ExamTopics Logo
Mail Us[email protected]
Menu
Comptia Discussions
exam questions

Exam CAS-004 All Questions

View all questions & answers for the CAS-004 exam
Go to Exam

Exam CAS-004 topic 1 question 626 discussion

Actual exam question from CompTIA's CAS-004
Question #: 626
Topic #: 1
[All CAS-004 Questions]

After a server was compromised, an incident responder looks at log files to determine the attack vector that was used. The incident responder reviews the web server log files from the time before an unexpected SSH session began:



Which of the following is the most likely vulnerability that was exploited, based on the log files?

  • A. Directory traversal revealed the hashed SSH password, which was used to access the server.
  • B. A SQL injection was used during the ordering process to compromise the database server.
  • C. The root password was easily guessed and used as a parameter to open a reverse shell.
  • D. An outdated, third-party PHP plug-in was vulnerable to a known remote code execution.
Show Suggested Answer Hide Answer
Suggested Answer: A 🗳️
by Bright07 at Jan. 27, 2025, 2:38 a.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
Bright07
3 months ago
Selected Answer: A
The most likely vulnerability exploited, based on the log files, is: A. Directory traversal revealed the hashed SSH password, which was used to access the server. Brief explanation: The log entry https://myapp.mycompany.com/something.php=?../..../../etc/shadow suggests a directory traversal attack, where the attacker attempts to access files outside the web server's intended directory. /etc/shadow is a critical file on Linux systems that contains hashed passwords. If an attacker retrieves this file, they can crack the hashes to gain credentials. The sequence of events shows: Attempted directory traversal to access /etc/shadow (likely to retrieve hashed passwords). Actions like whoami indicate the attacker tested their access level after gaining entry. An SSH session was initiated shortly after, indicating the attacker used credentials from the /etc/shadow file.
upvoted 3 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago