Level 16 → Level 17

Self Exe · 980 pts · +50 first-blood bonus

First Blood Available

Mission

This challenge places you inside a container and exposes a specific quirk of how the container runtime launches new processes. A carefully crafted payload written at exactly the right moment can cause the next invocation of a runtime command to execute attacker code with the runtime's own privileges on the host. To solve the challenge, cause the host to execute a payload that writes /host-proof, then read /flag. The host will perform an administrative action against your container within 30 seconds of your payload being in place.

Starting toolkit (you may need more)

ls · cat

Why this matters in 2026

This is the template case for every subsequent container runtime vulnerability — a cross-boundary binary replacement bug where the container writes to a path the host is about to execute. Every modern runtime has been audited against this pattern, and new variants still appear.

Mitigation era: legacy-2019 · rotation policy: levels may be refreshed as CVEs are patched out of distro defaults.

How to reach this level

Use the password for phantom16 that you captured on the previous level, then:

ssh phantom16@phantom.breachlab.org -p 2223

SSH endpoint is being provisioned. Follow @BreachLab for launch announcement.