AppArmorJail1

日付

10 2023年5月

Validations

0 Compromissions 0%

Note

6 votes

Description

Attention : this CTF-ATD is linked to the challenge "AppArmor Jail - Introduction"

When connecting to the administrator’s server, a restricted shell via an AppArmor policy prevents you from reading the flag even though you are the owner...

Find a way to read the flag at any cost and override the AppArmor policy in place which is configured as follows:

#include <tunables/global>



profile docker_chall01 flags=(attach_disconnected,mediate_deleted) {

   #include <abstractions/base>

   network,

   capability,

   file,

   umount,

   signal (send,receive),

   deny mount,



   deny /sys/[^f]*/** wklx,

   deny /sys/f[^s]*/** wklx,

   deny /sys/fs/[^c]*/** wklx,

   deny /sys/fs/c[^g]*/** wklx,

   deny /sys/fs/cg[^r]*/** wklx,

   deny /sys/firmware/** rwklx,

   deny /sys/kernel/security/** rwklx,



   deny @{PROC}/* w,   # deny write for all files directly in /proc (not in a subdir)

   # deny write to files not in /proc/<number>/** or /proc/sys/**

   deny @{PROC}/{[^1-9],[^1-9][^0-9],[^1-9s][^0-9y][^0-9s],[^1-9][^0-9][^0-9][^0-9]*}/** w,

   deny @{PROC}/sys/[^k]** w,  # deny /proc/sys except /proc/sys/k* (effectively /proc/sys/kernel)

   deny @{PROC}/sys/kernel/{?,??,[^s][^h][^m]**} w,  # deny everything except shm* in /proc/sys/kernel/

   deny @{PROC}/sysrq-trigger rwklx,

   deny @{PROC}/kcore rwklx,



   /home/app-script-ch27/bash px -> bashprof1,

 

}

profile bashprof1 flags=(attach_disconnected,mediate_deleted) {

   #include <abstractions/base>

   #include <abstractions/bash>

   

   network,

   capability,

   deny mount,

   umount,

   signal (send,receive),



   deny /sys/[^f]*/** wklx,

   deny /sys/f[^s]*/** wklx,

   deny /sys/fs/[^c]*/** wklx,

   deny /sys/fs/c[^g]*/** wklx,

   deny /sys/fs/cg[^r]*/** wklx,

   deny /sys/firmware/** rwklx,

   deny /sys/kernel/security/** rwklx,



   deny @{PROC}/* w,   # deny write for all files directly in /proc (not in a subdir)

   # deny write to files not in /proc/<number>/** or /proc/sys/**

   deny @{PROC}/{[^1-9],[^1-9][^0-9],[^1-9s][^0-9y][^0-9s],[^1-9][^0-9][^0-9][^0-9]*}/** w,

   deny @{PROC}/sys/[^k]** w,  # deny /proc/sys except /proc/sys/k* (effectively /proc/sys/kernel)

   deny @{PROC}/sys/kernel/{?,??,[^s][^h][^m]**} w,  # deny everything except shm* in /proc/sys/kernel/

   deny @{PROC}/sysrq-trigger rwklx,

   deny @{PROC}/kcore rwklx,



   / r,

   /** mrwlk,

   /bin/** ix,

   /usr/bin/** ix,

   /lib/x86_64-linux-gnu/ld-*.so mrUx,

   deny /home/app-script-ch27/flag.txt r,

}

Start the CTF-ATD "AppArmorJail1"
Connect via SSH to the machine on port 22222 (app-script-ch27:app-script-ch27)
The challenge validation password is in the /home/app-script-ch27/flag.txt file
The validation password of the CTF ATD is in the file /passwd

Démarrer le CTF all the day

Temps de compromission

4 heures

Système d'exploitation

linux

démarrer cet environnement virtuel

176 Environnements Virtuels

Résultats	お名前	Validations ↓↑	Difficulté	著者	Note
	Metasploitable 2	40% 8571
	Basic pentesting 1	32% 4644
	LAMP security CTF5	25% 3875
	Docker - I am groot	51% 3006		Ech0
	LAMP security CTF4	35% 2712
	SSH Agent Hijacking	26% 2357		mayfly
	SSRF Box	18% 1757		sambecks
	Metasploitable	12% 1721
	Mr. Robot 1	21% 1636
	End Droid	35% 1245
	Imagick	22% 1036		sambecks
	SamBox v2	13% 978		sambecks
	Kioptrix level 2	25% 971
	Docker - Sys-Admin’s Docker	41% 936		Ech0
	LAMP security CTF7	39% 889
	VulnVoIP	17% 851
	SamBox v1	7% 723		sambecks
	Docker - Talk through me	42% 631		Ech0
	Well-Known	11% 620		sm0k
	Django unchained	22% 610		TiWim
	LAMP security CTF6	18% 603
	Windows - Group Policy Preferences Passwords	25% 582
	Kioptrix level 3	33% 575
	Shared Objects Hijacking	13% 557		das
	BreakingRootme2020	15% 512		Laluka
	Windows XP pro 01	5% 494		g0uZ
	Awky	8% 494		sbrk
	Kioptrix level 4	35% 462
	Rootkit Cold Case	16% 462		franb
	Windows - KerbeRoast	19% 444
	Websocket - 0 protection	6% 436		Worty
	Bluebox - Microsoft Pentest	4% 418
	Windows - ASRepRoast	35% 402
	pWnOS	32% 400
	Hackademic RTB1	19% 364
	DC-1	15% 343
	SamBox v3	5% 333		sambecks
	Exploit KB Vulnerable Web App	12% 306
	Bluebox 2 - Pentest	3% 306		sambecks
	Holynix v1	24% 292
	SAP Pentest	7% 292		iggy
	LAMP security CTF8	14% 291
	/dev/random : Pipe	5% 236
	A bittersweet shellfony	12% 233		mayfly
	LordoftheRoot	25% 230
	Hopital Bozobe	8% 228		sambecks
	Acid: Server	12% 218
	FristiLeaks 1.3	29% 215
	SkyTower	24% 213
	Ubuntu 8.04 weak	5% 206		g0uZ