lxd
Linux Daemon (LXD) is Ubuntu's container manager and is similar to Docker. LXD is a management API for dealing with LXC containers on Linux systems. It will perform tasks for any member of the local lxd group, and it makes no effort to match the permissions of the calling user to the function it is asked to perform.
Before we can use this service to escalate our privileges, we must be in either the lxc or lxd group.
Source: https://www.hackingarticles.in/lxd-privilege-escalation/. That article gives a good explanation of how lxc works. Original source: https://bugs.launchpad.net/ubuntu/+source/lxd/+bug/1829071.
Privilege escalation
Privilege escalation through lxd requires access to a local account, and that local account must belong to the lxd group.
Create our own container with Alpine and transfer it to the target system
In order to escalate to root on the host machine you have to create an image for lxd, so you need to perform the following actions:
Steps to be performed on the attacker machine:
Steps to be performed on the victim machine:
Example from HackTheBox
Unzip the Alpine image.
Start the LXD initialization process. Choose the defaults for each prompt. Consult this post for more information on each step.
Import the local image.
Start a privileged container with security.privileged set to true, so the container runs without a UID mapping and the root user in the container is the same as the root user on the host.
Mount the host file system.
Finally, spawn a shell inside the container instance. We can now browse the mounted host file system as root.
Docker
Placing a user in the docker group is essentially equivalent to root level access to the file system without requiring a password. Members of the docker group can spawn new docker containers:
This command creates a new Docker instance with the /root directory on the host file system mounted as a volume. Once the container is started we are able to browse the mounted directory and retrieve or add SSH keys for the root user. This could be done for other directories such as /etc, which could be used to retrieve the contents of the /etc/shadow file for offline password cracking or adding a privileged user.
Disk
Users within the disk group have full access to any devices contained within /dev, such as /dev/sda1, which is typically the main device used by the operating system. An attacker with these privileges can use debugfs to access the entire file system with root level privileges.
1. Check if the user is in the disk group
2. Identify the disk partitions available
3. Look for partitions like /dev/sda1, which usually contain the root filesystem, and open the filesystem with debugfs
4. Access and read sensitive files (e.g., /etc/shadow)
ADM
Members of the adm group are able to read all logs stored in /var/log. This does not directly grant root access, but could be leveraged to gather sensitive data stored in log files or enumerate user actions and running cron jobs.
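Every section above comes down to the same control question for a defender: which accounts hold membership in lxd, lxc, docker, disk or adm? The following POSIX sh audit is an added example, not code from the article or from the sources it cites. It lists every such member, including accounts whose primary group in /etc/passwd is one of those groups, which a plain look at the member column of /etc/group misses. The group and passwd contents it creates are constructed samples; the set of high-risk group names is taken from this page.

```shell
#!/bin/sh
# Audit group(5)/passwd(5) files for accounts in groups that confer
# root-equivalent access (lxd, lxc, docker, disk) or broad log access (adm).

# Group names as discussed on this page (assumption: these are the ones you care about).
HIGH_RISK_GROUPS="lxd lxc docker disk adm"

# Print one "user group kind" line per risky membership.
#   $1: group file (default /etc/group)   $2: passwd file (default /etc/passwd)
# "supplementary" = listed in the group's member column,
# "primary"       = the account's login GID is that group.
risky_members() {
    group_file="${1:-/etc/group}"
    passwd_file="${2:-/etc/passwd}"
    while IFS=: read -r gname gpw gid members; do
        # Skip groups that are not in the high-risk list.
        case " $HIGH_RISK_GROUPS " in
            *" $gname "*) ;;
            *) continue ;;
        esac
        # Supplementary members: comma-separated fourth field, possibly empty.
        printf '%s\n' "$members" | tr ',' '\n' | while read -r u; do
            if [ -n "$u" ]; then
                printf '%s %s supplementary\n' "$u" "$gname"
            fi
        done
        # Primary members: accounts whose passwd GID equals this group's GID.
        while IFS=: read -r uname upw uid ugid rest; do
            if [ "$ugid" = "$gid" ]; then
                printf '%s %s primary\n' "$uname" "$gname"
            fi
        done < "$passwd_file"
    done < "$group_file"
}

# Exit 0 when no risky membership exists, 1 otherwise (usable from cron or CI).
audit_groups() {
    if risky_members "$@" | grep -q .; then
        return 1
    fi
    return 0
}

# Constructed sample data for a stand-alone run; prints the directory it wrote.
make_sample() {
    d=$(mktemp -d)
    cat > "$d/group" <<'EOF'
root:x:0:
adm:x:4:syslog,alice
disk:x:6:
lxd:x:110:bob
docker:x:999:bob,carol
users:x:100:
EOF
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:100:Alice:/home/alice:/bin/bash
bob:x:1001:100:Bob:/home/bob:/bin/bash
carol:x:1002:6:Carol:/home/carol:/bin/sh
EOF
    printf '%s\n' "$d"
}

# Demonstration on the constructed sample (carol's primary group is disk).
sample_dir=$(make_sample)
risky_members "$sample_dir/group" "$sample_dir/passwd"
```

Run it without arguments on a real host to audit /etc/group and /etc/passwd directly; the membership kind in the third column tells you whether to fix the group file or the account's login group.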