Docker group/LXD group

Docker Group Privilege Escalation

If you have docker group privileges, then you can easily get root:

In docker, you have a -v (bind mount a volume) option. This means you can bind the root directory to a place in a docker container. So you can basically “import” the root directory of the host OS to some place in a docker container (like /mnt/someplace):

docker run -v /:/mnt/someplace -it <image-name> bash

So when you navigate to /mnt/someplace inside the docker container, you will be able to read (and write I think?) the files as root, since you are root in the docker container.

LXD Group Privilege Escalation

Pretty much the same method works if you're in the lxd group.

Follow this guide if the machine doesn't have internet access:

Follow this one if it does have internet access:
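Since membership of either group amounts to root on the host, as both sections above describe, a useful check when auditing a machine is to list who holds that membership. The shell function below is an added example, not part of the original notes; the function name root_equiv_members and the sample group/passwd data are constructed for illustration.

```shell
#!/bin/sh
# Added example: list accounts that are root-equivalent via the docker or lxd group.
# Usage: root_equiv_members [group_file] [passwd_file]   (hypothetical helper name)
# Output: one "group:user" line per finding, sorted and de-duplicated.
root_equiv_members() {
    group_file=${1:-/etc/group}
    passwd_file=${2:-/etc/passwd}
    # First file is group (name:pw:gid:member,member), second is passwd
    # (user:pw:uid:gid:...). Reading passwd as well catches users whose
    # *primary* group is docker/lxd and who never appear in the member list.
    awk -F: '
        FILENAME == ARGV[1] {
            if ($1 == "docker" || $1 == "lxd") {
                gid_to_name[$3] = $1
                n = split($4, members, ",")
                for (i = 1; i <= n; i++)
                    if (members[i] != "" && members[i] != "root")
                        print $1 ":" members[i]
            }
            next
        }
        ($4 in gid_to_name) && $1 != "root" { print gid_to_name[$4] ":" $1 }
    ' "$group_file" "$passwd_file" | LC_ALL=C sort -u
}

# Constructed sample data (not taken from a real host).
sample_dir=$(mktemp -d)
cat > "$sample_dir/group" <<'EOF'
root:x:0:
sudo:x:27:alice
docker:x:998:alice,ci-runner
lxd:x:110:bob
EOF
cat > "$sample_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
ci-runner:x:1002:1002::/home/ci-runner:/bin/sh
deploy:x:1003:998::/home/deploy:/bin/sh
EOF
root_equiv_members "$sample_dir/group" "$sample_dir/passwd"
```

Called with no arguments, the function reads /etc/group and /etc/passwd; any account it prints should be reviewed as if it had unrestricted sudo.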
