Agent Skillszhaoxuya520/reverse-skill › competition-kernel-container-escape

competition-kernel-container-escape

GitHub

用于CTF沙箱环境中分析容器逃逸路径的技能。在沙箱编排器建立假设后,映射内核与隔离边界,验证漏洞原语及跨边界证据,复现从容器到宿主的最小化逃逸链,区分内核缺陷或配置错误导致的权限提升。

CTF-Sandbox-Orchestrator/competition-kernel-container-escape/SKILL.md zhaoxuya520/reverse-skill

Trigger Scenarios

分析容器到主机的逃逸路径 验证内核攻击面与命名空间穿越 证明利用原语是否跨越沙箱边界 检查能力滥用或系统调用路径

Install

npx skills add zhaoxuya520/reverse-skill --skill competition-kernel-container-escape -g -y
More Options

Non-standard path

npx skills add https://github.com/zhaoxuya520/reverse-skill/tree/main/CTF-Sandbox-Orchestrator/competition-kernel-container-escape -g -y

Use without installing

npx skills use zhaoxuya520/reverse-skill@competition-kernel-container-escape

指定 Agent (Claude Code)

npx skills add zhaoxuya520/reverse-skill --skill competition-kernel-container-escape -a claude-code -g -y

安装 repo 全部 skill

npx skills add zhaoxuya520/reverse-skill --all -g -y

预览 repo 内 skill

npx skills add zhaoxuya520/reverse-skill --list

SKILL.md

Frontmatter
{
    "name": "competition-kernel-container-escape",
    "description": "Internal downstream skill for ctf-sandbox-orchestrator. CTF-sandbox workflow for kernel attack surface, namespace and cgroup boundaries, container isolation assumptions, syscall paths, and escape primitive verification. Use when the user asks to analyze container-to-host escape paths, kernel exploit prerequisites, namespace crossover, capability misuse, or prove whether an exploit primitive crosses the sandbox boundary. Use only after `$ctf-sandbox-orchestrator` has already established sandbox assumptions and routed here."
}

Competition Kernel Container Escape

Use this skill only as a downstream specialization after $ctf-sandbox-orchestrator is already active and has established sandbox assumptions, node ownership, and evidence priorities. If that has not happened yet, return to $ctf-sandbox-orchestrator first.

Use this skill when the decisive step is proving a boundary crossing between containerized context and host or higher-privilege kernel context.

Reply in Simplified Chinese unless the user explicitly requests English.

Quick Start

  1. Map runtime isolation first: namespaces, cgroups, seccomp, capabilities, LSM, and mount boundaries.
  2. Separate exploit prerequisite, primitive, and boundary-crossing proof.
  3. Record kernel version, config hints, runtime options, and reachable syscall surface.
  4. Keep instrumented observations separate from pristine challenge path.
  5. Reproduce one minimal primitive-to-boundary-crossing chain.

Workflow

1. Map Isolation And Kernel Surface

  • Record namespace map, cgroup mode, capabilities, seccomp profile, AppArmor or SELinux state, mounted filesystems, and runtime sockets.
  • Note kernel version, distro build hints, module exposure, and container runtime behavior.
  • Keep host and container observations linked to exact node and context.

2. Prove Exploit Primitive And Crossover

  • Show controllable input, trigger condition, affected object, and observable kernel or runtime state change.
  • Capture before and after identity, namespace, mount, or process visibility to prove boundary crossing.
  • Distinguish crash-only behavior from stable capability gain.

3. Reduce To Decisive Escape Chain

  • Compress to: prerequisite state -> primitive trigger -> boundary crossing evidence -> resulting host-level capability.
  • State whether root cause is kernel vulnerability, runtime misconfiguration, capability overgrant, or namespace leak.
  • If path relies mostly on credential replay after initial foothold, hand off to Linux credential pivot skill.

Read This Reference

  • Load references/kernel-container-escape.md for isolation checklist, primitive checklist, and parity guidance.

What To Preserve

  • Kernel and runtime context, capability set, seccomp or LSM state, and namespace map
  • Primitive trigger data, boundary crossing evidence, and resulting capability
  • One minimal reproducible chain from container context to host-relevant effect

Version History

  • 1bec1f2 Current 2026-07-05 18:45

Same Skill Collection

CTF-Sandbox-Orchestrator/competition-crypto-mobile/SKILL.md
CTF-Sandbox-Orchestrator/competition-reverse-pwn/SKILL.md
CTF-Sandbox-Orchestrator/competition-stego-media/SKILL.md
CTF-Sandbox-Orchestrator/competition-web-runtime/SKILL.md
CTF-Sandbox-Orchestrator/ctf-sandbox-orchestrator/SKILL.md
skills/apk-reverse/SKILL.md
skills/binary-diff/SKILL.md
skills/browser-automation/SKILL.md
skills/docs-generator/SKILL.md
skills/dotnet-reverse/SKILL.md
skills/firmware-pentest/SKILL.md
skills/js-reverse/SKILL.md
skills/patch-diff-exploit/SKILL.md
skills/pentest-tools/SKILL.md
skills/pentest-tools/src-hunter/SKILL.md
skills/pwn-chain/SKILL.md
skills/radare2/SKILL.md
CTF-Sandbox-Orchestrator/competition-ad-certificate-abuse/SKILL.md
CTF-Sandbox-Orchestrator/competition-agent-cloud/SKILL.md
CTF-Sandbox-Orchestrator/competition-android-hooking/SKILL.md
CTF-Sandbox-Orchestrator/competition-browser-persistence/SKILL.md
CTF-Sandbox-Orchestrator/competition-bundle-sourcemap-recovery/SKILL.md
CTF-Sandbox-Orchestrator/competition-cloud-metadata-path/SKILL.md
CTF-Sandbox-Orchestrator/competition-container-runtime/SKILL.md
CTF-Sandbox-Orchestrator/competition-custom-protocol-replay/SKILL.md
CTF-Sandbox-Orchestrator/competition-dpapi-credential-chain/SKILL.md
CTF-Sandbox-Orchestrator/competition-file-parser-chain/SKILL.md
CTF-Sandbox-Orchestrator/competition-firmware-layout/SKILL.md
CTF-Sandbox-Orchestrator/competition-forensic-timeline/SKILL.md
CTF-Sandbox-Orchestrator/competition-graphql-rpc-drift/SKILL.md
CTF-Sandbox-Orchestrator/competition-identity-windows/SKILL.md
CTF-Sandbox-Orchestrator/competition-ios-runtime/SKILL.md
CTF-Sandbox-Orchestrator/competition-jwt-claim-confusion/SKILL.md
CTF-Sandbox-Orchestrator/competition-k8s-control-plane/SKILL.md
CTF-Sandbox-Orchestrator/competition-kerberos-delegation/SKILL.md
CTF-Sandbox-Orchestrator/competition-linux-credential-pivot/SKILL.md
CTF-Sandbox-Orchestrator/competition-lsass-ticket-material/SKILL.md
CTF-Sandbox-Orchestrator/competition-mailbox-abuse/SKILL.md
CTF-Sandbox-Orchestrator/competition-malware-config/SKILL.md
CTF-Sandbox-Orchestrator/competition-oauth-oidc-chain/SKILL.md
CTF-Sandbox-Orchestrator/competition-pcap-protocol/SKILL.md
CTF-Sandbox-Orchestrator/competition-prompt-injection/SKILL.md
CTF-Sandbox-Orchestrator/competition-queue-worker-drift/SKILL.md
CTF-Sandbox-Orchestrator/competition-race-condition-state-drift/SKILL.md
CTF-Sandbox-Orchestrator/competition-relay-coercion-chain/SKILL.md
CTF-Sandbox-Orchestrator/competition-request-normalization-smuggling/SKILL.md
CTF-Sandbox-Orchestrator/competition-runtime-routing/SKILL.md
CTF-Sandbox-Orchestrator/competition-ssrf-metadata-pivot/SKILL.md
CTF-Sandbox-Orchestrator/competition-supply-chain/SKILL.md
CTF-Sandbox-Orchestrator/competition-template-render-path/SKILL.md
CTF-Sandbox-Orchestrator/competition-websocket-runtime/SKILL.md
CTF-Sandbox-Orchestrator/competition-windows-pivot/SKILL.md
skills/diagram-generator/SKILL.md
skills/edr-bypass-re/SKILL.md
skills/ida-reverse/SKILL.md
skills/reverse-engineering/SKILL.md

Metadata

Files
0
Version
1bec1f2
Hash
c6e840b0
Indexed
2026-07-05 18:45

trang chủ - Wiki
Copyright © 2011-2026 iteam. Current version is 2.155.2. UTC+08:00, 2026-07-08 23:50
浙ICP备14020137号-1 $bản đồ khách truy cập$