CompTIA PenTest+ (PT0-001) — Question 185

After gaining initial low-privilege access to a Linux system, a penetration tester identifies an interesting binary in a user's home folder titled ''changepass.`
-sr-xr-x 1 root root 6443 Oct 18 2017 /home/user/changepass
Using `strings" to print ASCII printable characters from changepass, the tester notes the following:
$ strings changepass
exit
setuid
strcmp

GLIBC_2.0 -

ENV_PATH -
%s/changepw
malloc
strlen
Given this information, which of the following is the MOST likely path of exploitation to achieve root privileges on the machine?

Answer options

• A. Copy changepass to a writable directory and export the ENV_PATH environmental variable to the path of a token-stealing binary titled changepw. Then run changepass.
• B. Create a copy of changepass in the same directory, naming it changepw. Export the ENV_PATH environmental variable to the path '/home/user/'. Then run changepass.
• C. Export the ENV_PATH environmental variable to the path of a writable directory that contains a token-stealing binary titled changepw. Then run changepass.
• D. Run changepass within the current directory with sudo after exporting the ENV_PATH environmental variable to the path of '/usr/local/bin'.

Correct answer: D

Explanation

The correct answer is D because executing changepass with sudo after setting the ENV_PATH to a directory containing a malicious binary allows the tester to escalate privileges. Option A is incorrect as it does not use sudo, and B and C do not ensure the execution context can effectively exploit the setuid behavior of changepass.