Mission
This challenge places you on a host that exposes a node-level Kubernetes control API on an unauthenticated port. The API is meant for the node agent to be managed by the control plane but is reachable by anyone who can send it a request. To solve the challenge, use the API to execute a command inside an existing pod of your choice on the node and read a file that pod holds at /secrets/flag. Write the captured flag to /flag on the host.
Starting toolkit (you may need more)
curl
Why this matters in 2026
Self-managed Kubernetes clusters routinely ship with node-level APIs reachable without authentication — the fix requires explicit configuration that many operators miss. Finding and exploiting one of these is a top-five move in every real K8s engagement.
Mitigation era: 2026-04 · rotation policy: levels may be refreshed as CVEs are patched out of distro defaults.
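One way to check a node for the misconfiguration described above, as an added example that is not part of the original challenge page. It assumes the node-level API is the kubelet's and audits a KubeletConfiguration file for the two settings that decide whether unauthenticated requests are accepted and authorized; the function names, the sample fragments and the CA path are constructed for illustration.

```python
# Added example: audit a KubeletConfiguration file for an open node API.
# Field names are from kubelet.config.k8s.io/v1beta1; samples are constructed.
CHECKS = [("authentication.anonymous.enabled", "false"),
          ("authorization.mode", "Webhook")]

def parse(text):
    # Minimal parser for the nested "key: value" subset of YAML used here.
    root = {}
    stack = [(-1, root)]  # (indent, mapping) of the currently open parents
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        while stack[-1][0] >= indent:
            stack.pop()
        key, _, value = line.strip().partition(":")
        node = stack[-1][1][key] = value.strip() or {}
        if node == {}:
            stack.append((indent, node))
    return root

def get(cfg, path):
    for part in path.split("."):
        cfg = cfg.get(part) if isinstance(cfg, dict) else None
    return cfg

def audit(text):
    cfg, findings = parse(text), []
    for path, safe in CHECKS:
        val = get(cfg, path)
        if val is None:
            findings.append(path + ": unset, confirm the effective value")
        elif str(val).lower() != safe.lower():
            findings.append(path + ": " + str(val) + ", expected " + safe)
    return findings

WEAK = """\
authentication:
  anonymous:
    enabled: true
authorization:
  mode: AlwaysAllow
"""
HARDENED = """\
authentication:
  anonymous:
    enabled: false
  x509:
    clientCAFile: /path/to/ca.crt
authorization:
  mode: Webhook
"""
```

An unset field is reported rather than treated as safe, because the effective value then depends on the kubelet's command-line flags and defaults.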
How to reach this level
Use the password for phantom19 that you captured on the previous level, then:
ssh phantom19@phantom.breachlab.org -p 2223
SSH endpoint is being provisioned. Follow @BreachLab for launch announcement.