pwn misc

Wine Sandbox

Points: 290
Solves: 11

Did you know that Wine has the sandbox option?
We've turned it on and now we're giving you direct access to the command line. Try your best at reading the /flag.txt. You can write your stuff in C:\temp\.
Also, because we're not that bad, we've installed Windows Script Hosting for your convenience :).

nc ecsc19.hack.cert.pl 10130


If you want to set up the challenge locally, this is basically the "source code":

Dockerfile

FROM ubuntu:bionic

WORKDIR /tmp

RUN apt-get update \
    && apt-get install -y --no-install-recommends git ca-certificates build-essential bison flex pkg-config libprotobuf-dev libnl-route-3-dev protobuf-compiler \
    && git clone --recurse-submodules https://github.com/google/nsjail \
    && cd nsjail \
    && make \
    && mv nsjail /usr/local/bin/ \
    && cd / \
    && rm -rf /tmp/nsjail \
    && apt-get remove -y git build-essential bison flex pkg-config protobuf-compiler \
    && apt-get autoremove -y \
    && rm -rf /var/lib/apt/lists/*

RUN dpkg --add-architecture i386 \
    && apt-get update \
    && apt-get install -y --no-install-recommends wine-stable wine32 winetricks \
    && rm -rf /var/lib/apt/lists/*

RUN useradd -m sandbox

USER sandbox
WORKDIR /home/sandbox

RUN winetricks wsh57
RUN winetricks settings sandbox

COPY flag.txt /
COPY wine-sandbox.cfg .

CMD nsjail --config wine-sandbox.cfg

wine-sandbox.cfg

name: "wine-sandbox"

mode: LISTEN
port: 5000
hostname: "wine-sandbox"
cwd: "/home/sandbox"

envar: "HOME=/home/sandbox"
envar: "WINEPATH=C:\\windows;C:\\windows\\system32"

rlimit_nofile: 1024

mount {
    src: "/flag.txt"
    dst: "/flag.txt"
    is_bind: true
}

mount {
    src: "/dev/urandom"
    dst: "/dev/urandom"
    is_bind: true
}

mount {
    src: "/bin"
    dst: "/bin"
    is_bind: true
}

mount {
    src: "/lib"
    dst: "/lib"
    is_bind: true
}

mount {
    src: "/lib64"
    dst: "/lib64"
    is_bind: true
}

mount {
    src: "/usr"
    dst: "/usr"
    is_bind: true
}

mount {
    dst: "/tmp"
    fstype: "tmpfs"
    rw: true
    is_bind: false
}

mount {
    src: "/home/sandbox"
    dst: "/home/sandbox"
    is_bind: true
}

mount {
    dst: "/home/sandbox/.wine/dosdevices/c:/temp"
    fstype: "tmpfs"
    rw: true
    is_bind: false
}

mount {
    src_content: "<?xml version=\"1.0\"?>\n<!DOCTYPE fontconfig SYSTEM \"fonts.dtd\">\n<fontconfig><dir>/usr/share/fonts</dir><cachedir>/tmp/fontconfig</cachedir></fontconfig>"
    dst: "/etc/fonts/fonts.conf"
}

exec_bin {
    path: "/usr/lib/wine/wine"
    arg: "cmd"
    arg: "/c"
    arg: "cd c: && cmd"
}

Flag format: ecsc19{letters_digits_and_special_characters}.
