Linux Attack & Defense: Matrix Breakout Edition

July 19, 2022


As a penetration tester, I enjoy playing the Capture the Flag (CTF) challenges you'll find on VulnHub.com or at an information security conference. As a teacher, I enjoy showing people how to block the attack through proactive systems hardening.

In the most recent webinar episode of my Attacking and Defending Linux series, we go through a three-stage attack, breaking into the new “Matrix: Breakout” Boot2Root CTF virtual machine, which you can download from here, collecting flags as we go. After that, we demonstrate one proactive defense that would break the attack.

In this webinar, as in most real breaches or penetration tests, we have to exploit multiple vulnerabilities in a sequential chain to reach our goal. Some vulnerabilities are the kinds of software flaws that get CVE numbers like CVE-2017-5638 (and often slick names like “Strutshock”). The first vulnerability in the webinar is one of those. But many of the vulnerabilities that we exploit as attackers are weak designs or configurations. The last vulnerability in the webinar’s chain fits this description: the program we exploit runs in a “privileged” container.

Security Considerations for Privileged Containers in Docker

The Docker project created “privileged” containers to support running Docker from within Docker. Privileged containers remove two of the major protections that prevent a root user in a container from breaking out of the container: limits on root capabilities and restrictions on devices visible to the container. Let’s discuss the latter.

Consider the difference between an unprivileged and a privileged container's /dev directories. Here's a standard container's /dev directory:

[Screenshot: /dev listing inside a standard (unprivileged) container; image not reproduced here]

Here's a privileged container's /dev directory:

[Screenshot: /dev listing inside a privileged container, showing the host's full device tree; image not reproduced here]

The privileged container has access to the Linux machine’s entire /dev directory. In the webinar, when we find ourselves with root privilege in the container, we mount the host virtual machine’s hard disk device (/dev/vda1) and use it to access a flag file that’s on the host filesystem, normally accessible only from outside of the container. While we don’t demonstrate this, you can generally turn this into full code execution on the host. For example, you could write to a crontab file or change a password.

What about defense? Well, while privileged containers are useful in Docker development, or in special cases, there are very few situations where a container needs to run with this level of privilege. In general, it’s important to make sure that there are strong controls against running privileged containers on your machines. If you’re running Docker Engine hosts without an orchestrator, consider using a Docker authorization plugin like Open Policy Agent’s opa-docker-authz. If you’re running containers with Kubernetes, check out the available admission controllers for your version.
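The two protections the post says privileged mode removes (capability limits and device restrictions) and the two controls it recommends (a Docker authorization plugin such as opa-docker-authz, or a Kubernetes admission controller) come together in one check: inspect the container request before it runs and deny anything privileged. The example below is added here and is not code from the BeyondTrust post, from opa-docker-authz, or from Kubernetes. It evaluates the same fields those controls see: the parsed body of a Docker Engine `POST /containers/create` request (`HostConfig.Privileged`, `HostConfig.Devices`, `HostConfig.CapAdd`, which is what the plugin exposes as `input.Body`) and a Kubernetes Pod manifest (`securityContext.privileged`, added capabilities, `hostPath` volumes under /dev). The `DANGEROUS_CAPS` list, the sample request and the sample Pod are constructed for illustration.

```python
"""Deny-privileged policy check (hypothetical example, not the post's or any project's code).

check_docker_create() mirrors what an authorization plugin policy would evaluate
on a Docker `containers/create` request body; check_pod_spec() mirrors what an
admission controller would evaluate on a Pod manifest. Both return a list of
reasons to deny; an empty list means the workload is acceptable.
"""
import json

# Capabilities that on their own let root in a container reach the host
# (mounting block devices, loading kernel modules, raw I/O). Constructed list.
DANGEROUS_CAPS = {"SYS_ADMIN", "SYS_MODULE", "SYS_RAWIO", "ALL"}


def _norm_cap(cap: str) -> str:
    """Normalise 'cap_sys_admin' / 'CAP_SYS_ADMIN' / 'sys_admin' to 'SYS_ADMIN'."""
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def check_docker_create(body: dict) -> list:
    """Reasons to deny a Docker Engine API container-create request body."""
    host_cfg = body.get("HostConfig") or {}
    reasons = []
    if host_cfg.get("Privileged"):
        reasons.append("HostConfig.Privileged is true (all capabilities, entire host /dev)")
    for dev in host_cfg.get("Devices") or []:
        reasons.append("host device mapped into container: %s" % dev.get("PathOnHost"))
    caps = {_norm_cap(c) for c in host_cfg.get("CapAdd") or []}
    for cap in sorted(caps & DANGEROUS_CAPS):
        reasons.append("dangerous capability added: %s" % cap)
    return reasons


def check_pod_spec(pod: dict) -> list:
    """Reasons to deny a Kubernetes Pod manifest (dict form of the YAML)."""
    spec = pod.get("spec") or {}
    reasons = []
    containers = (spec.get("containers") or []) + (spec.get("initContainers") or [])
    for c in containers:
        sc = c.get("securityContext") or {}
        name = c.get("name")
        if sc.get("privileged"):
            reasons.append("container %r sets securityContext.privileged" % name)
        added = (sc.get("capabilities") or {}).get("add") or []
        for cap in sorted({_norm_cap(x) for x in added} & DANGEROUS_CAPS):
            reasons.append("container %r adds capability %s" % (name, cap))
    for v in spec.get("volumes") or []:
        path = (v.get("hostPath") or {}).get("path")
        if path and (path == "/" or path.startswith("/dev")):
            reasons.append("hostPath volume exposes host path %s" % path)
    return reasons


# Constructed sample inputs for demonstration.
SAMPLE_DOCKER_REQUEST = json.loads(
    '{"Image": "alpine", "Cmd": ["sh"], "HostConfig": {"Privileged": true}}'
)

SAMPLE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "build-agent"},
    "spec": {
        "containers": [
            {"name": "agent", "image": "agent:1",
             "securityContext": {"privileged": True}}
        ],
        "volumes": [{"name": "dev", "hostPath": {"path": "/dev"}}],
    },
}

if __name__ == "__main__":
    for label, reasons in (("docker create", check_docker_create(SAMPLE_DOCKER_REQUEST)),
                           ("pod manifest", check_pod_spec(SAMPLE_POD))):
        print(label, "DENY" if reasons else "ALLOW", reasons)
```

The device and capability checks are there because a request that is not literally `--privileged` can still hand the container a host block device or `CAP_SYS_ADMIN`, which gets an attacker to the same mount-the-host-disk step the webinar walks through; a policy that only looks at the `Privileged` flag leaves that path open.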

Watch the Webinar and Play Along!

To see the full attack path and another defense, watch my webinar: Attacking and Defending Linux: Breaking out of the Matrix Edition. You can even download the virtual machine from here and play along. Note that to play along in the same environment that I demo in the webinar, you'll want a copy of Kali Linux.


Jay Beale, CEO, CTO at InGuardians, Inc.

Jay Beale has created several defensive security tools, including Bastille Linux/UNIX and the CIS Linux Scoring Tool, both of which were used widely throughout industry and government. He has served as an invited speaker at many industry and government conferences, a columnist for Information Security Magazine, SecurityPortal and SecurityFocus, and a contributor to nine books, including those in his Open Source Security Series and the “Stealing the Network” series. He has led training classes on Linux Hardening and other topics at Black Hat, CanSecWest, RSA, and IDG conferences, as well as in private corporate training. Jay is a co-founder, Chief Operating Officer and CTO of the information security consulting company InGuardians.
