In my Attacking and Defending a Linux System – Morpheus Edition webinar, we attacked a new Linux Boot-to-Root system called “Morpheus:1.” I encourage you to watch it or, if you’re feeling adventurous, to download the virtual machine and follow along, performing the attack yourself. In this blog, I will walk through a Linux attack path to demonstrate how attackers look to exploit vulnerabilities, then I will explore several ways to break the cyberattack chain.
On the first step in the attack path, you find a “graffiti” web application and realize that you can use it to make the target machine run your PHP code. In the webinar, we demonstrate writing a PHP “web shell” into the web server’s directory, then running it to get access onto the system. From there, we move laterally via an abnormal Set-UID binary, then escalate privilege via an attack enabled by a Python interpreter that has the cap_sys_admin “capability.”
We didn’t get a chance to show the defense demonstration, but you can find it here.
In that defense, we create an AppArmor profile that confines the web server, not allowing it to write to any files it can serve, except for the intended graffiti file. AppArmor is built in or available on all Linux distributions, though on Red Hat-based distributions, it’s more natural to use SELinux.
We created the AppArmor profile by running the profile generator, aa-genprof, which runs our Apache web server and watches what files it reads, writes, and executes, as well as what Linux root capabilities it uses. For example, it sees the Apache web server drop down to a non-root user, www-data, and suggests the “setuid” capability for the profile, or it sees Apache write to the graffiti.txt file and suggests allowing that.
At the end of the profiling session, we ended up with this profile:

Watch the webinar , then take a look at the defense video to see the full profiling experience and how it then blocks the attack.
There are other defenses that could also block the attack path. For example, in the second step of the attack path, we’re running as the web server’s account “www-data”. We find that there’s a firewalling binary that has Set-UID set, allowing any account on the system to run it with root privileges. The binary xtables-legacy-multi, is the program that you run when you run iptables. As the attacker, we use this to create a network address translation (NAT) rule to redirect incoming port 81 traffic to a program we control. This lets us capture a password that the Cypher user tried to send to a second web server on the system. As a defender, this is easy to protect against once we know that the firewall binary is Set-UID root and executable by all accounts on the system. There’s no reason the web server’s www-data user should need to modify the firewall.
If we regularly look for non-standard Set-UID programs on the system, we’d catch that issue and remove Set-UID from iptables/xtables-legacy-multi. Alternatively, if we needed some users on the system to run that firewall utility with root privilege, we could use Linux groups to permit that privilege in a more granular fashion.
There’s one other place in the attack path where we could defeat this attack. The final escalation from Cypher’s user to root hinges on a Python interpreter that’s been given the cap_sys_admin capability. Most Linux system owners probably don’t realize that a non-Set-UID binary can grant one of these “root special power” capabilities (this is demonstrated in the webinar). For our defense, we need to find out whether there’s a program that grants capabilities before our attacker discovers one. We can do that by running the getcap utility on a regular basis, looking for new lines. As you will see in the webinar, it takes only a few seconds.
For deeper, over-the-shoulder insights, check out the webinar and the defense video. For a hands-on experience, download the Morpheus:1 virtual machine here and try it yourself!
BeyondTrust Privilege Management for Unix & Linux is the gold-standard product for granularly controlling privilege access, including commands typed, across Unix & Linux systems. The product also layer on file integrity monitoring, as well as privileged session monitoring and management, for a complete audit trail of all activities performed. Contact BeyondTrust to learn more.
Watch Other Linux Attack & Defense Webinars
How a Linux Attacker can Escalate from Low-Level Privileges to Root
Linux Attack and Defense: The Matrix
Linux Attack and Defense - Office Space Style!

Jay Beale, CEO, CTO at InGuardians, Inc.
Jay Beale has created several defensive security tools, including Bastille Linux/UNIX and the CIS Linux Scoring Tool, both of which were used widely throughout industry and government. He has served as an invited speaker at many industry and government conferences, a columnist for Information Security Magazine, SecurityPortal and SecurityFocus, and a contributor to nine books, including those in his Open Source Security Series and the “Stealing the Network” series. He has led training classes on Linux Hardening and other topics at Black Hat, CanSecWest, RSA, and IDG conferences, as well as in private corporate training. Jay is a co-founder, Chief Operating Officer and CTO of the information security consulting company InGuardians.