
Not able to run a CTF binary

Open norey opened this issue 5 years ago • 3 comments

I'm running the following command for a CTF binary chal. chal is basically an echo server, so after the following, I connect to it with netcat and get the last two lines below. Anything sent is not returned. I'm very new to nsjail and I'm not sure how to troubleshoot the problem. The binary works fine without nsjail of course.

chal is 64-bit and uses the normal socket functions (socket, listen, bind, connect, send, recv, write, read, etc.), system(), fork(), dlsym(), memset() and others. Nothing really out of the ordinary.

This is on Ubuntu Server 18.04 using commit a78019993fe7cffd9865300036133b8a54a23019.

$ nsjail -Ml --port 50085 --cwd /home/user/ctf_final/ --chroot /  -R /bin -R /lib -R /lib32 -R /lib64 --rw -- /home/user/ctf_final/chal
[I][2019-10-25T21:21:35-0500] Mode: LISTEN_TCP
[I][2019-10-25T21:21:35-0500] Jail parameters: hostname:'NSJAIL', chroot:'/', process:'/home/user/ctf_final/chal', bind:[::]:50085, max_conns_per_ip:0, time_limit:0, personality:0, daemonize:false, clone_newnet:true, clone_newuser:true, clone_newns:true, clone_newpid:true, clone_newipc:true, clone_newuts:true, clone_newcgroup:true, keep_caps:false, disable_no_new_privs:false, max_cpus:0
[I][2019-10-25T21:21:35-0500] Mount: '/' -> '/' flags:MS_BIND|MS_REC|MS_PRIVATE type:'' options:'' dir:true
[I][2019-10-25T21:21:35-0500] Mount: '/bin' -> '/bin' flags:MS_RDONLY|MS_BIND|MS_REC|MS_PRIVATE type:'' options:'' dir:true
[I][2019-10-25T21:21:35-0500] Mount: '/lib' -> '/lib' flags:MS_RDONLY|MS_BIND|MS_REC|MS_PRIVATE type:'' options:'' dir:true
[I][2019-10-25T21:21:35-0500] Mount: '/lib32' -> '/lib32' flags:MS_RDONLY|MS_BIND|MS_REC|MS_PRIVATE type:'' options:'' dir:true
[I][2019-10-25T21:21:35-0500] Mount: '/lib64' -> '/lib64' flags:MS_RDONLY|MS_BIND|MS_REC|MS_PRIVATE type:'' options:'' dir:true
[I][2019-10-25T21:21:35-0500] Mount: '/proc' flags:MS_RDONLY type:'proc' options:'' dir:true
[I][2019-10-25T21:21:35-0500] Uid map: inside_uid:1000 outside_uid:1000 count:1 newuidmap:false
[I][2019-10-25T21:21:35-0500] Gid map: inside_gid:1000 outside_gid:1000 count:1 newgidmap:false
[I][2019-10-25T21:21:35-0500] Listening on [::]:50085
[I][2019-10-25T21:21:39-0500] New connection from: [::ffff:192.168.131.1]:54972 on: [::ffff:192.168.131.150]:50085
[I][2019-10-25T21:21:39-0500] Executing '/home/user/ctf_final/chal' for '[::ffff:192.168.131.1]:54972'

norey, Oct 26 '19 02:10

Hey,

chal is basically an echo server

and:

nsjail -Ml --port 50085

doesn't "stand well".

As described in the nsjail --help examples:

 Examples: 
 Wait on a port 31337 for connections, and run /bin/sh
  nsjail -Ml --port 31337 --chroot / -- /bin/sh -i

The -Ml --port ... makes nsjail host its own server and forward each connection to a newly created and sandboxed /bin/sh.

In other words, the -Ml --port ... can be used to "socketize and sandbox" a given binary or a ctf challenge. An example of that can be found at https://github.com/disconnect3d/reverse-me-python.

So you would have to use an option other than -Ml, but since nsjail spawns a new network namespace, I am not sure if it allows you to sandbox a server-like binary out of the box.

EDIT: It probably allows doing so, since there are configs for e.g. apache: https://github.com/google/nsjail/blob/master/configs/apache.cfg but you probably have to specify the network interface somehow (see macvlan in the apache config).

disconnect3d, Oct 27 '19 14:10

I don't understand those settings and what they are used for.

 --macvlan_iface|-I VALUE
	Interface which will be cloned (MACVLAN) and put inside the subprocess' namespace as 'vs'
 --macvlan_vs_ip VALUE
	IP of the 'vs' interface (e.g. "192.168.0.1")
 --macvlan_vs_nm VALUE
	Netmask of the 'vs' interface (e.g. "255.255.255.0")
 --macvlan_vs_gw VALUE
	Default GW for the 'vs' interface (e.g. "192.168.0.1")
 --macvlan_vs_ma VALUE
	MAC-address of the 'vs' interface (e.g. "ba:ad:ba:be:45:00")

I thought this was the interface that is supposed to be bound to the local one. So I used the local interface and got "Address already in use" errors so yeah.. I don't get it. And I'm not sure why this would make it work in the first place.

norey, Oct 28 '19 13:10

The easiest way to run an unmodified binary is to add --disable_clone_newnet to the nsjail command line (beware: it will use the host netns then, so it will be less isolated).

happyCoder92, Nov 12 '19 10:11
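Putting the two answers together (disconnect3d's point that -Ml is for "socketizing" a stdin/stdout program, not for a binary that calls bind()/listen() itself, and happyCoder92's --disable_clone_newnet suggestion), here is a constructed nsjail config for the issue's setup. It is an added example, not a config from the thread or from the nsjail repository. It keeps the issue's read-only mounts, switches to ONCE mode so nsjail does not open its own listener, and disables only the network namespace; the paths and limits are assumptions, and the field names follow nsjail's config.proto as understood at the time of writing, so check them against `nsjail --help` for the commit in use. The issue's --rw on / is deliberately left out, because a writable root undoes the -R mounts.

```protobuf
# Constructed example for this issue: run a self-listening server binary
# (the issue's chal, which calls bind()/listen() itself) under nsjail.
# Usage (assumed path):  nsjail --config /home/user/ctf_final/chal.cfg

name: "ctf-final-chal"
description: "Server-style challenge: the binary owns the socket, nsjail does not"

# ONCE instead of LISTEN (-Ml): nsjail must not open its own listener or
# wire a client socket to the child's stdin/stdout. This is the config-file
# form of:  nsjail -Mo --disable_clone_newnet --chroot / --cwd ... -- chal
mode: ONCE

# Equivalent of --disable_clone_newnet: the child keeps the host network
# namespace, so its own bind() on port 50085 is reachable from outside.
# Caveat from the thread: this is less isolated than a fresh netns, so the
# remaining namespaces stay enabled and limits below bound the process.
clone_newnet: false
clone_newuser: true
clone_newns: true
clone_newpid: true
clone_newipc: true
clone_newuts: true
clone_newcgroup: true
keep_caps: false

hostname: "NSJAIL"
chroot_dir: "/"
cwd: "/home/user/ctf_final"

# Same mounts as the issue's command line, all read-only (-R), plus the
# challenge directory itself and a private tmpfs for scratch files.
mount { src: "/bin"   dst: "/bin"   is_bind: true rw: false }
mount { src: "/lib"   dst: "/lib"   is_bind: true rw: false }
mount { src: "/lib32" dst: "/lib32" is_bind: true rw: false }
mount { src: "/lib64" dst: "/lib64" is_bind: true rw: false }
mount { src: "/home/user/ctf_final" dst: "/home/user/ctf_final" is_bind: true rw: false }
mount { dst: "/proc" fstype: "proc"  rw: false }
mount { dst: "/tmp"  fstype: "tmpfs" rw: true }

# Same 1000 -> 1000 mapping the issue's log shows.
uidmap { inside_id: "1000" outside_id: "1000" count: 1 }
gidmap { inside_id: "1000" outside_id: "1000" count: 1 }

# Limits that cost nothing for an echo server but bound a compromised one
# (values are assumptions; rlimit_as and rlimit_fsize are in MiB).
time_limit: 0         # long-running server: no wall-clock limit
rlimit_as: 512
rlimit_fsize: 8
rlimit_nofile: 64
rlimit_nproc: 32      # the binary fork()s per client; cap the process count

exec_bin {
  path: "/home/user/ctf_final/chal"
}
```

With clone_newnet false the sandboxed process can also open outbound connections from the host's network, which is the trade-off happyCoder92 warns about; the macvlan options norey asked about are the alternative that gives the jail its own interface instead.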