CompTIA Pentest+ Chapter 10 Questions Flashcards
One important step during postexploitation is to gain situational awareness to gather important knowledge of the host and internal network. Which of the following techniques from the MITRE ATT&CK framework are identified as “discovery” tactics? (Select all that apply.)
A. Enumerate files and directories on the local or shared file system.
B. Search for local or domain-level groups and permission settings.
C. Timestomp files and directories after exploitation.
D. Use a protocol native to the operating system like SSH or FTP to transfer files.
A. Enumerate files and directories on the local or shared file system.
B. Search for local or domain-level groups and permission settings.
Explanation:
Enumerating files and directories (File and Directory Discovery, T1083) and enumerating local or domain groups and their permissions (Permission Groups Discovery, T1069) both belong to the Discovery tactic, whose purpose is exactly this situational awareness. Timestomping belongs to Defense Evasion; it was originally catalogued as T1099 and is now the sub-technique Indicator Removal: Timestomp (T1070.006). Moving files with a protocol native to the operating system, such as SSH or FTP, is not discovery either: the text classes it as Exfiltration Over Alternative Protocol (T1048), and the same activity between internal hosts is Lateral Tool Transfer (T1570).
During a pentest, you successfully compromised user-level access to a Linux host within your customer's network. The user's default shell is bash. Which command syntax could you use to suspend command recording for your terminal session? (Select all that apply.)
A. unset HIST
B. unset HISTFILE
C. set +o history
D. export HIST=0
B.unset HISTFILE
C.set +o history
Explanation:
unset HISTFILE keeps recording commands in the shell's in-memory history list, but with no HISTFILE set bash has nowhere to write that list when the session ends, so nothing reaches $HOME/.bash_history. set +o history turns recording off altogether, so nothing new enters the in-memory list or the file. Neither command undoes what is already on disk: if PROMPT_COMMAND runs history -a, every earlier command in the session has already been appended, and neither affects system-level logging such as auditd, syslog, sudo logs or an EDR agent. Answers A and D are syntactically valid shell commands, but they only clear or set a variable named HIST, which bash does not consult; the variables that matter are HISTFILE, HISTSIZE and HISTFILESIZE (setting HISTSIZE=0 also stops commands being saved).
You find that the user account “user1” you just compromised might be permitted to execute privileged commands on the system using sudo. After you suspend command recording in your terminal window, you execute the sudo -l command and are not prompted for a password. To your surprise, the account can execute all commands on the operating system and you still are not prompted for a password. Which setting in the /etc/sudoers file would allow the user to execute commands without a password? A.%sudo ALL=(ALL:ALL) ALL B.%sudo ALL=(ALL:ALL) NOPASSWD:ALL C.user1 ALL=(ALL:ALL) ALL D.user ALL=(ALL:ALL) NOPASSWD:ALL
B.%sudo ALL=(ALL:ALL) NOPASSWD:ALL
Explanation:
The account user1 is most likely a member of the sudo group, so the %sudo line applies to it: the % prefix makes the entry a group specification, and the NOPASSWD: tag lets every member run any command (ALL) as any user without a password prompt. Running id or groups shows the group memberships, and sudo -l prints the sudoers entries that apply to the current user. Rules can also live in files under /etc/sudoers.d/, and sudo honours the tags of the last matching entry, so a later user1 ALL=(ALL:ALL) ALL line would bring the password prompt back. Answers A and C grant the same rights but still require the user's password. Answer D carries the NOPASSWD:ALL tag but names a different account, user, which is not the one you control.
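The matching logic described in the explanation, as an added example that is not part of the original flashcard set: a small Python parser for the common `who host=(runas) [TAG:]command, ...` sudoers line form, which matches the `who` field against a user and its groups (the %group form from the question) and applies sudo's rule that the tags of the last matching command specification win. The sudoers text and the `id` output it consumes are constructed samples; aliases, host lists, negations (!) and #includedir files are deliberately not handled, so on a live host `sudo -l` remains the authoritative answer.

```python
"""Which sudoers entries apply to an account, and will sudo prompt for a password?

Added example, not taken from the CompTIA text. Parses the common
`who host=(runas) [TAG:]command, ...` line form, matches `who` against a
user name and its groups (%group form), and applies sudo's rule that the
tags of the *last* matching command specification win. Aliases, host
lists, negations (!) and #includedir files are not handled.
"""
import re

# Constructed sample sudoers: the four answer options plus two extra rules.
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample, not a real configuration)
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) NOPASSWD:ALL
user    ALL=(ALL:ALL) NOPASSWD:ALL
backup  ALL=(root) /usr/bin/rsync, NOPASSWD: /usr/bin/tar
"""

# Constructed output of `id` for the compromised account.
SAMPLE_ID_OUTPUT = "uid=1000(user1) gid=1000(user1) groups=1000(user1),27(sudo)"

_TAGS = {"NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV",
         "LOG_INPUT", "NOLOG_INPUT", "LOG_OUTPUT", "NOLOG_OUTPUT"}
_SKIP = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")


def groups_from_id(output):
    """Group names from `id` output, e.g. 'groups=1000(user1),27(sudo)' -> ['user1', 'sudo']."""
    m = re.search(r"groups=(\S+)", output)
    return re.findall(r"\d+\(([^)]+)\)", m.group(1)) if m else []


def parse_sudoers(text):
    """Yield (who, host, runas, [(nopasswd, command), ...]) for each user specification."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments (and #include lines)
        if not line or line.startswith(_SKIP):
            continue
        m = re.match(r"^(\S+)\s+(\S+?)\s*=\s*(?:\(([^)]*)\))?\s*(.+)$", line)
        if not m:
            continue
        who, host, runas, cmd_list = m.groups()
        nopasswd, cmds = False, []
        for item in (c.strip() for c in cmd_list.split(",")):
            # A tag applies to this and every following command in the same entry.
            while ":" in item and item.split(":", 1)[0].strip().upper() in _TAGS:
                tag, item = (s.strip() for s in item.split(":", 1))
                if tag.upper() == "NOPASSWD":
                    nopasswd = True
                elif tag.upper() == "PASSWD":
                    nopasswd = False
            cmds.append((nopasswd, item))
        yield who, host, runas or "root", cmds


def password_needed(sudoers_text, user, groups, command):
    """None if no entry lets `user` run `command`; else True/False for 'sudo will prompt'."""
    verdict = None
    for who, _host, _runas, cmds in parse_sudoers(sudoers_text):
        applies = who == "ALL" or who == user or (who.startswith("%") and who[1:] in groups)
        if not applies:
            continue
        for nopasswd, cmd in cmds:
            if cmd == "ALL" or cmd == command:
                verdict = not nopasswd               # last matching specification wins
    return verdict


if __name__ == "__main__":
    groups = groups_from_id(SAMPLE_ID_OUTPUT)
    for account, grp in (("user1", groups), ("user", []), ("backup", []), ("bob", [])):
        for cmd in ("/bin/bash", "/usr/bin/tar"):
            print(f"{account:7} {cmd:14} -> password needed: "
                  f"{password_needed(SAMPLE_SUDOERS, account, grp, cmd)}")
```

With the sample data, user1 (a member of sudo) gets False for every command, the account user gets False through its own line, backup gets False only for /usr/bin/tar and True for /usr/bin/rsync, and an account with no entry gets None.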
Group Policy Preferences (GPP) was introduced with Windows Server 2008 and allows domain administrators to create domain policies that automate tedious tasks, such as changing the local Administrator account password on the host operating system. A policy that sets a password stores it, AES-encrypted, as a cPassword attribute inside the policy's XML, and every policy is stored in SYSVOL, which is readable by any authenticated user of the domain. During a pentest, you successfully mount the SYSVOL share using user-level privileges on the domain. The domain controller is a Windows Server 2012 system. Which file will contain the cPassword entry? A.Group.xml B.Users.xml C.Groups.xml D.Policy.xml
C.Groups.xml
Explanation:
Groups.xml holds the cPassword attribute; it lives under the policy's Machine\Preferences\Groups\ (or User\Preferences\Groups\) directory inside \\<domain>\SYSVOL\<domain>\Policies\{GUID}\. The attribute value is base64 (with the trailing = padding stripped, so it must be re-added before decoding) of the password encrypted with AES-256-CBC, a zero IV and a 32-byte key that Microsoft published in its own documentation, so any domain user can recover the UTF-16LE plaintext with tools such as gpp-decrypt or Get-GPPPassword. MS14-025 (2014) stopped the Group Policy editor from creating new cPassword entries but left existing XML files in place, so a Windows Server 2012 domain can still contain them. Users.xml, Policy.xml and Group.xml are not the Local Users and Groups preference file; the other preference files that can carry a cPassword are Services.xml, ScheduledTasks.xml, DataSources.xml, Drives.xml and Printers.xml.
When using the GNU debugger (gdb), which command can you use to pause program execution in a function when the assembly instruction is reached? A.break B.nexti C.info registers D.x $rsp
A.break
Explanation:
The break *func+43 command sets a breakpoint on the instruction 43 bytes into func, so the program stops when execution reaches that address and you can inspect registers and memory at that point. nexti executes one machine instruction, stepping over calls (stepi steps into them); info registers prints the general-purpose registers; and x $rsp examines the memory at the address held in $rsp (the top of the stack), whereas p/x $rsp would print the register's value itself.
A ____________________ is unique and is used to identify each instance of a Windows service. In Windows, Kerberos requires that ____________________ be associated with at least one service logon account (i.e., the account that runs the service). A.Hostname B.Domain name C.Unique identifier D.Service principal name
D.Service principal name
Explanation:
D. The service principal name (SPN) is unique and identifies each instance of a Windows service, and both blanks are filled by it. Kerberos requires an SPN to be registered on at least one service logon account (the account the service runs as) before a client can request a service ticket; that registration is also what makes Kerberoasting possible, since any domain user can request a ticket for a registered SPN. A hostname names a host, a domain name identifies an Internet or Active Directory domain, and a unique identifier such as a Unix UID or a Windows SID identifies a user or principal; none of these identifies a service instance.
During a pentest, you use the wmic command to identify unquoted service paths. You find the path C:\Program Files (x86)\data\shared files\vulnerable.exe and use accesschk.exe to confirm that you have write privileges in the "data" directory. To escalate privileges the next time the service starts, you need to place an executable along the service path so that it runs instead of the intended binary. What is the correct name for the executable that you should create? A.shared.exe B.files.exe C.Files.exe D.Program.exe
A.shared.exe
Explanation:
When the Service Control Manager starts the service it hands the unquoted ImagePath to CreateProcess, which cannot tell where the program name ends and so tries each prefix that ends at a space, appending .exe: first C:\Program.exe, then C:\Program Files.exe, then C:\Program Files (x86)\data\shared.exe, and finally the real C:\Program Files (x86)\data\shared files\vulnerable.exe. The first candidate that exists is launched with the service account's privileges (often LocalSystem). The only candidate in a directory you can write to is shared.exe in the data directory. Files.exe/files.exe is never tried: the break after "Files" would require a file named C:\Program Files.exe in the root of C:\, and nothing ends at "files" because a backslash, not a space, follows it. Program.exe would work in principle, but it also has to be placed in C:\, where you have no write access. The planted binary only runs when the service next starts, so you need to be able to restart the service (sc stop / sc start) or wait for a reboot, and it should either behave as a service or spawn your payload and exit, otherwise the SCM times the start out (error 1053) after about 30 seconds.
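The prefix-splitting rule above, as an added example that is not part of the original flashcard set and generalises the single path in the question: `candidate_binaries()` reproduces the order in which CreateProcess tries file names for any unquoted ImagePath, `plantable()` intersects those candidates with directories you can write to (for example the ones accesschk.exe reports), and `unquoted_services()` applies the usual filter to a service list. The service entries are constructed sample data shaped like `wmic service get name,pathname` output, not output from a real host.

```python
"""Which file names would an unquoted service path make Windows try first?

Added example, not from the CompTIA text. When an ImagePath is unquoted and
contains spaces, CreateProcess tries every prefix that ends at a space,
appending .exe when the prefix has no extension, until one exists. This
reproduces that order and intersects it with writable directories.
"""
import ntpath

# Constructed (name, pathname) pairs in the shape of `wmic service get name,pathname`.
SAMPLE_SERVICES = [
    ("Spooler", r"C:\Windows\System32\spoolsv.exe"),
    ("VulnSvc", r"C:\Program Files (x86)\data\shared files\vulnerable.exe"),
    ("GoodSvc", r'"C:\Program Files\Good Vendor\good.exe" -k netsvcs'),
    ("NoSpace", r"C:\svc\plain.exe"),
]


def candidate_binaries(image_path):
    """Paths CreateProcess tries, in order, for an unquoted ImagePath."""
    path = image_path.strip()
    if path.startswith('"'):
        return []                                    # quoted: only the quoted file is tried
    tokens = path.split(" ")
    candidates = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if "." not in ntpath.basename(prefix):       # no extension -> .exe is appended
            prefix += ".exe"
        candidates.append(prefix)
        if tokens[i - 1].lower().endswith(".exe"):   # reached the real binary; rest are arguments
            break
    return candidates


def plantable(image_path, writable_dirs):
    """Candidates tried *before* the real binary whose directory we can write to."""
    writable = {d.rstrip("\\").lower() for d in writable_dirs}
    cands = candidate_binaries(image_path)
    return [c for c in cands[:-1]
            if ntpath.dirname(c).rstrip("\\").lower() in writable]


def unquoted_services(services):
    """Services with at least one hijackable candidate before the real binary.

    Paths under C:\\Windows are skipped, as the usual wmic | findstr filter does,
    because a low-privileged user cannot normally write there anyway.
    """
    return [(name, path) for name, path in services
            if not path.strip().lower().startswith("c:\\windows\\")
            and len(candidate_binaries(path)) > 1]


if __name__ == "__main__":
    # Assumption for the demo: accesschk showed the data directory is writable.
    writable = [r"C:\Program Files (x86)\data"]
    for name, path in unquoted_services(SAMPLE_SERVICES):
        print(f"{name}: {path}")
        for c in candidate_binaries(path):
            print("   tries", c)
        print("   plantable:", plantable(path, writable))
```

On the host itself, the candidates are usually listed with wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """, and the writable check with accesschk.exe -uwdq on each directory in the path; the script only automates the reasoning about which file name to drop where.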
During a pentest, you come across an SSH private key (id_rsa) in a user's home directory and suspect that this key can be used to remotely log in to other Linux hosts. However, before you try to use the key, you want to compare it with the contents of the authorized_keys file to ensure it matches one of the public keys stored in the file. Which command would you run to generate a public key from the private key?
A.ssh-keygen -y -f id_rsa
B.ssh-keygen -t rsa -b 2048
C.diff id_rsa.pub id_rsa
D.openssl rsa -in id_rsa | cat id_rsa.pub
A.ssh-keygen -y -f id_rsa
Explanation:
ssh-keygen -y reads a private key and prints the matching public key in OpenSSH's one-line format, so ssh-keygen -y -f id_rsa gives you exactly the string that would appear as an authorized_keys entry; you can then compare it, or its SHA256 fingerprint from ssh-keygen -lf, against the entries in authorized_keys. If the private key is passphrase-protected, ssh-keygen -y prompts for the passphrase. Note that a match in the local authorized_keys only proves the key logs in as this user on this host; ~/.ssh/known_hosts, ~/.ssh/config and the shell history are where you find the other hosts it was used against. Answer B generates a brand-new 2048-bit RSA key pair and tells you nothing about the key you found. Answer C runs diff over the private and public key files, which are different formats and never match. Answer D is wrong because cat id_rsa.pub ignores its standard input when given a file argument, so the pipeline merely prints the private key (openssl rsa -in id_rsa re-emits it in PEM form, and cannot read the newer OPENSSH PRIVATE KEY container at all) followed by the existing public key; openssl rsa -pubout would print the public key, but in PEM format rather than the OpenSSH format used in authorized_keys.
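The comparison step described above, as an added example that is not part of the original flashcard set: take the line printed by `ssh-keygen -y -f id_rsa`, decode its key blob, and look for the same blob in an authorized_keys file. Comparing the decoded blob rather than the raw text ignores comments and any options prefix (from=, command= and so on, which a practitioner wants to see because a forced command means the key will not give a shell), and the fingerprint reported is the SHA256 form `ssh-keygen -lf` prints for the same key. The two ed25519 key blobs and the authorized_keys text are constructed placeholders, not real keys.

```python
"""Match the public key derived from a found private key against authorized_keys.

Added example, not from the CompTIA text. Compares decoded OpenSSH key
blobs so comments and option prefixes are ignored, and reports the SHA256
fingerprint in ssh-keygen's notation. The key blobs here are constructed.
"""
import base64
import hashlib
import struct

KEY_TYPES = ("ssh-", "ecdsa-", "sk-")      # prefixes of OpenSSH key-type names


def _ssh_string(b):
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


# Constructed key blobs: type string + 32 placeholder bytes, the ed25519 layout.
KEY_A = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
KEY_B = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32, 64)))


def pubkey_line(blob, comment=""):
    """Render a blob the way ssh-keygen -y prints it: '<type> <base64> [comment]'."""
    keytype = blob[4:4 + struct.unpack(">I", blob[:4])[0]].decode()
    return f"{keytype} {base64.b64encode(blob).decode()}" + (f" {comment}" if comment else "")


# What `ssh-keygen -y -f id_rsa` would print for the key we found (constructed).
DERIVED_PUBKEY = pubkey_line(KEY_A)

# Constructed authorized_keys: a comment, an unrelated key, and our key behind options.
AUTHORIZED_KEYS = "\n".join([
    "# constructed sample authorized_keys",
    pubkey_line(KEY_B, "bob@other"),
    'from="10.0.0.0/8",command="/usr/bin/rsync --server" ' + pubkey_line(KEY_A, "backup@ws01"),
])


def parse_pubkey_line(line):
    """Return (options, keytype, blob) from a public-key or authorized_keys line."""
    fields = line.strip().split()
    for i, field in enumerate(fields[:-1]):
        if not field.startswith(KEY_TYPES):
            continue                                  # still inside the options prefix
        try:
            blob = base64.b64decode(fields[i + 1], validate=True)
        except ValueError:
            continue
        length = struct.unpack(">I", blob[:4])[0] if len(blob) >= 4 else -1
        if blob[4:4 + length] == field.encode():     # a real blob starts with its own type name
            return " ".join(fields[:i]), field, blob
    raise ValueError("no OpenSSH public key found in line")


def fingerprint(blob):
    """SHA256 fingerprint in ssh-keygen's notation (unpadded base64)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def match_authorized_key(pubkey, authorized_keys_text):
    """(line number, fingerprint, options) of the entry holding the same key, or None."""
    _, _, wanted = parse_pubkey_line(pubkey)
    for n, line in enumerate(authorized_keys_text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        try:
            options, _, blob = parse_pubkey_line(line)
        except ValueError:
            continue                                  # not a key line; skip it
        if blob == wanted:
            return n, fingerprint(blob), options
    return None


if __name__ == "__main__":
    print("derived key fingerprint:", fingerprint(parse_pubkey_line(DERIVED_PUBKEY)[2]))
    hit = match_authorized_key(DERIVED_PUBKEY, AUTHORIZED_KEYS)
    if hit:
        n, fp, options = hit
        print(f"matches authorized_keys line {n} ({fp}); options: {options or 'none'}")
    else:
        print("no matching entry")
```

In use, the first argument is the output of ssh-keygen -y -f id_rsa and the second is the contents of ~/.ssh/authorized_keys read from the target; the options string in the result tells you whether the entry restricts the key to a source network or a forced command.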