In Episode 007 of my Linux Attack and Defense webinar series, I attack a James Bond-themed, intentionally-vulnerable capture the flag (CTF) system created by “creosote.”
Playing this CTF, I chain together attacks. While many of the steps are focused on discovering or guessing passwords, there are two vital actions in the attack that aren’t. The first action initiates the attack: I send an image tag through a vulnerable support form, where it causes a browsing support technician to leak the URL of a management page. This tag never should have been allowed into a support application without first being filtered and safely encoded. The second vital action takes the attack from the web onto the Linux command line—I construct a deserialization exploit against a Node.JS application. It’s difficult to execute, but a great skill to learn.
Once I have obtained root and get to watch the destruction of the evil Moonraker space station, I put on my “blue team” patch and prepare to apply proactive hardening measures to break the cyberattack path.
There are at least five ways to proactively break this attack, even if you didn’t know there were vulnerabilities. Here’s what you could do for the two vital steps:
- Use an egress iptables ruleset to stop the image tag from causing an outbound request from the support technician.
- Use ModSecurity, a free web application firewall, to block support requests that carry an image tag.
- Switch the application’s deserialization library.
In my webinar, you will also learn additional systems hardening steps to thwart other stages of the attack. You can check out the on-demand webinar here and play along using your own copy of Kali Linux, attacking the Moonraker virtual machine you’ll find on VulnHub.com at: https://www.vulnhub.com/entry/moonraker-1,264/