competition-kernel-container-escape
GitHub用于CTF沙箱环境中分析容器逃逸路径的技能。在沙箱编排器建立假设后,映射内核与隔离边界,验证漏洞原语及跨边界证据,复现从容器到宿主的最小化逃逸链,区分内核缺陷或配置错误导致的权限提升。
Trigger Scenarios
Install
npx skills add zhaoxuya520/reverse-skill --skill competition-kernel-container-escape -g -y
SKILL.md
Frontmatter
{
"name": "competition-kernel-container-escape",
"description": "Internal downstream skill for ctf-sandbox-orchestrator. CTF-sandbox workflow for kernel attack surface, namespace and cgroup boundaries, container isolation assumptions, syscall paths, and escape primitive verification. Use when the user asks to analyze container-to-host escape paths, kernel exploit prerequisites, namespace crossover, capability misuse, or prove whether an exploit primitive crosses the sandbox boundary. Use only after `$ctf-sandbox-orchestrator` has already established sandbox assumptions and routed here."
}
Competition Kernel Container Escape
Use this skill only as a downstream specialization after $ctf-sandbox-orchestrator is already active and has established sandbox assumptions, node ownership, and evidence priorities. If that has not happened yet, return to $ctf-sandbox-orchestrator first.
Use this skill when the decisive step is proving a boundary crossing between containerized context and host or higher-privilege kernel context.
Reply in Simplified Chinese unless the user explicitly requests English.
Quick Start
- Map runtime isolation first: namespaces, cgroups, seccomp, capabilities, LSM, and mount boundaries.
- Separate exploit prerequisite, primitive, and boundary-crossing proof.
- Record kernel version, config hints, runtime options, and reachable syscall surface.
- Keep instrumented observations separate from pristine challenge path.
- Reproduce one minimal primitive-to-boundary-crossing chain.
Workflow
1. Map Isolation And Kernel Surface
- Record namespace map, cgroup mode, capabilities, seccomp profile, AppArmor or SELinux state, mounted filesystems, and runtime sockets.
- Note kernel version, distro build hints, module exposure, and container runtime behavior.
- Keep host and container observations linked to exact node and context.
2. Prove Exploit Primitive And Crossover
- Show controllable input, trigger condition, affected object, and observable kernel or runtime state change.
- Capture before and after identity, namespace, mount, or process visibility to prove boundary crossing.
- Distinguish crash-only behavior from stable capability gain.
3. Reduce To Decisive Escape Chain
- Compress to: prerequisite state -> primitive trigger -> boundary crossing evidence -> resulting host-level capability.
- State whether root cause is kernel vulnerability, runtime misconfiguration, capability overgrant, or namespace leak.
- If path relies mostly on credential replay after initial foothold, hand off to Linux credential pivot skill.
Read This Reference
- Load
references/kernel-container-escape.mdfor isolation checklist, primitive checklist, and parity guidance.
What To Preserve
- Kernel and runtime context, capability set, seccomp or LSM state, and namespace map
- Primitive trigger data, boundary crossing evidence, and resulting capability
- One minimal reproducible chain from container context to host-relevant effect
Version History
- 1bec1f2 Current 2026-07-05 18:45


