Linux Attack and Defense: Exploiting a PHP Application and Breaking the Exploit

In this blog, I will describe how you can hack a Linux system. Then, I will detail how you could have proactively defeated the same attack—even if you didn’t know about any of the vulnerabilities in the system!

Breach2 (“boot2root”)

We attack the Breach2 “boot2root,” an intentionally-vulnerable virtual machine that serves as a one-person Capture the Flag (CTF). CTF’s are great training grounds for security practitioners to keep their attack skills sharp. The boot2root’s on VulnHub.com are especially engaging, because they are often themed after popular movies, books, and television shows. Breach2 is themed on the cult classic movie, “Office Space.” Here’s how the attack path proceeds:

1. Port scanned to find an SSH server on a strange port
2. Guessed Peter Gibbons’ password to unlock network access to Peter’s blog
3. Port scanned to find Peter’s blog
4. Used a persistent cross-site scripting (XSS) vulnerability to hook Peter’s browser
5. Exploited Peter’s browser to gain a shell on his machine
6. Found a localhost-based network daemon to gain a “Milton” user and a new web app
7. Guessed a password and planted a PHP reverse shell Trojan horse in the new web app
8. Received a connection from the web app’s PHP shell, acquiring a privileged user
9. Discovered that the new (blumbergh) account can run tcpdump as root using sudo
10. Created a script for tcpdump to run, granting milton more privilege in the sudoers file
11. Used sudo from milton’s account to get root and capture the flag

Disrupting the Attack

There are a number of proactive techniques you could use to disrupt this attack. You’d want to break one or more of the “links” in that attack path “chain.” In the webinar, we break the attack path at step 4, blocking access to Peter’s blog’s cross-site scripting (XSS) vulnerability by configuring the free ModSecurity tool to serve as a web application firewall (WAF). ModSecurity would block exploitation of the XSS vulnerability, even if that vulnerability had been a non-publicly-known “zero day.” Let’s look at four other links in the chain we can break with proactive measures.

Use the Free OSSEC Tool

First, we can use the free OSSEC tool to block the port scans in step 1 and step 3. OSSEC can detect a port scan and temporarily block list an IP address, cutting off the attacker’s access. In my on-demand webinar, How to Attack a Linux System + Ways to Detect and Respond Swiftly, I demonstrate how you can do this. I also cover it in this blog.

Created an AppArmor Profile

Second, we could have created an AppArmor profile to confine the web application’s behavior, such that it couldn’t write the Trojan horse PHP code to the filesystem, preventing the system from running that code in step 7. You can learn how to do that in my on-demand webinar Breaking the Zero-Day Attack on Linux. I also cover it in this blog.

Create a Strong “Egress” (Outbound) Firewall Rule Set

Third, we can create a strong “egress” (outbound) firewall rule set to block the Trojan horse “reverse shell” connection back to the attacker in step 8. The more capable attackers could counter this by using a less convenient “web shell” in place of the Trojan horse’s reverse shell, but we will have blocked the attackers who didn’t have the time, tools, or knowledge to outmaneuver our countermeasures.

Use a Tighter Policy on sudo

Fourth, we could use a tighter policy on sudo so that when we allow the blumbergh user to run tcpdump, we don’t grant him the root access achieved in step 10. Instead of allowing blumbergh to run tcpdump with arbitrary arguments, we could construct a script that runs it with only the arguments that we approve ahead of time. This script would need to check the arguments passed to it carefully or, ideally, not accept any arguments.

You’re in a Battle with Attackers

Here’s the point: you’re in a battle with attackers. It’s not a battle with a fair division of labor—you have to build, maintain, and defend a system, while their mission is solely to attack. With that said, proactive security tools and techniques can poise you to effectively parry attacks and defend against attackers. If this blog has piqued your interest, I’d certainly recommend watching its matching on-demand webinar "Linux Attack and Defense: Exploiting a PHP Application and Breaking the Exploit" and taking a look at the other webinars linked to in this article.