A penetration tester discovers an application running with elevated privileges. This application is configured to load a dynamic-link library (DLL) from a directory that has insecure permissions, allowing any user to write files to it. Which of the following methods describes the most direct way for an attacker to achieve privilege escalation in this scenario?
Create a new local user account and add it to the local administrators group for persistent access.
Craft a malicious DLL, place it in the writable directory, and give it the name of the expected library.
Dump credential hashes from the memory of the privileged process to use in a pass-the-hash attack.
Alter a system's PATH environment variable to redirect the application to a malicious library in another location.
The most direct attack is to place a malicious DLL with the same name as the legitimate one into the insecurely permissioned directory. When the privileged application starts, the loader resolves the library name to the attacker's file and runs its DllMain with the application's elevated privileges. This is the library injection technique known as DLL hijacking (sometimes DLL planting or preloading when the file is dropped into a directory searched before the legitimate one). Two practical caveats: the attacker needs create (or delete-and-replace) rights in the directory, which is exactly what the weak permissions supply, and the planted DLL must export every symbol the application imports from it, or the process fails to start instead of running the payload. Altering the PATH environment variable is also a form of library injection, but it is less direct: Windows consults PATH only after the application directory and the system directories, so it works only when the library is not found earlier in the search order, and it fails outright if the application loads the DLL by absolute path. Credential dumping and creating a new administrator account are different attacks that do not exploit this file-loading weakness at all; they presuppose privileges the attacker does not yet have.
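The following PowerShell is an added example for this explanation, not part of the original question or answer. It performs the check a tester would run to confirm the precondition the question describes: it walks an application's install directory and reports any directory whose ACL grants create/write rights to a broad, low-privilege principal, then lists the DLLs already present there. The path C:\Program Files\ExampleApp and the principal list are assumptions; adjust them to the target.

```powershell
# Added example: find directories under an application's install path that
# low-privilege users can write to, i.e. candidate DLL hijacking locations.
# 'C:\Program Files\ExampleApp' is an assumed placeholder path.

# Principals that effectively mean "any logged-on user".
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# On a directory, WriteData/AppendData are CreateFiles/CreateDirectories;
# any of these rights lets a user drop a new file into the directory.
$WriteRights = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
               [System.Security.AccessControl.FileSystemRights]::AppendData -bor
               [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl

function Test-WritableByLowPriv {
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        # Only Allow entries matter; Deny entries reduce rather than grant access.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $WriteRights) -ne 0) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
            }
        }
    }
}

$AppDir = 'C:\Program Files\ExampleApp'   # assumed target directory

# The application directory itself is first in the default DLL search order,
# so check it and every subdirectory the application might load from.
$Dirs = @($AppDir) + (Get-ChildItem -LiteralPath $AppDir -Recurse -Directory -ErrorAction SilentlyContinue).FullName

foreach ($dir in $Dirs) {
    $hits = Test-WritableByLowPriv -Path $dir
    if (-not $hits) { continue }

    $hits | Format-Table -AutoSize

    # DLLs already present here are the names an attacker would shadow or replace.
    Get-ChildItem -LiteralPath $dir -Filter '*.dll' -File -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Name |
        ForEach-Object { "  existing DLL: $_" }
}
```

A hit on the directory alone is enough to plant a DLL the application looks for but that is missing; to replace a DLL that already exists, also inspect that file's own ACL (write on the file, or Delete/DeleteSubdirectoriesAndFiles on the directory). Run the check as the low-privilege user whose access you are assessing, since Get-Acl reports the ACL regardless of who runs it.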