Break out of my Python sandbox.

Submit real Python — imports, eval, dunder access, all allowed. It runs inside a hardened sandbox built from namespaces, cgroups, a default-deny seccomp filter, Landlock, and a uid drop. Three flags are hidden behind three different isolation barriers. Find one, get credited.

Start playing →

Scope of engagement

Found something real? It'll be auto-detected. If you want to be credited, you'll get a chance to leave contact info once a flag match is confirmed. Questions or responsible disclosure: chs@chs.us.

What we log

Every run is recorded so the challenge can be operated and escapes reviewed: the code you submit, its output, exit/kill status and duration, a timestamp, and the source IP of the request. Don't paste anything private or identifying into the editor — treat submissions as public.

Ordinary runs are auto-deleted after 30 days. Confirmed flag captures are kept so they can be credited on the hall of fame. Blocked syscalls are also logged at the kernel level for security review. Nothing here is sold or shared with third parties.

Be honest about the risk

Hand-rolled seccomp + namespaces + Landlock has more historical CTF pyjail escapes than purpose-built sandboxing tools like nsjail or gVisor — that's a deliberate tradeoff for shipping this fast, not an oversight. Read the full design rationale.