"If you implement boundaries and nobody is around to push them, do they even exist?" Tempted to test whether you can escape your sandbox, if only you had a shell to give it a try? boxxy is a library that can be linked into a debug build of an existing program and drops you into an interactive shell. From there you can step through the various stages of your sandbox and verify it actually contains™.
cargo run --example boxxy
Linking with Rust
Just add a dev-dependencies entry to your Cargo.toml and copy the examples/ folder. Modify it to include your sandbox.
[dev-dependencies]
boxxy = "0.*"
Linking with C
There is an example program; check the Makefile to see how it's built.
Calling into machinecode
[ ]> jit ww==
[ ]> jit 6xpeuAEAAABIice6BQAAAA8FuDwAAABIMf8PBejh////b2hhaQo=
You can use the objdump utility to generate shellcode from assembly:
make sc/ohai && cargo run --example objdump sc/ohai
Invoking from PHP
See autoboxxy for tooling to load boxxy from PHP, even if shell_exec and friends are disabled by php.ini.
You may need to build a fully static binary, this is possible using the
cargo build --release --example boxxy --target x86_64-unknown-linux-musl
strip target/x86_64-unknown-linux-musl/release/examples/boxxy
Debugging systemd security
There is a special ipc binary that automatically swaps its stdio interface with a Unix domain socket, so it can be used to debug the security settings of a systemd unit.
cargo build --release --example ipc-boxxy
install -Dm755 target/release/examples/ipc-boxxy /usr/local/bin/ipc-boxxy
Prepare systemd unit:
sudo tee /etc/systemd/system/[email protected] <<EOF
[Unit]
Description=ipc boxxy debugger

[Service]
User=root
ExecStart=/usr/local/bin/ipc-boxxy /run/boxxy-%i.sock

NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
PrivateDevices=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
RestrictAddressFamilies=AF_UNIX
MemoryDenyWriteExecute=true
CapabilityBoundingSet=
InaccessiblePaths=-/etc/ssh
EOF
Attach to shell:
sudo target/debug/ipc-listener /run/boxxy-foo.sock 'systemctl start [email protected]'
You can run arbitrary commands with
exec bash -i
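Before attaching a shell to a unit like the one above, it helps to know which of its hardening directives a unit under test actually sets. The following is an added example, not part of boxxy: the function names, the baseline list (taken from the unit on this page, with the site-specific InaccessiblePaths left out) and the sample unit are assumptions made for illustration.

```shell
# Baseline: hardening directives from the ipc-boxxy unit on this page (booleans as "yes").
BASELINE='NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
RestrictAddressFamilies=AF_UNIX
MemoryDenyWriteExecute=yes
CapabilityBoundingSet='

# effective_settings FILE: print Key=Value for every key in [Service]. Booleans become
# yes/no, an empty assignment resets a key, repeated non-empty values are joined.
effective_settings() {
    awk '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { svc = ($0 ~ /^[ \t]*\[Service\]/); next }
        svc && /=/ {
            k = $0; sub(/[ \t]*=.*/, "", k); sub(/^[ \t]+/, "", k)
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
            if (v ~ /^(true|on|1)$/) v = "yes"
            if (v ~ /^(false|off|0)$/) v = "no"
            if (v == "" || val[k] == "") val[k] = v; else val[k] = val[k] " " v
        }
        END { for (k in val) print k "=" val[k] }
    ' "$1"
}

# audit_unit FILE: one line per baseline directive that is missing or differs.
audit_unit() {
    settings=$(effective_settings "$1")
    printf '%s\n' "$BASELINE" | while IFS='=' read -r key want; do
        got=$(printf '%s\n' "$settings" | grep "^$key=") || { echo "missing $key"; continue; }
        [ "${got#*=}" = "$want" ] || echo "differs $key=${got#*=}"
    done
}

# Constructed sample unit (not from the page): weaker than the baseline.
sample_unit() {
    printf '%s\n' '[Unit]' 'Description=constructed sample' '[Service]' \
        'ExecStart=/usr/local/bin/ipc-boxxy /run/boxxy-%i.sock' \
        'NoNewPrivileges=true' 'ProtectSystem=full' 'PrivateTmp=on' \
        '# PrivateDevices=true' 'CapabilityBoundingSet=' \
        'CapabilityBoundingSet=CAP_NET_ADMIN' 'RestrictAddressFamilies=AF_UNIX'
}
unit=$(mktemp) && sample_unit > "$unit" && audit_unit "$unit"; rm -f "$unit"
```

The check only reads the unit file itself, so drop-in overrides are not seen; on a live host, `systemd-analyze security` reports the settings systemd actually applied.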
The example folder contains a reimplementation of lambdash. It automatically deploys boxxy as an AWS Lambda function and allows you to execute commands on it. The client supports cross-account access, but needs a preconfigured role that the Lambda should use. You need to build a static binary first.
cargo run --features=aws --example lambdash -- \
    --assume-role arn:aws:iam::133713371337:role/AdminRole \
    --role arn:aws:iam::133337133337:role/lambda-test-role eu-west-1 boxxy
There are vulnerable sandboxes (examples/vuln-*) as a challenge that can be exploited using the boxxy shell (no need to compile any exploits).
DO NOT POST SPOILERS
Start a challenge using e.g.
cargo run --example vuln-chroot
The shell is a basic interface for human input, do not write actual scripts, there be dragons.
Do not include boxxy in production builds.
This project is free software released under the LGPL3+ license.