Answer key for eight of the practice questions below

Question: During a penetration test, a tester finds a custom binary that is vulnerable to a stack-based buffer overflow. The binary has DEP enabled but no ASLR. Which of the following exploitation techniques would be MOST effective to achieve code execution?
Correct answer: ret2libc to call system() with a controlled argument.
Explanation: Option C is correct because ret2libc allows the tester to call the system() function from libc with a controlled argument (e.g., "/bin/sh") to spawn a shell, bypassing DEP (which prevents code execution on the stack) without needing to execute shellcode. Since ASLR is disabled, the address of system() and the string "/bin/sh" in libc are predictable, making this technique reliable and effective.
Other options: Return-oriented programming (ROP) to bypass DEP; Heap spraying to inject shellcode; Stack pivoting to redirect execution to a known location.

Question: A penetration tester is testing a web application that has input validation blocking single quotes. The tester wants to perform a SQL injection attack. Which of the following techniques would be MOST effective to bypass the filter?
Correct answer: Using a payload without quotes, such as numeric injection.
Explanation: Option D is correct because numeric injection does not require quotes at all, directly bypassing the single-quote filter. When the vulnerable parameter expects a numeric value (e.g., an ID), the tester can inject SQL logic like `OR 1=1` without any quotes, making it the most effective technique against input validation that blocks single quotes.
Other options: Using URL encoding for the single quote (%27); Using double quotes instead of single quotes; Using a second-order SQL injection.

Question: During a web application test, a penetration tester discovers that the application exposes internal object references (e.g., user ID in a URL) and does not properly authorize access. The tester can view other users' private data by simply changing the ID parameter. Which type of vulnerability does this represent?
Correct answer: Insecure Direct Object Reference (IDOR).
Explanation: The vulnerability is Insecure Direct Object Reference (IDOR) because the application exposes internal object references (e.g., user ID in a URL) and fails to enforce proper authorization checks. By simply changing the ID parameter, the tester can access other users' private data without authentication or permission validation, which is the hallmark of IDOR.
Other options: Cross-Site Request Forgery (CSRF); SQL Injection; Cross-Site Scripting (XSS).

Question: A penetration tester is attempting to exploit a buffer overflow vulnerability in a Linux binary. The binary has Data Execution Prevention (DEP) enabled but Address Space Layout Randomization (ASLR) is disabled. Which exploitation technique would be the MOST effective to achieve code execution?
Correct answer: Perform a return-to-libc attack to call system("/bin/sh").
Explanation: With DEP enabled, the stack is non-executable, so injecting shellcode directly into the buffer (Option A) would fail. Since ASLR is disabled, library addresses are fixed, making a return-to-libc attack viable. Option C exploits this by overwriting the return address with the address of system() and placing the string "/bin/sh" in memory, achieving code execution without needing an executable stack.
Other options: Inject shellcode into the buffer and redirect execution to it; Use a ROP chain to call mprotect() to make the stack executable, then jump to shellcode; Use a heap spray to place shellcode at a known address and then trigger the overflow.

Question: During an internal penetration test, a tester discovers a Windows server running a custom service that is vulnerable to a stack-based buffer overflow. The binary has Data Execution Prevention (DEP) enabled but Address Space Layout Randomization (ASLR) is disabled. Which exploitation technique would be MOST effective to achieve code execution?
Correct answer: Constructing a ROP chain using gadgets from loaded DLLs to simulate shellcode execution.
Explanation: With DEP enabled, the stack is marked non-executable, so injecting shellcode directly (option A) would fail. ASLR being disabled means the addresses of loaded DLLs are predictable, making it feasible to construct a ROP chain using gadgets from those DLLs to simulate shellcode execution. Option C is correct because ROP chains bypass DEP by reusing existing executable code (gadgets) without needing to execute code on the stack.
Other options: Injecting shellcode directly onto the stack and overwriting the return address to jump to it; Using a return-to-libc attack to call system() with a command string; Enabling the execute bit on the stack via a memory corruption primitive.

Question: A penetration tester has gained a low-privileged shell on a Linux server and discovers a binary with the SUID bit set owned by root. The binary executes a system command using a relative path without sanitizing user input. Which of the following techniques would the tester MOST likely use to escalate privileges?
Correct answer: Modify the PATH environment variable to point to a malicious script with the same name as the command called by the binary.
Explanation: Option B is correct because the SUID binary executes a system command using a relative path without sanitizing user input. By modifying the PATH environment variable to include a directory containing a malicious script with the same name as the command, the tester can cause the binary to execute the attacker-controlled script instead of the intended system command, thereby escalating privileges to root when the SUID binary runs.
Other options: Exploit a kernel vulnerability to gain root; Impersonate the root user using sudo; Preload a shared library using LD_PRELOAD.

Question: A penetration tester has captured NTLM hashes from a compromised machine and wants to move laterally to a server that requires NTLM authentication. The tester does not have the plaintext password. Which attack technique is MOST appropriate for authenticating using the captured hashes?
Correct answer: Pass-the-hash.
Explanation: Pass-the-hash (PtH) is the most appropriate technique because it allows the tester to authenticate to the target server using the captured NTLM hash directly, without needing the plaintext password. NTLM authentication uses the hash as a secret, so the hash can be passed to the server in the challenge-response handshake. This is a well-known lateral movement technique in Windows environments.
Other options: Brute force the password from the hash; NTLM relay; Kerberoasting.

Question: A penetration tester has successfully exploited a buffer overflow vulnerability in a Linux binary. However, the binary has Data Execution Prevention (DEP) enabled and Address Space Layout Randomization (ASLR) disabled. Which exploitation technique is MOST appropriate to achieve code execution in this environment?
Correct answer: Return-oriented programming (ROP) to bypass DEP.
Explanation: Return-oriented programming (ROP) is the most appropriate technique because DEP marks the stack and heap as non-executable, preventing direct shellcode injection. With ASLR disabled, the attacker can reliably locate and chain small instruction sequences (gadgets) from the binary or loaded libraries to achieve arbitrary code execution without needing executable memory regions.
Other options: Simple shellcode injection on the stack; ASLR bypass techniques; Heap spraying.
Objective 3.0
Attacks and Exploits
PT0-002 Practice Questions
Use this page to practise threats, attacks and vulnerabilities questions. CompTIA Security+ is scenario-heavy here — you must identify not just the attack type but the most appropriate response.
Threats, attacks and vulnerabilities questions test whether you can identify attack types, threat actor motivations and the correct mitigation for a given scenario.
Threat actor types and motivations (APT, script kiddie, insider, nation-state).
Attack techniques: phishing, social engineering, ransomware, SQL injection, XSS.
Vulnerability scanning vs penetration testing vs risk assessment.
Mitigation strategies mapped to specific attack types.
Common exam traps
Where candidates lose marks on Attacks and Exploits
⚠ Social engineering targets people, not systems — the attack vector matters.
⚠ A vulnerability scanner finds weaknesses; it does not exploit them.
⚠ Phishing is email-based; vishing is voice-based; smishing is SMS-based.
⚠ Zero-day vulnerabilities have no patch available at the time of discovery.
A penetration tester has gained a foothold on a Windows server and wants to move laterally to a domain controller. The tester has access to a service account that is a member of the 'Remote Management Users' group on the domain controller. Which of the following tools would be MOST appropriate for lateral movement in this scenario?
During an internal test, a penetration tester discovers a web application that is vulnerable to Server-Side Template Injection (SSTI). The application uses a template engine that does not sandbox user input. Which of the following payloads would be MOST effective to achieve remote code execution on the server?
During a penetration test, a tester finds a custom binary that is vulnerable to a stack-based buffer overflow. The binary has DEP enabled but no ASLR. Which of the following exploitation techniques would be MOST effective to achieve code execution?
A penetration tester is testing a web application that has input validation blocking single quotes. The tester wants to perform a SQL injection attack. Which of the following techniques would be MOST effective to bypass the filter?
During a web application test, a penetration tester discovers that the application exposes internal object references (e.g., user ID in a URL) and does not properly authorize access. The tester can view other users' private data by simply changing the ID parameter. Which type of vulnerability does this represent?
A penetration tester is attempting to exploit a buffer overflow vulnerability in a Linux binary. The binary has Data Execution Prevention (DEP) enabled but Address Space Layout Randomization (ASLR) is disabled. Which exploitation technique would be the MOST effective to achieve code execution?
During an internal penetration test, a tester discovers a Windows server running a custom service that is vulnerable to a stack-based buffer overflow. The binary has Data Execution Prevention (DEP) enabled but Address Space Layout Randomization (ASLR) is disabled. Which exploitation technique would be MOST effective to achieve code execution?
A penetration tester has gained a low-privileged shell on a Linux server and discovers a binary with the SUID bit set owned by root. The binary executes a system command using a relative path without sanitizing user input. Which of the following techniques would the tester MOST likely use to escalate privileges?
A penetration tester has captured NTLM hashes from a compromised machine and wants to move laterally to a server that requires NTLM authentication. The tester does not have the plaintext password. Which attack technique is MOST appropriate for authenticating using the captured hashes?
A penetration tester has successfully exploited a buffer overflow vulnerability in a Linux binary. However, the binary has Data Execution Prevention (DEP) enabled and Address Space Layout Randomization (ASLR) disabled. Which exploitation technique is MOST appropriate to achieve code execution in this environment?
A penetration tester has gained access to a Windows workstation and extracted NTLM password hashes. The tester wants to move laterally to a server that authenticates using NTLM. The tester does not have the plaintext passwords. Which technique is MOST appropriate to authenticate to the server using the captured hashes?
A penetration tester has gained a low-privileged shell on a Linux server. During enumeration, the tester finds a cron job that runs a script as root every five minutes. The script is located in /opt/backup.sh and is world-writable. Which technique should the tester use to escalate privileges?
A penetration tester has obtained the NTLM hash of a service account during an internal test. The tester wants to gain access to a specific SQL server that uses Kerberos authentication. The tester does not know the plaintext password. Which attack is MOST appropriate to forge a service ticket for the SQL server?
A penetration tester has obtained a TGT from a domain controller by cracking the krbtgt hash. Which attack can the tester now perform to gain persistent administrative access to any resource in the domain?
A penetration tester has gained access to a Windows domain and wants to perform a Kerberoasting attack. Which account privileges are required to request service tickets for Kerberoasting?
A penetration tester has gained a low-privileged command shell on a Windows 10 system. The tester suspects there is a vulnerable service with an unquoted service path that can be exploited for privilege escalation. Which command should the tester use to identify all services with this vulnerability?
During an internal penetration test, a tester gains access to a domain-joined Windows 10 workstation as a local administrator. The tester wants to escalate privileges to Domain Admin. Which attack involves requesting Kerberos service tickets that can be cracked offline to reveal the plaintext password of a service account?
A penetration tester has compromised a Linux web server via a remote file inclusion vulnerability. The tester wants to maintain persistent access on the system. Which technique is MOST reliable for persistence on a Linux system?
A penetration tester has gained a low-privileged shell on a Linux server. During enumeration, the tester discovers a binary with the SUID bit set that belongs to root and is known to have a buffer overflow vulnerability. What is the MOST effective next step to escalate privileges?
During a penetration test, a tester identifies a buffer overflow vulnerability in a Linux binary that has both ASLR and NX (Non-Executable) enabled. The tester discovers a ROP gadget at a fixed address in a library that is not affected by ASLR. Which technique can be used to exploit this vulnerability and achieve code execution?
A penetration tester has successfully exploited a web application and gained a reverse shell as the www-data user on a Linux server. The tester wants to escalate privileges to root. The server is running a vulnerable version of polkit's pkexec (CVE-2021-4034). Which action should the tester take to exploit this vulnerability?
A penetration tester is attempting a pass-the-hash (PtH) attack against a Windows domain-joined machine. The tester has obtained the NTLM hash of a local administrator account. Which tool can be used directly to authenticate using the hash to gain remote command execution?
A penetration tester discovers a web application that uses client-side JavaScript to validate user input before form submission. The input is then sent to the server and used directly in a SQL query without server-side validation. Which attack would most effectively exploit this vulnerability?
A penetration tester has gained administrative access to a Windows system and wants to extract NTLM password hashes from the memory of the Local Security Authority Subsystem Service (LSASS). Which tool is most commonly used for this purpose?
During a penetration test, a tester identifies a buffer overflow vulnerability in a Linux binary. The system has ASLR and NX (Non-Executable) enabled. The tester finds a ROP gadget at a fixed address in a library that is loaded at a constant address across reboots. Which exploitation method is the most appropriate to achieve code execution?
A penetration tester has obtained the NTLM hash of a local administrator account on a Windows domain-joined system. The tester wants to use this hash to authenticate to another system on the network and execute commands remotely. Which tool is commonly used for pass-the-hash attacks to achieve remote code execution?
A penetration tester discovers a remote command injection vulnerability in a Java-based web application on a Windows server. The tester wants to execute a PowerShell reverse shell. Which encoding technique is most effective to avoid filter restrictions on special characters?
During a penetration test, a tester gains access to a Linux server as a low-privileged user. The server has a cron job that executes a script owned by root but writable by the tester's group. Which privilege escalation technique should the tester use?
A penetration tester has exploited a web application and found that the server has an outbound firewall that restricts all outbound traffic except for DNS queries (UDP 53). The tester has a reverse shell payload that connects back on TCP 443. Which technique can the tester use to exfiltrate data or establish a channel?
A penetration tester discovers a Java application that deserializes user-controlled data without validation. The tester crafts a malicious serialized object that executes a command upon deserialization. The application runs on a Linux server with a standard Java runtime. Which of the following is the most likely outcome if the malicious object is accepted?