redpwn / jail

An nsjail Docker image for CTF pwnables. Easily create secure, isolated xinetd/inetd-style services.

License: BSD 3-Clause "New" or "Revised" License

Dockerfile 4.66% Go 95.34%
security ctf nsjail docker inetd sandbox xinetd

jail's People

Contributors

clubby789, ethanwu10, ginkoid, malek-trez

jail's Issues

I have the error No such file or directory when launching a connection with redpwn

I have a jail using Python

#!/usr/local/bin/python

import random, time

x = random.randint(80, 120)
random.seed(time.time())
ll = [random.randrange(0,4294967294) for _ in range(624)]
togive = {"given":ll}
print(togive)

and this is the Dockerfile

FROM python:slim AS app
RUN pip install --no-cache-dir randcrack

FROM pwn.red/jail
COPY --from=app / /srv

ENV JAIL_POW=0 JAIL_PORT=1337 JAIL_TIME=20

COPY app.py /srv/app/run

WORKDIR /srv/app

RUN chmod +x run

and this is the compose file

version: '3.7'

services:
  predict:
    container_name: PyREDICTOR
    restart: unless-stopped
    build:
      context: ./challenge
      dockerfile: Dockerfile
    ports:
      - "5000:1337"
    privileged: true 

but I have this error when launching a connection

PyREDICTOR  | [I][2024-05-11T12:50:57+0000] Setting 'cpu.max' to '100000 1000000'
PyREDICTOR  | [I][2024-05-11T12:50:57+0000] Executing '/app/run' for '[::ffff:172.19.0.1]:42914'
PyREDICTOR  | [E][2024-05-11T12:50:57+0000][1] newProc():225 execve('/app/run') failed: No such file or directory
PyREDICTOR  | [F][2024-05-11T12:50:57+0000][1] runChild():483 Launching child process failed
PyREDICTOR  | [W][2024-05-11T12:50:57+0000][1] runChild():503 Received error message from the child process before it has been executed
PyREDICTOR  | [I][2024-05-11T12:50:57+0000] pid=12 ([::ffff:172.19.0.1]:42914) exited with status: 255, (PIDs left: 0)

Adding allowed syscalls

I'm trying to use your Docker image to host a pwn CTF challenge, but I'm having difficulties adding more allowed syscalls.

auid=4294967295 uid=1000 gid=1000 ses=4294967295 pid=7050 comm="run" exe="/app/run" sig=31 arch=40000003 syscall=45 compat=1 ip=0xf7f44e3b code=0x0

So, I identified that the forbidden syscall is 45, which is brk according to kafel, because the ELF is 32-bit, and then added ENV JAIL_SYSCALLS brk to my Dockerfile.

However the application continues to fail with the same auditd log.

Is this enough to add a syscall? Or did I miss something?

support half-closes

When one side (typically the client) half-closes the TCP stream to send an EOF to the other side, the connection is immediately terminated instead of allowing communications to continue for a short period. This behavior is sometimes used for signalling, especially if it is intentional for the program being hosted in the jail to only process after the EOF (e.g. sort), and thus is not compatible with the current implementation of redpwn/jail.

Currently, in the jail proxy server for PoW, whenever one end of the socket reaches EOF, the entire socket is then close()d, which likely breaks half-closes at the proxy server.
In addition, nsjail also immediately kills the process when the connection is half-closed, breaking half-close when jail is operating without a PoW in exec mode. We will need a patch to nsjail first to either disable the behavior or trigger the kill after a short delay.
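
A relay that preserves half-closes on the proxy side only, as an added Go example that is not part of the issue or of redpwn/jail's own proxy code: each direction forwards just the EOF with CloseWrite, and the sockets are closed once both directions have ended. The names relay and proxy and the two loopback addresses are assumptions made for this example.

```go
package main

import (
	"io"
	"log"
	"net"
)

const listenAddr, upstreamAddr = "127.0.0.1:1337", "127.0.0.1:1338" // assumed

// relay copies src to dst until EOF, then forwards only that EOF (a FIN) with
// CloseWrite. Calling dst.Close() here is the behaviour the issue describes.
func relay(dst, src *net.TCPConn) error {
	if _, err := io.Copy(dst, src); err != nil {
		return err
	}
	return dst.CloseWrite()
}

// proxy relays client<->addr and closes the sockets only after both directions end.
func proxy(client *net.TCPConn, addr string) error {
	defer client.Close()
	conn, err := net.Dial("tcp", addr)
	if err != nil {
		return err
	}
	defer conn.Close()
	upstream := conn.(*net.TCPConn)
	done := make(chan error, 1)
	go func() { done <- relay(upstream, client) }()
	if err := relay(client, upstream); err != nil {
		return err
	}
	return <-done
}

func main() {
	ln, err := net.Listen("tcp", listenAddr)
	if err != nil {
		log.Fatal(err)
	}
	for {
		c, err := ln.Accept()
		if err != nil {
			log.Fatal(err)
		}
		go proxy(c.(*net.TCPConn), upstreamAddr)
	}
}
```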

nodejs support

Is there a way to add nodejs to the Docker image? I have tried following the same way as the example and it always fails.

Azure

Trying to host a challenge in Azure but I don't think there is a "privileged" mode like docker. Doesn't appear to be working. Any suggestions?

tmpfs for jail `/dev`

We currently mknod /jail/dev/{null,zero,urandom} during build and then bind mount /jail/dev to /srv/dev at runtime:

jail/Dockerfile

Lines 19 to 21 in 90ee060

mknod -m 666 /jail/dev/null c 1 3 && \
mknod -m 666 /jail/dev/zero c 1 5 && \
mknod -m 444 /jail/dev/urandom c 1 9

jail/cmd/jailrun/jailrun.go

Lines 146 to 148 in 90ee060

if err := unix.Mount("/jail/dev", "/srv/dev", "", unix.MS_BIND, ""); err != nil {
	return fmt.Errorf("mount dev: %w", err)
}

Instead, we should mount a tmpfs to /srv/dev at runtime, mknod all the devices we want, and remount the tmpfs as read-only.

This allows the devices available to the jail to be specified at runtime. It also means that /dev in each jail will be mounted read-only, so we don't have to rely on file permissions there.
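
One way to carry out the sequence proposed above, as an added Go example that is not the project's code: it uses the standard syscall package where the quoted jailrun.go calls unix.Mount, and the device type, mkdev and mountDev are hypothetical names. It needs CAP_SYS_ADMIN and CAP_MKNOD to succeed.

```go
package main

import (
	"fmt"
	"log"
	"syscall"
)

type device struct {
	name         string
	major, minor uint64
	perm         uint32
}

// The three nodes the Dockerfile quoted above creates at build time.
var devices = []device{{"null", 1, 3, 0666}, {"zero", 1, 5, 0666}, {"urandom", 1, 9, 0444}}

// mkdev packs major/minor into a Linux dev_t the way glibc's makedev does.
func mkdev(major, minor uint64) int {
	return int((major&0xfff)<<8 | (major&^0xfff)<<32 | minor&0xff | (minor&^0xff)<<12)
}

// mountDev mounts a tmpfs on target, creates devs and remounts it read-only
// with the same flags. chmod is needed because the umask filters mknod's mode.
func mountDev(target string, devs []device) error {
	const flags = syscall.MS_NOSUID | syscall.MS_NOEXEC // MS_NODEV would disable the nodes
	if err := syscall.Mount("tmpfs", target, "tmpfs", flags, "mode=0755"); err != nil {
		return fmt.Errorf("mount tmpfs: %w", err)
	}
	for _, d := range devs {
		path := target + "/" + d.name
		if err := syscall.Mknod(path, syscall.S_IFCHR|d.perm, mkdev(d.major, d.minor)); err != nil {
			return fmt.Errorf("mknod %s: %w", path, err)
		}
		if err := syscall.Chmod(path, d.perm); err != nil {
			return fmt.Errorf("chmod %s: %w", path, err)
		}
	}
	if err := syscall.Mount("", target, "", syscall.MS_REMOUNT|syscall.MS_RDONLY|flags, ""); err != nil {
		return fmt.Errorf("remount read-only: %w", err)
	}
	return nil
}

func main() {
	if err := mountDev("/srv/dev", devices); err != nil {
		log.Fatal(err)
	}
}
```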

1 git clone is not enough

When I use git clone to get the repository and build a docker image, I still have to git clone the fork separately.
Please fix it, or at least add a note in the Readme.md that we need to get specifically your forked nsjail for this to work.
