Exam PT0-002
Question 243

A penetration tester opened a reverse shell on a Linux web server and successfully escalated privileges to root. During the engagement, the tester noticed that another user logged in frequently as root to perform work tasks. To avoid disrupting this user’s work, which of the following is the BEST option for the penetration tester to maintain root-level persistence on this server during the test?

Correct Answer: C

Adding a new user with ID 0 to the /etc/passwd file ensures that the penetration tester maintains root-level access persistently without interfering with the existing root user’s activities. This enables the tester to create a secondary root-level account, thus providing an undisturbed environment for the other user and preserving the legitimacy of the ongoing tasks. The other options either involve potential system changes that could disrupt the user or do not guarantee persistent access.
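From the defender's side, the account described in this answer is simple to detect, because any passwd entry other than root whose third field is 0 stands out. The following audit is an added example, not part of the original page; the function names `audit_passwd` and `sample_passwd` are hypothetical, and the sample file is constructed, reusing the example entry quoted in the discussion.

```shell
#!/bin/sh
# Added example: audit passwd-format data for extra UID 0 accounts.

# audit_passwd [FILE]  (reads stdin when FILE is omitted)
# Prints one finding per line; exit status is 1 if anything was flagged.
audit_passwd() {
    awk -F: '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        NF != 7 { printf "MALFORMED line %d: %s\n", NR, $0; bad = 1; next }
        $3 == 0 && $1 != "root" {               # second name mapped to UID 0
            printf "UID0 %s (shell=%s home=%s)\n", $1, $7, $6; bad = 1
        }
        ($3 in seen) && $3 != 0 {               # any other shared UID
            printf "DUPUID %s shares uid %s with %s\n", $1, $3, seen[$3]; bad = 1
        }
        !($3 in seen) { seen[$3] = $1 }
        END { exit bad + 0 }
    ' "${1:--}"
}

# Constructed sample data (not taken from a real host).
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
johndoe:x:0:0:John Doe:/root:/bin/bash
EOF
}

# Demo run on the constructed sample; findings go to stdout.
sample_passwd | audit_passwd || true
```

On a live host, `getent passwd | audit_passwd` also covers accounts supplied by other NSS sources, not only the local file.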

Discussion
cy_analyst (Option: B)

B, upgrading the reverse shell to a true TTY terminal, is the best choice from the available options. This option will allow the penetration tester to interact with the system in a more user-friendly way, without disrupting the work of the other user. Upgrading the reverse shell to a TTY terminal will create a new session that can be used independently of the user currently logged in as root. This option is less likely to be detected by system administrators, and does not involve making any permanent changes to the system.

nickwen007 (Option: B)

A true TTY terminal is a type of terminal session that can be accessed over the network, allowing for remote access and complete control over a system. It enables users to make changes to the system, such as adding new users and modifying system files.

[Removed]

B is correct?

KingIT_ENG (Option: C)

C is correct

[Removed] (Option: C)

C is the answer. The best option for the penetration tester to maintain root-level persistence on this server during the test is to add a new user with ID 0 to the /etc/passwd file. This will allow the penetration tester to use the same user account as the other user, but with root privileges, meaning that it won’t disrupt the other user’s work. This can be done by adding a new line with the username and the numerical user ID 0 to the /etc/passwd file. For example, if the username for the other user is “johndoe”, the line to add would be “johndoe:x:0:0:John Doe:/root:/bin/bash”. After the user is added, the penetration tester can use the “su” command to switch to the new user and gain root privileges.

zimuz (Option: B)

ChatGPT says B

hakanay

Use 4, not 3.5. It's C.

kloug

bbbbbbbb

041ba31 (Option: C)

Adding a new user with UID 0 to the /etc/passwd file gives the penetration tester root-level access without altering the existing root account's password or behavior. This method ensures persistent access for the tester while allowing the legitimate root user to continue their work uninterrupted. It's a stealthy approach that maintains the penetration tester's access without directly impacting other users.

matheusfmartins (Option: C)

C the best option

kips (Option: C)

C is the best

[Removed] (Option: C)

C is the answer I think

Etc_Shadow28000 (Option: C)

C. Add a new user with ID 0 to the /etc/passwd file.

Explanation: Adding a new user with ID 0 to the /etc/passwd file:

• This method involves adding a new user with root privileges by modifying the /etc/passwd file. By giving this new user an ID of 0, the same as the root user, the penetration tester can create a backdoor user account that has root-level access without changing any existing user credentials or disrupting the legitimate user’s activities. This approach provides a stealthy and persistent way to maintain root access.

vazq77 (Option: C)

for sure

lordguck (Option: C)

C is correct as it establishes a persistent way to access the system.

[Removed] (Option: B)

Hard question, but I am leaning towards B.

Etc_Shadow28000

B. Upgrade the reverse shell to a true TTY terminal:

• Upgrading the reverse shell to a true TTY terminal improves the usability and interaction of the shell, but it does not inherently provide persistence. The reverse shell connection would still be temporary and could be lost if the session is closed or interrupted.

[Removed] (Option: B)

The BEST option for the penetration tester to maintain root-level persistence on this server during the test without disrupting the work of the other user is to add a new user with ID 0 to the /etc/passwd file. By doing so, the penetration tester will have a persistent user account with root-level privileges that can be used to maintain access to the system, without changing the credentials of the original root user. This approach will allow the other user to continue working on the system without interruption, and the penetration tester can continue with the test as required. The other options listed would either not provide persistent access or could disrupt the work of the other user.