AppArmorJail2

Date

25 September 2023

Validations

0 Compromissions 0%

Note

0 Vote

Description

Attention : this CTF-ATD is linked to the challenge "AppArmor Jail - Introduction"

The administrator isn’t happy: you’ve managed to bypass his previous AppArmor policy. So he’s improved it so that you can no longer read his precious secrets.

He’s so sure of himself that he’s left the configuration to you in order to taunt you. Show him it was a bad idea!

#include <tunables/global>
profile docker_chall_medium flags=(attach_disconnected,mediate_deleted) {
#include <abstractions/base>
network,
capability,
file,
umount,
signal (send,receive),
deny mount,
deny /sys/[^f]*/** wklx,
deny /sys/f[^s]*/** wklx,
deny /sys/fs/[^c]*/** wklx,
deny /sys/fs/c[^g]*/** wklx,
deny /sys/fs/cg[^r]*/** wklx,
deny /sys/firmware/** rwklx,
deny /sys/kernel/security/** rwklx,
deny @{PROC}/* w, # deny write for all files directly in /proc (not in a subdir)
# deny write to files not in /proc/<number>/** or /proc/sys/**
deny @{PROC}/{[^1-9],[^1-9][^0-9],[^1-9s][^0-9y][^0-9s],[^1-9][^0-9][^0-9][^0-9]*}/** w,
deny @{PROC}/sys/[^k]** w, # deny /proc/sys except /proc/sys/k* (effectively /proc/sys/kernel)
deny @{PROC}/sys/kernel/{?,??,[^s][^h][^m]**} w, # deny everything except shm* in /proc/sys/kernel/
deny @{PROC}/sysrq-trigger rwklx,
deny @{PROC}/kcore rwklx,
/usr/local/bin/sh px -> shprof2,
deny /home/admin/** w,
deny /home/admin/flag_here/flag.txt r,
}
profile shprof2 flags=(attach_disconnected,mediate_deleted) {
#include <abstractions/base>
#include <abstractions/bash>
network,
capability,
mount,
deny mount cgroup, # prevent container escape
umount,
file,
signal (send,receive),
deny /sys/[^f]*/** wklx,
deny /sys/f[^s]*/** wklx,
deny /sys/fs/[^c]*/** wklx,
deny /sys/fs/c[^g]*/** wklx,
deny /sys/fs/cg[^r]*/** wklx,
deny /sys/firmware/** rwklx,
deny /sys/kernel/security/** rwklx,
deny @{PROC}/* w, # deny write for all files directly in /proc (not in a subdir)
# deny write to files not in /proc/<number>/** or /proc/sys/**
deny @{PROC}/{[^1-9],[^1-9][^0-9],[^1-9s][^0-9y][^0-9s],[^1-9][^0-9][^0-9][^0-9]*}/** w,
deny @{PROC}/sys/[^k]** w, # deny /proc/sys except /proc/sys/k* (effectively /proc/sys/kernel)
deny @{PROC}/sys/kernel/{?,??,[^s][^h][^m]**} w, # deny everything except shm* in /proc/sys/kernel/
deny @{PROC}/sysrq-trigger rwklx,
deny @{PROC}/kcore rwklx,
/lib/x86_64-linux-gnu/ld-*.so mr,
deny /home/admin/** w,
deny /home/admin/flag_here/flag.txt r,
}

Download

Start the "AppArmorJail2" CTF-ATD
Connect via SSH to machine port 22222 (admin:admin)
The challenge validation password is in the file /home/admin/flag_here/flag.txt

Do not hesitate to change the password of the admin user so that you are the only one on the machine to carry out your operations.

Compromission time

3 hours

Operating system

linux

start this virtual environnement

173 Virtual Environnements

Results	Name	Validations	Difficulty	Author	Note
	Challenge SecuriTech	1% 13
	Windows XP pro 01	5% 490		g0uZ
	Exploit KB Vulnerable Web App	12% 305
	Holynix v1	24% 292
	Kioptrix level 2	25% 962
	Kioptrix level 3	33% 569
	Kioptrix level 4	35% 459
	LAMP security CTF4	35% 2687
	LAMP security CTF5	26% 3825
	LAMP security CTF6	18% 599
	Metasploitable	12% 1698
	Metasploitable 2	40% 8344
	Moth	21% 107
	pWnOS	32% 394
	Ubuntu 8.04 weak	5% 205		g0uZ
	Ultimate LAMP	18% 147
	VulnVoIP	17% 826
	VulnVPN	12% 59
	LAMP security CTF8	14% 288
	LAMP security CTF7	39% 879
	Hackademic RTB1	19% 362
	No Exploiting Me	14% 54
	SamBox v1	7% 714		sambecks
	SamBox v2	13% 951		sambecks
	RA1NXing Bots	8% 16
	Murdering Dexter	16% 49
	LoBOTomy	4% 9
	Vulnix	2% 12
	Xerxes	3% 18
	Infernal Hades	6% 15
	SkyTower	24% 212
	Bluebox - Microsoft Pentest	4% 408
	Acid: Reloaded	18% 174
	Acid: Server	12% 212
	CsharpVulnJson	6% 14		notfound404
	CsharpVulnSoap	11% 8
	/dev/random : Pipe	5% 233
	/dev/random : Relativity	7% 96
	/dev/random : Sleepy	4% 44
	brainpan1	4% 82
	LordoftheRoot	25% 227
	Flick 1	8% 64
	Flick 2	10% 10
	FristiLeaks 1.3	29% 214
	The Purge	5% 14
	SickOs: 1.1	13% 90
	Xerxes: 2.0.1	13% 20
	brainpan2	9% 22
	brainpan3	6% 6
	SAP Pentest	7% 284		iggy