AppArmorJail2

Data

Validaciones

0 Compromissions 0%

Nota  Notación

1 Voto

Descripción

Attention : this CTF-ATD is linked to the challenge "AppArmor Jail - Introduction"

The administrator isn’t happy: you’ve managed to bypass his previous AppArmor policy. So he’s improved it so that you can no longer read his precious secrets.

He’s so sure of himself that he’s left the configuration to you in order to taunt you. Show him it was a bad idea!

  1. #include <tunables/global>
  2.  
  3. profile docker_chall_medium flags=(attach_disconnected,mediate_deleted) {
  4. #include <abstractions/base>
  5. network,
  6. capability,
  7. file,
  8. umount,
  9. signal (send,receive),
  10. deny mount,
  11.  
  12. deny /sys/[^f]*/** wklx,
  13. deny /sys/f[^s]*/** wklx,
  14. deny /sys/fs/[^c]*/** wklx,
  15. deny /sys/fs/c[^g]*/** wklx,
  16. deny /sys/fs/cg[^r]*/** wklx,
  17. deny /sys/firmware/** rwklx,
  18. deny /sys/kernel/security/** rwklx,
  19.  
  20. deny @{PROC}/* w, # deny write for all files directly in /proc (not in a subdir)
  21. # deny write to files not in /proc/<number>/** or /proc/sys/**
  22. deny @{PROC}/{[^1-9],[^1-9][^0-9],[^1-9s][^0-9y][^0-9s],[^1-9][^0-9][^0-9][^0-9]*}/** w,
  23. deny @{PROC}/sys/[^k]** w, # deny /proc/sys except /proc/sys/k* (effectively /proc/sys/kernel)
  24. deny @{PROC}/sys/kernel/{?,??,[^s][^h][^m]**} w, # deny everything except shm* in /proc/sys/kernel/
  25. deny @{PROC}/sysrq-trigger rwklx,
  26. deny @{PROC}/kcore rwklx,
  27.  
  28. /usr/local/bin/sh px -> shprof2,
  29. deny /home/admin/** w,
  30. deny /home/admin/flag_here/flag.txt r,
  31. }
  32.  
  33. profile shprof2 flags=(attach_disconnected,mediate_deleted) {
  34. #include <abstractions/base>
  35. #include <abstractions/bash>
  36.  
  37. network,
  38. capability,
  39. mount,
  40. deny mount cgroup, # prevent container escape
  41. umount,
  42. file,
  43. signal (send,receive),
  44.  
  45. deny /sys/[^f]*/** wklx,
  46. deny /sys/f[^s]*/** wklx,
  47. deny /sys/fs/[^c]*/** wklx,
  48. deny /sys/fs/c[^g]*/** wklx,
  49. deny /sys/fs/cg[^r]*/** wklx,
  50. deny /sys/firmware/** rwklx,
  51. deny /sys/kernel/security/** rwklx,
  52.  
  53. deny @{PROC}/* w, # deny write for all files directly in /proc (not in a subdir)
  54. # deny write to files not in /proc/<number>/** or /proc/sys/**
  55. deny @{PROC}/{[^1-9],[^1-9][^0-9],[^1-9s][^0-9y][^0-9s],[^1-9][^0-9][^0-9][^0-9]*}/** w,
  56. deny @{PROC}/sys/[^k]** w, # deny /proc/sys except /proc/sys/k* (effectively /proc/sys/kernel)
  57. deny @{PROC}/sys/kernel/{?,??,[^s][^h][^m]**} w, # deny everything except shm* in /proc/sys/kernel/
  58. deny @{PROC}/sysrq-trigger rwklx,
  59. deny @{PROC}/kcore rwklx,
  60.  
  61. /lib/x86_64-linux-gnu/ld-*.so mr,
  62. deny /home/admin/** w,
  63. deny /home/admin/flag_here/flag.txt r,
  64. }

Descargar

  • Start the "AppArmorJail2" CTF-ATD
  • Connect via SSH to machine port 22222 (admin:admin)
  • The challenge validation password is in the file /home/admin/flag_here/flag.txt

Do not hesitate to change the password of the admin user so that you are the only one on the machine to carry out your operations.

Tiempo de compromiso

3 horas

Sistema operativo

 linux

iniciar este entorno virtual