
This is the lxd privilege escalation tutorial. One fundamental step in ethical hacking is to look at which groups a user is a member of. This is critical for Linux privilege escalation.

You can install lxd on a Linux machine, or you can use a preconfigured machine to learn how to exploit lxd. For example, the Cynix 1 VulnHub tutorial shows that it is a great machine for testing lxd exploitation.

Finding out that the low-level user I control is a member of the lxd group is the first step.

Notice that the output of LinEnum.sh, a Linux privilege escalation enumeration tool, confirms that this is a good idea.

Exploit LXD

When you install LXD on a Linux machine, some things happen by default:

  • Adds $user to the lxd group.

If the user who installs lxd is a sudoer (root, for example), then that user can be used to run lxd as root, thereby opening an exploit avenue.

The first part of the exploitation for privilege escalation is to create a new container and import it.

Alpine is a very popular container image in Docker. People love it because it is so small, and I don’t want a ton of space taken up on my Kali Linux VM.

There is a GitHub repo with a perfect lxd Alpine container builder script that will do this automatically.

git clone https://github.com/saghul/lxd-alpine-builder.git
cd lxd-alpine-builder   # the clone creates a directory without the .git suffix
./build-alpine

The next step is to start the container and give it security privileges, making it a privileged container.

The last step is to run the exec command to start a bash session, which will run under the root user.

What I have done here is create a new lxd container, give it security privileges, and then set its mount path as /mnt.

From this point we are telling the container to interact with the host’s filesystem as root, and we are mounting the host filesystem at the defined mount path.

This makes sense, right? We are abusing the container to mount the host’s (target machine’s) filesystem, which contains the root flag, so that we can capture it.


This is one reason why membership of the lxd group should be granted carefully and its use monitored for privilege escalation activity.
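The two things a defender wants to check follow directly from the steps above: who is in the lxd group (the enumeration step LinEnum.sh performs), and whether any container is configured with security.privileged or a disk device whose source is the host root filesystem. The script below is an added audit example, not code from the original post or from the lxd-alpine-builder project. It runs offline against constructed sample data: the /etc/group excerpt, the user names alice and bob, and the container config in the style of `lxc config show <name> --expanded` are all made up for the demonstration.

```shell
#!/bin/sh
# Defensive audit helpers for an LXD host: list lxd group members and flag
# container configurations that amount to root on the host.

# Constructed sample of /etc/group (hypothetical users alice and bob).
SAMPLE_GROUP_FILE=$(mktemp)
cat >"$SAMPLE_GROUP_FILE" <<'EOF'
root:x:0:
sudo:x:27:alice
lxd:x:998:alice,bob
docker:x:999:
EOF

# Constructed sample in the shape of `lxc config show <name> --expanded`.
SAMPLE_CONTAINER_CONFIG=$(mktemp)
cat >"$SAMPLE_CONTAINER_CONFIG" <<'EOF'
architecture: x86_64
config:
  security.privileged: "true"
  volatile.last_state.power: RUNNING
devices:
  root:
    path: /
    pool: default
    type: disk
  hostfs:
    path: /mnt/root
    source: /
    type: disk
EOF
trap 'rm -f "$SAMPLE_GROUP_FILE" "$SAMPLE_CONTAINER_CONFIG"' EXIT

# Print the members of the lxd group from an /etc/group-format file, one per
# line. Every account listed here can drive the LXD daemon, which runs as root.
lxd_group_members() {
    awk -F: '$1 == "lxd" && $4 != "" { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' "$1"
}

# Succeed (exit 0) if the config enables security.privileged.
container_is_privileged() {
    grep -Eq '^[[:space:]]*security\.privileged:[[:space:]]*"?true"?' "$1"
}

# Print the names of disk devices whose source is the host root filesystem (/).
host_root_disk_devices() {
    awk '
        /^devices:/               { in_dev = 1; next }
        in_dev && /^[^ \t]/       { in_dev = 0 }
        in_dev && /^  [^ ]/       { sub(/:.*/, ""); sub(/^  /, ""); name = $0; next }
        in_dev && /^    source: \/[ \t]*$/ { print name }
    ' "$1"
}

# Run all checks and print a short report. Returns 0 when nothing risky is
# found and 1 otherwise, so it can gate a compliance job.
audit_lxd() {
    group_file=$1
    cfg=$2
    risky=0
    members=$(lxd_group_members "$group_file")
    if [ -n "$members" ]; then
        echo "lxd group members (equivalent to root on this host):"
        echo "$members" | sed 's/^/  /'
        risky=1
    fi
    if container_is_privileged "$cfg"; then
        echo "container config sets security.privileged=true"
        risky=1
    fi
    devs=$(host_root_disk_devices "$cfg")
    if [ -n "$devs" ]; then
        echo "disk devices exposing the host root filesystem: $(echo "$devs" | tr '\n' ' ')"
        risky=1
    fi
    return $risky
}

if ! audit_lxd "$SAMPLE_GROUP_FILE" "$SAMPLE_CONTAINER_CONFIG"; then
    echo "audit found privilege escalation risk"
fi
```

On a real host, point `lxd_group_members` at /etc/group (or the output of `getent group lxd`) and feed `host_root_disk_devices` the output of `lxc config show <name> --expanded` for each container; the `--expanded` form matters because a privileged flag or host mount can arrive through a profile rather than the container's own config.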
