CCNA Attacks And Exploits Questions

26 of 101 questions · Page 2/2 · Attacks And Exploits topic · Answers revealed

76
MCQ · hard

A penetration tester has obtained the NTLM hash of a service account during an internal test. The tester wants to gain access to a specific SQL server that uses Kerberos authentication. The tester does not know the plaintext password. Which attack is MOST appropriate to forge a service ticket for the SQL server?

A. Silver Ticket attack
B. Golden Ticket attack
C. Pass-the-hash attack
D. SMB relay attack
Answer: A

The Silver Ticket attack creates a forged TGS ticket for a specific service using the service account's hash, granting access to that service.

Why this answer

A Silver Ticket attack is the most appropriate because it forges a service ticket (TGS) for a specific service, such as the SQL server, using the NTLM hash of the service account. Since the tester has the NTLM hash but not the plaintext password, they can craft a valid Kerberos service ticket without needing to authenticate to the domain controller, directly granting access to the SQL server.

Exam trap

The trap here is that candidates often confuse Silver Ticket attacks (forging service tickets) with Golden Ticket attacks (forging TGTs), but the key distinction is that a Silver Ticket targets a specific service using the service account's hash, while a Golden Ticket grants domain-wide access using the KRBTGT hash.

How to eliminate wrong answers

Option B (Golden Ticket attack) is wrong because it forges a Kerberos Ticket Granting Ticket (TGT) using the KRBTGT account hash, which grants domain-wide access, not a targeted service ticket for a specific SQL server. Option C (Pass-the-hash attack) is wrong because it reuses an NTLM hash to authenticate over NTLM, but the SQL server uses Kerberos authentication, which requires a Kerberos ticket, not an NTLM hash directly. Option D (SMB relay attack) is wrong because it relays captured NTLM authentication to another service, but the goal is to forge a Kerberos service ticket, not relay NTLM challenges.

77
MCQ · medium

During a penetration test, a tester has access to a Windows domain-joined machine. The tester finds that the machine is running a service that uses named pipes for interprocess communication. The tester wants to perform a relay attack to capture authentication credentials. Which of the following conditions is necessary for an SMB relay attack to succeed?

A. SMB signing must be disabled or not enforced
B. The attacker must be on the same subnet
C. The target must have a publicly available SMB share
D. The attacker must have admin privileges on the relay machine
Answer: A

SMB signing provides integrity and authentication checks; if it is disabled or not enforced, the relayed authentication succeeds because the server does not verify the source of the message.

Why this answer

SMB relay attacks work by intercepting an authentication attempt and forwarding it to a target server. For the relay to succeed, the target server must not require SMB signing, because signing ensures that the relayed authentication packet is cryptographically bound to the original session, preventing the attacker from replaying it. When SMB signing is disabled or not enforced, the relayed authentication is accepted as valid, allowing credential capture.

Exam trap

CompTIA often tests the misconception that SMB relay requires the attacker to be on the same subnet or have admin privileges, but the critical technical condition is the absence of SMB signing enforcement on the target server.

How to eliminate wrong answers

Option B is wrong because SMB relay attacks can be performed across subnets as long as the attacker can route the traffic between the victim and the target server; being on the same subnet is not a requirement. Option C is wrong because the target does not need a publicly available SMB share; the relay works against any SMB server that accepts authentication, even if no shares are accessible. Option D is wrong because the attacker does not need admin privileges on the relay machine; the relay is performed from the attacker's machine or a controlled system, and the attack succeeds based on network position and protocol weaknesses, not local administrative rights.

78
MCQ · hard

During a penetration test, a tester gains access to a Linux server as a low-privileged user. The server has a cron job that executes a script owned by root but writable by the tester's group. Which privilege escalation technique should the tester use?

A. Kernel exploit
B. Misconfigured sudo permissions
C. Cron job exploitation via script modification
D. Path hijacking in the cron job
Answer: C

The tester can modify the script that is executed as root by the cron job. When the job runs, the injected code executes with root privileges.

Why this answer

The cron job executes a script owned by root but writable by the tester's group. This means the tester can modify the script's contents. When the cron job runs (as root), the modified script executes with root privileges, allowing the tester to gain a root shell or execute arbitrary commands as root.

This is a classic cron job exploitation via script modification.

Exam trap

The trap here is that candidates may confuse path hijacking (which exploits an unqualified command in the script) with direct script modification (which exploits writable permissions on the script file itself), but the question explicitly states the script is writable, making modification the correct choice.

How to eliminate wrong answers

Option A is wrong because a kernel exploit targets vulnerabilities in the Linux kernel itself, but the scenario describes a misconfigured file permission (writable script) rather than a kernel bug. Option B is wrong because misconfigured sudo permissions would require the tester to have sudo access or a sudoers entry, which is not mentioned; the attack vector here is a writable cron script, not sudo. Option D is wrong because path hijacking in a cron job involves manipulating the PATH environment variable to execute a malicious binary instead of the intended one, but the scenario explicitly states the script itself is writable, so modifying the script directly is the more direct and reliable technique.

79
MCQ · medium

A penetration tester has obtained the NTLM hash of a local administrator account on a Windows domain-joined system. The tester wants to use this hash to authenticate to another system on the network and execute commands remotely. Which tool is commonly used for pass-the-hash attacks to achieve remote code execution?

A. Hydra
B. Impacket's wmiexec.py
C. PsExec
D. Sqlmap
Answer: B

wmiexec.py authenticates via WMI using an NTLM hash, enabling remote command execution.

Why this answer

Impacket's wmiexec.py is the correct tool because it directly supports pass-the-hash (PtH) authentication using NTLM hashes over Windows Management Instrumentation (WMI). It accepts an NTLM hash via the `-hashes` flag and establishes a remote WMI session, enabling command execution without needing the plaintext password. This makes it ideal for lateral movement in a domain environment where a local administrator hash has been captured.

Exam trap

CompTIA often tests the distinction between tools that require plaintext credentials versus those that can operate directly with NTLM hashes, leading candidates to mistakenly choose PsExec because it is a well-known remote execution tool, even though it does not natively support pass-the-hash without additional credential injection steps.

How to eliminate wrong answers

Option A (Hydra) is wrong because it is a network login cracker that performs brute-force or dictionary attacks against authentication services, not a pass-the-hash tool; it requires plaintext passwords, not NTLM hashes. Option C (PsExec) is wrong because while it can execute commands remotely, it does not natively support pass-the-hash; it requires a plaintext password or a valid Kerberos ticket, and using an NTLM hash directly would require additional tools like Mimikatz to inject the hash into the session. Option D (Sqlmap) is wrong because it is a SQL injection exploitation tool, completely unrelated to Windows authentication or remote command execution via NTLM hashes.

80
MCQ · hard

During an internal penetration test, a tester compromises a server that is part of a Kubernetes cluster. The tester has access to the node's operating system but not to the cluster's administrative credentials. Which of the following techniques would most likely allow the tester to escalate privileges to cluster-admin or access sensitive resources within the cluster?

A. Extracting a service account token from a running container and using it to access the Kubernetes API
B. Exploiting a kernel vulnerability on the node to escape to the host and then compromise the Kubernetes API server
C. Searching for a kubeconfig file on the node that contains a cluster-admin token
D. Modifying a ConfigMap to inject a malicious pod that runs with elevated privileges
Answer: A

Service account tokens are mounted inside pods. By entering a container (e.g., via the container runtime), the tester can read the token and authenticate to the API server, potentially with elevated rights.

Why this answer

Option A is correct because service account tokens are automatically mounted into pods at /var/run/secrets/kubernetes.io/serviceaccount/token. An attacker with node-level access can extract this token from a running container's filesystem and use it to authenticate to the Kubernetes API server. Since service accounts are often granted broad permissions via RBAC bindings, this token may allow the tester to access sensitive resources or even escalate to cluster-admin if the service account has such privileges.

Exam trap

The trap here is that candidates may assume kernel exploits (Option B) are always the best escalation path, but in Kubernetes, the service account token is a simpler and more direct method to access the API server from a compromised node.

How to eliminate wrong answers

Option B is wrong because exploiting a kernel vulnerability to escape to the host is unnecessary—the tester already has node-level OS access. Even after escaping, compromising the API server would require network access and authentication, which is not directly achieved by a kernel exploit. Option C is wrong because kubeconfig files on a node typically contain only node-level credentials (e.g., kubelet client certificates), not cluster-admin tokens; cluster-admin tokens are rarely stored on worker nodes.

Option D is wrong because modifying a ConfigMap cannot directly inject a pod; ConfigMaps store configuration data, not pod definitions. To create a malicious pod, the tester would need API server access, which is the goal, not the method.

81
MCQ · hard

During an internal penetration test, a tester gains access to a domain-joined Windows 10 workstation as a local administrator. The tester wants to escalate privileges to Domain Admin. Which attack involves requesting Kerberos service tickets that can be cracked offline to reveal the plaintext password of a service account?

A. Pass-the-hash
B. Kerberoasting
C. Golden ticket
D. Silver ticket
Answer: B

This attack requests and cracks Kerberos service tickets to obtain service account passwords.

Why this answer

Kerberoasting is the correct attack because it involves requesting Kerberos service tickets (TGS-REP) for service accounts registered with Service Principal Names (SPNs) in Active Directory. These tickets are encrypted with the service account's NTLM hash, which can be cracked offline to reveal the plaintext password. Since the tester has local administrator access on a domain-joined workstation, they can use tools like Rubeus or Impacket to request these tickets without needing domain admin privileges initially.

Exam trap

CompTIA often tests Kerberoasting by contrasting it with pass-the-hash, where candidates mistakenly think pass-the-hash involves cracking hashes offline, but it actually reuses the hash directly for authentication without offline cracking.

How to eliminate wrong answers

Option A (Pass-the-hash) is wrong because it reuses an NTLM hash to authenticate without cracking it, not requesting Kerberos service tickets for offline cracking. Option C (Golden ticket) is wrong because it forges a Kerberos Ticket Granting Ticket (TGT) using the KRBTGT account hash, not requesting service tickets for offline cracking. Option D (Silver ticket) is wrong because it forges a service ticket for a specific service using the service account's hash, not requesting and cracking tickets offline.

82
Multi-Select · medium

Which TWO of the following are common techniques used during a pass-the-hash attack? (Select TWO.)

Select 2 answers
A. Extracting NTLM hashes from LSASS
B. Performing a brute-force attack on the hash
C. Using a password spray attack
D. Injecting hashes into a process to authenticate
E. Requesting Kerberos TGS tickets
Answers: A, D

LSASS stores NTLM hashes in memory; extracting them enables PtH.

Why this answer

Option A is correct because in a pass-the-hash attack, the attacker first extracts NTLM hashes from the Local Security Authority Subsystem Service (LSASS) process memory. LSASS stores user credentials, including NTLM hashes, after successful authentication. By dumping LSASS (e.g., using Mimikatz sekurlsa::logonpasswords), the attacker obtains the hash without needing the plaintext password.

Exam trap

CompTIA often tests the distinction between pass-the-hash and hash cracking: candidates mistakenly think brute-forcing the hash (Option B) is part of the attack, but pass-the-hash reuses the hash as-is, never attempting to reverse it.

83
MCQ · hard

A penetration tester has compromised a Linux server and wants to move laterally to a Windows server. The Linux server has network access to the Windows server on port 445. The tester has a captured NTLM hash of a domain administrator account. Which technique is most likely to allow the tester to authenticate and execute commands on the Windows server?

A. Pass-the-hash using Impacket's psexec
B. Kerberos Golden Ticket attack
C. SMB relay attack using the hash
D. Brute-force password cracking of the hash
Answer: A

Pass-the-hash allows authentication using the NTLM hash directly, enabling lateral movement to Windows systems.

Why this answer

Option A is correct because the tester has a captured NTLM hash of a domain administrator account and network access to the Windows server on port 445 (SMB). Pass-the-hash (PtH) allows authentication using the NTLM hash directly without needing the plaintext password. Impacket's psexec uses the SMB protocol to authenticate with the hash and execute commands remotely, making it the most direct and effective technique for lateral movement in this scenario.

Exam trap

The trap here is that candidates may confuse pass-the-hash with SMB relay, but relay requires intercepting a live authentication attempt, whereas pass-the-hash directly uses the captured hash to authenticate without any relay.

How to eliminate wrong answers

Option B is wrong because a Kerberos Golden Ticket attack requires forging a Ticket Granting Ticket (TGT) using the KRBTGT account's hash, which is not captured here; the captured hash is for a domain administrator account, not the KRBTGT account, and the attack also requires domain controller access, not just SMB to a Windows server. Option C is wrong because an SMB relay attack requires the tester to intercept and relay authentication attempts from a client to a server, but the tester already possesses the hash and does not need to relay it; relay attacks are used when the hash cannot be directly used (e.g., with NTLMv2 and no local admin rights), but here the hash is directly usable for pass-the-hash.

84
MCQ · hard

During a penetration test, a tester exploits a buffer overflow vulnerability in a legacy application. After gaining code execution, what is the next best step to maintain access?

A. Create a backdoor user account
B. Install an antivirus solution
C. Patch the buffer overflow vulnerability
D. Erase the application logs
Answer: A

A backdoor account provides reliable access even if the exploit is patched.

Why this answer

After gaining code execution via a buffer overflow, the next best step is to create a backdoor user account to maintain persistent access to the compromised system. This ensures the tester can re-enter the environment without re-exploiting the vulnerability, which may be patched or monitored. Creating a local user account (e.g., via `net user` or `useradd`) is a standard persistence technique in penetration testing, allowing continued access for lateral movement or data exfiltration.

Exam trap

CompTIA often tests the distinction between maintaining access (persistence) and covering tracks (log deletion) or remediation (patching), leading candidates to mistakenly choose log erasure or patching as the immediate next step after exploitation.

How to eliminate wrong answers

Option B is wrong because installing an antivirus solution would likely detect and remove the tester's tools or backdoors, undermining the goal of maintaining access; it also violates the tester's objective of stealth. Option C is wrong because patching the buffer overflow vulnerability would fix the exploited flaw, but this is a remediation step for the client, not a step to maintain the tester's access; it would actually prevent future exploitation. Option D is wrong because erasing application logs may help cover tracks, but it does not provide a mechanism for re-entry; log deletion is a post-exploitation cleanup step, not a persistence method.

85
MCQ · medium

A penetration tester discovers a Java application that deserializes user-controlled data without validation. The tester crafts a malicious serialized object that executes a command upon deserialization. The application runs on a Linux server with a standard Java runtime. Which of the following is the most likely outcome if the malicious object is accepted?

A. The application will crash immediately due to an exception.
B. The application will disclose sensitive information in the response.
C. The tester will gain a shell with the privileges of the current user.
D. The tester will be able to execute arbitrary commands on the server.
Answer: D

Successful exploitation of insecure deserialization in Java often results in remote code execution.

Why this answer

Java deserialization of untrusted data allows an attacker to supply a crafted serialized object that, when deserialized, can execute arbitrary code via gadget chains (e.g., CommonsCollections). Since the application runs on a Linux server with a standard Java runtime, the attacker can achieve remote code execution (RCE) with the privileges of the application's user, not necessarily an interactive shell. Option D is correct because the primary impact is arbitrary command execution, which may or may not yield a shell depending on the payload.

Exam trap

The trap here is that candidates often conflate 'arbitrary command execution' with 'gaining a shell' (Option C), but the exam expects the broader, more precise impact—arbitrary command execution—since a shell is just one specific form of command execution and not guaranteed by every payload.

How to eliminate wrong answers

Option A is wrong because while deserialization can throw exceptions, a crafted malicious object is designed to execute code before or instead of throwing an unhandled exception, so a crash is not the most likely outcome. Option B is wrong because deserialization RCE does not inherently disclose sensitive information in the response; information disclosure would require a specific payload or secondary vulnerability. Option C is wrong because gaining a shell is a possible outcome of arbitrary command execution, but it is not guaranteed; the most direct and accurate description is arbitrary command execution, as the payload may execute a command without spawning an interactive shell.

86
MCQ · medium

A penetration tester is testing a web application that uses JSON Web Tokens (JWTs) for authentication. The tester discovers that the server does not verify the JWT signature properly. The tester crafts a JWT with an arbitrary payload and sets the algorithm to 'none'. Which attack does this enable?

A. SQL injection
B. Server-side request forgery
C. Authentication bypass
D. Cross-site request forgery
Answer: C

Setting the algorithm to 'none' and forging the token allows the attacker to bypass authentication and gain unauthorized access.

Why this answer

Option C is correct because setting the JWT algorithm to 'none' removes all cryptographic verification. If the server does not validate the signature, it will accept a token with an arbitrary payload, allowing the attacker to impersonate any user without knowing the secret key. This directly results in an authentication bypass, as the server trusts the forged token.

Exam trap

The trap here is that candidates may confuse JWT algorithm manipulation with injection attacks (SQLi) or server-side request forgery (SSRF), but the core of this question is about signature verification failure leading to authentication bypass.

How to eliminate wrong answers

Option A is wrong because SQL injection targets database queries via input fields, not JWT token manipulation; the 'none' algorithm attack does not involve injecting SQL commands. Option B is wrong because server-side request forgery (SSRF) exploits server-side requests to internal resources, whereas this attack modifies the JWT itself to bypass authentication, not to trigger outbound requests.
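As an added example (not part of the question bank), the following Python contrasts a verifier with the flaw this question describes, one that honours the `alg` claim carried inside the token, with a hardened verifier that pins the expected algorithm server-side. The secret, the token payloads, and all helper names (`sign_hs256`, `verify_vulnerable`, `verify_hardened`, `forge_alg_none`) are constructed for the demonstration; the unsigned token is built only to exercise the two verifiers.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret; a real deployment loads this from a secret store.
SECRET = b"demo-secret-not-for-production"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Issue a correctly signed HS256 token, as the server would."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    signing_input = f"{header}.{body}".encode()
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_vulnerable(token: str, secret: bytes):
    """Flawed verifier: lets the token's own header decide whether a signature is checked."""
    header_seg, body_seg, sig_seg = token.split(".")
    header = json.loads(_b64url_decode(header_seg))
    if header.get("alg") == "none":
        # Attacker-controlled header says "unsigned", and the verifier obliges.
        return json.loads(_b64url_decode(body_seg))
    signing_input = f"{header_seg}.{body_seg}".encode()
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_seg)):
        return None
    return json.loads(_b64url_decode(body_seg))


def verify_hardened(token: str, secret: bytes):
    """Hardened verifier: the server pins HS256; 'none' and any other alg are rejected."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_seg, body_seg, sig_seg = parts
    header = json.loads(_b64url_decode(header_seg))
    if header.get("alg") != "HS256":
        return None
    signing_input = f"{header_seg}.{body_seg}".encode()
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    # Constant-time comparison; also False when the signature segment is empty or malformed.
    if not hmac.compare_digest(expected, _b64url_decode(sig_seg)):
        return None
    return json.loads(_b64url_decode(body_seg))


def forge_alg_none(payload: dict) -> str:
    """Build the unsigned token the question describes, used here only as a verifier test case."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}."


if __name__ == "__main__":
    good = sign_hs256({"sub": "alice", "role": "user"}, SECRET)
    forged = forge_alg_none({"sub": "alice", "role": "admin"})
    print("vulnerable accepts forged token:", verify_vulnerable(forged, SECRET))
    print("hardened accepts forged token:", verify_hardened(forged, SECRET))
    print("hardened accepts genuine token:", verify_hardened(good, SECRET))
```

The design point is that the algorithm is a server-side configuration value, never a property read from the untrusted token; the same rule is what a library's `algorithms=[...]` allow-list enforces.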

87
MCQ · easy

During a penetration test, a tester discovers a web application that reflects user input in the HTTP response without proper escaping or encoding. The input is not sanitized and is included in the page's HTML. Which type of vulnerability is most likely present?

A. SQL injection
B. Cross-Site Scripting (XSS)
C. Stored XSS
D. Cross-Site Request Forgery (CSRF)
Answer: B

Reflecting unsanitized user input in the HTTP response is a primary indicator of a reflected XSS vulnerability, allowing script injection.

Why this answer

The vulnerability is reflected Cross-Site Scripting (XSS) because the web application immediately echoes user-supplied input in the HTTP response without proper escaping or encoding, allowing an attacker to inject arbitrary HTML or JavaScript that executes in the victim's browser. This matches the classic definition of reflected XSS, where the payload is part of the request and reflected back, not stored on the server.

Exam trap

The trap here is that candidates confuse reflected XSS with stored XSS because both involve injecting script into a web page, but the key differentiator is whether the payload is persisted on the server (stored) or immediately reflected in the response (reflected).

How to eliminate wrong answers

Option A is wrong because SQL injection requires user input to be incorporated into a database query without proper sanitization, not simply reflected in the HTTP response; the description lacks any mention of database interaction or query construction. Option C is wrong because stored XSS requires the malicious input to be persisted on the server (e.g., in a database or file) and later served to other users, whereas the scenario describes input being reflected immediately in the response without storage.

88
MCQ · hard

A penetration tester is evaluating a cloud environment (AWS) and finds an S3 bucket with public write access. Which attack is most likely to succeed if the tester wants to plant malicious files that will be served to users?

A. Exhaust the bucket's storage quota
B. Upload a malicious JavaScript file to the bucket
C. Encrypt all objects in the bucket for ransom
D. Modify the bucket policy to grant further permissions
Answer: B

Public write allows uploading files; if the bucket serves web content, users will download the malicious file.

Why this answer

Option B is correct because an S3 bucket with public write access allows anyone to upload objects without authentication. A penetration tester can upload a malicious JavaScript file (e.g., for cross-site scripting or drive-by download) that, when accessed by users via the bucket's public URL, executes in their browsers. This directly exploits the misconfiguration to serve malicious content to end users.

Exam trap

The trap here is that candidates may confuse 'public write access' with 'public read access' and assume the goal is to read data, or they may overthink the attack path and choose a privilege escalation option (D) instead of directly exploiting the write permission to plant malicious content.

How to eliminate wrong answers

Option A is wrong because exhausting the bucket's storage quota is a denial-of-service tactic, not a method to plant malicious files served to users; it disrupts availability but does not achieve the goal of serving malicious content. Option C is wrong because encrypting all objects for ransom (e.g., ransomware) requires write access but does not plant files that are served to users; it denies access to existing data and is a different attack vector (data extortion). Option D is wrong because modifying the bucket policy to grant further permissions is a privilege escalation step that could enable other attacks, but it does not directly plant malicious files to be served to users; the tester already has public write access, so changing the policy is unnecessary for the stated goal.

89
MCQ · hard

During a penetration test, a tester identifies a buffer overflow vulnerability in a Linux binary. The system has ASLR and NX (Non-Executable) enabled. The tester finds a ROP gadget at a fixed address in a library that is loaded at a constant address across reboots. Which exploitation method is the most appropriate to achieve code execution?

A. Return-to-libc attack
B. Return-Oriented Programming (ROP) chain
C. Heap spraying
D. SEH overwrite exploit
Answer: B

ROP chains bypass both ASLR (if gadgets are at fixed addresses) and NX by reusing existing code snippets.

Why this answer

Option B is correct because Return-Oriented Programming (ROP) is specifically designed to bypass both ASLR and NX when a fixed-address ROP gadget is available. Since the library is loaded at a constant address across reboots, the tester can chain gadgets from that library to execute arbitrary code without needing to inject executable shellcode.

Exam trap

The trap here is that candidates may confuse return-to-libc with ROP, but return-to-libc is limited to calling a single function and cannot chain multiple gadgets, which is necessary for complex code execution when NX is enabled.

How to eliminate wrong answers

Option A is wrong because a return-to-libc attack typically relies on calling a single function (e.g., system()) and does not provide the flexibility to chain multiple operations; it is less effective when ASLR randomizes the base address of libc, but here the library is at a fixed address, making ROP more appropriate for complex code execution. Option C is wrong because heap spraying is a technique used to increase the predictability of heap layout for exploiting use-after-free or heap overflow vulnerabilities, not for bypassing NX or achieving code execution via a buffer overflow with ROP gadgets.

90
MCQ · medium

During a penetration test, the tester exploits a local file inclusion (LFI) vulnerability to read /etc/passwd. The tester then wants to achieve remote code execution. Which technique is most likely to succeed if the web application is running as the www-data user?

A. Uploading a web shell via file upload
B. Using PHP wrapper php://input to execute commands
C. Reading /proc/self/environ triggers code execution
D. Using SSH to create a reverse shell
Answer: B

The php://input wrapper reads raw POST data, and if allow_url_include is enabled, it can be used to execute PHP code injected in the request body.

Why this answer

Option B is correct because the PHP wrapper php://input allows reading raw POST data, and when used with an LFI vulnerability, an attacker can inject PHP code into the POST body that gets executed by the include() function. Since the web application runs as www-data, this technique bypasses file upload restrictions and directly achieves remote code execution without needing write permissions.

Exam trap

The trap here is that candidates confuse passive file reads (like /proc/self/environ) with active code execution techniques, or assume file upload is always available when the primary vulnerability is LFI.

How to eliminate wrong answers

Option A is wrong because uploading a web shell via file upload requires a separate file upload vulnerability, which is not guaranteed; even if present, the uploaded file must be accessible and executable, and the www-data user may lack write permissions to the web root. Option C is wrong because reading /proc/self/environ only reveals environment variables and does not trigger code execution; it is a passive information disclosure, not an active exploitation technique.

91
MCQ · easy

During a penetration test, a tester discovers a web application that reflects user input in the HTTP response without sanitization. Which attack is most likely to be successful?

A. Server-side request forgery
B. SQL injection
C. Reflected cross-site scripting
D. Cross-site request forgery
Answer: C

Reflected XSS occurs when user input is echoed back unsanitized.

Why this answer

Reflected cross-site scripting (XSS) is the correct answer because the vulnerability described—user input reflected in the HTTP response without sanitization—directly enables an attacker to inject malicious scripts (e.g., JavaScript) that execute in the victim's browser. This occurs when the application fails to validate or encode the input before including it in the response, allowing the attacker to craft a URL with a script payload that, when visited, runs in the context of the vulnerable web application's origin.

Exam trap

The trap here is that candidates often confuse reflected XSS with stored XSS or CSRF, but the key differentiator is that the input is immediately reflected in the response without sanitization, not stored on the server or requiring a forged request.

How to eliminate wrong answers

Option A is wrong because server-side request forgery (SSRF) exploits server-side functionality to make requests to internal or external resources, not the reflection of user input in HTTP responses. Option B is wrong because SQL injection targets database queries by injecting SQL commands into input fields, not by reflecting input in HTTP responses without sanitization. Option D is wrong because cross-site request forgery (CSRF) tricks a user into performing unintended actions on a web application where they are authenticated, relying on forged requests rather than reflected input in the response.

92
MCQ · hard

Refer to the exhibit. A penetration tester discovers this IAM policy attached to a public user role. Which attack is most likely to succeed?

A. Bucket ACL misconfiguration leading to public listing
B. Privilege escalation to admin
C. Resource exhaustion through large object uploads
D. Data exfiltration and modification
Answer: D

GetObject allows reading (exfiltration) and PutObject allows writing (modification) to the bucket.

Why this answer

The IAM policy grants `s3:PutObject` and `s3:GetObject` actions on the `arn:aws:s3:::example-bucket/*` resource, allowing a public user to both upload and download objects. This directly enables data exfiltration (via GetObject) and modification (via PutObject overwriting existing objects). The policy does not restrict object listing or require encryption, making D the most likely successful attack.

Exam trap

CompTIA often tests the distinction between bucket-level actions (like ListBucket) and object-level actions (like GetObject/PutObject), trapping candidates who assume that without ListBucket, data cannot be exfiltrated—but attackers can guess object keys or use other enumeration methods.

How to eliminate wrong answers

Option A is wrong because the policy does not grant `s3:ListBucket` or `s3:GetBucketAcl`, so a public user cannot list bucket contents or view/modify the bucket ACL; bucket ACL misconfiguration is not directly exploitable here. Option B is wrong because the policy only allows specific S3 actions on a single bucket ARN, with no permissions for IAM, STS, or other services that would enable privilege escalation to admin. Option C is wrong because resource exhaustion through large object uploads is a potential denial-of-service vector, but the question asks for the attack most likely to succeed given the explicit read/write permissions, and data exfiltration/modification is more directly enabled and common.

93
MCQ · medium

During an internal penetration test, the tester gains a low-privilege shell on a Linux server running a web application. The web application runs as the www-data user. The tester discovers that the www-data user can read the /etc/shadow file. The server has AppArmor enabled, which restricts certain actions. The tester wants to escalate privileges to root. Which technique is most likely to succeed?

A. Extract password hashes from /etc/shadow and crack them offline.
B. Use a kernel exploit like Dirty COW.
C. Search for SUID binaries with known vulnerabilities and exploit one.
D. Add the www-data user to the sudoers file.
Answer: C

SUID binaries run as root, and a vulnerable one can provide a direct root shell, bypassing AppArmor if the binary's profile allows.

Why this answer

Option C is correct because SUID binaries that are misconfigured or have known vulnerabilities can be exploited to execute commands with the privileges of the binary's owner (often root). Since the tester already has a low-privilege shell and can read /etc/shadow, searching for SUID binaries is a standard privilege escalation technique that does not require kernel exploits or write access to /etc/sudoers. The presence of AppArmor does not inherently block SUID exploitation unless specific profiles restrict the binary.

Exam trap

The trap here is that candidates assume reading /etc/shadow directly leads to root access via password cracking, but they overlook the practical difficulty of using the cracked password without an interactive login method, and they underestimate the effectiveness of SUID exploitation in a restricted environment like AppArmor.

How to eliminate wrong answers

Option A is wrong because extracting password hashes from /etc/shadow and cracking them offline only yields the password for a user account (e.g., root), but the tester does not have a way to use that password to log in as root (e.g., SSH may be disabled, or the tester lacks interactive login). Option B is wrong because kernel exploits like Dirty COW (CVE-2016-5195) are likely to be blocked by AppArmor's kernel-level restrictions, and modern kernels have patched this vulnerability; the question explicitly states AppArmor is enabled, which reduces the success rate of kernel exploits. Option D is wrong because adding the www-data user to the sudoers file requires write access to /etc/sudoers, which the www-data user does not have (the file is typically owned by root and has 440 permissions), and the tester cannot modify it from a low-privilege shell.

94
Multi-Select · easy

Which TWO of the following are common methods used to bypass network access controls during a penetration test? (Choose two.)

Select 2 answers
A. SSID broadcasting
B. MAC spoofing
C. 802.1Q trunking (VLAN hopping)
D. ARP poisoning
E. SQL injection
Answers: B, C

Spoofing an allowed MAC address can bypass MAC-based ACLs.

Why this answer

MAC spoofing allows a tester to impersonate an authorized device by changing the MAC address of their network interface to match a whitelisted MAC, thereby bypassing MAC-based access control lists (ACLs) or port security. This is a common bypass because many network access controls rely on MAC addresses as a simple authentication factor, which can be trivially altered using tools like `macchanger` or `ifconfig`.

Exam trap

CompTIA often tests the distinction between passive reconnaissance (like SSID broadcasting) and active bypass techniques, leading candidates to incorrectly select SSID broadcasting as a bypass method when it is merely a visibility setting.

95
MCQ · hard

A penetration tester has obtained a TGT from a domain controller by cracking the krbtgt hash. Which attack can the tester now perform to gain persistent administrative access to any resource in the domain?

A. Pass-the-Hash
B. Silver Ticket
C. Golden Ticket
D. DCSync
Answer: C

With the krbtgt hash, an attacker can create a Golden Ticket—a forged TGT that allows impersonation of any user for any service in the domain.

Why this answer

A Golden Ticket attack is the correct answer because the tester has cracked the krbtgt hash, which is the key used by the Key Distribution Center (KDC) to sign all Ticket Granting Tickets (TGTs). With this hash, the tester can forge a TGT for any user (including a domain admin) with an arbitrarily long validity period, granting persistent administrative access to any resource in the domain without needing to interact with the domain controller again.

Exam trap

The trap here is that candidates confuse the scope of a Silver Ticket (limited to a single service) with a Golden Ticket (full domain compromise), often picking Silver Ticket because they think 'service ticket' sounds broader, but the krbtgt hash specifically enables TGT forgery, not service ticket forgery.

How to eliminate wrong answers

Option A is wrong because Pass-the-Hash (PtH) uses an NTLM hash of a user's password to authenticate, not the krbtgt hash, and it does not provide persistent access to all resources—it only allows impersonation of that specific user until the hash changes. Option B is wrong because a Silver Ticket forges a service ticket (TGS) using the hash of a service account (e.g., for a specific service like HTTP or CIFS), not the krbtgt hash, and it only grants access to that specific service, not to any resource in the domain.

96
MCQ · hard

A penetration tester has successfully exploited a buffer overflow vulnerability in a Linux binary. However, the binary has Data Execution Prevention (DEP) enabled and Address Space Layout Randomization (ASLR) disabled. Which exploitation technique is MOST appropriate to achieve code execution in this environment?

A. Return-oriented programming (ROP) to bypass DEP
B. Simple shellcode injection on the stack
C. ASLR bypass techniques
D. Heap spraying
Answer: A

ROP chains use existing code snippets (gadgets) to perform operations without injecting executable code, bypassing DEP effectively.

Why this answer

Return-oriented programming (ROP) is the most appropriate technique because DEP marks the stack and heap as non-executable, preventing direct shellcode injection. With ASLR disabled, the attacker can reliably locate and chain small instruction sequences (gadgets) from the binary or loaded libraries to achieve arbitrary code execution without needing executable memory regions.

Exam trap

CompTIA often tests the misconception that DEP can be bypassed by simply injecting shellcode onto the stack, ignoring that DEP explicitly prevents execution from non-executable pages, making ROP or similar code-reuse techniques mandatory.

How to eliminate wrong answers

Option B is wrong because simple shellcode injection on the stack fails when DEP is enabled, as the CPU will raise an access violation when trying to execute code from a non-executable memory region. Option C is wrong because ASLR bypass techniques (such as information leaks or brute-forcing) are unnecessary when ASLR is already disabled; the core challenge here is DEP, not address randomization.

97
MCQ · medium

During a network penetration test, the tester identifies that a web server is vulnerable to a buffer overflow. The server is running on a Windows system with DEP enabled. Which technique should the tester use to bypass DEP?

A. Return-to-libc attack
B. Return-Oriented Programming (ROP)
C. Use a NOP sled and shellcode injection
D. Stack pivoting
Answer: B

ROP uses existing code gadgets to execute arbitrary commands without injecting new code.

Why this answer

Return-Oriented Programming (ROP) is the correct technique to bypass Data Execution Prevention (DEP) on Windows. DEP marks memory pages (like the stack and heap) as non-executable, preventing direct shellcode execution. ROP chains together small instruction sequences (gadgets) already present in executable memory (e.g., in loaded DLLs) to achieve arbitrary behavior without injecting or executing new code.

Exam trap

The trap here is that candidates often confuse DEP bypass with simple shellcode injection (Option C) or assume stack pivoting alone bypasses DEP, when in fact ROP is the standard technique to execute code without relying on executable stack memory.

How to eliminate wrong answers

Option A is wrong because a return-to-libc attack typically calls a single libc function (e.g., system()) to execute a command. Like ROP, it relies on calling existing code rather than an executable stack, but ROP is more flexible and is the standard modern DEP bypass on Windows, while return-to-libc is more closely associated with Linux and does not address the need to chain multiple calls. Option C is wrong because a NOP sled and shellcode injection rely on executing code on the stack, which is blocked by DEP (non-executable stack). Option D is wrong because stack pivoting redirects the stack pointer to a controlled memory region (e.g., the heap) to facilitate ROP or other attacks; it is not itself a method to bypass DEP and is used in conjunction with ROP, not as a standalone bypass.

98
MCQ · hard

A penetration tester is engaged to assess a corporate network that uses a centralized logging server (SIEM) with a 24/7 SOC. The tester has gained initial access to a Windows workstation via a phishing email. The goal is to move laterally to a domain controller without triggering alerts. The internal network is segmented into VLANs: a user VLAN (192.168.1.0/24) and a server VLAN (10.0.0.0/24) with strict firewall rules allowing only specific ports (e.g., RDP from user VLAN to server VLAN is denied). The tester discovers that the workstation has a PowerShell script that runs every hour to check for drive space on all servers using WinRM (port 5985) with stored domain admin credentials. The script is scheduled via a domain GPO. Which of the following actions should the tester perform to achieve lateral movement to the domain controller with the lowest chance of detection?

A. Alter the firewall rules to allow direct access from the user VLAN to the server VLAN
B. Use an RDP client to connect directly to the domain controller from the workstation
C. Modify the existing PowerShell script to include a reverse shell that connects back to the tester
D. Perform a pass-the-hash attack from the workstation to the domain controller using SMB
Answer: C

This leverages existing trusted infrastructure and credentials, blending in with normal operations.

Why this answer

Option C is correct because modifying the existing PowerShell script to include a reverse shell allows the tester to execute code on the domain controller using WinRM (port 5985), which is already permitted by the firewall and part of a legitimate scheduled task. This approach leverages the stored domain admin credentials and the trusted script execution path, avoiding any new connections or anomalies that would trigger SOC alerts. The reverse shell blends into the normal WinRM traffic, making detection by the SIEM or SOC highly unlikely.

Exam trap

The trap here is that candidates often choose pass-the-hash (Option D) because it is a well-known lateral movement technique, but they overlook the strict firewall rules and logging that would expose the SMB traffic, whereas modifying an existing trusted script (Option C) is stealthier and aligns with the scenario's constraints.

How to eliminate wrong answers

Option A is wrong because altering firewall rules requires administrative privileges on the firewall itself, which the tester does not have from a compromised workstation, and any change would be immediately detected by the SOC as an unauthorized configuration modification. Option B is wrong because RDP from the user VLAN to the server VLAN is explicitly denied by the firewall rules, and attempting a direct RDP connection would be blocked and logged as a failed connection attempt, triggering an alert. Option D is wrong because pass-the-hash over SMB typically uses port 445, which is likely blocked or restricted between VLANs, and the SMB protocol generates significant network logs that the SIEM would flag as anomalous lateral movement.

99
Matching · medium

Match each vulnerability category to its description.


Attacker injects malicious SQL queries

Attacker injects client-side scripts into web pages

Attacker tricks user into performing unwanted actions

Writing more data to a buffer than it can hold

Accessing files outside the web root directory

Why these pairings

These are common web application vulnerabilities tested in the PT0-002 exam.

100
MCQ · medium

A penetration tester is attempting to exploit a Linux system that has ASLR and DEP enabled. The tester has identified a buffer overflow vulnerability in a network service compiled without stack canaries and with a non-executable stack (NX). The binary is statically linked and not PIE. Which exploitation technique is most likely to succeed under these conditions?

A. Heap spraying to place shellcode in the heap and then overwrite a function pointer to execute the shellcode
B. Return-to-libc attack using libc functions
C. Return-Oriented Programming (ROP) to call mprotect and then execute shellcode on the stack
D. Ret2plt to call system() via the PLT
Answer: C

ROP allows the attacker to chain gadgets to call mprotect and change memory permissions on the stack to executable, then jump to shellcode placed on the stack. This bypasses NX while leveraging the known addresses from the statically linked, non-PIE binary.

Why this answer

Option C is correct because the binary is statically linked (no libc to return to) and has a non-executable stack (NX), so shellcode cannot execute directly on the stack. Return-Oriented Programming (ROP) allows the attacker to chain gadgets from the binary itself to call mprotect() and change the stack region to executable, then pivot to shellcode placed on the stack. Since ASLR is enabled but the binary is not PIE, its code base address is fixed, making ROP gadgets reliably addressable.

Exam trap

The trap here is that candidates assume return-to-libc is always viable, forgetting that a statically linked binary has no libc to return to, making ROP the only way to call mprotect and bypass NX.

How to eliminate wrong answers

Option A is wrong because heap spraying is typically used to increase the predictability of heap layout for a use-after-free or similar vulnerability, but here the vulnerability is a stack-based buffer overflow; overwriting a function pointer would require a separate write primitive and does not bypass NX on the stack. Option B is wrong because return-to-libc relies on libc functions being present at a known address, but the binary is statically linked, meaning no shared libc is loaded, and ASLR would randomize libc's base address even if it were dynamically linked.

101
MCQ · hard

During an internal penetration test, a tester captures an NTLMv2 hash of a domain admin account using a Responder attack. The organization's password policy requires at least 12 characters with uppercase, lowercase, numbers, and special characters. Which password cracking technique is most likely to succeed first?

A. Dictionary attack with common passwords
B. Brute-force attack with all possible 8-character combinations
C. Hybrid attack combining dictionary words with numbers and special characters
D. Rainbow table attack on the hash
Answer: C

This approach uses word mangling and is effective for passwords that are variations of common words.

Why this answer

Option C is correct because NTLMv2 hashes are computationally expensive to crack, and a hybrid attack that combines dictionary words with numbers and special characters is the most efficient approach given the 12-character minimum policy. This technique leverages common password patterns (e.g., 'Password123!') that users often create to meet complexity requirements, making it faster than brute-forcing all possible 12-character combinations.

Exam trap

The trap here is that candidates may assume a brute-force attack is always the most thorough method, but they overlook the time constraints of cracking 12-character hashes, making hybrid attacks the practical first choice.

How to eliminate wrong answers

Option A is wrong because a dictionary attack with common passwords is unlikely to succeed against a 12-character minimum policy, as users are forced to create longer, more complex passwords that rarely appear in standard wordlists. Option B is wrong because a brute-force attack with all possible 8-character combinations would fail to crack a 12-character password, as it only covers 8-character space and would never reach the required length.
