AppArmorJail1

日付

Validations

0 Compromissions 0%

Note  Notation

1
2
3
4
5
6 votes

Description

Attention : this CTF-ATD is linked to the challenge "AppArmor Jail - Introduction"

When connecting to the administrator’s server, a restricted shell via an AppArmor policy prevents you from reading the flag even though you are the owner...

Find a way to read the flag at any cost and override the AppArmor policy in place which is configured as follows:

#include <tunables/global>

profile docker_chall01 flags=(attach_disconnected,mediate_deleted) {
   #include <abstractions/base>
   network,
   capability,
   file,
   umount,
   signal (send,receive),
   deny mount,

   deny /sys/[^f]*/** wklx,
   deny /sys/f[^s]*/** wklx,
   deny /sys/fs/[^c]*/** wklx,
   deny /sys/fs/c[^g]*/** wklx,
   deny /sys/fs/cg[^r]*/** wklx,
   deny /sys/firmware/** rwklx,
   deny /sys/kernel/security/** rwklx,

   deny @{PROC}/* w,   # deny write for all files directly in /proc (not in a subdir)
   # deny write to files not in /proc/<number>/** or /proc/sys/**
   deny @{PROC}/{[^1-9],[^1-9][^0-9],[^1-9s][^0-9y][^0-9s],[^1-9][^0-9][^0-9][^0-9]*}/** w,
   deny @{PROC}/sys/[^k]** w,  # deny /proc/sys except /proc/sys/k* (effectively /proc/sys/kernel)
   deny @{PROC}/sys/kernel/{?,??,[^s][^h][^m]**} w,  # deny everything except shm* in /proc/sys/kernel/
   deny @{PROC}/sysrq-trigger rwklx,
   deny @{PROC}/kcore rwklx,

   /home/app-script-ch27/bash px -> bashprof1,
 
}
profile bashprof1 flags=(attach_disconnected,mediate_deleted) {
   #include <abstractions/base>
   #include <abstractions/bash>
   
   network,
   capability,
   deny mount,
   umount,
   signal (send,receive),

   deny /sys/[^f]*/** wklx,
   deny /sys/f[^s]*/** wklx,
   deny /sys/fs/[^c]*/** wklx,
   deny /sys/fs/c[^g]*/** wklx,
   deny /sys/fs/cg[^r]*/** wklx,
   deny /sys/firmware/** rwklx,
   deny /sys/kernel/security/** rwklx,

   deny @{PROC}/* w,   # deny write for all files directly in /proc (not in a subdir)
   # deny write to files not in /proc/<number>/** or /proc/sys/**
   deny @{PROC}/{[^1-9],[^1-9][^0-9],[^1-9s][^0-9y][^0-9s],[^1-9][^0-9][^0-9][^0-9]*}/** w,
   deny @{PROC}/sys/[^k]** w,  # deny /proc/sys except /proc/sys/k* (effectively /proc/sys/kernel)
   deny @{PROC}/sys/kernel/{?,??,[^s][^h][^m]**} w,  # deny everything except shm* in /proc/sys/kernel/
   deny @{PROC}/sysrq-trigger rwklx,
   deny @{PROC}/kcore rwklx,

   / r,
   /** mrwlk,
   /bin/** ix,
   /usr/bin/** ix,
   /lib/x86_64-linux-gnu/ld-*.so mrUx,
   deny /home/app-script-ch27/flag.txt r,
}
  • Start the CTF-ATD "AppArmorJail1"
  • Connect via SSH to the machine on port 22222 (app-script-ch27:app-script-ch27)
  • The challenge validation password is in the /home/app-script-ch27/flag.txt file
  • The validation password of the CTF ATD is in the file /passwd

Démarrer le CTF all the day

Temps de compromission

4 heures

Système d'exploitation

 linux

démarrer cet environnement virtuel

 176 Environnements Virtuels

Résultats お名前 Validations Difficulté  Difficulté 著者 Note   Notation
pas_valide SSH Agent Hijacking 26% 2357 mayfly
pas_valide Ubuntu 8.04 weak 5% 206 g0uZ
pas_valide Kioptrix level 2 25% 971
pas_valide Docker - Sys-Admin’s Docker 41% 936 Ech0
pas_valide OpenClassrooms - Juice Shop 1% 7 Sh1n, EtienneC
pas_valide root-me-spip 9% 101 real
pas_valide BreakingRootme2020 15% 512 Laluka
pas_valide Acid: Server 12% 218
pas_valide AppArmorJail1 0% 0 nivram
pas_valide ARP Spoofing EcouteActive 0% 0 voydstack
pas_valide Metasploitable 2 40% 8571
pas_valide OpenClassrooms - Sécurité Active Directory 11% 173
pas_valide Mr. Robot 1 21% 1636
pas_valide Docker - Talk through me 42% 631 Ech0
pas_valide I’m a Bl4ck H4t 7% 48
pas_valide Bash considered harmful 8% 138 sbrk
pas_valide SAP Pentest 7% 292 iggy
pas_valide Rootkit Cold Case 16% 462 franb
pas_valide Docker - I am groot 51% 3006 Ech0
pas_valide Bluebox - Microsoft Pentest 4% 418
pas_valide LAMP security CTF5 25% 3875
pas_valide LAMP security CTF7 39% 889
pas_valide DC-4 17% 156
pas_valide SSRF Box 18% 1757 sambecks
pas_valide Basilic 4% 19
pas_valide Imagick 22% 1036 sambecks
pas_valide Billu-b0x2 10% 123
pas_valide LAMP security CTF6 18% 603
pas_valide DeRPnStiNK 29% 41
pas_valide k8s 10% 168 sambecks
pas_valide /dev/random : Pipe 5% 236
pas_valide Basic pentesting 1 32% 4644
pas_valide Bee-box v1 6% 41
pas_valide LAMP security CTF4 35% 2712
pas_valide Metasploitable 12% 1721
pas_valide OpenClassrooms - DVWA 2% 84 Sh1n, EtienneC
pas_valide CTFair 0% 0
pas_valide A bittersweet shellfony 12% 233 mayfly
pas_valide SamBox v2 13% 978 sambecks
pas_valide Bulldog 27% 195
pas_valide Command Injection OS 18% 56
pas_valide Gemini-Pentest-v1 8% 29
pas_valide Texode_Back 8% 75
pas_valide Lazysysadmin 16% 56
pas_valide DC-6 30% 112
pas_valide Challenge SecuriTech 1% 13
pas_valide SkyTower 24% 213
pas_valide CsharpVulnJson 6% 14 notfound404
pas_valide OpenClassrooms - P7 - Analyste SOC 0% 0
pas_valide BBQ Factory 6% 125 sm0k, dvor4x