
Exploiting Local Host and Physical Security Vulnerabilities


In this sample chapter from CompTIA PenTest+ PT0-001 Cert Guide, you will learn how to take advantage of insecure services and protocol configurations during a penetration testing engagement.

This chapter is from the book

In this chapter you will learn about exploiting local host vulnerabilities, as well as physical security flaws. This chapter provides details on how to take advantage of insecure services and protocol configurations during a penetration testing engagement. You will also learn how to perform local privilege escalation attacks as part of penetration testing. This chapter provides details to help you gain an understanding of Set-UID and Set-GID Unix programs, as well as ret2libc attacks. This chapter also covers privilege escalation attacks against Windows systems and the security flaws of Android and Apple iOS mobile devices. In this chapter you will also gain an understanding of physical security attacks such as piggybacking, tailgating, fence jumping, dumpster diving, lock picking, and badge cloning.

“Do I Know This Already?” Quiz

The “Do I Know This Already?” quiz allows you to assess whether you should read this entire chapter thoroughly or jump to the “Exam Preparation Tasks” section. If you are in doubt about your answers to these questions or your own assessment of your knowledge of the topics, read the entire chapter. Table 7-1 lists the major headings in this chapter and their corresponding “Do I Know This Already?” quiz questions. You can find the answers in Appendix A, “Answers to the ‘Do I Know This Already?’ Quizzes and Q&A Sections.”

Table 7-1 “Do I Know This Already?” Section-to-Question Mapping

Foundation Topics Section:

  • Exploiting Local Host Vulnerabilities

  • Understanding Physical Security Attacks

  1. Which of the following is not an insecure service or protocol?

    1. Cisco Smart Install

    2. Telnet

    3. Finger

    4. Windows PowerSploit

  2. Consider the following example:

    omar@ares:~$ ls -l topsecret.txt
    -rwxrwxr-- 1 omar omar 15 May 26 21:15 topsecret.txt

    What permissions does the user omar have in the topsecret.txt file?

    1. Read only

    2. Write only

    3. Read, write, execute

    4. Write, execute

  3. Which of the following is not true about sticky bits?

    1. A restricted deletion flag, or sticky bit, is a single bit whose interpretation depends on the file type.

    2. For directories, the sticky bit prevents unprivileged users from removing or renaming a file in the directory unless they own the file or the directory; this is called the restricted deletion flag for the directory, and is commonly found on world-writable directories such as /tmp.

    3. If the sticky bit is set on a directory, files inside the directory cannot be renamed or removed by the owner of the file, the owner of the directory, or the superuser (even though the modes of the directory might allow such an operation).

    4. For regular files on some older systems, the sticky bit saves the program’s text image on the swap device so it will load more quickly when run.

  4. Which of the following is a type of attack in which a subroutine return address on a call stack is replaced by an address of a subroutine that is already present in the executable memory of the process?

    1. Ret2libc

    2. ASLR bypass

    3. CPassword

    4. Sticky-bit attack

  5. Which of the following is a component of Active Directory’s Group Policy Preferences that allows administrators to set passwords via Group Policy?

    1. Ret2libc

    2. CPassword

    3. Sticky-bit

    4. GPO crack

  6. Which of the following tools allows an attacker to dump the LSASS process from memory to disk?

    1. John the Ripper

    2. SAMsploit

    3. Sysinternals ProcDump

    4. Windows PowerShell

  7. The SELinux and AppArmor security frameworks include enforcement rules that attempt to prevent which of the following attacks?

    1. Lateral movement

    2. Sandbox escape

    3. Cross-site request forgery (CSRF)

    4. Cross-site scripting (XSS)

  8. Which of the following is not one of the top mobile security threats and vulnerabilities?

    1. Cross-site request forgery (CSRF)

    2. Insecure data storage

    3. Insecure communication

    4. Insecure authentication

  9. Which of the following is an attack in which the attacker tries to retrieve encryption keys from a running operating system after using a system reload?

    1. Hot-boot

    2. Rowhammer

    3. Cold boot

    4. ASLR bypass

  10. Which of the following is the term for an unauthorized individual following an authorized individual to enter a restricted building or facility?

    1. Lockpicking

    2. Dumpster diving

    3. Badge cloning

    4. Tailgating
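Questions 2 and 3 both turn on reading an ls -l mode string correctly: which permission class (owner, group, other) applies to a given user, and what the s and t characters in the execute positions mean. The following Python helper is an added example written for this page, not code from the book; apart from the line quoted in question 2, the sample lines, file names and group memberships it uses are constructed.

```python
from __future__ import annotations
from collections import namedtuple

# Constructed sample `ls -l` lines: the first is the one from question 2; the
# other two are made up here to show a sticky-bit directory and a set-UID file.
SAMPLE_LINES = [
    "-rwxrwxr-- 1 omar omar 15 May 26 21:15 topsecret.txt",
    "drwxrwxrwt 10 root root 4096 May 26 21:15 tmp",
    "-rwsr-xr-x 1 root root 12345 May 26 21:15 suidtool",
]

LsEntry = namedtuple("LsEntry", "mode owner group name")  # mode: "-rwxrwxr--"

def parse_ls_line(line: str) -> LsEntry:
    """Split one `ls -l` line into mode, owner, group and name."""
    f = line.split()
    if len(f) < 9 or len(f[0]) < 10:
        raise ValueError(f"not an ls -l line: {line!r}")
    # f[0][:10] drops the trailing '.' or '+' ls prints for SELinux/ACL entries
    return LsEntry(mode=f[0][:10], owner=f[2], group=f[3], name=" ".join(f[8:]))

def permissions_for(entry: LsEntry, user: str, groups: frozenset[str]) -> set[str]:
    """Exactly one class applies: owner bits if user owns the file, otherwise
    group bits if user is in the file's group, otherwise the 'other' bits."""
    m = entry.mode
    rwx = m[1:4] if user == entry.owner else m[4:7] if entry.group in groups else m[7:10]
    # lowercase s/t = special bit plus execute; uppercase S/T = special bit, no execute
    return {name for ch, name in zip(rwx, ("read", "write", "execute")) if ch in "rwxst"}

def special_bits(entry: LsEntry) -> dict[str, bool]:
    """Flag the set-UID, set-GID and sticky bits from the mode string."""
    m = entry.mode
    return {"is_dir": m[0] == "d", "setuid": m[3] in "sS",
            "setgid": m[6] in "sS", "sticky": m[9] in "tT"}

def review(entry: LsEntry) -> list[str]:
    """Findings a host-hardening review would flag for this entry."""
    b, ww = special_bits(entry), entry.mode[8] == "w"   # ww: world-writable
    checks = [
        (ww and b["is_dir"] and not b["sticky"], "world-writable directory without sticky bit"),
        (ww and not b["is_dir"], "world-writable file"),
        (b["setuid"] or b["setgid"], "set-UID/set-GID program"),
    ]
    return [msg for cond, msg in checks if cond]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        e = parse_ls_line(line)
        print(e.name, sorted(permissions_for(e, "omar", frozenset({"omar"}))), review(e))
```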
