AppArmorJail2
Описание
Attention : this CTF-ATD is linked to the challenge "AppArmor Jail - Introduction"
The administrator isn’t happy: you’ve managed to bypass his previous AppArmor policy. So he’s improved it so that you can no longer read his precious secrets.
He’s so sure of himself that he’s left the configuration to you in order to taunt you. Show him it was a bad idea!
- #include <tunables/global>
- profile docker_chall_medium flags=(attach_disconnected,mediate_deleted) {
- #include <abstractions/base>
- network,
- capability,
- file,
- umount,
- signal (send,receive),
- deny mount,
- deny /sys/[^f]*/** wklx,
- deny /sys/f[^s]*/** wklx,
- deny /sys/fs/[^c]*/** wklx,
- deny /sys/fs/c[^g]*/** wklx,
- deny /sys/fs/cg[^r]*/** wklx,
- deny /sys/firmware/** rwklx,
- deny /sys/kernel/security/** rwklx,
- deny @{PROC}/* w, # deny write for all files directly in /proc (not in a subdir)
- # deny write to files not in /proc/<number>/** or /proc/sys/**
- deny @{PROC}/{[^1-9],[^1-9][^0-9],[^1-9s][^0-9y][^0-9s],[^1-9][^0-9][^0-9][^0-9]*}/** w,
- deny @{PROC}/sys/[^k]** w, # deny /proc/sys except /proc/sys/k* (effectively /proc/sys/kernel)
- deny @{PROC}/sys/kernel/{?,??,[^s][^h][^m]**} w, # deny everything except shm* in /proc/sys/kernel/
- deny @{PROC}/sysrq-trigger rwklx,
- deny @{PROC}/kcore rwklx,
- /usr/local/bin/sh px -> shprof2,
- deny /home/admin/** w,
- deny /home/admin/flag_here/flag.txt r,
- }
- profile shprof2 flags=(attach_disconnected,mediate_deleted) {
- #include <abstractions/base>
- #include <abstractions/bash>
- network,
- capability,
- mount,
- deny mount cgroup, # prevent container escape
- umount,
- file,
- signal (send,receive),
- deny /sys/[^f]*/** wklx,
- deny /sys/f[^s]*/** wklx,
- deny /sys/fs/[^c]*/** wklx,
- deny /sys/fs/c[^g]*/** wklx,
- deny /sys/fs/cg[^r]*/** wklx,
- deny /sys/firmware/** rwklx,
- deny /sys/kernel/security/** rwklx,
- deny @{PROC}/* w, # deny write for all files directly in /proc (not in a subdir)
- # deny write to files not in /proc/<number>/** or /proc/sys/**
- deny @{PROC}/{[^1-9],[^1-9][^0-9],[^1-9s][^0-9y][^0-9s],[^1-9][^0-9][^0-9][^0-9]*}/** w,
- deny @{PROC}/sys/[^k]** w, # deny /proc/sys except /proc/sys/k* (effectively /proc/sys/kernel)
- deny @{PROC}/sys/kernel/{?,??,[^s][^h][^m]**} w, # deny everything except shm* in /proc/sys/kernel/
- deny @{PROC}/sysrq-trigger rwklx,
- deny @{PROC}/kcore rwklx,
- /lib/x86_64-linux-gnu/ld-*.so mr,
- deny /home/admin/** w,
- deny /home/admin/flag_here/flag.txt r,
- }
- Start the "AppArmorJail2" CTF-ATD
- Connect via SSH to machine port 22222 (admin:admin)
- The challenge validation password is in the file /home/admin/flag_here/flag.txt
Do not hesitate to change the password of the admin user so that you are the only one on the machine to carry out your operations.
Время компромисса
3 часы
Операционная система
linux
запустить эту виртуальную среду