Gaming Server
This engagement demonstrates how exposed credentials and LXD group misconfigurations can be chained together to achieve full system compromise via container escape techniques.
Reconnaissance
- SSH (OpenSSH)
- HTTP (Apache)
Directory enumeration revealed a hidden `/secret` path containing a private SSH key, indicating potential credential exposure.
Initial Access
The passphrase protecting the SSH private key was cracked, recovering `letmein`, which allowed login as user `john`.
Key Finding: LXD Group Misconfiguration
The user belonged to the LXD group, allowing container creation and interaction with the host filesystem.
This effectively grants root-equivalent privileges when abused.
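From the defender's side, the same finding can be caught by auditing group membership before an attacker does. The script below is an added example, not part of the original engagement: the sample `/etc/group` and `/etc/passwd` contents are constructed, the `builder` account and the function names are hypothetical, and `docker` is included as an assumption because it carries the same class of risk as `lxd`.

```python
"""Audit which local accounts hold membership in root-equivalent groups."""
from pathlib import Path

# "lxd" is the group from this write-up; "docker" is added here as an
# assumption because membership carries the same class of risk.
RISKY_GROUPS = {"lxd", "docker"}

# Constructed sample data in /etc/group and /etc/passwd format.
SAMPLE_GROUP = """\
root:x:0:
sudo:x:27:john
lxd:x:108:john
docker:x:998:
www-data:x:33:
"""
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
john:x:1000:1000:john:/home/john:/bin/bash
builder:x:1001:108:CI account:/home/builder:/bin/sh
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
"""

def risky_members(group_text, passwd_text, risky=RISKY_GROUPS):
    """Return {group: sorted users}, counting supplementary and primary-GID membership."""
    found, gid_to_group = {}, {}
    for line in group_text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or parts[0] not in risky:
            continue
        name, gid, members = parts[0], parts[2], parts[3]
        gid_to_group[gid] = name
        found[name] = {m for m in members.split(",") if m}
    # A user whose primary GID is the risky group is not listed in the
    # /etc/group member field, so that field alone under-reports.
    for line in passwd_text.splitlines():
        parts = line.strip().split(":")
        if len(parts) >= 4 and parts[3] in gid_to_group:
            found[gid_to_group[parts[3]]].add(parts[0])
    return {g: sorted(u) for g, u in found.items() if u}

def audit_host(group_path="/etc/group", passwd_path="/etc/passwd"):
    """Run the same check on local files (LDAP/SSSD accounts are not covered)."""
    return risky_members(Path(group_path).read_text(), Path(passwd_path).read_text())

if __name__ == "__main__":
    for group, users in risky_members(SAMPLE_GROUP, SAMPLE_PASSWD).items():
        print(f"{group}: {', '.join(users)}")
```

Every account this reports should be treated as having root on the host and reviewed accordingly.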
Exploitation
A privileged container was created and configured to mount the host root directory. From within the container, the host filesystem was accessed and a root shell was obtained.
`lxc exec privesc-container /bin/sh`
Impact
This vulnerability resulted in full system compromise, allowing access to all files, credentials, and system configurations.
Attackers could maintain persistence, manipulate users, and completely control the host.
- Never expose private SSH keys in web directories
- LXD group access can lead to full root compromise
- Containers can be abused to escape into the host
- Always check group memberships during enumeration
- Misconfigurations often chain into full compromise