Show HN: Embed runnable code snippets on your website (amasad.me)
10 points by amasad on April 17, 2015 | 11 comments



Finally, this is what GitHub should have in the first place. Thank you!


http://repl.it/jM0

You may want to disable shell execution.


One of the things that bothers me about other sites is that they're too restrictive. I want people using this to get a proper environment for testing and teaching others, and that means you can run shell commands or write to disk. I'll rethink that if it ever becomes a problem.


Okay. I hope it doesn't. :)


Here's a fun one for a ruby repl:

    # spawn a poor man's shell from repl

    require 'open3'
    
    Open3.popen3("/bin/sh -i") do |stdin,stdout,stderr,wthr|

        loop do
            ready = select([$stdin, stdout, stderr], nil, nil, 10)
            if ready
                ready[0].each do |f|
                    buf = ""
                    begin
                        while d = f.read_nonblock(1024)
                            buf += d
                        end
                    rescue Errno::EAGAIN
                    end

                    case f
                        when $stdin
                            stdin.write(buf)
                        when stdout,stderr
                            $stdout.write(buf)
                    end
                end
            end
        end
    end

This lets you explore the environment a bit more. I haven't figured out anything to do with it yet. :)


BTW, using this trick, I managed to get root in your VM. I assume you have it logged and can see how (was hitting http://repl.it/jND/13 if that helps you locate it); it wasn't anything particularly clever. I didn't do much beyond that. Having no network access limits the possibilities. :)


Even if you get root, what can you really do?


I'm not exactly sure what a root process in a docker container can do (probably depends a lot on the container configuration, plus is probably evolving as we speak, and is subject to bugs), but in my opinion, even if you have redundant security layers, you should be at least a little concerned when somebody is able to jump up a layer (from your 'runner' non-privileged user to root in this case).

edit: I did find a kernel arbitrary code execution exploit PoC for the kernel version you're running but I decided against trying it out because I didn't want to crash your docker host.


I am. Thanks for letting me know. Can you provide some more details about how you escalated privileges and the PoC?


Your root user has no password, so executing 'su' just gives you a root shell. That's pretty much it. :)

You can do it by hitting my link above, running the saved code, which defines a 'sh' function, then running the 'sh' function from the repl. That will give you a shell, which you can then 'su' in. It doesn't give you a prompt back because that first shell is non-interactive, but if you run 'sh -i' from there you'll get your # prompt.

I told you it wasn't all that clever. :)

edit: great site, by the way. I love the concept and my hat is off to you for letting people run wild. The front-end execution is nice, too.

BTW, I ran into a limit on the size of a script I could save, and I recommend keeping that, as it prevented me from easily uploading a gcc executable by statically declaring GCC="\x7FELF\x02\x01\x01\x00\x00\x00\x00..." and then writing it to a file. It can still be done, but it's a pain in the ass.


+1 for uid=0
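
The escalation reported in this thread worked because root's password field was empty, so `su` asked for nothing. As an added example (not part of the thread and not repl.it's code), here is a shell check that an image build could run against a shadow-format file; the function names and sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag accounts whose shadow password field is empty.
# An empty second field means no password is required for that account.

# write_constructed_sample FILE: constructed shadow entries, not real data.
write_constructed_sample() {
    cat > "$1" <<'EOF'
root::16542:0:99999:7:::
daemon:*:16542:0:99999:7:::
runner:!:16542:0:99999:7:::
EOF
}

# empty_password_accounts FILE: print each account with an empty field 2.
empty_password_accounts() {
    awk -F: 'NF >= 2 && $2 == "" { print $1 }' "$1"
}

# root_password_state FILE: print empty, locked, set or missing for root.
root_password_state() {
    awk -F: '
        $1 == "root" {
            found = 1
            if ($2 == "")          state = "empty"
            else if ($2 ~ /^[!*]/) state = "locked"
            else                   state = "set"
        }
        END { print (found ? state : "missing") }
    ' "$1"
}

# audit_shadow FILE: return 1 and report on stderr if any field is empty.
audit_shadow() {
    bad=$(empty_password_accounts "$1")
    if [ -n "$bad" ]; then
        # $bad is left unquoted on purpose: one report line per account.
        printf 'empty password field: %s\n' $bad >&2
        return 1
    fi
    return 0
}

# Demo on the constructed sample; point audit_shadow at /etc/shadow in a build.
sample=$(mktemp)
write_constructed_sample "$sample"
audit_shadow "$sample" || echo "check failed: root state is $(root_password_state "$sample")"
rm -f "$sample"
```

Locking the account with `passwd -l root` puts a `!` in front of the field, which this check reports as `locked`.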



