Exploiting and Pivoting Flashcards
Alice discovers a rating that her vulnerability scanner lists as 9.3 out of 10 on its severity scale. The service that is identified runs on TCP 445. What type of exploit is Alice most likely to use on this service?
a. SQL injection
b. SMB exploit
c. CGI exploit
d. MIB exploit
b. TCP 445 is a service port typically associated with SMB services.
Charles has recently completed a vulnerability scan of a system and needs to select the best vulnerability to exploit from the following list:
Ruby on Rails Action Pack Remote Code Execution Vulnerability (Windows), 7.5 High, 80%, 10.0.2.7, 300/tcp
OpenSSH Denial of Service And User Enumeration Vulnerabilities (Windows), 7.8 High, 80%, 10.0.2.7, 22/tcp
MySQL /Maria weak password, 9.0 High, 95%, 10.0.2.7, 3306/tcp
Which of the entries should Charles prioritize from this list if he wants to gain access to the system?
a. The Ruby on Rails
b. The OpenSSH
c. The MySQL
d. None of these
a. The Ruby on Rails vulnerability is the only vulnerability that specifically mentions remote code execution, which is most likely to allow Charles to gain access to the system.
Charles has recently completed a vulnerability scan of a system and needs to select the best vulnerability to exploit from the following list:
Ruby on Rails Action Pack Remote Code Execution Vulnerability (Windows), 7.5 High, 80%, 10.0.2.7, 300/tcp
OpenSSH Denial of Service And User Enumeration Vulnerabilities (Windows), 7.8 High, 80%, 10.0.2.7, 22/tcp
MySQL /Maria weak password, 9.0 High, 95%, 10.0.2.7, 3306/tcp
If Charles wants to build a list of additional system user accounts, which of the vulnerabilities is most likely to deliver that information?
a. The Ruby on Rails
b. The Open SSH
c. The MySQL
d. Both OpenSSH and MySQL
b. The OpenSSH vulnerability specifically notes that it allows user enumeration, making this the best bet for what Charles wants to accomplish.
Charles has recently completed a vulnerability scan of a system and needs to select the best vulnerability to exploit from the following list:
Ruby on Rails Action Pack Remote Code Execution Vulnerability (Windows), 7.5 High, 80%, 10.0.2.7, 300/tcp
OpenSSH Denial of Service And User Enumeration Vulnerabilities (Windows), 7.8 High, 80%, 10.0.2.7, 22/tcp
MySQL /Maria weak password, 9.0 High, 95%, 10.0.2.7, 3306/tcp
If Charles selects the Ruby on Rails vulnerability, which of the following methods cannot be used to search for an existing Metasploit vulnerability?
a. CVE
b. BID
c. MSF
d. EDB
c. Metasploit searching supports multiple common vulnerability identifier systems, including CVE, BID, and EDB, but MSF was made up for this question. It may sound familiar, as the Metasploit consle command is msfconsole.
Matt wants to pivot from a Linux host to other hosts in the network but is unable to install addition tools beyond those found on a typical Linux server. How can he leverage the system he is on to allow vulnerability scans of those remote hosts if they are firewalled against inbound connections and protected from direct access from his penetration testing workstation?
a. SSH tunneling
b. Netcat port forwarding
c. Enable IPv6
d. Modify browser plug-ins
a. Matt can safely assume that almost any modern Linux system will have SSH, making SSH tunneling a legitimate option. If he connects outbound from the compromised system to his and creates a tunnel allowing traffic in, he can use his own vulnerability scanner through the tunnel to access the remote systems.
After gaining access to a Windows system, Fred uses the following command: SchTasks /create /SC Weekly /TN “Antivirus” /TR “C:\Users\SSmith\av.exe” /ST 09:00
What has he accomplished?
a. He has set up a weekly antivirus scan
b. He has set up a job call “weekly”
c. He has scheduled his own executable to run weekly
d. Nothing, this command will only run on Linux
c. Fred has used the scheduled tasks tool to set up a weekly run of av.exe from a user directory at 9 a.m. It is fair to assume in this example that Fred has gained access to SSmith’s user directory and has placed his own av.exe file there and is attempting to make it look innocuous if administrators find it.
After gaining access to a Linux system through a vulnerable service, Cassandra wants to list all of the user accounts on the system and their home directories. Which of the following locations will provide this list?
a. /etc/shadow
b. /etc/passwd
c. /var/usr
d. /home
b. On most Linux systems, the /etc/passwd file will contain a list of users as well as their home directories. Capturing both /etc/passwd and /etc/shadow are important for password cracking, making both desirable targets for penetration testers.
A few days after exploiting a target with the Metasploit Meterpreter payload, Robert loses access to the remote host. A vulnerability scan shows that the vulnerability that he used to exploit the system originally is still open. What has most likely happened?
a. The malware scan discovered Meterpreter and removed it
b. The system was patched
c. The system was rebooted
d. Meterpreter crashed
c. Meterpreter is a memory-resident tool that injects itself into another process. The most likely answer is that the system was rebooted, thus removing the memory-resident Meterpreter process. Robert can simply repeat his exploit to regain access, but he may want to take additional steps to ensure continued access.
Angela wants to exfiltrate data from a Windows system she has gained access to during a penetration test. Which of the following exfiltration techniques is least likely to be detected?
a. Send it via outbound HTTP as plaintext to a system she controls
b. Hash the data, then send the hash via outbound HTTPS
c. Use PowerShell to base64-encode the data, then post to a public
HTTPS-accessible code repository
d. Use PowerShell to base64-encode the data, then use an SSH
tunnel to transfer the data to a system she controls.
c. Encoding data will make it less likely that intrusion prevent and data loss prevention systems will identify acquired data, meaning that encoding is a useful technique. Sending the data to a public repository like GitHub is less likely to look unusual than an internal system opening a SSH tunnel to a previously unknown system. Sending via HTTP instead of HTTPS will make inspection of the outbound, unencoded data trivial for defenders, and hashing the data will not leave it in a recoverable state when it arrives.
Ian’s penetration test rules of engagement specify that he cannot add tools to the systems he compromises in a specific target environment. What techniques will he have to use to meet this requirement?
a. Compromise using a fileless malware package, then cover his tracks and clean up any files uses.
b. Compromise using a known exploit and dropper from Metasploit, the use living-off-the-land techniques
c. Compromise using fileless malware package, then use living -off-the-land techniques
d. Compromise using a known exploit and dropper from Metasploit, then clean up the dropped files and only use system utilities for further work.
c. A combination of fileless malware and living-off0-the-land techniques that use native tools and utilities will help Ian to ensure that he meets the rules of engagement of the penetration test he is conducting. Even cleaning up files will violate those rules, meaning that Ian could not add tools even if he is confident in his ability to clean them up after he is done. A Metasploit dropper leaves files behind, which means both answers that use this do not meet the requirements.
Tina has acquired a list of valid user accounts but does not have passwords for them. If she has not found any vulnerabilities but believes that the organization she is targeting has poor password practices, what type of attack can she use to try to gain access to a target system where those usernames are likely valid?
a. Rainbow tables
b. Dictionary attacks
c. Thesaurus attacks
d. Meterpreter
b. Tina may want to try a brute-force dictionary attack to test for weak passwords. She should build a custom dictionary for her target organization, and she may want to do some social engineering work or social media assessment up front to help her identify any common password selection behaviors that members of the organization tend to display.
What built-in Windows server administration tool can allow command-line PowerShell access from other systems?
a. VNC
b. PowerSSHell
c. PSRemote
d. RDP
c. PSRemote, or PowerShell Remote, provides command-line access from remote systems. Once you have established a remote trust relationship using valid credentials, you can use PowerShell commands for a variety of exploit and information gathering activities, including use of dedicated PowerShell exploit tools.
John wants to retain access to a Linux system. Which of the following is not a common method of maintaining persistence on Linux servers.
a. Scheduled tasks
b. Cron jobs
c. Trojaned services
d. Modified daemons
a. The Windows task schedule is used for scheduled tasks. On Linux, Cron jobs are set to start applications and other events on time. Other common means of creating persistent access to Linux systems include modifying system daemons, replacing services with Trojaned versions, or even simply creating user accounts for later use
Time has selected his Metasploit exploit and set his payload as cmd/unix/generic. After attempting the exploit, he receives the following output. What went wrong?
msf exploit(unix/misc/distcc_exec) > exploit
[-] Exploit failed: The following options failed to validate: RHOST.
[*] Exploit completed, but no session was created.
a. The remote host is firewalled
b. The remote host is not online
c. The host is not routable
d. The remote host was not set
d. Metasploit needs to know the remote tart host, known as rhost, and this was not set. Tim can set it by typing set rhost <ip> with the proper IP address. Some payloads require lhost, or local host, to be set as well, making it a good idea to use the show options command before running an exploit.</ip>
Cameron runs the following command via an administrative shell on a Windows system he has compromised. What has he accomplished?
$command = ‘cmd /c powershell.exe -c Set-WSManQuickConfig-Force;Set-Item WSMan:\localhost\Service\Auth\Basic -Value $True;Set-Item WSMan:\localhost\Service\AllowUnencrypted-Value $True;Register-PSSessionConfiguration -Name Microsoft.Powershell-Force’
a. He has enabled PowerShell for local users
b. He has set up PSRemoting
c. He has disabled remote command-line access
d. He has set up WSMan
b. Cameron has enabled PowerShell remote access, known as PSRemoting, and has configured it to allow unencrypted sessions using basic auth. This configuration should worry any Windows administrator who finds it.
