Scenario
The CasinoLimit Challenge requires participants to compromise a simulated environment by progressing through a series of attack techniques mapped to MITRE ATT&CK tactics. Starting with SSH access to the initial host, attackers move laterally to a webcam-equipped machine, where they capture a photo revealing part of a password and gather intelligence about a vulnerable bastion server. After brute-forcing the remaining password characters, they escalate privileges on the bastion using a kernel exploit, then pivot to an intranet website vulnerable to server-side template injection. By exploiting this flaw, they execute SQL queries to delete a specific user's data, triggering an email containing the challenge flag. Throughout, players must navigate interconnected networks, impersonate multiple users, and extract clues from system artifacts, all via command-line interactions on Linux systems.
The challenge can be redeployed from https://gitlab.inria.fr/pirat-public/casinolimit.
Event
The CasinoLimit Challenge was held during BreizhCTF 2024, from May 17th 2024 8:30 PM to May 18th 2024 8:00 PM (CET). During the event, 120 teams competed and 114 instances of the challenge were played.