While performing an internal penetration test against a legacy UNIX print server, you run an nmap scan and see that TCP 515 is open. Banner grabbing returns "220 lpd server (in.lpd 1.0) ready," and a quick process check shows the daemon running with UID 0 (root). You must determine whether this service can realistically be leveraged to obtain root access on the host without making permanent configuration changes. Which action will provide the MOST conclusive evidence of privilege-escalation potential?
Use lpq to list remote printer queues and compare them with entries in /etc/printcap.
Retrieve and update the printer server's hostname via SNMP SET requests to see if LPD restarts with elevated privileges.
Transmit a crafted control file that triggers the known in.lpd buffer overflow and observe whether it spawns a root shell.
Add your workstation's IP to /etc/hosts.lpd to limit access, then rescan port 515 for changes.
Sending a benign proof-of-concept payload that exploits the documented in.lpd buffer-overflow vulnerability directly tests whether the service will execute code with root privileges, giving immediate confirmation of an escalation path. Listing print queues or altering /etc/hosts.lpd only enumerates or restricts access without demonstrating privilege gain. Changing the device hostname via SNMP and watching for a restart is indirect and does not test the LPD code path responsible for past overflows.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is port 515 used for?
Open an interactive chat with Bash
What does sending crafted data to a service mean?
Open an interactive chat with Bash
How does privilege escalation work in this context?