Mission
This challenge places you inside a container that has the host's container-runtime control socket exposed inside it. You can talk to the host daemon directly. To solve the challenge, write the string PHANTOM-<your-username> to /host/proof on the host filesystem, then read /flag inside the original container.
Starting toolkit (you may need more)
curllsWhy this matters in 2026
The single most common container escape in real-world pentests is a mounted control socket — it appears in any environment where someone wanted a containerized CI agent to build images. Finding it is a muscle memory for every modern red teamer.
Mitigation era: 2026-04 · rotation policy: levels may be refreshed as CVEs are patched out of distro defaults.
How to reach this level
Use the password for phantom13 that you captured on the previous level, then:
ssh phantom13@phantom.breachlab.org -p 2223
SSH endpoint is being provisioned. Follow @BreachLab for launch announcement.
Log in to submit flags and track progress.