Exam CS0-003 topic 1 question 98 discussion

I don't understand why everyone is saying C to check printenv. Any hacker that finds an LFI is first going to check if they can read some globally readable files, typically this is going to be /etc/passwd on linux or C:/Windows/System32/drivers/etc/hosts. Depending So in the request form you're going to see something like this (or the B64 equivalent) `../../../../../etc/passwd`) If I was red teaming and got a hit on this, you best believe the next thing I'm typing in is ../../../../etc/shadow to see if I can read it, because if I can you can copy/paste both of those to a txt file and use unshadow in kali to get the creds of the user you want and own the box. If those aren't there, then the next thing I'm going to look for is ssh keys in one of the 5ish places that they normally are, or browse around for any plaintext credentials. checking for printenv during an LFI doesn't make sense because this assumes you already have command execution, and there's plenty other commands that would give you similar info to work off of, they may never execute that command.

The /etc/shadow contains hashed passwords in the linux OS

A. /etc/shadow That's where Linux stores the passwords

A) /etc/shadow See ITManager's explanation below. Voting for visibility.

The answer is A. /etc/shadow.

While targeting files like /etc/shadow is a typical goal in LFI attacks, it doesn't represent a pattern that you would search for in logs. Instead, you would typically look for the patterns or payloads used by attackers in log entries. In this context, the pattern "; printenv" is a more direct representation of such a payload pattern.

Again, I was wrong.... Bad day. The credentials are stored in the /etc/shadow file. Since the question talks about credentials, the existence of this file on the web server could indicate a LFI vulnerability. The printenv parameter (environment variables) would not indicate any vulnerability.

My previous answer was wrong. LFI vulnerabilities typically allow an attacker to include and execute files on the server. In this case, the "; printenv" pattern may be used to include and execute a command that prints environment variables.

Correct If an attacker successfully exploits an LFI vulnerability to extract credentials from the underlying host, one way they might attempt to access sensitive files is by trying to access the "/etc/shadow" file. The "/etc/shadow" file on Unix-based systems like Linux contains the hashed passwords of users.