AppArmorJail1

التاريخ

Validations

0 Compromissions 0%

Note  Notation

6 اراء

Description

Attention : this CTF-ATD is linked to the challenge "AppArmor Jail - Introduction"

When connecting to the administrator’s server, a restricted shell via an AppArmor policy prevents you from reading the flag even though you are the owner...

Find a way to read the flag at any cost and override the AppArmor policy in place which is configured as follows:

#include <tunables/global>

profile docker_chall01 flags=(attach_disconnected,mediate_deleted) {
   #include <abstractions/base>
   network,
   capability,
   file,
   umount,
   signal (send,receive),
   deny mount,

   deny /sys/[^f]*/** wklx,
   deny /sys/f[^s]*/** wklx,
   deny /sys/fs/[^c]*/** wklx,
   deny /sys/fs/c[^g]*/** wklx,
   deny /sys/fs/cg[^r]*/** wklx,
   deny /sys/firmware/** rwklx,
   deny /sys/kernel/security/** rwklx,

   deny @{PROC}/* w,   # deny write for all files directly in /proc (not in a subdir)
   # deny write to files not in /proc/<number>/** or /proc/sys/**
   deny @{PROC}/{[^1-9],[^1-9][^0-9],[^1-9s][^0-9y][^0-9s],[^1-9][^0-9][^0-9][^0-9]*}/** w,
   deny @{PROC}/sys/[^k]** w,  # deny /proc/sys except /proc/sys/k* (effectively /proc/sys/kernel)
   deny @{PROC}/sys/kernel/{?,??,[^s][^h][^m]**} w,  # deny everything except shm* in /proc/sys/kernel/
   deny @{PROC}/sysrq-trigger rwklx,
   deny @{PROC}/kcore rwklx,

   /home/app-script-ch27/bash px -> bashprof1,
 
}
profile bashprof1 flags=(attach_disconnected,mediate_deleted) {
   #include <abstractions/base>
   #include <abstractions/bash>
   
   network,
   capability,
   deny mount,
   umount,
   signal (send,receive),

   deny /sys/[^f]*/** wklx,
   deny /sys/f[^s]*/** wklx,
   deny /sys/fs/[^c]*/** wklx,
   deny /sys/fs/c[^g]*/** wklx,
   deny /sys/fs/cg[^r]*/** wklx,
   deny /sys/firmware/** rwklx,
   deny /sys/kernel/security/** rwklx,

   deny @{PROC}/* w,   # deny write for all files directly in /proc (not in a subdir)
   # deny write to files not in /proc/<number>/** or /proc/sys/**
   deny @{PROC}/{[^1-9],[^1-9][^0-9],[^1-9s][^0-9y][^0-9s],[^1-9][^0-9][^0-9][^0-9]*}/** w,
   deny @{PROC}/sys/[^k]** w,  # deny /proc/sys except /proc/sys/k* (effectively /proc/sys/kernel)
   deny @{PROC}/sys/kernel/{?,??,[^s][^h][^m]**} w,  # deny everything except shm* in /proc/sys/kernel/
   deny @{PROC}/sysrq-trigger rwklx,
   deny @{PROC}/kcore rwklx,

   / r,
   /** mrwlk,
   /bin/** ix,
   /usr/bin/** ix,
   /lib/x86_64-linux-gnu/ld-*.so mrUx,
   deny /home/app-script-ch27/flag.txt r,
}
  • Start the CTF-ATD "AppArmorJail1"
  • Connect via SSH to the machine on port 22222 (app-script-ch27:app-script-ch27)
  • The challenge validation password is in the /home/app-script-ch27/flag.txt file
  • The validation password of the CTF ATD is in the file /passwd

Démarrer le CTF all the day

Temps de compromission

4 heures

Système d'exploitation

 linux

démarrer cet environnement virtuel