Tags: linux, chroot

Can someone help me understand the chroot escape exploit?


I am trying to understand the chroot escape exploitation. I was reading this article: https://tbhaxor.com/breaking-out-of-chroot-jail-shell-environment/

From this website, I found this graph:

[Image: Chroot escape process]

I am confused about the step where it says

"multiple chdir will change the kernel cwd to / using n times chdir("..") syscall"

Why is this true? chdir("..") from a chrooted root directory should just return itself, right? But if you do it n times, it will take you to the host root? Why do you have to do it "n" times before it works?


Solution

  • I am the author of the post you mentioned here.

    Because you don't know where exactly the CWD was when the user executed the chroot syscall. It could be at /home/test/john or /home/test/john/mydir and so on.

    But say you do the chdir("..") syscall, let's say, 5 times. In the first case, it will take you back to the root in 3 chdirs, and when you perform .. on the root directory it is ineffective (read more).

    Now in the second case, it will take you to the root directory in 4 chdir("..") syscalls. So again .. on the root directory is ineffective. Generally, exploits use 1000 chdirs just because they don't want to take any chance of missing the actual root directory. Here by "actual root directory" I mean the working directory or CWD.

    When you do chroot, it doesn't change the working directory or cwd for the kernel but only for the applications running inside it. That is why, when you don't drop the privileges and perform a double chroot in the already chrooted environment, it breaks you out of the chroot jail. I understood how this works from this post. I hope you will find it useful too.

    Here is one more resource for you to understand the difference between CWD and ROOT directory: https://github.com/earthquake/chw00t#got-that-but-how-does-it-work.
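The point the answer makes (cwd and root are separate per-process state, `..` is only clamped at the process root, and `chroot(2)` moves the root without touching cwd) can be made concrete with a small model of Linux name lookup. The following is an added example, not code from the question, the answer, or the linked article; the `Process` class, `climb`, `make_jail` and `double_chroot` are this example's own names, the jail path `/srv/jail` is made up, and the model does not check that any directory exists. It also shows the two things a service should do when it enters a jail: `chdir("/")` right after `chroot(".")` so the cwd is anchored inside the new root, and giving up the ability to call `chroot` again (CAP_SYS_CHROOT), which is what makes the second `chroot` fail with EPERM.

```python
# Added example (not from the question or the answer above): a model of the two pieces
# of per-process state that Linux name lookup uses, the root directory and the current
# working directory, encoding the kernel's rule that ".." is a no-op only when the lookup
# is exactly at the process root (or at the real filesystem root), and that chroot(2)
# moves the root but leaves cwd alone and requires CAP_SYS_CHROOT.
# Class and function names are this example's own; directory existence is not checked.


def _split(path: str) -> tuple:
    """'/home/test/john/' -> ('home', 'test', 'john'); '/' -> ()."""
    return tuple(part for part in path.split("/") if part not in ("", "."))


class Process:
    """Name-lookup state of one process. root and cwd are absolute paths on the real
    filesystem, stored as tuples of path components."""

    def __init__(self, root: str = "/", cwd: str = "/", privileged: bool = True):
        self.root = _split(root)
        self.cwd = _split(cwd)
        self.privileged = privileged  # stands in for holding CAP_SYS_CHROOT

    def _resolve(self, path: str) -> tuple:
        cur = self.root if path.startswith("/") else self.cwd
        for part in path.split("/"):
            if part in ("", "."):
                continue
            if part == "..":
                # Kernel rule: stop at the process root or at the real root. The test is
                # equality, not containment, so a cwd that lies *outside* the root keeps
                # climbing until it reaches the real "/".
                if cur == self.root or cur == ():
                    continue
                cur = cur[:-1]
            else:
                cur = cur + (part,)
        return cur

    def chdir(self, path: str) -> None:
        self.cwd = self._resolve(path)

    def chroot(self, path: str) -> None:
        if not self.privileged:
            raise PermissionError("EPERM: chroot(2) requires CAP_SYS_CHROOT")
        self.root = self._resolve(path)  # cwd deliberately untouched, exactly like chroot(2)

    def getcwd(self) -> str:
        """What getcwd(2) reports: a path relative to the root, or '(unreachable)/...'
        when the cwd is not under the root at all."""
        if self.cwd[: len(self.root)] == self.root:
            return "/" + "/".join(self.cwd[len(self.root):])
        return "(unreachable)/" + "/".join(self.cwd)

    def getroot(self) -> str:
        return "/" + "/".join(self.root)


def climb(proc: Process, n: int) -> str:
    """The 'n times chdir("..")' loop from the question; returns the resulting cwd."""
    for _ in range(n):
        proc.chdir("..")
    return proc.getcwd()


def make_jail(jail: str = "/srv/jail", drop_privilege: bool = True) -> Process:
    """How a service should enter a jail: chdir into it, chroot('.'), chdir('/') so the
    cwd is anchored inside the new root, then give up CAP_SYS_CHROOT.
    drop_privilege=False skips that last step, the condition the answer describes."""
    proc = Process()
    proc.chdir(jail)
    proc.chroot(".")
    proc.chdir("/")
    if drop_privilege:
        proc.privileged = False
    return proc


def double_chroot(proc: Process, n: int = 1000) -> str:
    """The sequence the answer describes, run against the model. Returns the real path
    the process root ends at, or 'EPERM' when the privilege had been dropped."""
    try:
        proc.chroot("inner")  # a subdirectory of the jail (existence not modelled)
    except PermissionError:
        return "EPERM"
    climb(proc, n)  # cwd now lies outside the new root, so '..' is no longer clamped
    proc.chroot(".")  # root := cwd
    return proc.getroot()


if __name__ == "__main__":
    print("from /home/test/john, 5 x '..' ->", climb(Process(cwd="/home/test/john"), 5))
    for drop in (False, True):
        jailed = make_jail(drop_privilege=drop)
        print(f"privilege dropped={drop}: root afterwards -> {double_chroot(jailed)}")
```

Running the script prints `/` for the jail that kept CAP_SYS_CHROOT and `EPERM` for the one that dropped it; the extra `..` calls beyond the directory depth are no-ops in both cases, which is all the "1000 chdirs" figure in the answer relies on.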