PT0-002 · topic practice

Attacks and Exploits practice questions

Use this page to practise threats, attacks and vulnerabilities questions. CompTIA Security+ is scenario-heavy here — you must identify not just the attack type but the most appropriate response.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Attacks and Exploits

What the exam tests

What to know about Attacks and Exploits

Threats, attacks and vulnerabilities questions test whether you can identify attack types, threat actor motivations and the correct mitigation for a given scenario.

  • Threat actor types and motivations (APT, script kiddie, insider, nation-state).
  • Attack techniques: phishing, social engineering, ransomware, SQL injection, XSS.
  • Vulnerability scanning vs penetration testing vs risk assessment.
  • Mitigation strategies mapped to specific attack types.

Watch out for

Common Attacks and Exploits exam traps

  • Social engineering targets people, not systems — the attack vector matters.
  • A vulnerability scanner finds weaknesses; it does not exploit them.
  • Phishing is email-based; vishing is voice-based; smishing is SMS-based.
  • Zero-day vulnerabilities have no patch available at the time of discovery.

Practice set

Attacks and Exploits questions

20 questions · select your answer, then reveal the explanation

A penetration tester has gained a foothold on a Windows server and wants to move laterally to a domain controller. The tester has access to a service account that is a member of the 'Remote Management Users' group on the domain controller. Which of the following tools would be MOST appropriate for lateral movement in this scenario?

During an internal test, a penetration tester discovers a web application that is vulnerable to Server-Side Template Injection (SSTI). The application uses a template engine that does not sandbox user input. Which of the following payloads would be MOST effective to achieve remote code execution on the server?

During a penetration test, a tester finds a custom binary that is vulnerable to a stack-based buffer overflow. The binary has DEP enabled but no ASLR. Which of the following exploitation techniques would be MOST effective to achieve code execution?

A penetration tester is testing a web application that has input validation blocking single quotes. The tester wants to perform a SQL injection attack. Which of the following techniques would be MOST effective to bypass the filter?

During a web application test, a penetration tester discovers that the application exposes internal object references (e.g., user ID in a URL) and does not properly authorize access. The tester can view other users' private data by simply changing the ID parameter. Which type of vulnerability does this represent?

A penetration tester is attempting to exploit a buffer overflow vulnerability in a Linux binary. The binary has Data Execution Prevention (DEP) enabled but Address Space Layout Randomization (ASLR) is disabled. Which exploitation technique would be the MOST effective to achieve code execution?

During an internal penetration test, a tester discovers a Windows server running a custom service that is vulnerable to a stack-based buffer overflow. The binary has Data Execution Prevention (DEP) enabled but Address Space Layout Randomization (ASLR) is disabled. Which exploitation technique would be MOST effective to achieve code execution?

Question 8 · hard · multiple choice

A penetration tester has gained a low-privileged shell on a Linux server and discovers a binary with the SUID bit set owned by root. The binary executes a system command using a relative path without sanitizing user input. Which of the following techniques would the tester MOST likely use to escalate privileges?

A penetration tester has captured NTLM hashes from a compromised machine and wants to move laterally to a server that requires NTLM authentication. The tester does not have the plaintext password. Which attack technique is MOST appropriate for authenticating using the captured hashes?

A penetration tester has successfully exploited a buffer overflow vulnerability in a Linux binary. However, the binary has Data Execution Prevention (DEP) enabled and Address Space Layout Randomization (ASLR) disabled. Which exploitation technique is MOST appropriate to achieve code execution in this environment?

A penetration tester has gained access to a Windows workstation and extracted NTLM password hashes. The tester wants to move laterally to a server that authenticates using NTLM. The tester does not have the plaintext passwords. Which technique is MOST appropriate to authenticate to the server using the captured hashes?

A penetration tester has gained a low-privileged shell on a Linux server. During enumeration, the tester finds a cron job that runs a script as root every five minutes. The script is located in /opt/backup.sh and is world-writable. Which technique should the tester use to escalate privileges?

A penetration tester has obtained the NTLM hash of a service account during an internal test. The tester wants to gain access to a specific SQL server that uses Kerberos authentication. The tester does not know the plaintext password. Which attack is MOST appropriate to forge a service ticket for the SQL server?

A penetration tester has obtained a TGT from a domain controller by cracking the krbtgt hash. Which attack can the tester now perform to gain persistent administrative access to any resource in the domain?

A penetration tester has gained access to a Windows domain and wants to perform a Kerberoasting attack. Which account privileges are required to request service tickets for Kerberoasting?

Question 16 · hard · multiple choice

A penetration tester has gained a low-privileged command shell on a Windows 10 system. The tester suspects there is a vulnerable service with an unquoted service path that can be exploited for privilege escalation. Which command should the tester use to identify all services with this vulnerability?

During an internal penetration test, a tester gains access to a domain-joined Windows 10 workstation as a local administrator. The tester wants to escalate privileges to Domain Admin. Which attack involves requesting Kerberos service tickets that can be cracked offline to reveal the plaintext password of a service account?

A penetration tester has compromised a Linux web server via a remote file inclusion vulnerability. The tester wants to maintain persistent access on the system. Which technique is MOST reliable for persistence on a Linux system?

A penetration tester has gained a low-privileged shell on a Linux server. During enumeration, the tester discovers a binary with the SUID bit set that belongs to root and is known to have a buffer overflow vulnerability. What is the MOST effective next step to escalate privileges?

During a penetration test, a tester identifies a buffer overflow vulnerability in a Linux binary that has both ASLR and NX (Non-Executable) enabled. The tester discovers a ROP gadget at a fixed address in a library that is not affected by ASLR. Which technique can be used to exploit this vulnerability and achieve code execution?


Focused Attacks and Exploits sessions

Start an Attacks and Exploits-only practice session

Every question in these sessions is drawn from the Attacks and Exploits domain — nothing else.

Related practice questions

Related PT0-002 topic practice pages

Move into related areas when this topic feels solid.

Frequently asked questions

What does the PT0-002 exam test about Attacks and Exploits?
Threats, attacks and vulnerabilities questions test whether you can identify attack types, threat actor motivations and the correct mitigation for a given scenario.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Attacks and Exploits questions in a focused session?
Yes — the session launcher on this page draws every question from the Attacks and Exploits domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other PT0-002 topics?
Use the topic links above to move to related areas, or go back to the PT0-002 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the PT0-002 exam covers. They are not copied from any real exam or dump site.