System/Host Based Attacks
๐ฉ CTFs & Labs ๐งช¶
โ Quizzes¶
Introduction To System/Host Based Attacks¶
| Question | Answer |
|---|---|
| System/Host based attacks are attacks that are targeted towards a specific system running a specific operating system? | True |
Windows¶
Overview Of Windows Vulnerabilities¶
| Question | Answer |
|---|---|
| An Information disclosure vulnerability is a type of vulnerability that could potentially allow an attacker to remotely execute arbitrary code on a target system. | False |
Frequently Exploited Windows Services¶
| Question | Answer |
|---|---|
| Which one of the following is not a frequently exploited Windows service? | SAMBA |
| Which one of the following ports is used by RDP? | 3389 |
Exploiting Microsoft IIS WebDAV¶
| Question | Answer |
|---|---|
| Which one of the following file extensions cannot be executed on a Microsoft IIS web server? | .py |
| The cadaver utility can be used to upload files on to a WebDAV server. | True |
Exploiting WebDAV With Metasploit¶
| Question | Answer |
|---|---|
| Which one of the following commands can be used to upload malicious .asp payloads with cadaver? | put /PATH-TO-FILE/payload.asp |
Exploiting SMB With PsExec¶
| Question | Answer |
|---|---|
| PsExec authentication is performed via SMB. | True |
| Which one of the following commands can be used to authenticate with a target system with PsExec? | psexec.py Administrator@192.168.1.1 |
Exploiting Windows MS17-010 SMB Vulnerability (EternalBlue)¶
| Question | Answer |
|---|---|
| The EternalBlue exploit takes advantage of a vulnerability in SMBv1. | True |
| Which one of the following CVEs was assigned to the EternalBlue vulnerability? | CVE-2017-0144 |
Exploiting RDP¶
| Question | Answer |
|---|---|
| Which one of the following commands can be used to remotely access a Windows target via RDP with xfreerdp? | xfreerdp /u:administrator /p:password123 /v:192.168.1.1 |
| RDP can be configured to run on a different TCP port. | True |
Exploiting Windows CVE-2019-0708 RDP Vulnerability (BlueKeep)¶
| Question | Answer |
|---|---|
| The BlueKeep exploit could potentially allow an attacker to execute arbitrary code on a Windows target. | True |
Exploiting Windows CVE-2019-0708 RDP Vulnerability (BlueKeep)¶
| Question | Answer |
|---|---|
Exploiting WinRM¶
| Question | Answer |
|---|---|
| Crackmapexec can be used to execute commands on a Windows target. | True |
| Which one of the following evil-winrm commands can be used to obtain a remote PowerShell shell on a Windows target? | evil-winrm.rb -u administrator -p 'password123' -i 192.168.1.1 |
Windows Kernel Exploits¶
| Question | Answer |
|---|---|
| Which one of the following Metasploit modules can be used to identify kernel exploits on a Windows target? | multi/recon/local_exploit_suggester |
| Kernel exploits are completely stable and can be executed without any issues. | False |
Bypassing UAC With UACMe¶
| Question | Answer |
|---|---|
| In order to elevate privileges by bypassing UAC, you will need access to a user that is a member of the local administrators group. | True |
| Which one of the following commands can be used to execute a malicious executable with elevated privileges with the Akagi tool? | Akagi64.exe 23 C:\Temp\payload.exe |
Access Token Impersonation¶
| Question | Answer |
|---|---|
| In order to impersonate an access token, you will need to have access to an account with the "SeImpersonatePrivilege"? | True |
| Which one of the following meterpreter commands can be used to enumerate user privileges? | getprivs |
Alternate Data Streams¶
| Question | Answer |
|---|---|
| Alternate Data Streams is an NTFS and ext4 filesystem attribute. | False |
Windows Password Hashes¶
| Question | Answer |
|---|---|
| What hashing algorithm is used to hash NTLM passwords? | MD4 |
Searching For Passwords In Windows Configuration Files¶
| Question | Answer |
|---|---|
| Which one of the following directories contains the Unattended Windows Setup utility configuration file? | C:\Windows\Panther\Unattend.xml |
Dumping Hashes With Mimikatz¶
| Question | Answer |
|---|---|
| Mimikatz makes a copy of the SAM database in order to extract NTLM hashes. | False |
| Which one of the following Mimikatz commands can be used to extract NTLM hashes via the LSA? | lsadump::sam |
Pass-The-Hash Attacks¶
| Question | Answer |
|---|---|
| Which one of the following tools can be used to perform a Pass-The-Hash attack? (Choose Two) | evil-winrm,crackmapexec |
Linux¶
Exploiting Bash CVE-2014-6271 Vulnerability (Shellshock)¶
| Question | Answer |
|---|---|
| Bash is the default shell used by most Linux distributions. | True |
| The Shellshock vulnerability affects both Windows & Linux. | False |
Exploiting FTP¶
| Question | Answer |
|---|---|
| In certain cases, FTP can be configured to allow anonymous connections. | True |
Exploiting SSH¶
| Question | Answer |
|---|---|
| SSH only supports username/password authentication. | False |
Exploting SAMBA¶
| Question | Answer |
|---|---|
| smbclient provides users with an ftp-like console interface. | True |
| Which one of the following commands can be used to enumerate shares with SMBMap? | smbmap -H 192.168.1.1 -u admin -p password123 |
Linux Kernel Exploits¶
| Question | Answer |
|---|---|
| Which one of the following compilers can be used to compile exploit code written in C? | GCC |
| When identifying kernel exploits, the kernel version and distribution release version are the most important pieces of information. | True |
Exploiting Misconfigured Cron Jobs¶
| Question | Answer |
|---|---|
| Which one of the following commands can be used to display the list of scheduled cron jobs for the current user? | crontab-l |
Exploiting SUID Binaries¶
| Question | Answer |
|---|---|
| In order to elevate our privileges, we will need to identify an SUID binary that is owned by the "root" user. | True |
Dumping Linux Password Hashes¶
| Question | Answer |
|---|---|
| Encrypted Linux account passwords are stored in the /etc/passwd file. | False |
| The /etc/shadow file can only be accessed by the "root" user. | True |