Informations

• Virtual environnement chosen : AppArmorJail2
• Description : 
  Attention : this CTF-ATD is linked to the challenge "AppArmor Jail - Introduction"

  The administrator isn’t happy: you’ve managed to bypass his previous AppArmor policy. So he’s improved it so that you can no longer read his precious secrets.

  He’s so sure of himself that he’s left the configuration to you in order to taunt you. Show him it was a bad idea!

  1. #include <tunables/global>
  2.  
  3. profile docker_chall_medium flags=(attach_disconnected,mediate_deleted) {
  4. #include <abstractions/base>
  5. network,
  6. capability,
  7. file,
  8. umount,
  9. signal (send,receive),
  10. deny mount,
  11.  
  12. deny /sys/[^f]*/** wklx,
  13. deny /sys/f[^s]*/** wklx,
  14. deny /sys/fs/[^c]*/** wklx,
  15. deny /sys/fs/c[^g]*/** wklx,
  16. deny /sys/fs/cg[^r]*/** wklx,
  17. deny /sys/firmware/** rwklx,
  18. deny /sys/kernel/security/** rwklx,
  19.  
  20. deny @{PROC}/* w, # deny write for all files directly in /proc (not in a subdir)
  21. # deny write to files not in /proc/<number>/** or /proc/sys/**
  22. deny @{PROC}/{[^1-9],[^1-9][^0-9],[^1-9s][^0-9y][^0-9s],[^1-9][^0-9][^0-9][^0-9]*}/** w,
  23. deny @{PROC}/sys/[^k]** w, # deny /proc/sys except /proc/sys/k* (effectively /proc/sys/kernel)
  24. deny @{PROC}/sys/kernel/{?,??,[^s][^h][^m]**} w, # deny everything except shm* in /proc/sys/kernel/
  25. deny @{PROC}/sysrq-trigger rwklx,
  26. deny @{PROC}/kcore rwklx,
  27.  
  28. /usr/local/bin/sh px -> shprof2,
  29. deny /home/admin/** w,
  30. deny /home/admin/flag_here/flag.txt r,
  31. }
  32.  
  33. profile shprof2 flags=(attach_disconnected,mediate_deleted) {
  34. #include <abstractions/base>
  35. #include <abstractions/bash>
  36.  
  37. network,
  38. capability,
  39. mount,
  40. deny mount cgroup, # prevent container escape
  41. umount,
  42. file,
  43. signal (send,receive),
  44.  
  45. deny /sys/[^f]*/** wklx,
  46. deny /sys/f[^s]*/** wklx,
  47. deny /sys/fs/[^c]*/** wklx,
  48. deny /sys/fs/c[^g]*/** wklx,
  49. deny /sys/fs/cg[^r]*/** wklx,
  50. deny /sys/firmware/** rwklx,
  51. deny /sys/kernel/security/** rwklx,
  52.  
  53. deny @{PROC}/* w, # deny write for all files directly in /proc (not in a subdir)
  54. # deny write to files not in /proc/<number>/** or /proc/sys/**
  55. deny @{PROC}/{[^1-9],[^1-9][^0-9],[^1-9s][^0-9y][^0-9s],[^1-9][^0-9][^0-9][^0-9]*}/** w,
  56. deny @{PROC}/sys/[^k]** w, # deny /proc/sys except /proc/sys/k* (effectively /proc/sys/kernel)
  57. deny @{PROC}/sys/kernel/{?,??,[^s][^h][^m]**} w, # deny everything except shm* in /proc/sys/kernel/
  58. deny @{PROC}/sysrq-trigger rwklx,
  59. deny @{PROC}/kcore rwklx,
  60.  
  61. /lib/x86_64-linux-gnu/ld-*.so mr,
  62. deny /home/admin/** w,
  63. deny /home/admin/flag_here/flag.txt r,
  64. }

  Download

  • Start the "AppArmorJail2" CTF-ATD
  • Connect via SSH to machine port 22222 (admin:admin)
  • The challenge validation password is in the file /home/admin/flag_here/flag.txt

  Do not hesitate to change the password of the admin user so that you are the only one on the machine to carry out your operations. Game duration : 180 min

• Validation flag is stored in the file /passwd
• Only registered players for this game can attack the virtual environnement.
• A tempo prevent game starting to early or too late.
• Game will start when one player has choosen his virtual environnement and declared himself as ready.

Player's list

• Max1Truc (choice : AppArmorJail2, ready)