LXD

Overview

This documentation outlines a privilege escalation technique leveraging membership in the LXD group to gain root-level access on a system.

Attack Method

The exploit involves several key steps:

Initialization: First, the attacker initializes LXD with default settings to establish the necessary container infrastructure.

Container Creation: A privileged Ubuntu container is instantiated using the command to create a container with elevated permissions enabled.

Filesystem Mounting: The attacker adds a disk device to the container that mounts the host system's root filesystem (/) to a path within the container, making all host files accessible.

Root Access: By executing a shell within the container, the attacker gains root-level command execution and can access previously restricted files like /etc/shadow.

Cleanup: The attacker removes traces by stopping and deleting the container and associated images.

Key Code Block

N/ABASH

lxc config device add privesc whatever disk source=/ path=/mnt/root recursive=true
lxc start privesc
lxc exec privesc bash

This sequence mounts the host root directory to the container and provides shell access, enabling full system compromise.

Prerequisites

User membership in the lxd group (gid=110 in the example)
LXD installed and functional on the target system

██╗ ██████╗ ███████╗██╗███████╗███╗ ██╗██████╗ ██║██╔═══██╗██╔════╝██║██╔════╝████╗ ██║██╔══██╗ ██║██║ ██║█████╗ ██║█████╗ ██╔██╗ ██║██║ ██║ ██║██║ ██║██╔══╝ ██║██╔══╝ ██║╚██╗██║██║ ██║ ██║╚██████╔╝██║ ██║███████╗██║ ╚████║██████╔╝ ╚═╝ ╚═════╝ ╚═╝ ╚═╝╚══════╝╚═╝ ╚═══╝╚═════╝