Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


PT0-002 Attacks and Exploits • Complete Question Bank

PT0-002 Attacks and Exploits — All Questions With Answers

Complete PT0-002 Attacks and Exploits question bank — all 0 questions with answers and detailed explanations.

101 questions. Free, no signup required.
Question 1 (medium, multiple choice)

A penetration tester has gained a foothold on a Windows server and wants to move laterally to a domain controller. The tester has access to a service account that is a member of the 'Remote Management Users' group on the domain controller. Which of the following tools would be MOST appropriate for lateral movement in this scenario?

Question 2 (hard, multiple choice)

During an internal test, a penetration tester discovers a web application that is vulnerable to Server-Side Template Injection (SSTI). The application uses a template engine that does not sandbox user input. Which of the following payloads would be MOST effective to achieve remote code execution on the server?

Question 3 (hard, multiple choice)

During a penetration test, a tester finds a custom binary that is vulnerable to a stack-based buffer overflow. The binary has DEP enabled but no ASLR. Which of the following exploitation techniques would be MOST effective to achieve code execution?

Question 4 (medium, multiple choice)

A penetration tester is testing a web application that has input validation blocking single quotes. The tester wants to perform a SQL injection attack. Which of the following techniques would be MOST effective to bypass the filter?

Question 5 (medium, multiple choice)

During a web application test, a penetration tester discovers that the application exposes internal object references (e.g., user ID in a URL) and does not properly authorize access. The tester can view other users' private data by simply changing the ID parameter. Which type of vulnerability does this represent?

Question 6 (hard, multiple choice)

A penetration tester is attempting to exploit a buffer overflow vulnerability in a Linux binary. The binary has Data Execution Prevention (DEP) enabled but Address Space Layout Randomization (ASLR) is disabled. Which exploitation technique would be the MOST effective to achieve code execution?

Question 7 (hard, multiple choice)

During an internal penetration test, a tester discovers a Windows server running a custom service that is vulnerable to a stack-based buffer overflow. The binary has Data Execution Prevention (DEP) enabled but Address Space Layout Randomization (ASLR) is disabled. Which exploitation technique would be MOST effective to achieve code execution?

Question 8 (hard, multiple choice)

A penetration tester has gained a low-privileged shell on a Linux server and discovers a binary with the SUID bit set owned by root. The binary executes a system command using a relative path without sanitizing user input. Which of the following techniques would the tester MOST likely use to escalate privileges?

Question 9 (medium, multiple choice)

A penetration tester has captured NTLM hashes from a compromised machine and wants to move laterally to a server that requires NTLM authentication. The tester does not have the plaintext password. Which attack technique is MOST appropriate for authenticating using the captured hashes?

Question 10 (hard, multiple choice)

A penetration tester has successfully exploited a buffer overflow vulnerability in a Linux binary. However, the binary has Data Execution Prevention (DEP) enabled and Address Space Layout Randomization (ASLR) disabled. Which exploitation technique is MOST appropriate to achieve code execution in this environment?

Question 11 (medium, multiple choice)

A penetration tester has gained access to a Windows workstation and extracted NTLM password hashes. The tester wants to move laterally to a server that authenticates using NTLM. The tester does not have the plaintext passwords. Which technique is MOST appropriate to authenticate to the server using the captured hashes?

Question 12 (hard, multiple choice)

A penetration tester has gained a low-privileged shell on a Linux server. During enumeration, the tester finds a cron job that runs a script as root every five minutes. The script is located in /opt/backup.sh and is world-writable. Which technique should the tester use to escalate privileges?

Question 13 (hard, multiple choice)

A penetration tester has obtained the NTLM hash of a service account during an internal test. The tester wants to gain access to a specific SQL server that uses Kerberos authentication. The tester does not know the plaintext password. Which attack is MOST appropriate to forge a service ticket for the SQL server?

Question 14 (hard, multiple choice)

A penetration tester has obtained a TGT from a domain controller by cracking the krbtgt hash. Which attack can the tester now perform to gain persistent administrative access to any resource in the domain?

Question 15 (medium, multiple choice)

A penetration tester has gained access to a Windows domain and wants to perform a Kerberoasting attack. Which account privileges are required to request service tickets for Kerberoasting?

Question 16 (hard, multiple choice)

A penetration tester has gained a low-privileged command shell on a Windows 10 system. The tester suspects there is a vulnerable service with an unquoted service path that can be exploited for privilege escalation. Which command should the tester use to identify all services with this vulnerability?

Question 17 (hard, multiple choice)

During an internal penetration test, a tester gains access to a domain-joined Windows 10 workstation as a local administrator. The tester wants to escalate privileges to Domain Admin. Which attack involves requesting Kerberos service tickets that can be cracked offline to reveal the plaintext password of a service account?

Question 18 (medium, multiple choice)

A penetration tester has compromised a Linux web server via a remote file inclusion vulnerability. The tester wants to maintain persistent access on the system. Which technique is MOST reliable for persistence on a Linux system?

Question 19 (medium, multiple choice)

A penetration tester has gained a low-privileged shell on a Linux server. During enumeration, the tester discovers a binary with the SUID bit set that belongs to root and is known to have a buffer overflow vulnerability. What is the MOST effective next step to escalate privileges?

Question 20 (hard, multiple choice)

During a penetration test, a tester identifies a buffer overflow vulnerability in a Linux binary that has both ASLR and NX (Non-Executable) enabled. The tester discovers a ROP gadget at a fixed address in a library that is not affected by ASLR. Which technique can be used to exploit this vulnerability and achieve code execution?

Question 21 (medium, multiple choice)

A penetration tester has successfully exploited a web application and gained a reverse shell as the www-data user on a Linux server. The tester wants to escalate privileges to root. The server is running a vulnerable version of polkit's pkexec (CVE-2021-4034). Which action should the tester take to exploit this vulnerability?

Question 22 (medium, multiple choice)

A penetration tester is attempting a pass-the-hash (PtH) attack against a Windows domain-joined machine. The tester has obtained the NTLM hash of a local administrator account. Which tool can be used directly to authenticate using the hash to gain remote command execution?

Question 23 (hard, multiple choice)

A penetration tester discovers a web application that uses client-side JavaScript to validate user input before form submission. The input is then sent to the server and used directly in a SQL query without server-side validation. Which attack would most effectively exploit this vulnerability?

Question 24 (easy, multiple choice)

A penetration tester has gained administrative access to a Windows system and wants to extract NTLM password hashes from the memory of the Local Security Authority Subsystem Service (LSASS). Which tool is most commonly used for this purpose?

Question 25 (hard, multiple choice)

During a penetration test, a tester identifies a buffer overflow vulnerability in a Linux binary. The system has ASLR and NX (Non-Executable) enabled. The tester finds a ROP gadget at a fixed address in a library that is loaded at a constant address across reboots. Which exploitation method is the most appropriate to achieve code execution?

Question 26 (medium, multiple choice)

A penetration tester has obtained the NTLM hash of a local administrator account on a Windows domain-joined system. The tester wants to use this hash to authenticate to another system on the network and execute commands remotely. Which tool is commonly used for pass-the-hash attacks to achieve remote code execution?

Question 27 (hard, multiple choice)

A penetration tester discovers a remote command injection vulnerability in a Java-based web application on a Windows server. The tester wants to execute a PowerShell reverse shell. Which encoding technique is most effective to avoid filter restrictions on special characters?

Question 28 (hard, multiple choice)

During a penetration test, a tester gains access to a Linux server as a low-privileged user. The server has a cron job that executes a script owned by root but writable by the tester's group. Which privilege escalation technique should the tester use?

Question 29 (hard, multiple choice)

A penetration tester has exploited a web application and found that the server has an outbound firewall that restricts all outbound traffic except for DNS queries (UDP 53). The tester has a reverse shell payload that connects back on TCP 443. Which technique can the tester use to exfiltrate data or establish a channel?

Question 30 (medium, multiple choice)

A penetration tester discovers a Java application that deserializes user-controlled data without validation. The tester crafts a malicious serialized object that executes a command upon deserialization. The application runs on a Linux server with a standard Java runtime. Which of the following is the most likely outcome if the malicious object is accepted?

Question 31 (easy, multiple choice)

A penetration tester is performing a client-side attack against a user. The tester sends an email with a malicious attachment that, when opened, executes a macro that downloads a payload. Which type of attack is this?

Question 32 (medium, multiple choice)

During a penetration test, the tester exploits a local file inclusion (LFI) vulnerability to read /etc/passwd. The tester then wants to achieve remote code execution. Which technique is most likely to succeed if the web application is running as the www-data user?

Question 33 (hard, multiple choice)

A penetration tester gains a foothold on a Linux system with ASLR and NX enabled. The tester identifies a stack buffer overflow in a SUID binary. The binary has no PIE (Position Independent Executable) and is compiled without stack canaries. The tester wants to execute a shell. Which technique should be used?

Question 34 (hard, multiple choice)

A penetration tester has gained a foothold on a Linux server through a vulnerable web application. The server has an outbound firewall that blocks all traffic except DNS queries (UDP 53). The tester needs to establish a reverse shell to maintain access. Which technique is most likely to succeed?

Question 35 (easy, multiple choice)

A penetration tester gains access to a web application that uses a MongoDB backend. The tester discovers that the search functionality directly interpolates user input into a NoSQL query without sanitization. Which technique should the tester use to extract data from the database?

Question 36 (easy, multiple choice)

A penetration tester has compromised a Linux server and gained a low-privilege shell. The tester discovers that the /etc/shadow file is readable by the tester's user. Which attack is most directly enabled by this finding?

Question 37 (medium, multiple choice)

A penetration tester has gained initial access to a Linux server through a vulnerable web application. The server has a restrictive outbound firewall that only allows traffic on ports 80, 443, and 53. The tester wants to establish a reverse shell that is likely to bypass the firewall. Which of the following techniques would be most effective?

Question 38 (medium, multiple choice)

A penetration tester discovers a web application that deserializes user-controlled data without validation. The application uses Java serialization. The tester creates a malicious serialized object that executes a system command. Which of the following conditions is required for this exploit to succeed?

Question 39 (medium, multiple choice)

A penetration tester has gained a foothold on a Windows server running IIS. The tester wants to perform an SMB relay attack to move laterally within the domain. Which of the following conditions must be met for this attack to succeed?

Question 40 (medium, multiple choice)

A penetration tester is attempting to exploit a Linux system that has ASLR and DEP enabled. The tester has identified a buffer overflow vulnerability in a network service compiled without stack canaries and with a non-executable stack (NX). The binary is statically linked and not PIE. Which exploitation technique is most likely to succeed under these conditions?

Question 41 (medium, multiple choice)

A penetration tester has compromised a Windows workstation and obtained a low-privileged domain user account. The tester discovers that this user belongs to a group that has the 'GenericWrite' privilege over a computer object in Active Directory. Which attack is most directly enabled by this misconfiguration?

Question 42 (medium, multiple choice)

During a web application test, a penetration tester suspects an LDAP injection vulnerability. The application uses user input to dynamically construct an LDAP query. The tester submits the following payload in the username field: 'admin)(&)'. The application returns a list of all users instead of the expected single user. Which of the following best describes the reason this payload was effective?

Question 43 (hard, multiple choice)

During an internal penetration test, a tester compromises a server that is part of a Kubernetes cluster. The tester has access to the node's operating system but not to the cluster's administrative credentials. Which of the following techniques would most likely allow the tester to escalate privileges to cluster-admin or access sensitive resources within the cluster?

Question 44 (medium, multiple choice)

During a penetration test, a tester has access to a Windows domain-joined machine. The tester finds that the machine is running a service that uses named pipes for interprocess communication. The tester wants to perform a relay attack to capture authentication credentials. Which of the following conditions is necessary for an SMB relay attack to succeed?

Question 45 (hard, multiple choice)

A penetration tester has compromised a Linux server and wants to move laterally to a Windows server. The Linux server has network access to the Windows server on port 445. The tester has a captured NTLM hash of a domain administrator account. Which technique is most likely to allow the tester to authenticate and execute commands on the Windows server?

Question 46 (medium, multiple choice)

A penetration tester has gained low-privilege access on a Windows 10 machine. The tester discovers that a service runs with SYSTEM privileges and has the following binary path: C:\Program Files\MyApp\service.exe. The path is unquoted. Which exploitation technique is most likely to allow the tester to escalate privileges?

Question 47 (hard, multiple choice)

A penetration tester has discovered a local file inclusion (LFI) vulnerability in a PHP web application. The vulnerable code uses the following pattern: include($_GET['page']);. The application runs on a Linux server with Apache and PHP. The tester wants to achieve remote code execution (RCE). Which technique is most likely to succeed given this LFI?

Question 48 (medium, multiple choice)

A penetration tester has gained a shell on a Linux machine as a low-privileged user. The user can execute the binary 'less' with sudo privileges without a password. Which technique can the tester use to escalate privileges to root?

Question 49 (medium, multiple choice)

During an internal penetration test, a tester captures a NetNTLMv2 hash via an SMB relay attack. The target network does not enforce SMB signing. What is the most effective next step to gain access to a remote server?

Question 50 (medium, multiple choice)

A penetration tester is testing a web application that uses JSON Web Tokens (JWTs) for authentication. The tester discovers that the server does not verify the JWT signature properly. The tester crafts a JWT with an arbitrary payload and sets the algorithm to 'none'. Which attack does this enable?

Question 51 (hard, multiple choice)

During an internal penetration test, a tester gains a shell as the 'www-data' user on a Linux server. The server runs a PHP web application that connects to a PostgreSQL database using credentials stored in a config file. The tester discovers that the PostgreSQL server trusts all local connections (no password required) and that the web application's database user has the 'CREATEFUNC' privilege. Which technique is most effective for escalating privileges to database administrator (superuser) and executing system commands as the database service account?

Question 52 (medium, multiple choice)

A penetration tester with a low-privileged domain user account performs a Kerberoasting attack. What is the primary goal of this attack?

Question 53 (medium, multiple choice)

During a penetration test, a tester gains shell access on a Linux server as a low-privileged user. The user is found to be a member of the 'docker' group. Which technique is most effective for escalating privileges to root?

Question 54 (hard, multiple choice)

A penetration tester discovers that a web application uses a vulnerable Java deserialization endpoint. The classpath includes the Apache Commons Collections library. Which attack technique is most likely to achieve remote code execution?

Question 55 (hard, multiple choice)

During an internal penetration test, a tester captures an NTLMv2 hash of a domain admin account using a Responder attack. The organization's password policy requires at least 12 characters with uppercase, lowercase, numbers, and special characters. Which password cracking technique is most likely to succeed first?

Question 56 (medium, multiple choice)

A penetration tester has compromised a host and wants to move laterally to a server using pass-the-hash. Which of the following is required for a successful pass-the-hash attack against a Windows target?

Question 57 (hard, multiple choice)

A penetration tester gains a low-privileged shell on a Linux server and discovers that the user is a member of the 'docker' group. The tester wants to escalate privileges to root. Which technique is most effective?

Question 58 (easy, multiple choice)

During a penetration test, a tester discovers a web application that reflects user input in the HTTP response without proper escaping or encoding. The input is not sanitized and is included in the page's HTML. Which type of vulnerability is most likely present?

Question 59 (hard, multiple choice)

A penetration tester has gained low-privilege shell access on a Linux server. The tester runs `sudo -l` and sees the following entry: `(root) NOPASSWD: /usr/bin/python3 /opt/scripts/*.py` The `/opt/scripts/` directory is owned by the tester's current user. Which technique is most effective for escalating privileges to root?

Question 60 (hard, multi select)

A tester has low-privilege shell access on a Linux server. Which two checks are most appropriate for local privilege escalation enumeration? (Choose 2.)

Question 61 (medium, multiple choice)

A penetration tester gained low-privileged access to a Linux server and found that the user can run a custom script located at /opt/tool/backup.sh with setuid root. The script begins with a hashbang #!/bin/bash and uses an internal variable defined as BASEDIR=$(dirname $0) to determine paths. Which technique is most likely to allow privilege escalation?

Question 62 (medium, drag order)

Drag and drop the steps to perform a password cracking attack using John the Ripper into the correct order.

Question 63 (medium, drag order)

Drag and drop the steps to perform web application fuzzing using Burp Suite Intruder into the correct order.

Question 64 (medium, matching)

Match each vulnerability category to its description.


Attacker injects malicious SQL queries

Attacker injects client-side scripts into web pages

Attacker tricks user into performing unwanted actions

Writing more data to a buffer than it can hold

Accessing files outside the web root directory

Question 65 (medium, matching)

Match each reporting element to its description.


High-level overview for non-technical management

Detailed steps and tools used during testing

List of vulnerabilities with severity ratings

Recommended actions to fix vulnerabilities

Raw logs, scripts, and supporting evidence

Question 66 (easy, multiple choice)

During a penetration test, a tester discovers a web application that reflects user input in the HTTP response without sanitization. Which attack is most likely to be successful?

Question 67 (medium, multiple choice)

A penetration tester needs to escalate privileges on a Linux target after gaining initial shell access. The /etc/passwd file shows a user 'jake' with UID 0. What does this indicate?

Question 68 (hard, multiple choice)

A penetration tester is targeting a web application that uses parameterized queries for all database interactions. Which attack vector is most likely to succeed?

Question 69 (easy, multiple choice)

While performing a password audit, a tester finds that the hash of 'Password123' is stored in the LAN Manager (LM) hash format. What is the primary security weakness of LM hashes?

Question 70 (medium, multiple choice)

A penetration tester is performing a man-in-the-middle attack on a network using ARP spoofing. What is the primary purpose of ARP spoofing?

Question 71 (hard, multiple choice)

During a penetration test, a tester exploits a buffer overflow vulnerability in a legacy application. After gaining code execution, what is the next best step to maintain access?

Question 72 (easy, multiple choice)

A penetration tester is using a vulnerability scanner that reports a 'Critical' severity for an 'SMBv1 vulnerability' on a Windows server. Which of the following is the correct remediation recommendation?

Question 73 (medium, multiple choice)

A penetration tester is exploiting a web application that stores session tokens in HTTP cookies without the HttpOnly flag. Which attack is most likely to succeed?

Question 74 (hard, multiple choice)

During a red team engagement, a penetration tester needs to pivot from a compromised internal web server to a database server that is not directly accessible. The web server has two network interfaces: 10.0.1.5 and 192.168.1.5. The database server is at 192.168.1.10. Which technique should the tester use to reach the database?

Question 75 (medium, multi select)

Which TWO of the following are common techniques used during a pass-the-hash attack? (Select TWO.)

Question 76 (easy, multi select)

Which THREE of the following are examples of privilege escalation techniques on Linux systems? (Select THREE.)

Question 77 (hard, multi select)

Which TWO of the following are indicators that a web application is vulnerable to XML External Entity (XXE) attacks? (Select TWO.)

Question 78 (easy, multiple choice)

Refer to the exhibit. A penetration tester sends the request and receives the response shown. Which vulnerability is confirmed?

Exhibit:
GET /search?q=<script>alert('XSS')</script> HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0

HTTP/1.1 200 OK
Content-Type: text/html

<html><body>
  <p>You searched for: <script>alert('XSS')</script></p>
</body></html>
Question 79 (medium, multiple choice)

Refer to the exhibit. After running a port scan in Metasploit, what is the next best step to identify vulnerabilities on the open ports?

Exhibit:
msf6 > use auxiliary/scanner/portscan/tcp
msf6 auxiliary(scanner/portscan/tcp) > set RHOSTS 10.0.0.1
msf6 auxiliary(scanner/portscan/tcp) > set PORTS 1-1000
msf6 auxiliary(scanner/portscan/tcp) > run

[*] 10.0.0.1:22 - TCP OPEN
[*] 10.0.0.1:80 - TCP OPEN
[*] 10.0.0.1:443 - TCP OPEN
[*] Scanned 1 of 1 hosts (100% complete)
Question 80 (hard, multiple choice)

Refer to the exhibit. A penetration tester discovers this IAM policy attached to a public user role. Which attack is most likely to succeed?

Exhibit:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::confidential-bucket/*"
    },
    {
      "Effect": "Allow",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::confidential-bucket/*"
    }
  ]
}
Question 81 (easy, multiple choice)

A penetration tester is tasked with exploiting a web application that uses an insecure deserialization vulnerability. Which type of attack should the tester primarily use to execute arbitrary code on the server?

Question 82 (easy, multiple choice)

A penetration tester has discovered a vulnerable service running on a Linux server that allows remote code execution. Which of the following is the most appropriate next step to maintain access?

Question 83 (easy, multiple choice)

During a penetration test, a tester needs to perform a man-in-the-middle attack on a network that uses WPA2-Enterprise with PEAP. Which tool is most appropriate for capturing the authentication handshake to attempt offline cracking?

Question 84 (medium, multiple choice)

A penetration tester is performing a social engineering campaign against a client. The tester wants to send a phishing email that bypasses the email security gateway and appears to come from an internal source. Which technique is most effective?

Question 85 (medium, multiple choice)

An organization has a web application that stores session tokens in a cookie named 'auth_token'. The token is a base64-encoded JSON object containing the username, role, and expiration timestamp. Which attack is most likely to succeed if encryption is not used?

Question 86 (medium, multiple choice)

During a network penetration test, the tester identifies that a web server is vulnerable to a buffer overflow. The server is running on a Windows system with DEP enabled. Which technique should the tester use to bypass DEP?

Question 87 (hard, multiple choice)

A penetration tester is exploiting a Linux system that has ASLR enabled but no stack canaries. The vulnerability is a classic stack-based buffer overflow. Which of the following is the most effective method to achieve code execution?

Question 88 (hard, multiple choice)

A penetration tester is targeting a Windows domain controller. After compromising a standard user account, the tester wants to escalate to domain admin. Which attack is most effective if the tester can capture plaintext passwords from memory?

Question 89 (hard, multiple choice)

A penetration tester is evaluating a cloud environment (AWS) and finds an S3 bucket with public write access. Which attack is most likely to succeed if the tester wants to plant malicious files that will be served to users?

Question 90 (easy, multi-select)

Which TWO of the following are common methods used to bypass network access controls during a penetration test? (Choose two.)

Question 91 (medium, multi-select)

Which TWO of the following are effective methods for bypassing AppLocker during a penetration test? (Choose two.)

Question 92 (hard, multi-select)

Which THREE of the following are common techniques used to evade antivirus (AV) detection of post-exploitation tools? (Choose three.)

Question 93 (medium, multiple choice)

Refer to the exhibit. A penetration tester performed a port scan and collected the information shown. Which vulnerability is most likely present based on the software versions?

Exhibit:
```
SMTP Banner: 220 mail.example.com ESMTP Postfix (Ubuntu)

Open Ports:
25/tcp  SMTP
80/tcp  HTTP Apache httpd 2.4.29
443/tcp HTTPS Apache httpd 2.4.29

HTTP headers:
Server: Apache/2.4.29 (Ubuntu)
X-Powered-By: PHP/7.2.24
```
Question 94 (hard, multiple choice)

Refer to the exhibit. The firewall rules shown are in effect. A tester has compromised a host at 192.168.1.100 and wants to exfiltrate data to an external server. Which technique will most likely succeed?

Exhibit:
```
firewall rules:
  - direction: inbound
    source: 10.0.0.0/8
    destination: 192.168.1.100
    port: 3389
    action: allow
  - direction: inbound
    source: any
    destination: 192.168.1.0/24
    port: 80
    action: allow
  - direction: outbound
    source: any
    destination: any
    port: 443
    action: allow
  - direction: outbound
    source: any
    destination: 10.0.0.0/8
    port: 53
    action: allow
```
Question 95 (hard, multiple choice)

A penetration tester is engaged to assess a corporate network that uses a centralized logging server (SIEM) with a 24/7 SOC. The tester has gained initial access to a Windows workstation via a phishing email. The goal is to move laterally to a domain controller without triggering alerts. The internal network is segmented into VLANs: a user VLAN (192.168.1.0/24) and a server VLAN (10.0.0.0/24) with strict firewall rules allowing only specific ports (e.g., RDP from user VLAN to server VLAN is denied). The tester discovers that the workstation has a PowerShell script that runs every hour to check for drive space on all servers using WinRM (port 5985) with stored domain admin credentials. The script is scheduled via a domain GPO. Which of the following actions should the tester perform to achieve lateral movement to the domain controller with the lowest chance of detection?

Question 96 (easy, multiple choice)

A penetration tester is planning a social engineering campaign against a corporation. The goal is to trick the CEO into revealing sensitive information. Which type of attack should the tester use?

Question 97 (medium, multiple choice)

During a web application penetration test, a tester identifies a potential SQL injection vulnerability in a search field. The tester wants to extract data from the database without generating error messages that could trigger an alert. Which technique is most appropriate?

Question 98 (hard, multi-select)

A penetration tester is assessing a wireless network's security. The tester wants to capture WPA2 handshakes for offline password cracking. Which two attacks can be used to force a client to re-authenticate and capture the handshake? (Choose TWO.)

Question 99 (easy, multiple choice)

A penetration tester has physical access to a small office. The network switch is in a locked cabinet, but the tester notices the lock is broken. The switch has multiple ports, and the tester wants to connect to the internal network. The tester has a laptop with an Ethernet port. However, the tester suspects that port security is enabled on the switch ports, which would block the connection if the MAC address is not authorized. Which action should the tester take first to gain network access?

Question 100 (medium, multiple choice)

During an internal penetration test, the tester gains a low-privilege shell on a Linux server running a web application. The web application runs as the www-data user. The tester discovers that the www-data user can read the /etc/shadow file. The server has AppArmor enabled, which restricts certain actions. The tester wants to escalate privileges to root. Which technique is most likely to succeed?

Question 101 (hard, multiple choice)

A penetration tester is assessing a web application that uses JSON Web Tokens (JWT) for authentication. The tester captures a valid JWT from a user session. The JWT header contains a 'kid' (key ID) parameter. The tester suspects the application is vulnerable to a key injection attack via the 'kid' parameter. Which attack technique should the tester use to forge a valid JWT without knowing the secret key?
