer for your communications. Now the Empire has found your base, and made you a prisoner!

Some Rebels managed to flee, but you have been taken aboard the Grim Hornet, a Star Destroyer, the Empire’s flagship now controlling the whole solar system. On the way to your cell, you soon manage to escape from your escort of stormtroopers. Ha! That’s what happens when they take you on the same ship as your bees and don’t bother confiscating your remote control for the hives’ hatches. After a few epic moments involving laser shots, multiple stings, various explosions, and even a lightsaber duel—the Force is strong with you—you reach the control room of the ship.

You now have a unique chance to reverse the situation. You are logged in into the system, and you know that there is a passphrase to temporarily deactivate the whole fleet. The remaining Rebels are outside, only waiting for a chance to neutralize the imperial ships. But will you manage to lift the measures protecting that secret? The destiny of your planet is in your hands. May the Force be with you!

Prerequisites

This challenge requires Docker and a recent Linux kernel with BTF support. We recommend running it with ContainerOS M93 on an always free e2-micro instance on Google Cloud:

VM_NAME=ebpf-summit-ctf3

# Create VM
gcloud compute instances create $VM_NAME \
    --machine-type=e2-micro \
    --zone=us-central1-a \
    --image-project=cos-cloud \
    --image-family=cos-dev

# Log in
gcloud compute ssh --zone=us-central1-a $VM_NAME

# Delete VM (when done)
gcloud compute instances delete --zone=us-central1-a $VM_NAME

Task

The CTF challenge itself needs to run as a privileged container. Start the challenge as follows:

sudo docker run --privileged --name ctf-3 --rm --tty --interactive "quay.io/isovalent/ebpf-summit-2021-ctf-challenge-3"

Your objective is to receive a secret from a TCP server. The server must be accessed via the loopback device (i.e. localhost) and is listening on port 1977. Try to access it (from inside the CTF container) as follows:

curl localhost:1977

As you will notice, there are some security measures in place which will prevent you from accessing this server. Your task is to disable these security measures so that the above curl command can succeed.

Good luck!

Stage 3

The Story So Far

You are Jephen’Tsa, former beekeeper, and active member of the Rebel Alliance now that the Empire has invaded your home planet. You only joined recently, but the Alliance is, well, pretty much understaffed, and given your recent achievements to escape a blockade, you already got a top-priority assignment. Blue Hex, a fellow member, has stolen a terminal from a stormtrooper. She’s confident that, with the help of a new imperial tool, it could give you access to the management systems of the Death Star, no less!

While you study the stolen terminal in the base, Blue Hex takes her X-wing and flies towards the gigantic station somewhere in the Inner Rim, relying on you to lift the restrictions so she can infiltrate the system. Do your best!

Task

Your friend x-wing needs to connect to the Death Star's management system (death-star), but communications seem to be blocked. There may be some sort of eBPF-based firewall in place. Luckily you were able to get access to a stormtrooper's unmonitored terminal (stormtrooper) and will hopefully be able to open a breach in the firewall to allow communications to flow.

Prerequisites

Mandatory Preparation Steps

minikube start --network-plugin=cni
cilium install
cilium hubble enable
minikube kubectl -- create ns inner-rim
minikube kubectl -- apply -n inner-rim -f https://isogo.to/ctf2-yaml

Rules

  1. Everything that you are able to do within the pod stormtrooper-XXXXXX-yyyyy is allowed. The instructions on how to enter this pod are provided below, in the Start section.
  2. You can open editor.cilium.io, a brand new technology deployed by the Empire, and interact with it freely and copy/paste from there into the stormtrooper-XXXXXX-yyyyy pod.
  3. Everything else is forbidden.

Start

When you are ready to start, run

minikube kubectl -- exec -n inner-rim -ti deployment/stormtrooper -- bash

Good luck!

eBPF Summit 2021 Registration

The event is fully virtual and free to attend. By signing up, you'll receive information on how to participate, ahead of the event.

Register