Hall of Fame

KOTH oracle token leak via /proc/environ

Once any operator reaches uid 0 in the arena (takes crown), cat /proc/*/environ on the daemon processes leaked KOTH_ORACLE_TOKEN. With that token an attacker could POST fake crown_taken / dos_violation events from anywhere, including auto-banning other players via the watchdog flow. Fixed by sidecar refactor (daemons + token moved out of arena) + token rotation.

Ghost — root privesc via su (pam_unix.nullok empty-pw bypass)

Reported that su - from any ghost user (ghost0..ghost22) on the shared breachlab-ghost container yielded a root shell. Root cause: Ubuntu 22.04 base image ships pam_unix.so with the nullok flag in /etc/pam.d/common-auth, and pam_unix on this version accepts an empty password against a *-locked root shadow entry. Reproduces in fresh ubuntu:22.04 in isolation. Container-wide root primitive — full compromise of all 23 ghost levels with one bypass. Fix: set root to a random yescrypt hash so pam_unix.nullok no longer matches the * shadow + nologin shell. Deployed to prod 2026-04-30 ~14:50.

CVE-2026-31431 (Copy Fail) — kernel LPE in shared host kernel

Reported the just-disclosed AF_ALG + splice() page-cache write LPE (CVE-2026-31431, copy.fail) gave root inside any container sharing the host kernel. Demonstrated PoC on Phantom as phantom9, did not use to advance, DM'd the team within minutes of CVE drop. Whitehat conduct.

CVE-2026-31431 (Copy Fail) — independent confirmation on Ghost

Independently confirmed the same kernel LPE exploitable on Ghost as ghost7 (root shell out). Reported in #bugs without using to advance. Pair report with iiNovaCore enabled cross-track confirmation that the bug is host-kernel scope, not container-specific.

SUID-verify priv-esc via /etc/ld.so.preload + BASH_ENV

phantom13 writes ld.so.preload, triggers SUID phantom-verify which execs bash loading malicious .so as root, reads oracle-token, forges any flag. Equivalent vector via BASH_ENV/LD_PRELOAD/GLIBC_TUNABLES after setuid(0) drops AT_SECURE. Fixed: env scrub, ld.so.preload truncate-before-execve, lock non-owner phantomN, gate L13 misconfigs to deep-roots only.

canonical-flags.ts leaked all track flags in public repo

Platform public repo shipped canonical flag strings for every level across every track; any clone mapped flag to user password for chain progression.

LD_PRELOAD on curl intercepts oracle token — cross-level forge

curl argv capture via LD_PRELOAD yielded oracle bearer token. Old oracle accepted the token at any /verify/<level>, enabling skip L13 to L31.

L12 NOPASSWD:ALL universal skip vector

phantom12 had unrestricted sudo, allowing sudo cat on /root/shadow_flag, /root/clean_flag, and all later-level home dirs — effectively skipping L13 through L31. Reported responsibly instead of exploited. Narrowed to user-level persistence.

L8 ptrace_scope=1 silently inherited from host

gdb attach from phantom8 failed despite same-uid target. Root cause: entrypoint echo 0 > /proc/sys/kernel/yama/ptrace_scope silently failed because yama isn't a namespaced sysctl. Fix: daemon opts in via prctl(PR_SET_PTRACER_ANY).

Phantom /opt verify-script flag leak

Nine verifier scripts shipped with hardcoded FLAG="…" literals in 0755 bodies. cat /opt/verify-graduation.sh from phantom0 returned the full graduation flag without solving any level.

L8 cmdline world-readable flag leak

Reported that the L8 daemon carried its secret in argv (python3 -c secret=... ). /proc/<pid>/cmdline is world-readable, so ps aux -ww | grep Ptr4c3 from phantom0 returned the L8 flag and skipped levels 1-7. Became Class 1 in the auditor catalog.

L16 ops SSH keypair missed in flag rotation

Pointed out that the 2026-04-21 morning flag rotation touched chain-passwords and canonical flag values but not the gitignored internal/keys/ops_key. Anyone who exfiltrated before the rotation retained a valid login to [email protected] and could read /opt/oracle.py directly, bypassing L17-L26.

Ghost L22 graduation-gate bypass via ghost-archivist

Discovered that the SUID ghost-archivist was a relabelled cp /usr/bin/cat, turning it into an arbitrary file-read primitive. Reading the gatekeeper script itself leaked the expected-shard dictionary plus the graduation flag in cleartext — skipping the entire three-shard puzzle.

L23 container-log dict replay window

docker-socket-emulator kept its CONTAINERS dict across all requests forever. A legit L23 solver container id could be reused hours later by any phantomN via curl :2375/containers/<id>/logs to retrieve the flag, bypassing L0-L22.

L7 SUID system() drops euid, flag unreadable

Command injection in system-checker landed with uid=phantom7 not flagkeeper7 — bash detected the SUID mismatch and dropped euid. First fix attempt (setuid) was non-root-ineffective, follow-up setreuid equalised both ids. Caught the broken fix within 5 minutes of the first deploy.

Phantom L11 /opt/webapp/repo world-readable (755)

Git repo containing APP_SECRET in first-commit history was mode 755 root:root — any phantomN or flagkeeperM could cd in and git log -p to extract the secret and skip L0-L10 entirely.

Cross-level credential reuse: L16 ops key → mgmt shell → sudo cat L19 flag + L31 objective

Reported a cross-level access-control gap in the Phantom pivot chain that exposed a later level's flag

KOTH escalation-paths source world-readable

/opt/koth/escalation-paths/ was bind-mounted into arena read-only. Listing it leaked all 10 escalation slugs (including unreleased: leaked-root-creds, sudo-busybox-nopasswd, wrapper-cron-injection) — players could pre-plan around future escalations. Fixed: library moved into sidecar only.

KOTH escalation-daemon.py source readable

/opt/koth/escalation-daemon.py was bind-mounted into arena read-only. Anyone with crown could cat the full daemon: thresholds, polling intervals, escalation selection logic, oracle API call shapes — full game-prediction capability. Fixed: daemon moved into sidecar.

Cross-session listener leak — phantom0 reads L16 flag via lingering SSH tunnel on 127.0.0.1:9999

phantom mono shared-container localhost listener visible to all UIDs. Multi-level skip vector. Hot-patched 2026-05-11 with PAM session_close + active listener reaper.

V4bel/dirtyfrag Linux kernel privesc — host kernel exposure via esp4/esp6/rxrpc modules

Reported V4bel/dirtyfrag kernel privesc CVE on the BreachLab host. Verified host kernel 6.8.0-111-generic vulnerable. Cross-tested on identical-kernel KVM box (./exp succeeded → root). Confirmed Docker isolation blocks the exploit from inside ghost0 (rc=3). Found and shared the official mitigation: blacklist esp4, esp6, rxrpc kernel modules. Provided clean methodology: PoC, repro path, mitigation verification (rc=1 after module removal + reboot). Zero attempt at escalation, pure defensive disclosure. Mitigation applied + Ubuntu Pro Livepatch attached as defense-in-depth.

Specter L8 cross-session isolation breach via shared subnet

All Specter L_n ephemerals share a flat per-level /24 bridge (specter-l<N>-net), and the canonical PAM hook resolved password to player_id via oracle without checking that the container was spawned for that specific player. Demonstrated on L8 by sshing [email protected] (another player's active travel-pattern ephemeral) with own valid HMAC-derived L8 password, landing in the other player's working session. Auth correctness was preserved (per-player passwords still functional); the gap was missing container ownership enforcement. Fixed via first-auth-wins owner stamp in services/specter-pam-oracle.sh + services/specter-bootstrap-pam.sh — /etc/specter/owner (mode 400 root, chattr +i best-effort), atomically claimed under flock; subsequent auth attempts must match.

Phantom L1 — flag deletion via greedy cron sweep

Reported /home/flagkeeper1/level1_flag missing on prod. Root cause: defensive cron sweep used over-greedy filename glob level*_flag, nuking the legitimate L1 flag every minute. ~8h prod outage on Phantom L1.

Phantom L6 — leak via /var/tmp/flag6 (creative naming evades filename sweep)

Reported /var/tmp/flag6 (owned by flagkeeper6) holding L6 flag value. The filename-glob sweep cron only matched level*_flag pattern; creative renaming bypassed the defense. Prompted refactor to owner-based sweep.

Ghost L17 force-logout bypass via su --login

Reported that su --login ghost17 cleared SSH_CONNECTION env, causing the .bashrc force-logout check to short-circuit and grant an interactive shell. ghost17 flag readable without going through the intended ssh-with-command solve path. Fixed by removing SSH_CONNECTION check from .bashrc + adding /etc/profile.d/ghost17-kick.sh for non-bash login shells (su -s /bin/sh).

Shared-account passwd / chsh vandalism vector

Discovered passwd is runnable on phantom1 — on a shared-account container that is a one-shot lockout: phantomN changes the shared password and every next phantomN player is locked out until container restart. Same class for chsh / chfn / gpasswd. None of these are taught by any Phantom or Ghost level. Fixed via chmod 700 on both tracks; su/sudo/mount/umount/newgrp/at stay SUID for legit ops.

Phantom L6 non-canonical flag copy persisted 20h

Found /var/tmp/level6_flag (mode 644, owner flagkeeper6) holding the L6 flag value. A previous solver had edited cleanup.sh to cp the flag to /var/tmp/ instead of using the documented chmod path on the canonical file. cleanup.sh got reset shortly after, but the existing flag-perm reset only touches /var/lib/phantom-flags/ — the leaked copy persisted ~20h, world-readable to all phantom users. Reported instead of submitted.

Phantom L6 — persistent cleanup.sh poisoning ⇒ flag world-readable

Reported /var/lib/phantom-flags/level6_flag globally readable on prod main phantom container. Investigation found a previous L6 solver had legitimately modified /opt/maintenance/cleanup.sh (the SUID-flagkeeper6 cron job) on 2026-04-29 17:31 with an added chmod 644 flag line. Cron kept running it for 28 hours, keeping the flag world-readable for every subsequent phantom6 session — bypassing the entire L6 lesson via plain cat. Same vulnerability class as L12 persistence (PR #74) but on a different shared resource. Hot-fix: cleanup.sh restored + flag chmod 600. Persistent fix: new PAM session_close hook (PR #79) resets cleanup.sh + flag perms when the last phantom6 session disconnects.

Phantom L14 cross-instance flag-content replay

Reported that /root/shadow_flag content was a Dockerfile-baked constant identical across every L14 ephemeral. Solve once, learn the bytes, then in any future ephemeral echo the constant into /tmp/shadow_copy and verify-shadow.sh accepts it (cmp matches, history shows no LOUD reader against shadow_flag). Bypassed the entire shell-builtin-read teaching for L14. Persistent level-skip primitive affecting every L14 solver post-disclosure. Fix: per-session randomisation of /root/shadow_flag content in entrypoint.sh shadow case (32 hex from /dev/urandom appended to marker).

L21/L22/L23 oracle HMAC missing in container-escape emulators

docker-socket-emulator.py (Unix socket + TCP :2375) and leaky-vessels.c (CVE-2024-21626 simulator) shipped without the per-level HMAC Bearer token that the oracle gained in galile0 #2 hardening (2026-04-24). All three emulators returned "[oracle unreachable]" / "[oracle refused]" on legit exploits, silently breaking L21/L22/L23. Closed by PR #69 (read /root/.oracle-secret as root, compute HMAC, send Authorization header from emulators).

L28 /tmp/heist.flag persists across players on shared mgmt host

DNS exfil receiver wrote successful exfil flag to a fixed path /tmp/heist.flag on the shared mgmt container, with no cleanup. Any later ssh-as-ops session (reachable by anyone past L16 via the operator key) could `cat /tmp/heist.flag` and skip the entire L28 exfil chain. Closed by PR #71 (per-run-id flag drop /tmp/heist.<run_id>.flag with sanitised path component + 30-min TTL background reaper).

L30 su -s /bin/bash phantom30 bypasses the ephemeral redirect

phantom13/14/15/30 are ephemeral-only by design — their SSH login shell is /usr/local/bin/phantom-deep-redirect which prints "use port 2227" and exits. But `su -s /bin/bash phantom30` overrides the shell. With phantom30 password (== L29 flag), any phantomN session could land on the SHARED container phantom30 and run /opt/verify-clean-exit.sh against shared-filesystem state, graduating L30 + L31 from the shared box without ever touching the ephemeral container. Closed by PR #71 (/etc/su.deny + pam_listfile in /etc/pam.d/su) + PR #72 (SUID-root wrapper because pam_exec on su runs as invoker UID, not root).

L20 history-residue free-flag bypass

Phantom L20 (Am I Contained?) verifier greps /home/phantom20/.bash_history for six canonical container-detection patterns. With .bl-allow-history opt-in keeping the entrypoint wipe-loop off and PROMPT_COMMAND=history -a flushing each command into the file, the FIRST player solve seeded the history forever; every subsequent phantom20 session inherited it and the verifier rubber-stamped 6/6 without the player typing anything. Same residue shape applies to L24 Pod Games. Closed by PR #68 (PAM session_open wipe hook for phantom14/15/20/24/30).

L17 Internal Hunt canonical solve broken — StrictModes + pam_unix lstchg

Two stacked sshd issues blocked the redis-RCE-to-SSH-key canonical solve. (1) sshd StrictModes yes (default) refused authorized_keys because /home/webadmin/.ssh is mode 777, the redis-writable mode required for SAVE. (2) Even when StrictModes was disabled, pam_unix denied login because webadmin lstchg in /etc/shadow was 0, treated as must-change-password-first. Fixed by adding StrictModes no to sshd_config and chage -d 99999 webadmin. dbadmin/ops on db/mgmt preemptively patched.

L15 clean_flag is literal submit flag

/root/clean_flag equals the submit value; one-shot read solved the mission with zero cleanup work executed.

history-clear bypass defeats verify-shadow LOUD regex

Emptying ~/.bash_history before verify-shadow clears the signal-of-loud-read heuristic. Fixed with sparse-history + missing-verifier-call fallback.

L12 verify-persistence grep mismatch awarded partial credit

Fingerprint regex for SSH-key persistence looked at the wrong path — valid method counted 0/4, partial-credit gaming possible.

phantom-deep L15/L30 fresh ephemeral near-clean

On spawn only one real trace existed; /opt/verify-clean.sh returned 5/6 CLEAN immediately. Mission reduced to clearing one lastlog entry.

First-blood via 0-point orphan submission

Demonstrated that submission-exists as the prior-level check let a phantom/15 first-blood claim ride a 0-point phantom/14 orphan — without actually solving L14. Fix gated first-blood on pointsAwarded > 0 and ultimately led to strict-order enforcement on the phantom track.

L7 + L8 independent catch

Independently confirmed both the L7 setuid-vs-setreuid euid drop and the L8 yama ptrace_scope block, within 30 minutes of VoxFox. Two-reporter independent confirmation validated the exploit paths before the fixes landed.

Chain-integrity PoC + flag-value replay warning

Warned about the 32 phantom chain-passwords captured during pre-reset sessions. Triggered the full rotation + DB sha256 resync + submission reset on 2026-04-21.

L24 verify-pod-escape PID echo + HISTFILE gap

Verifier printed the host-init PID directly, spoiling the enumeration step. Separately, phantom24 had no .bl-allow-history marker, so bash history was wiped mid-session and the verifier grep-history check always failed.

Cosmetic root-lock: NOPASSWD sudo ALL on phantom12–30

Demonstrated sudo /bin/bash from phantom28 → uid=0 trivially. Root lock in shadow (!$y$…) was decorative while 12 phantom users held blanket NOPASSWD: ALL. Scoped sudoers pass now keeps ALL only where the declared level challenge needs privileged work.

wtmp/lastlog world-readable — player IP leakage

Ubuntu default mode 664 on /var/log/wtmp allowed last -a from phantom0/ghost0 to enumerate every other player SSH origin IP. Fixed by entrypoint chmod 600 right before sshd start.

phantom3 SSH Connection-reset — pam_limits glob gap

Surfaced that the limits.conf phantom* glob did not expand (pam_limits does not support user globs). No phantomN had nproc=100, and one broken LD_PRELOAD chain on L3 spawned 501 processes, wedging sshd for every subsequent player. Fixed by expanding to 43 literal users.

Ghost L20 cron daemon missing post-rebuild

cron was ad-hoc installed via docker exec without a Dockerfile entry. The PR #9 chattr rebuild wiped it and L20 silently broke (entrypoint failsafe logged FATAL, verifier returned empty). Fixed by adding cron to the apt install line.

Specter L0 verifier crash on date-typed YAML fields (unhandled serialization)

Stale redirect shell sent L14/L15/L30 players to wrong port → false "unauthorized"

Reported a deployment bug that mis-routed several Phantom levels to the wrong session port, surfacing false "unauthorized" failures

Crown Wars crown-claim integrity bypass — persistent root re-claims crown without re-exploitation

crown-claim only checks uid==0; the exploit-path argument is an unverified free-text label. A planted SUID-root backdoor (or any retained root) lets a player re-claim the crown after dethrone without re-exploiting a currently-open path, and patching paths does not protect the crown — defeating the patch-to-defend / dethrone loop.

L24 Pod Games verifier history-grep bypass — substring /proc/N/root passes without performing technique

verify-pod-escape.sh unanchored grep — mkdir/ls/echo passed. CONTENT_OK also dead (SUID-root verifier). Hot-patched 2026-05-11 with anchored reader-regex + actual-PID match + enumeration gate.

V4bel/dirtyfrag — independent verification of Docker isolation containment

Independently flagged V4bel/dirtyfrag CVE within hours of Fafikks report. Verified that Docker container isolation contains the exploit (rc=3 inside ghost0). Confirmed defense-in-depth holds at the container layer. Duplicate finding to Fafikks deeper methodology, credited for diligence and independent verification. [Score bumped from 5 → 15 to reflect ongoing high-quality contributions across multiple findings — independent verification on this CVE plus standing-contributor recognition while pending-report backlog is reviewed.]

Ghost L11 residue immortalization (chattr +i sweep inversion)

Previous solver extracted L11 data.wrapped, wrote password to core.txt, exited; container restart chattr +i sweep did not distinguish baked vs residue and locked core.txt permanently. Every subsequent ghost11 solver got a cat core.txt skip. Player flagged correctly with is-this-intentional framing.

phantom13 password drift between phantom-deep image and platform/oracle

After the chain-password rotation that updated the breachlab-phantom shared Dockerfile, the platform DB hashes (sync-flags.ts), and the mgmt oracle /root/phantom-flags/* — the phantom-deep ephemeral image was missed and stayed on the previous cycle (phantom13:bl_phtm12_41dcd45730bafb25 vs current bl_phtm12_6738ac1ce051c4ec). Players solved L12 honestly, oracle returned the new flag, but ssh phantom13@:2224 to the freshly spawned ephemeral failed at auth because the image still baked the old password. Same drift held for phantom14/15/30. Closed by phantom-deep PR #2 (sync the four chain passwords + rebuild phantom-deep:latest). Sister bug to the platform-DB drift Galile0 hit yesterday — flag rotation has FOUR storage layers, all four have to move together.

Cross-track network exposure — Specter ephemerals visible on phantom-net via Docker DNS

Reported that Specter session container names + count were enumerable from a Phantom ephemeral via Docker DNS auto-publish on the shared phantom-net bridge. Root cause: Specter ephemerals were dual-attached to phantom-net for mgmt-oracle reach. Fixed by carving out a dedicated specter-oracle-net bridge, migrating mgmt and all spawn defaults; live-migrated 16 active Specter sessions off phantom-net.

L19 ops shell exposes L31 graduation target

ops NOPASSWD cat covers both final_flag (L19) and objective.dat (L31). Chain-integrity gate blocks actual submit but L31 intent collapses. Logged for redesign.

mgmt container /opt/*.py world-readable exposes flag pipeline

oracle.py + collector scripts were mode 0644 inside phantom-mgmt — any rooted player could read expected-flag logic.

Phantom L23: Docker API TCP :2375 wide open — L0-L22 can skip 22 levels

Reported that any phantom user could curl localhost:2375/containers/create with /:/host bind and pull the L23 docker-api flag. TCP twin of the L21 Unix socket was unrestricted while the Unix socket itself was chmod 0660 root:phantom21. Fixed with iptables OUTPUT --dport 2375 uid-owner gate.

Phantom phantom-verify SUID wrapper: any user could run any verifier

Reported that /usr/local/bin/phantom-verify validates level name but not caller UID. On a freshly-booted container trace-based verifiers (clean, clean-exit, container) pass trivially because the target user has never logged in, so the oracle releases the flag to whoever runs it. Fixed with level-to-owner table and getuid() enforcement before execv.

phantom /proc/net/tcp raw-read exposes operator IPs

L5 File Authority intended-path clarification

Surfaced that root hash in /etc/shadow is !$y$… (locked, nologin) and only flagkeeper5 hash is the crack target. Led to a password-set fix ensuring the target hash is actually present in rockyou.txt.

Specter ephemeral SSH host keys info leak via /etc/specter-host-keys volume mount

Spotted that /etc/specter-host-keys is volume-mounted into every Specter ephemeral from /dev/sda1 (host disk), exposing private key filenames and mount source through ls / findmnt / /proc/self/mountinfo. Private key contents remain unreadable to non-root players (mode 600 root, perms preserved through the read-only mount), and these are the Specter ephemeral SSH server identity keys (separate fingerprints from the boxs actual host keys — verified non-overlapping). Reporter correctly identified them as not credential-actionable. Still an architectural info leak revealing host filesystem layout via /dev/sda1 device hint and shared-identity design across ephemerals. Mitigation: bake host keys into image at Dockerfile build time, drop the runtime volume mount entirely.

phantom-deep oracle stale-token UX gap

After restart in-flight ephemerals retained pre-restart tokens; verifier returned bare unauthorized. Fixed: orchestrator startup probe + 401 reconnect hint.