Free Privileged Account Discovery Tool: Identify & secure credentials to stop lateral movement. Download Free

BeyondTrust
  • Products
    Privileged Password Management
    Discover, manage, audit, and monitor privileged accounts
    Password Safe DevOps Secrets Safe
    Endpoint Privilege Management
    Manage privileges on Windows, Mac, Linux, and Unix endpoints
    Windows and Mac Unix and Linux Active Directory Bridge
    Secure Remote Access
    Centrally manage and secure remote access for service desks and vendors
    Remote Support Privileged Remote Access
    BeyondInsight Analytics
    See All Solutions
  • Resources

    Universal Privilege Management

    Our innovative Universal Privilege Management approach secures every user, asset, and session across your entire enterprise.

    Watch Video

    Learn

    Case Studies
    Competitor Comparisons
    Datasheets
    Glossary
    Product Demos
    Whitepapers

    Attend

    Events
    Go Beyond
    Training
    Webinars

    Support

    Changelog
    Professional Services
    Technical Documentation
  • Blog
  • Partners
  • Contact
  • Support
  • Services
  • Training
  • Events
  • Company

Linux Attack and Defense: Exploiting a PHP Application and Breaking the Exploit

January 22, 2018

  • Blog
  • Archive

blog-linux-attack-defense.jpg


Note: This blog complements this on-demand webinar by the same name: "Linux Attack and Defense: Exploiting a PHP Application and Breaking the Exploit" view now

In this blog, I will describe how you can hack a Linux system. Then, I will detail how you could have proactively defeated the same attack—even if you didn’t know about any of the vulnerabilities in the system!

Breach2 (“boot2root”)

We attack the Breach2 “boot2root,” an intentionally-vulnerable virtual machine that serves as a one-person Capture the Flag (CTF). CTF’s are great training grounds for security practitioners to keep their attack skills sharp. The boot2root’s on VulnHub.com are especially engaging, because they are often themed after popular movies, books, and television shows. Breach2 is themed on the cult classic movie, “Office Space.” Here’s how the attack path proceeds:

  1. Port scanned to find an SSH server on a strange port
  2. Guessed Peter Gibbons’ password to unlock network access to Peter’s blog
  3. Port scanned to find Peter’s blog
  4. Used a persistent cross-site scripting (XSS) vulnerability to hook Peter’s browser
  5. Exploited Peter’s browser to gain a shell on his machine
  6. Found a localhost-based network daemon to gain a “Milton” user and a new web app
  7. Guessed a password and planted a PHP reverse shell Trojan horse in the new web app
  8. Received a connection from the web app’s PHP shell, acquiring a privileged user
  9. Discovered that the new (blumbergh) account can run tcpdump as root using sudo
  10. Created a script for tcpdump to run, granting milton more privilege in the sudoers file
  11. Used sudo from milton’s account to get root and capture the flag

Disrupting the Attack

There are a number of proactive techniques you could use to disrupt this attack. You’d want to break one or more of the “links” in that attack path “chain.” In the webinar, we break the attack path at step 4, blocking access to Peter’s blog’s cross-site scripting (XSS) vulnerability by configuring the free ModSecurity tool to serve as a web application firewall (WAF). ModSecurity would block exploitation of the XSS vulnerability, even if that vulnerability had been a non-publicly-known “zero day.” Let’s look at four other links in the chain we can break with proactive measures.

Use the Free OSSEC Tool

First, we can use the free OSSEC tool to block the port scans in step 1 and step 3. OSSEC can detect a port scan and temporarily block list an IP address, cutting off the attacker’s access. In my on-demand webinar, How to Attack a Linux System + Ways to Detect and Respond Swiftly, I demonstrate how you can do this. I also cover it in this blog.

Created an AppArmor Profile

Second, we could have created an AppArmor profile to confine the web application’s behavior, such that it couldn’t write the Trojan horse PHP code to the filesystem, preventing the system from running that code in step 7. You can learn how to do that in my on-demand webinar Breaking the Zero-Day Attack on Linux. I also cover it in this blog.

Create a Strong “Egress” (Outbound) Firewall Rule Set

Third, we can create a strong “egress” (outbound) firewall rule set to block the Trojan horse “reverse shell” connection back to the attacker in step 8. The more capable attackers could counter this by using a less convenient “web shell” in place of the Trojan horse’s reverse shell, but we will have blocked the attackers who didn’t have the time, tools, or knowledge to outmaneuver our countermeasures.

Use a Tighter Policy on sudo

Fourth, we could use a tighter policy on sudo so that when we allow the blumbergh user to run tcpdump, we don’t grant him the root access achieved in step 10. Instead of allowing blumbergh to run tcpdump with arbitrary arguments, we could construct a script that runs it with only the arguments that we approve ahead of time. This script would need to check the arguments passed to it carefully or, ideally, not accept any arguments.

You’re in a Battle with Attackers

Here’s the point: you’re in a battle with attackers. It’s not a battle with a fair division of labor—you have to build, maintain, and defend a system, while their mission is solely to attack. With that said, proactive security tools and techniques can poise you to effectively parry attacks and defend against attackers. If this blog has piqued your interest, I’d certainly recommend watching its matching on-demand webinar "Linux Attack and Defense: Exploiting a PHP Application and Breaking the Exploit" and taking a look at the other webinars linked to in this article.

Jay Beale

co-founder, COO and CTO, InGuardians

Jay Beale has created several defensive security tools, including Bastille Linux/UNIX and the CIS Linux Scoring Tool, both of which were used widely throughout industry and government. He has served as an invited speaker at many industry and government conferences, a columnist for Information Security Magazine, SecurityPortal and SecurityFocus, and a contributor to nine books, including those in his Open Source Security Series and the “Stealing the Network” series. He has led training classes on Linux Hardening and other topics at Black Hat, CanSecWest, RSA, and IDG conferences, as well as in private corporate training. Jay is a co-founder, Chief Operating Officer and CTO of the information security consulting company InGuardians.

Stay Up To Date

Get the latest news, ideas, and tactics from BeyondTrust. You may unsubscribe at any time.

I agree to receive product related communications from BeyondTrust as detailed in the Privacy Policy, and I may manage my preferences or withdraw my consent at any time.

You May Also Be Interested In:

Webcasts | February 25, 2021

Customer Tips & Tricks: Remote Support for Android

Webcasts | February 09, 2021

Customer Webinar: Remote Support 21.1 Released!

Webcasts | February 24, 2021

Your PAM 2021 Blueprint: Securing Privileged Accounts for On-Premises and Cloud Assets

BeyondTrust Logo
  • Facebook
  • Twitter
  • LinkedIn

Keep up with BeyondTrust

I agree to receive product related communications from BeyondTrust as detailed in the Privacy Policy, and I may manage my preferences or withdraw my consent at any time.

Customer Support
Contact Sales

Products

  • Endpoint Privilege Management
  • Password Management
  • Privileged Remote Access
  • DevOps Secrets Safe
  • Remote Support

Resources

  • Blog
  • Case Studies
  • Competitor Comparisons
  • Datasheets
  • Glossary
  • Videos
  • Webcasts
  • Whitepapers

About

  • Company
  • Careers
  • Contact
  • Events
  • Leadership Team
  • Partner Program
  • Press

Languages

  • English
  • German
  • French
  • Spanish
  • Korean
  • Portuguese
  • Japanese
  • Privacy
  • Security
  • Manage Cookies
  • WEEE Compliance

Copyright © 1999 — 2020 BeyondTrust Corporation. All rights reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust Corporation is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.