Attacks and Exploits

A penetration tester has gained a foothold on a Windows server and wants to move laterally to a domain controller. The tester has access to a service account that is a member of the 'Remote Management Users' group on the domain controller. Which of the following tools would be MOST appropriate for lateral movement in this scenario?

During an internal test, a penetration tester discovers a web application that is vulnerable to Server-Side Template Injection (SSTI). The application uses a template engine that does not sandbox user input. Which of the following payloads would be MOST effective to achieve remote code execution on the server?

During a penetration test, a tester finds a custom binary that is vulnerable to a stack-based buffer overflow. The binary has DEP enabled but no ASLR. Which of the following exploitation techniques would be MOST effective to achieve code execution?

A penetration tester is testing a web application that has input validation blocking single quotes. The tester wants to perform a SQL injection attack. Which of the following techniques would be MOST effective to bypass the filter?

During a web application test, a penetration tester discovers that the application exposes internal object references (e.g., user ID in a URL) and does not properly authorize access. The tester can view other users' private data by simply changing the ID parameter. Which type of vulnerability does this represent?

A penetration tester is attempting to exploit a buffer overflow vulnerability in a Linux binary. The binary has Data Execution Prevention (DEP) enabled but Address Space Layout Randomization (ASLR) is disabled. Which exploitation technique would be the MOST effective to achieve code execution?

During an internal penetration test, a tester discovers a Windows server running a custom service that is vulnerable to a stack-based buffer overflow. The binary has Data Execution Prevention (DEP) enabled but Address Space Layout Randomization (ASLR) is disabled. Which exploitation technique would be MOST effective to achieve code execution?

A penetration tester has gained a low-privileged shell on a Linux server and discovers a binary with the SUID bit set owned by root. The binary executes a system command using a relative path without sanitizing user input. Which of the following techniques would the tester MOST likely use to escalate privileges?

A penetration tester has captured NTLM hashes from a compromised machine and wants to move laterally to a server that requires NTLM authentication. The tester does not have the plaintext password. Which attack technique is MOST appropriate for authenticating using the captured hashes?

A penetration tester has successfully exploited a buffer overflow vulnerability in a Linux binary. However, the binary has Data Execution Prevention (DEP) enabled and Address Space Layout Randomization (ASLR) disabled. Which exploitation technique is MOST appropriate to achieve code execution in this environment?

A penetration tester has gained access to a Windows workstation and extracted NTLM password hashes. The tester wants to move laterally to a server that authenticates using NTLM. The tester does not have the plaintext passwords. Which technique is MOST appropriate to authenticate to the server using the captured hashes?

A penetration tester has gained a low-privileged shell on a Linux server. During enumeration, the tester finds a cron job that runs a script as root every five minutes. The script is located in /opt/backup.sh and is world-writable. Which technique should the tester use to escalate privileges?

A penetration tester has obtained the NTLM hash of a service account during an internal test. The tester wants to gain access to a specific SQL server that uses Kerberos authentication. The tester does not know the plaintext password. Which attack is MOST appropriate to forge a service ticket for the SQL server?

A penetration tester has obtained a TGT from a domain controller by cracking the krbtgt hash. Which attack can the tester now perform to gain persistent administrative access to any resource in the domain?

A penetration tester has gained access to a Windows domain and wants to perform a Kerberoasting attack. Which account privileges are required to request service tickets for Kerberoasting?

A penetration tester has gained a low-privileged command shell on a Windows 10 system. The tester suspects there is a vulnerable service with an unquoted service path that can be exploited for privilege escalation. Which command should the tester use to identify all services with this vulnerability?

During an internal penetration test, a tester gains access to a domain-joined Windows 10 workstation as a local administrator. The tester wants to escalate privileges to Domain Admin. Which attack involves requesting Kerberos service tickets that can be cracked offline to reveal the plaintext password of a service account?

A penetration tester has compromised a Linux web server via a remote file inclusion vulnerability. The tester wants to maintain persistent access on the system. Which technique is MOST reliable for persistence on a Linux system?

A penetration tester has gained a low-privileged shell on a Linux server. During enumeration, the tester discovers a binary with the SUID bit set that belongs to root and is known to have a buffer overflow vulnerability. What is the MOST effective next step to escalate privileges?

During a penetration test, a tester identifies a buffer overflow vulnerability in a Linux binary that has both ASLR and NX (Non-Executable) enabled. The tester discovers a ROP gadget at a fixed address in a library that is not affected by ASLR. Which technique can be used to exploit this vulnerability and achieve code execution?

A penetration tester has successfully exploited a web application and gained a reverse shell as the www-data user on a Linux server. The tester wants to escalate privileges to root. The server is running a vulnerable version of polkit's pkexec (CVE-2021-4034). Which action should the tester take to exploit this vulnerability?

A penetration tester is attempting a pass-the-hash (PtH) attack against a Windows domain-joined machine. The tester has obtained the NTLM hash of a local administrator account. Which tool can be used directly to authenticate using the hash to gain remote command execution?

A penetration tester discovers a web application that uses client-side JavaScript to validate user input before form submission. The input is then sent to the server and used directly in a SQL query without server-side validation. Which attack would most effectively exploit this vulnerability?

A penetration tester has gained administrative access to a Windows system and wants to extract NTLM password hashes from the memory of the Local Security Authority Subsystem Service (LSASS). Which tool is most commonly used for this purpose?

During a penetration test, a tester identifies a buffer overflow vulnerability in a Linux binary. The system has ASLR and NX (Non-Executable) enabled. The tester finds a ROP gadget at a fixed address in a library that is loaded at a constant address across reboots. Which exploitation method is the most appropriate to achieve code execution?

A penetration tester has obtained the NTLM hash of a local administrator account on a Windows domain-joined system. The tester wants to use this hash to authenticate to another system on the network and execute commands remotely. Which tool is commonly used for pass-the-hash attacks to achieve remote code execution?

A penetration tester discovers a remote command injection vulnerability in a Java-based web application on a Windows server. The tester wants to execute a PowerShell reverse shell. Which encoding technique is most effective to avoid filter restrictions on special characters?

During a penetration test, a tester gains access to a Linux server as a low-privileged user. The server has a cron job that executes a script owned by root but writable by the tester's group. Which privilege escalation technique should the tester use?

A penetration tester has exploited a web application and found that the server has an outbound firewall that restricts all outbound traffic except for DNS queries (UDP 53). The tester has a reverse shell payload that connects back on TCP 443. Which technique can the tester use to exfiltrate data or establish a channel?

A penetration tester discovers a Java application that deserializes user-controlled data without validation. The tester crafts a malicious serialized object that executes a command upon deserialization. The application runs on a Linux server with a standard Java runtime. Which of the following is the most likely outcome if the malicious object is accepted?

A penetration tester is performing a client-side attack against a user. The tester sends an email with a malicious attachment that, when opened, executes a macro that downloads a payload. Which type of attack is this?

During a penetration test, the tester exploits a local file inclusion (LFI) vulnerability to read /etc/passwd. The tester then wants to achieve remote code execution. Which technique is most likely to succeed if the web application is running as the www-data user?

A penetration tester gains a foothold on a Linux system with ASLR and NX enabled. The tester identifies a stack buffer overflow in a SUID binary. The binary has no PIE (Position Independent Executable) and is compiled without stack canaries. The tester wants to execute a shell. Which technique should be used?

A penetration tester has gained a foothold on a Linux server through a vulnerable web application. The server has an outbound firewall that blocks all traffic except DNS queries (UDP 53). The tester needs to establish a reverse shell to maintain access. Which technique is most likely to succeed?

A penetration tester gains access to a web application that uses a MongoDB backend. The tester discovers that the search functionality directly interpolates user input into a NoSQL query without sanitization. Which technique should the tester use to extract data from the database?

A penetration tester has compromised a Linux server and gained a low-privilege shell. The tester discovers that the /etc/shadow file is readable by the tester's user. Which attack is most directly enabled by this finding?

A penetration tester has gained initial access to a Linux server through a vulnerable web application. The server has a restrictive outbound firewall that only allows traffic on ports 80, 443, and 53. The tester wants to establish a reverse shell that is likely to bypass the firewall. Which of the following techniques would be most effective?

A penetration tester discovers a web application that deserializes user-controlled data without validation. The application uses Java serialization. The tester creates a malicious serialized object that executes a system command. Which of the following conditions is required for this exploit to succeed?

A penetration tester has gained a foothold on a Windows server running IIS. The tester wants to perform an SMB relay attack to move laterally within the domain. Which of the following conditions must be met for this attack to succeed?

A penetration tester is attempting to exploit a Linux system that has ASLR and DEP enabled. The tester has identified a buffer overflow vulnerability in a network service compiled without stack canaries and with a non-executable stack (NX). The binary is statically linked and not PIE. Which exploitation technique is most likely to succeed under these conditions?

A penetration tester has compromised a Windows workstation and obtained a low-privileged domain user account. The tester discovers that this user belongs to a group that has the 'GenericWrite' privilege over a computer object in Active Directory. Which attack is most directly enabled by this misconfiguration?

During a web application test, a penetration tester suspects an LDAP injection vulnerability. The application uses user input to dynamically construct an LDAP query. The tester submits the following payload in the username field: 'admin)(&)'. The application returns a list of all users instead of the expected single user. Which of the following best describes the reason this payload was effective?

During an internal penetration test, a tester compromises a server that is part of a Kubernetes cluster. The tester has access to the node's operating system but not to the cluster's administrative credentials. Which of the following techniques would most likely allow the tester to escalate privileges to cluster-admin or access sensitive resources within the cluster?

During a penetration test, a tester has access to a Windows domain-joined machine. The tester finds that the machine is running a service that uses named pipes for interprocess communication. The tester wants to perform a relay attack to capture authentication credentials. Which of the following conditions is necessary for an SMB relay attack to succeed?

A penetration tester has compromised a Linux server and wants to move laterally to a Windows server. The Linux server has network access to the Windows server on port 445. The tester has a captured NTLM hash of a domain administrator account. Which technique is most likely to allow the tester to authenticate and execute commands on the Windows server?

A penetration tester has gained low-privilege access on a Windows 10 machine. The tester discovers that a service runs with SYSTEM privileges and has the following binary path: C:\Program Files\MyApp\service.exe. The path is unquoted. Which exploitation technique is most likely to allow the tester to escalate privileges?

A penetration tester has discovered a local file inclusion (LFI) vulnerability in a PHP web application. The vulnerable code uses the following pattern: include($_GET['page']);. The application runs on a Linux server with Apache and PHP. The tester wants to achieve remote code execution (RCE). Which technique is most likely to succeed given this LFI?

A penetration tester has gained a shell on a Linux machine as a low-privileged user. The user can execute the binary 'less' with sudo privileges without a password. Which technique can the tester use to escalate privileges to root?

During an internal penetration test, a tester captures a NetNTLMv2 hash via an SMB relay attack. The target network does not enforce SMB signing. What is the most effective next step to gain access to a remote server?

A penetration tester is testing a web application that uses JSON Web Tokens (JWTs) for authentication. The tester discovers that the server does not verify the JWT signature properly. The tester crafts a JWT with an arbitrary payload and sets the algorithm to 'none'. Which attack does this enable?

During an internal penetration test, a tester gains a shell as the 'www-data' user on a Linux server. The server runs a PHP web application that connects to a PostgreSQL database using credentials stored in a config file. The tester discovers that the PostgreSQL server trusts all local connections (no password required) and that the web application's database user has the 'CREATEFUNC' privilege. Which technique is most effective for escalating privileges to database administrator (superuser) and executing system commands as the database service account?

A penetration tester with a low-privileged domain user account performs a Kerberoasting attack. What is the primary goal of this attack?

During a penetration test, a tester gains shell access on a Linux server as a low-privileged user. The user is identified to be a member of the 'docker' group. Which technique is most effective for escalating privileges to root?

A penetration tester discovers that a web application uses a vulnerable Java deserialization endpoint. The classpath includes the Apache Commons Collections library. Which attack technique is most likely to achieve remote code execution?

During an internal penetration test, a tester captures an NTLMv2 hash of a domain admin account using a Responder attack. The organization's password policy requires at least 12 characters with uppercase, lowercase, numbers, and special characters. Which password cracking technique is most likely to succeed first?

A penetration tester has compromised a host and wants to move laterally to a server using pass-the-hash. Which of the following is required for a successful pass-the-hash attack against a Windows target?

A penetration tester gains a low-privileged shell on a Linux server and discovers that the user is a member of the 'docker' group. The tester wants to escalate privileges to root. Which technique is most effective?

During a penetration test, a tester discovers a web application that reflects user input in the HTTP response without proper escaping or encoding. The input is not sanitized and is included in the page's HTML. Which type of vulnerability is most likely present?

A penetration tester has gained low-privilege shell access on a Linux server. The tester runs `sudo -l` and sees the following entry: `(root) NOPASSWD: /usr/bin/python3 /opt/scripts/*.py` The `/opt/scripts/` directory is owned by the tester's current user. Which technique is most effective for escalating privileges to root?

A tester has low-privilege shell access on a Linux server. Which two checks are most appropriate for local privilege escalation enumeration? (Choose 2.)

A penetration tester gained low-privileged access to a Linux server and found that the user can run a custom script located at /opt/tool/backup.sh with setuid root. The script begins with a hashbang #!/bin/bash and uses an internal variable defined as BASEDIR=$(dirname $0) to determine paths. Which technique is most likely to allow privilege escalation?