renkagod/hardened-docker-ctf-labs

# hardened-docker-ctf-labs [](LICENSE) **Capture The Flag labs** with production-style **Docker hardening**: non-root users, dropped capabilities, read-only filesystems, tmpfs, resource limits, and healthchecks — plus full solver scripts and writeups. Originally authored for Caplag CTF. ## What's inside | Lab | Theme | Security topics | |-----|--------|-----------------| | [01 — Ghost Dev Pipeline](labs/01-ghost-dev-pipeline/) | Web + Forensics | Git history leaks, supply-chain tarball, HMAC API, time side-channel | | [02 — VibeChain Breach](labs/02-vibechain-breach/) | Web | JWT `alg=none`, scope confusion, exception handling (OWASP A03 / A10) | Each lab includes: - Flask application (`deploy/app.py`) - `Dockerfile` + `docker-compose.yml` with hardening profile - `solve/solve.py` — deterministic exploit path - `WRITEUP.md` — step-by-step solution - `check.sh` / `check.ps1` — build, healthcheck wait, solver, teardown ## Architecture flowchart LR subgraph host [Host] compose[docker compose] solver[solve.py] check[check.sh] end subgraph container [Hardened container] app[Flask / Gunicorn] tmpfs["tmpfs /tmp /run"] end compose -->|build + limits + caps| container check --> compose check --> solver solver -->|HTTP :1337| app compose -->|healthcheck /health| app ## Quick start **Requirements:** Docker with Compose v2, Python 3.11+, Git (Lab 01 build only). # Lab 01 cd labs/01-ghost-dev-pipeline cp .env.example .env python3 build_task.py cp .env deploy/.env docker compose -f deploy/docker-compose.yml up -d --build # Lab 02 cd labs/02-vibechain-breach docker compose -f deploy/docker-compose.yml up -d --build Both services listen on **http://127.0.0.1:1337**. Run full smoke tests (Linux/macOS): bash scripts/smoke-test-all.sh ## Hardening snapshot Both labs share the same compose security baseline — see [docs/hardening.md](docs/hardening.md) for the full breakdown. cap_drop: [ALL] security_opt: [no-new-privileges:true] read_only: true tmpfs: [/tmp, /run] cpus: 0.50 mem_limit: 128m pids_limit: 50 healthcheck: ... Lab 01 runs as `nobody`; Lab 02 uses a dedicated `ctf` user and Gunicorn with bounded workers. ## Repository layout hardened-docker-ctf-labs/ ├── README.md ├── LICENSE ├── docs/ │ └── hardening.md ├── scripts/ │ └── smoke-test-all.sh └── labs/ ├── 01-ghost-dev-pipeline/ └── 02-vibechain-breach/ ## Flag format Demo flags use `FLAG{...}`. Replace via environment variables (`CTF_FLAG`, `FLAG`, `API_KEY`, `OPS_JWT_SECRET`) before any public event. ## License [MIT](LICENSE) — Copyright (c) 2026 [renkagod](https://github.com/renkagod). ## Русский **hardened-docker-ctf-labs** — репозиторий с двумя CTF-лабораториями на Flask и усиленным Docker-профилем (non-root, `cap_drop`, read-only, tmpfs, лимиты, healthcheck). Есть солверы, writeup'ы и автопроверки. Быстрый старт: скопируйте `.env.example` в Lab 01, соберите артефакты `build_task.py`, поднимите `docker compose` в `deploy/`. Подробности — в README каждой лаборатории и в [docs/hardening.md](docs/hardening.md).