Escaping Linux CHROOT Jail

April 1, 2017 | Views: 15163

Begin Learning Cyber Security for FREE Now!

FREE REGISTRATIONAlready a Member Login Here


Isolation is a security approach provided by many computer systems. It is based on splitting the system into smaller independent pieces to make sure that a compromised sub-system cannot affect the entire entity. This approach is present in every modern operating system (e.g User accounts, process address spaces etc..).

Chroot Jail is a way to separate a process that doesn’t run as root and its children from the rest of the system by creating a Jail using chroot() system call (system call is an interface between an application and the Linux kernel). The idea is to create a directory and make the process think that it is in the root folder and not letting it access or modify outside that jail. Let’s see how to build this jail and how to escape it.


Setup a Prisoner user

Create a new user: sudo adduser prisoner


Add prisoner to root group:  sudo gpasswd -a prisoner root

(Check by visiting the /etc/group path)

Create a Chroot folder: mkdir chroot

Enter chroot (cd /chroot ) and create : bin, dev, etc, home, home/prisoner, lib, var,  usr, usr/bin folders:  mkdir bin dev  etc home  home/prisoner, lib, var, usr, usr/bin

(We need at least bin and lib directory inside the jail.)

Now let’s copy the bash shell utility that we want the prisoner user to be able to use.

Type:  cp /bin/bash /chroot/bin/

To make sure that the bash shell will work properly we need to locate its necessary libraries and copying them to /lib jail folder:  ldd/bin/bash

Now, let’s use the Magic Chroot command: sudo chroot /chroot  /bin/bash

Ps: if you get this error: chroot: failed to run command ‘/bin/bash’ no such file or directory please check this answer.


Escaping the jail:

Now let’s see how to escape this type of jails:

  1. First, we need to guess the available commands by just typing some commands: cd, ls, pwd, cp, vi etc… to know what we can use to escape.
  2. Know the $SHELL and the $PATH variables using: echo $PATH and echo $SHELL.
  3. There are different methods and ideas to escape the jail for example:
  • If ‘/’ is available just run /bin/bash.
  • If ‘set’ is available use: export PATH=/bin:/usr/bin:$PATH       

            and export SHELL=/bin/sh

  • Use other system commands e.g: awk ‘BEGIN {system(“/bin/sh”)}’
  • Use scripting language e.g: python – c  ‘import os;os.system(“/bin/bash”)’  




Share with Friends
Use Cybytes and
Tip the Author!
Share with Friends
Ready to share your knowledge and expertise?
  1. With ALL due respect !! this is just not relevant in the real world !! maybe at your local high school or local library..

  2. hhhhhhh Prison School Please Don’t Tell Me You Are Animes Fan

Comment on This

You must be logged in to post a comment.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Support Cybrary

Donate Here to Get This Month's Donor Badge



Is Linux Worth Learning in 2020?
Views: 740 / December 14, 2019
How do I Get MTA Certified?
Views: 1312 / December 12, 2019
How much does your PAM software really cost?
Views: 1749 / December 10, 2019
How Do I Get into Android Development?
Views: 2139 / December 8, 2019

We recommend always using caution when following any link

Are you sure you want to continue?