博文

A SandboxEscape Challenge: BleedingEdge

图片
Introduction
This is a challenge I made for XNUCA'2019 CTF Qualifier.
The challenge itself is not as hard as many pwnables,
you don't even need trigger any memory corruption
(I'm not sure if there has one) to solve it, but it'll require some basic knowledge about MicrosoftEdge and Windows Privilege Mechanisms.
I've never seen anyone takes MicrosoftEdge's Sandbox into a CTF challenge before, so I think it's interesting to post it here.
Why Sandbox In CTF? JSEngine bug in browser can do few things unless cooperating with a SandboxEscape bug.
From a realworld view, A SandboxEscape bug is very valuable.
Which also indicates the difficulty of finding one.
Sandbox Shown in CTF In GoogleCTF 2019,
Challenge amount distribution:
4 PWN
3 REVERSING
4 WEB
5 SANDBOX
What's the difficulty about Sandbox? Highly relying on Operating System Privilege Mechanisms.
Linux: Seccomp, namespace ...
Windows: AppContainer, Integrity level, SACL/DACL...
What…