Sandboxing


Yellow Belt (ASU CSE 466)

Dates

Assigned: September 13, 2022 at 1:00pm (Arizona time)
(solves before this date will not appear on the default scoreboard)

Due: September 22, 2022 at 11:00am UTC-07:00 (Arizona time)
(after this date, the live session of the dojo will move on to the next module, though solves will still count for scoreboard ranking)

For ASU extra credit due dates, please log in with an @asu.edu email address.


Lectures and Reading





Some tips and tricks for the challenge problems!

  • Be very careful to understand the timeline of what the challenge does. A file opened BEFORE chroot() is very different from a file opened AFTER chroot(). The sequence of actions makes a big difference.
  • There aren't any restrictions on shellcode (other than syscalls), so we highly recommend making sure your shellcode exits cleanly. That will make it easier to debug.
  • You can determine the value of constants such as AT_FDCWD by writing a quick C program that includes the relevant header files and does printf("%d\n", AT_FDCWD);.
  • chroot() will fail if you're not running as root. strace causes the SUID bit to be ignored, so you must use sudo strace to properly trace these challenges. Of course, this will only be possible in practice mode.
  • There is a known issue with strace that, in certain configurations, it will improperly resolve the syscall number of 32-bit syscalls in amd64. Using a newer Linux VM sometimes helps. If you're using int 0x80 to trigger system calls, the 32-bit ones ARE being used; strace is just lying to you.
  • On the subject of 32-bit syscalls: you do not have to assemble your shellcode in 32-bit mode (i.e., you don't need -m32). It is perfectly valid to just up and int 0x80 in the middle of an otherwise-64-bit shellcode.
  • Read this thoroughly, especially Section 3.6.1.
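The first tip, seen from the side of whoever builds the jail: a directory descriptor opened before chroot() still refers to the directory outside the new root afterwards. The C below is an added example, not code from the course or its challenges. It audits the process for open directory descriptors and refuses to enter the jail while any exist. The names count_dir_fds and enter_jail, the 65536 scan bound, and the /tmp path are assumptions made for illustration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Count open descriptors that refer to directories. A directory fd opened
 * before chroot() keeps referring to the directory outside the new root. */
int count_dir_fds(void)
{
    struct stat st;
    int n = 0;
    long max = sysconf(_SC_OPEN_MAX);
    if (max < 0 || max > 65536)
        max = 65536;              /* assumption: bound the scan for speed */
    for (int fd = 0; fd < max; fd++)
        if (fstat(fd, &st) == 0 && S_ISDIR(st.st_mode))
            n++;
    return n;
}

/* Hypothetical launcher helper. Returns 0 on success, -2 if a directory fd
 * is still open (refuse to jail), -1 if a syscall fails (e.g. not root). */
int enter_jail(const char *path)
{
    if (count_dir_fds() != 0)
        return -2;
    if (chdir(path) != 0)         /* move cwd inside the jail first */
        return -1;
    if (chroot(".") != 0)         /* fails with EPERM unless root */
        return -1;
    if (chdir("/") != 0)          /* cwd now resolves under the new root */
        return -1;
    return 0;
}

int main(void)
{
    int leaked = open("/", O_RDONLY | O_DIRECTORY);   /* constructed leak */
    printf("directory fds open: %d\n", count_dir_fds());
    printf("enter_jail with leak: %d\n", enter_jail("/tmp"));
    if (leaked >= 0)
        close(leaked);
    return 0;
}
```

The same ordering question applies to the current working directory, which is why enter_jail() changes into the jail before and after the chroot() call.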

Challenges

Escape a basic chroot sandbox!

Escape a basic chroot sandbox by utilizing shellcode.

Escape a chroot sandbox with shellcode.

Escape a chroot sandbox using shellcode, but this time only using the following syscalls: ["openat", "read", "write", "sendfile"]

Escape a chroot sandbox using shellcode, but this time only using the following syscalls: ["linkat", "open", "read", "write", "sendfile"]

Escape a chroot sandbox using shellcode, but this time only using the following syscalls: ["fchdir", "open", "read", "write", "sendfile"]

Escape a chroot sandbox using shellcode, but this time only using the following syscalls: ["chdir", "chroot", "mkdir", "open", "read", "write", "sendfile"]

Escape a chroot sandbox using shellcode, but this time only using the following syscalls: ["openat", "read", "write", "sendfile"]

Escape a chroot sandbox using shellcode, but this time only using the following syscalls: ["close", "stat", "fstat", "lstat"]

Escape a chroot sandbox using shellcode, but this time only using the following syscalls: ["read", "exit"]. Note that "write" is disabled! You will need a creative way of extracting the flag data from your process!

Escape a chroot sandbox using shellcode, but this time only using the following syscalls: ["read", "nanosleep"]. Note that "write" is disabled! You will need a creative way of extracting the flag data from your process!

Escape a chroot sandbox using shellcode, but this time only using the following syscalls: ["read"]. Note that "write" is disabled! You will need a creative way of extracting the flag data from your process!

Escape a different kind of sandbox, in which a jailed child process can be communicated with only from its parent process.

Learn the implications of a different way of sandboxing, using modern namespacing techniques! But what if the sandbox is really sloppy?

Learn the implications of a different way of sandboxing, using modern namespacing techniques! But what are the implications of sharing filesystems between the sandbox and host?

Learn the implications of a different way of sandboxing, using modern namespacing techniques! But what shenanigans can you get up to with special kernel-backed filesystems?

Learn the implications of a different way of sandboxing, using modern namespacing techniques! But what happens if you can smuggle in a resource from the outside?

Learn the implications of a different way of sandboxing, using modern namespacing techniques! What could be the harm of mounting in a harmless directory?

