This is the most intriguing part of the keyword. Digital Playground 2 suggests a specific virtual environment. Let’s explore the possibilities:
Running id inside the sandbox (via a simple payload that prints $(id)) shows:
uid=1000(guest) gid=1000(guest) groups=1000(guest)
No extra capabilities, no CAP_SYS_ADMIN, and the container is unprivileged (no --privileged flag). However, the host Docker daemon is exposed through a bind‑mount:
Inside the container we see a socket at /var/run/docker.sock. Checking its permissions:
srw-rw---- 1 root docker 0 Apr 13 12:00 /var/run/docker.sock
The guest user belongs to the docker group (GID 998) on the host, which is mapped into the container. This is a classic Docker escape vector.
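The socket check described above can be automated from inside a container. The following is an added example, not code from the original write-up; the function names can_write_sock and audit_live and the sample id lines in its comments are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide whether an identity can reach a bind-mounted Docker socket.

# can_write_sock MODE OWNER_UID GROUP_GID ID_OUTPUT
#   MODE       symbolic mode as printed by ls -l or stat -c %A, e.g. srw-rw----
#   ID_OUTPUT  one line of `id` output, e.g. (constructed)
#              uid=1000(guest) gid=1000(guest) groups=1000(guest),998(docker)
# Prints "exposed" when the identity has write permission on the socket
# (write is what connect() on a Unix socket requires), otherwise "ok".
can_write_sock() {
    mode=$1; owner=$2; group=$3; id_out=$4
    uid=$(printf '%s\n' "$id_out" | sed -n 's/^uid=\([0-9]*\).*/\1/p')
    # Numeric group list: drop "(name)" parts and anything after the list.
    gids=$(printf '%s\n' "$id_out" | sed -n 's/.*groups=//p' \
           | sed 's/([^)]*)//g; s/ .*//')
    case $mode in
        s*) ;;                      # a socket, keep checking
        *)  echo "ok"; return ;;    # not a socket at all
    esac
    if [ "$uid" -eq 0 ]; then
        # Assumption: root in the container keeps CAP_DAC_OVERRIDE.
        echo "exposed"; return
    elif [ "$uid" -eq "$owner" ]; then
        bit=$(printf '%s' "$mode" | cut -c3)    # owner write bit
    else
        case ",$gids," in
            *",$group,"*) bit=$(printf '%s' "$mode" | cut -c6) ;;  # group write bit
            *)            bit=$(printf '%s' "$mode" | cut -c9) ;;  # other write bit
        esac
    fi
    if [ "$bit" = "w" ]; then echo "exposed"; else echo "ok"; fi
}

# audit_live [PATH]: run the same check against the real socket, if present.
audit_live() {
    path=${1:-/var/run/docker.sock}
    [ -S "$path" ] || { echo "ok"; return; }
    # GNU stat: %A symbolic mode, %u owner uid, %g group gid
    set -- $(stat -c '%A %u %g' "$path")
    can_write_sock "$1" "$2" "$3" "$(id)"
}

audit_live
```

An "exposed" result means the process can drive the host Docker API through the socket, which is equivalent to root on the host. Removing the bind mount from the container definition closes that path.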
We tried a simple curl upload:
curl -F "payload=@/bin/ls" http://playground2.flygirls.ctf/upload
Response:
[+] Uploaded successfully! Your payload is running...
No immediate output appears, but the server returns a job ID:
"job_id": "c9c8c8a1-6d45-4a6d-9c2b-9e3c5f5c5c5c"
A GET /status/<job_id> endpoint returns JSON with status (queued, running, finished) and a log_url. The logs are stored under /uploads/<job_id>/log.txt and are publicly accessible.