The loop

  1. Register SSH key, claim a slot
  2. ssh -i your_key -p 2300 [email protected]
  3. Get root via any primitive below
  4. crown-claim kothN <primitive-slug>
  5. Hold the throne · +1/min while active
  6. Get dethroned · take it back

Primitives

Multiple routes to root. Core routes are always open; escalation routes unlock as the round runs. What each one is — and how it works — is yours to find. That's the game.

Run crown-claim with no args on the box to list the slugs it accepts; pass the one you used. One-liners live in the in-arena cheat sheet.

Scoring

  Crown via known primitive          + market value at grab time
  Hold the throne                    +1 / min (active only)
  Generic patch                      +3
  Patch the path you got hit with    +5
  First crown via a new slug         +50 (once per slug, global)

Market: every primitive starts the round at its base value (10–18). Each grab via a path drops its price by 2 (floor: 2). Price is locked at grab time. Resets on round close.

Crown decay

After 5 min on the throne, your score starts bleeding 30% per minute. Patch the path you got hit with (+5) to reset the timer. Or pray the Guard heals you.

Escalation

After 5 min of an active king, the arena opens a fresh escalation primitive (60s warning). Up to 3 per round, ~3 min apart. Watch the exploit market on the arena page — new slug = the king's reign just got shorter.

King's Guard · asymmetric defender

Pure browser play, no SSH needed. One slot per round, first-come-first-served, opens only after the first crown grab. Sits with the king against attackers.

  🔒 lockdown · 1/round    freeze a primitive 3min — no crowns score
  👁 eye · always on       live syscall feed across all slots
  💚 heal · 1/round        reset king's decay → 5min grace
  passive scoring          ½ king's active hold-seconds / min

Drift mode (mutating arena)

The arena mutates every round. SUID binaries are renamed AND relocated — same primitive, different name and path. The exploit vector itself rotates too: a wrapper accepts exactly one input shape per round and silently ignores the rest. Memorize the chain, not the name.

Each round also plants a decoy SUID binary. Looks exploitable; isn't. Touching it logs your uid and argv to a file the Guard's Eye reads — naive attackers get burned. strings a binary before you trust it.

Everything you need for this round — current names, dirs, and the active signature — is in /etc/breachlab-drift. Read it once, enumerate with find / -perm -4000, then craft.
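Because names and paths drift, an inventory of setuid files is more useful keyed by content hash than by path. The script below is an added example, not arena tooling: it snapshots setuid files and diffs two snapshots so a rename or relocation shows up as a move and a setuid file that was not there before stands out. The script name and snapshot file names are hypothetical, and it assumes sha256sum is installed.

```shell
#!/bin/sh
# Added example, not arena tooling. Assumes find, sort, awk and sha256sum.
# Script name and snapshot file names in the usage lines are hypothetical.

# suid_snapshot ROOT
# Print "HASH<TAB>PATH" for each setuid regular file under ROOT.
# Files are only read for hashing, never executed.
suid_snapshot() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort |
    while IFS= read -r f; do
        h=$(sha256sum "$f" 2>/dev/null | cut -d' ' -f1)
        if [ -n "$h" ]; then printf '%s\t%s\n' "$h" "$f"; fi
    done
}

# suid_diff OLD NEW
# Compare two snapshots by content hash and print, sorted:
#   MOVED    same content at a different path (a copy also shows as MOVED)
#   CHANGED  same path, different content
#   NEW      content and path both unseen in OLD
#   GONE     content from OLD that appears nowhere in NEW
suid_diff() {
    awk -F '\t' '
        FILENAME == ARGV[1] { path_of[$1] = $2; hash_at[$2] = $1; next }
        ($2 in hash_at) && hash_at[$2] == $1 { kept[$1] = 1; next }
        ($1 in path_of) { kept[$1] = 1
                          print "MOVED\t" path_of[$1] " -> " $2; next }
        ($2 in hash_at) { kept[hash_at[$2]] = 1
                          print "CHANGED\t" $2; next }
                        { print "NEW\t" $2 }
        END { for (h in path_of)
                  if (!(h in kept)) print "GONE\t" path_of[h] }
    ' "$1" "$2" | sort
}

# Usage: sh suid_drift.sh snapshot /  > before.tsv
#        sh suid_drift.sh snapshot /  > after.tsv
#        sh suid_drift.sh diff before.tsv after.tsv
case "${1:-}" in
    snapshot) suid_snapshot "${2:-/}" ;;
    diff)     suid_diff "$2" "$3" ;;
esac
```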

Live audit feed

Every syscall the king makes streams live to /battles/koth. Captured outside the arena via host-namespace strace — king-as-root cannot disable it. You ARE being watched while you sit on the throne.

Round cycle

30-minute clock starts on the first crown grab, not when the arena opens. Until then: standing by, you can ssh in, look around, prep. After close: container force-recreated, primitives reset, prices reset, drift reshuffles. SSH keys persist.

Daily challenge

A 3-step climb to root on your own private box — clear each step to unlock the next; fastest total time takes the crown. Same box for every player worldwide, shared leaderboard, resets 00:00 UTC. See /battles/koth/daily.

Fair play

Do anything to the box. Do nothing to deny the box. Hardening, patching, killing attackers mid-exploit, booby-trapping — game. Locking everyone out so you alone sit on the throne — not.

✓ allowed

  • Patch the path you got hit with
  • Kill specific exploit PIDs mid-run
  • Booby-trap files attackers might run
  • Read auth.log, ps, w

✗ not allowed · watchdog enforced

  • Kill-on-login loops · killing other ops' shells on sight
  • Fork bombs · OOM bombs · disk fill
  • Killing sshd · iptables-blocking SSH
  • Bricking critical files (chmod 000 /bin/bash, /etc/passwd…)

Trigger = round forfeit + force-recreate. Repeat = manual ban.

─ other

  • No attacks on platform, host, or other tracks
  • No sharing private keys
  • Arena escape · platform vulns → DM @ato in Discord

Command reference

  crown-claim <slot> <slug>    claim throne (run as root)
  cat /etc/breachlab-drift     this round's alias, dir, signature
  find / -perm -4000           enumerate SUID binaries (drift)
  stat /root/.crown            current king (owner field)
  cat /var/log/auth.log        watch other ops
  w · ps auxf                  who else is on the box