Escaping from Jails
Search https://gtfobins.github.io/ to check whether any binary you can execute has the "Shell" property.
From Wikipedia: The chroot mechanism is not intended to defend against intentional tampering by privileged (root) users. On most systems, chroot contexts do not stack properly and chrooted programs with sufficient privileges may perform a second chroot to break out. Usually this means that to escape you need to be root inside the chroot.
The tool chw00t was created to abuse the following scenarios and escape from chroot.
If you are root inside a chroot you can escape by creating another chroot. This is because two chroots cannot coexist (in Linux): if you create a folder and then create a new chroot on that folder while you yourself stay outside of it, you will now be outside the new chroot and therefore in the real FS.
This works because chroot usually DOESN'T move your working directory into the new root, so you can create a chroot while remaining outside of it.
Usually you won't find the chroot binary inside a chroot jail, but you could compile, upload and execute a binary:
This is similar to the previous case, but here the attacker keeps a file descriptor to the current directory and then creates the chroot in a new folder. Finally, because that FD still refers to a directory outside of the new chroot, the attacker accesses it and escapes.
FDs can be passed over Unix Domain Sockets, so:
Create a child process (fork)
Create a UDS so parent and child can talk
Run chroot in the child process into a different folder
In the parent process, create an FD of a folder that is outside of the child's new chroot
Pass that FD to the child process using the UDS
The child process chdirs to that FD and, because it's outside of its chroot, escapes the jail
Mount the root device (/) into a directory inside the chroot
Chroot into that directory
This is possible in Linux
Mount procfs into a directory inside the chroot (if it isn't yet)
Look for a pid that has a different root/cwd entry, like: /proc/1/root
Chroot into that entry
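A defender-side check for the condition that both the double-chroot technique and the procfs technique above rely on: a process whose root is a jail but whose cwd (or an open directory) resolves outside it, visible through /proc/<pid>/root and /proc/<pid>/cwd. The following is an added example, not code from the original page or from chw00t; the `SAMPLE_PROC` entries are constructed so it runs offline, and `read_proc_entries` assumes it is run as root on the host so other users' /proc links are readable.

```python
import os
from typing import Dict, List, Tuple

# Constructed sample of what os.readlink("/proc/<pid>/root") and
# os.readlink("/proc/<pid>/cwd") return when read from the host (outside any jail).
# pid 4242 is the interesting one: its root is a jail but its cwd is the real /,
# which is exactly the "chroot did not move the cwd" state the text describes.
SAMPLE_PROC: Dict[int, Tuple[str, str]] = {
    1:    ("/", "/"),
    1337: ("/srv/jail", "/srv/jail/home/app"),
    4242: ("/srv/jail", "/"),
    5000: ("/srv/jail2", "/srv/jail2"),
}

def is_under(path: str, root: str) -> bool:
    """True if path is root itself or lies beneath it (/srv/jail2 is NOT under /srv/jail)."""
    root, path = os.path.normpath(root), os.path.normpath(path)
    return root == "/" or path == root or path.startswith(root + os.sep)

def jailed_pids(entries: Dict[int, Tuple[str, str]]) -> List[int]:
    """Pids whose root is not the real /, i.e. processes running inside a chroot."""
    return sorted(pid for pid, (root, _cwd) in entries.items() if os.path.normpath(root) != "/")

def audit_chroot_cwd(entries: Dict[int, Tuple[str, str]]) -> List[int]:
    """Pids whose cwd resolves outside their own root: the escape primitive from the text."""
    return sorted(pid for pid, (root, cwd) in entries.items() if not is_under(cwd, root))

def read_proc_entries(proc: str = "/proc") -> Dict[int, Tuple[str, str]]:
    """Collect (root, cwd) for every pid from a live procfs (assumes root on the host)."""
    entries: Dict[int, Tuple[str, str]] = {}
    for name in os.listdir(proc):
        if not name.isdigit():
            continue
        try:
            root = os.readlink(os.path.join(proc, name, "root"))
            cwd = os.readlink(os.path.join(proc, name, "cwd"))
        except OSError:
            continue  # process exited meanwhile, or no permission for this pid
        entries[int(name)] = (root, cwd)
    return entries

if __name__ == "__main__":
    live = read_proc_entries()
    print("chrooted pids:", jailed_pids(live))
    for pid in audit_chroot_cwd(live):
        print(f"pid {pid}: cwd outside its root directory")
```

A hit from `audit_chroot_cwd` on a jail host is worth an alert, since a correctly set-up chrooted service chdirs into its new root immediately after chroot(2).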
Create a fork (child process) and chroot into a different folder deeper in the FS and cd into it
From the parent process, move the folder the child process is in to a folder above (outside of) the child's chroot
This child process will find itself outside of the chroot
Some time ago users could debug (ptrace) their own processes from another of their processes, but this is not possible by default anymore.
Anyway, if it is possible, you could ptrace into a process and execute shellcode inside of it (see this example).
Get info about the jail:
Check if you can modify the PATH env variable
Check if you can create an executable file with /bin/bash as content
If you are accessing via ssh you can use this trick to execute a bash shell:
You can overwrite, for example, the sudoers file
https://fireshellsecurity.team/restricted-linux-shell-escaping-techniques/
https://pen-testing.sans.org/blog/2012/0b6/06/escaping-restricted-linux-shells
https://gtfobins.github.io
The following page could also be interesting:
Tricks for escaping from Python jails can be found in the following page:
In this page you can find the global functions you have access to inside Lua: https://www.gammon.com.au/scripts/doc.php?general=lua_base
Eval with command execution:
Some tricks to call functions of a library without using dots:
Enumerate functions of a library:
Note that every time you execute the previous one-liner in a different Lua environment the order of the functions changes. Therefore, if you need to execute one specific function, you can brute force it by loading different Lua environments and calling the first function of the library:
Get an interactive Lua shell: if you are inside a limited Lua shell you can get a new Lua shell (and hopefully an unrestricted one) by calling: