75 of 181 questions · Page 1/3 · Ptp Attacks Exploits topic · Answers revealed
A tester finds a Linux binary with the SUID bit set that is owned by root and can be executed by any user. The binary is known to have a vulnerability that allows arbitrary code execution. Which command does the tester use to find all SUID binaries on the system?
This command finds all files with SUID permission (4000).
Why this answer
The 'find / -perm /4000' command locates files with the SUID bit set (4000 permission).
A tester exploits an XXE vulnerability to read local files. Which of the following is a typical XXE payload to read /etc/passwd?
This payload defines an entity reading the file.
Why this answer
XXE uses an external entity with file:// to read local files.
During a web application test, a tester discovers an endpoint that fetches a URL from user input without validation. They attempt to access the AWS metadata endpoint. Which IP address is commonly used for the cloud metadata service?
This is the link-local address for cloud metadata.
Why this answer
AWS metadata is accessible at 169.254.169.254, a link-local address.
A penetration tester is performing a web application assessment. Which of the following are common techniques to identify and exploit IDOR vulnerabilities? (Select TWO.)
Changing IDs to access other users' data.
Why this answer
IDOR involves manipulating object references; enumeration of IDs and modifying parameter values are common techniques.
A penetration tester wants to perform a pass-the-hash attack against a Windows system using a captured NTLM hash. Which tool can be used to authenticate and execute commands remotely?
pth-winexe passes the NTLM hash to authenticate and execute commands.
Why this answer
pth-winexe allows pass-the-hash authentication to Windows systems.
During a web application test, a tester discovers that the application uses JWTs for session management. The tester captures a JWT and notices the 'alg' header is set to 'none'. Which attack is the tester likely to perform?
alg:none attack exploits acceptance of unsigned tokens.
Why this answer
If the server accepts 'none' algorithm, an attacker can forge arbitrary tokens by setting alg=none and removing the signature.
A penetration tester has gained initial access to an internal Windows server and wants to escalate privileges to SYSTEM. The tester identified that the current user has the SeImpersonatePrivilege enabled. Which TWO of the following tools or techniques would be most appropriate to exploit this privilege for privilege escalation?
PrintSpoofer exploits SeImpersonatePrivilege to gain SYSTEM privileges.
Why this answer
SeImpersonatePrivilege allows impersonating a user after obtaining a token. Potato attacks (e.g., RottenPotato, JuicyPotato) and PrintSpoofer exploit this to escalate to SYSTEM. PsExec and Pass-the-Hash are lateral movement tools, not privilege escalation. Kerberoasting obtains service account hashes but does not directly exploit SeImpersonatePrivilege.
A penetration tester successfully compromises a web server and wants to establish persistence on the system. Which THREE of the following are effective persistence mechanisms on a Linux system?
Cron jobs can run periodically.
Why this answer
Cron jobs, SSH authorized_keys, and systemd services are common persistence methods on Linux. Scheduled tasks and registry Run keys are Windows-specific.
You are performing a penetration test and capture a Kerberos TGS ticket for a service account. What kind of attack can you perform offline to crack the service account password?
Kerberoasting cracks TGS tickets offline.
Why this answer
Kerberoasting involves requesting TGS tickets and cracking them offline to recover service account passwords.
During a Windows privilege escalation attempt, a tester finds that the SeImpersonatePrivilege is enabled for the current user. Which tool can be used to escalate privileges to SYSTEM using this privilege?
PrintSpoofer uses SeImpersonatePrivilege to escalate to SYSTEM via named pipe impersonation.
Why this answer
PrintSpoofer is a tool that exploits SeImpersonatePrivilege to impersonate SYSTEM tokens.
During a penetration test, a tester captures NTLM hashes by spoofing LLMNR responses on the internal network. Which tool is most commonly used for this purpose?
Responder is specifically designed for LLMNR/NBT-NS/mDNS poisoning to capture NTLM hashes.
Why this answer
Responder is the standard tool for LLMNR/NBT-NS/mDNS poisoning to capture NTLM hashes.
In a Windows domain, you have compromised a user account with SeImpersonatePrivilege enabled. Which tool or technique would best leverage this privilege to escalate to SYSTEM?
PrintSpoofer leverages SeImpersonatePrivilege to impersonate SYSTEM.
Why this answer
SeImpersonatePrivilege allows token impersonation; PrintSpoofer exploits it to get SYSTEM.
You have compromised a low-privileged Windows user and want to move laterally to a domain controller. Which THREE techniques could be used for lateral movement if you have valid credentials? (Select THREE.)
WMIExec uses WMI for remote command execution.
Why this answer
PsExec, WMIExec, and Evil-WinRM are common lateral movement tools using credentials.
During a penetration test, you capture NTLM hashes by poisoning LLMNR requests. Which tool would you use to exploit this and obtain the hashes?
Responder poisons LLMNR/NBT-NS/mDNS to capture NTLM authentication hashes.
Why this answer
Responder is the primary tool used for LLMNR/NBT-NS/mDNS poisoning to capture NTLM hashes from network authentication attempts.
During a penetration test, a tester gains initial access to a Linux server and wants to pivot to an internal network that is not directly accessible. Which of the following tools is specifically designed for creating SOCKS proxies for pivoting?
Chisel is designed for tunneling and SOCKS proxies.
Why this answer
Chisel is a tool that creates tunnels and SOCKS proxies over HTTP, ideal for pivoting through restrictive networks.
A tester is exploiting a web application and identifies a parameter that reflects user input in the response without sanitization. The tester wants to steal session cookies from other users. Which type of cross-site scripting (XSS) attack should the tester use?
Reflected XSS is suitable for crafting a malicious link that executes when the victim clicks it.
Why this answer
Reflected XSS occurs when input is immediately reflected in the response. Stored XSS persists on the server. DOM-based XSS occurs client-side. For stealing cookies, reflected XSS can be crafted into a link sent to the victim.
A penetration tester is conducting an internal network assessment and wants to capture NTLMv2 hashes from Windows hosts without sending any authentication traffic. Which tool and attack technique should the tester use?
Responder listens for LLMNR/NBT-NS/mDNS queries and responds falsely, causing victims to send NTLMv2 hashes.
Why this answer
Responder poisons LLMNR/NBT-NS/mDNS to trick hosts into sending NTLM hashes to the attacker, capturing them without the attacker needing to authenticate.
A penetration tester needs to crack NTLM hashes obtained from a Windows domain. The hashes are in the format used by Windows. Which hashcat mode should the tester use?
Mode 1000 corresponds to NTLM hashes.
Why this answer
Hashcat mode 1000 is for NTLM hashes.
A penetration tester is performing a web application test and identifies an endpoint that is vulnerable to Server-Side Request Forgery (SSRF). Which of the following actions can the tester perform using this vulnerability? (Choose TWO.)
SSRF allows the attacker to make requests to internal services from the server.
Why this answer
SSRF can be used to access internal services and cloud metadata endpoints.
During a penetration test, a tester identifies that a web application is vulnerable to Server-Side Request Forgery (SSRF). The tester attempts to access the AWS metadata endpoint to retrieve temporary credentials. Which IP address is commonly used for the cloud metadata endpoint?
This is the link-local address used by cloud providers for instance metadata.
Why this answer
The AWS metadata endpoint is available at 169.254.169.254 for all cloud providers.
A penetration tester is performing a web application test and wants to exploit a SQL injection vulnerability to extract data from a database. The tester knows that the application returns results in the HTTP response. Which type of SQL injection is being used?
UNION-based SQL injection leverages the UNION operator to combine results and display them in the output.
Why this answer
UNION-based SQL injection returns results directly in the application's output.
A tester is using Hashcat to crack NTLM hashes. They want to try all possible passwords consisting of exactly 8 lowercase letters. Which attack mode and mask should they use?
Mask attack for 8 lowercase letters.
Why this answer
Brute-force mode (-a 3) with mask ?l?l?l?l?l?l?l?l tries all 8-letter lowercase combinations.
A penetration tester is performing a SQL injection test on a web application. The tester sends the payload ' OR '1'='1 and receives the same response as with a normal request. However, when sending ' OR '1'='2, the response differs. Which type of SQL injection is most likely present?
Boolean-based blind SQL injection uses true/false conditions to infer information.
Why this answer
A difference in responses between a true condition and a false condition indicates blind SQL injection, specifically boolean-based blind.
A penetration tester obtains a meterpreter session on a Windows target. Which command would the tester use to check the current user's privileges and potentially escalate privileges if SeImpersonatePrivilege is enabled?
getsystem attempts to escalate privileges using token impersonation or other methods.
Why this answer
The 'getsystem' command in meterpreter attempts to escalate privileges using various techniques, including token impersonation if SeImpersonatePrivilege is available.
A penetration tester needs to crack a large number of NTLM hashes. They have a wordlist and want to apply common password mutations. Which hashcat option enables the use of a rule file to mutate words?
-r specifies a rule file for rule-based attack.
Why this answer
Hashcat's -r option specifies a rule file that defines transformations (mutation) on dictionary words.
A penetration tester has compromised a Linux server and wants to establish persistence. Which TWO of the following methods are commonly used for persistence on Linux?
This allows persistent SSH access.
Why this answer
Cron jobs and SSH authorized_keys are standard persistence techniques on Linux.
During a penetration test, a tester captures NTLMv2 hashes using Responder. The tester then uses ntlmrelayx to relay the captured hashes to a target server. Which of the following best describes this attack technique?
ntlmrelayx relays captured NTLM authentication to another service, allowing authentication without cracking.
Why this answer
NTLM relay attacks forward captured authentication attempts to other servers, allowing the attacker to authenticate without cracking the hash. This is distinct from pass-the-hash, which requires a hash of the target account for local authentication.
A penetration tester has gained a foothold in a Windows domain and wants to perform lateral movement. Which of the following tools or techniques can be used? (Select THREE.)
Evil-WinRM is a tool for WinRM exploitation.
Why this answer
PsExec, WinRM, and Evil-WinRM are common lateral movement tools in Windows environments.
A penetration tester wants to perform a pass-the-hash attack on a Windows target. Which tools can be used for this purpose? (Choose the best answer.)
pth-winexe allows executing commands on a remote Windows system using an NTLM hash.
Why this answer
pth-winexe is a common tool for pass-the-hash attacks on Windows.
After compromising a Linux host, you want to escalate privileges by exploiting a cron job that runs a script with root privileges. The script references an executable using a relative path. Which attack technique is most appropriate?
Cron jobs that use relative paths can be hijacked via PATH manipulation to run arbitrary commands.
Why this answer
PATH manipulation works by modifying the PATH environment variable so that when the script calls the executable (by name only, no full path), the attacker's malicious version runs with the privileges of the script.
A penetration tester is assessing an Active Directory environment and wants to perform Kerberoasting to obtain service account passwords. Which TWO conditions are required for a successful Kerberoasting attack?
TGS tickets are necessary for offline cracking.
Why this answer
A domain account with a Service Principal Name (SPN) and the ability to request a TGS ticket are required for Kerberoasting.
Which SQL injection technique involves injecting a query that causes a delay in response, allowing the attacker to infer information based on response time?
Time-based uses delays to infer data.
Why this answer
Blind time-based SQL injection uses delays (e.g., WAITFOR DELAY) to infer true/false conditions.
A web application uses JSON Web Tokens (JWT) for authentication. The tester intercepts a token and decodes it to find the header contains "alg":"none". What vulnerability does this indicate, and how can it be exploited?
alg:none accepts tokens without signatures, allowing forgery.
Why this answer
The "alg":"none" vulnerability allows arbitrary token creation without verification.
During a web application test, you find a feature that allows users to export data as PDF. The PDF generation uses user input without sanitization. You inject an XML external entity that reads /etc/passwd and the content appears in the PDF. Which vulnerability is present?
XXE uses external entities to read files.
Why this answer
XXE (XML External Entity) allows reading files via XML entities when the parser is vulnerable.
A tester wants to enumerate SMB shares and execute commands remotely on a Windows target using captured credentials. Which tool is most appropriate?
CrackMapExec can execute commands via SMB.
Why this answer
CrackMapExec is a versatile tool for SMB enumeration, command execution, and lateral movement with credentials.
A penetration tester has gained access to a Linux server and wants to move laterally to a Windows server. The tester captured a hash of a domain user. Which tool can be used to authenticate to the Windows server using the hash?
evil-winrm can use an NTLM hash for authentication via WinRM.
Why this answer
evil-winrm supports pass-the-hash authentication over WinRM, allowing lateral movement.
A tester is targeting a web application that makes server-side requests to internal resources based on user input. The tester attempts to access the AWS metadata endpoint at http://169.254.169.254/latest/meta-data/. The request returns sensitive cloud credentials. Which vulnerability is being exploited?
SSRF allows the server to fetch internal resources, like cloud metadata.
Why this answer
SSRF (Server-Side Request Forgery) allows the attacker to make the server send requests to internal resources. The metadata endpoint is a classic SSRF target. XXE can also access files but typically via entity injection, not direct URL.
After compromising a host, a tester wants to maintain persistence on a Windows system by executing a payload each time a user logs in. Which registry key is commonly used for this?
This key runs programs at startup/logon for all users.
Why this answer
Run keys under HKLM\Software\Microsoft\Windows\CurrentVersion\Run execute programs at user logon.
A penetration tester discovers a web application that fetches URLs from user input without proper validation. The tester targets the internal cloud metadata endpoint at 169.254.169.254 to retrieve instance credentials. Which type of attack is this?
SSRF allows the attacker to make requests from the server to internal or external resources.
Why this answer
SSRF (Server-Side Request Forgery) occurs when the server makes requests to internal resources based on user input, and the cloud metadata endpoint is a common target.
During a penetration test, a tester runs the Responder tool on the internal network and captures an NTLMv2 hash. Which type of network attack is being performed?
Responder poisons LLMNR and NBT-NS to capture NTLM hashes.
Why this answer
Responder poisons LLMNR, NBT-NS, and mDNS queries to capture NTLM hashes from systems trying to resolve names.
During a penetration test, the tester gains access to a domain-joined Windows machine and wants to perform Kerberoasting. Which THREE conditions are necessary for a successful Kerberoasting attack?
The attacker must request service tickets.
Why this answer
The user must have domain credentials, there must be service accounts with SPNs, and the attacker must be able to request TGS tickets. Plaintext passwords are not required, and local admin is not needed.
During an internal penetration test, the tester wants to relay captured NTLM authentication to a server to gain access. Which tool from the Impacket suite is specifically designed for NTLM relay attacks?
ntlmrelayx relays NTLM authentication to target servers.
Why this answer
ntlmrelayx is the Impacket tool for relaying NTLM authentication.
During a penetration test, a tester captures NTLMv2 hashes by spoofing LLMNR responses. Which tool is most commonly used for this purpose?
Responder specifically poisons LLMNR, NBT-NS, and mDNS to capture NTLM hashes.
Why this answer
Responder is the standard tool for LLMNR/NBT-NS/mDNS poisoning to capture NTLM hashes.
A tester is performing a web application test and finds an endpoint that accepts XML input. The tester sends a payload that includes an external entity referencing a local file. Which vulnerability is being tested?
XXE exploits XML external entities.
Why this answer
XXE (XML External Entity) injection allows reading local files or performing SSRF via XML parsers.
A tester is performing a Kerberoasting attack. After requesting TGS tickets, which hashcat mode should be used to crack them?
Mode 13100 is for Kerberos 5 TGS-REP.
Why this answer
Kerberoast tickets are cracked as Kerberos 5 TGS-REP hashes, which use hashcat mode 13100.
During a web application penetration test, a tester identifies a SQL injection vulnerability. Which TWO techniques could be used to extract data from the database? (Select TWO.)
Time-based blind uses delays to infer data.
Why this answer
UNION-based and blind time-based are common SQL injection techniques for data extraction.
A tester is performing a web application test and discovers a parameter that seems to reflect input in the response. The tester attempts a reflected XSS payload but the application filters script tags. Which XSS variant should the tester try next?
Event handlers like onerror can bypass script tag filters.
Why this answer
If script tags are filtered, HTML event handlers like onerror can still execute JavaScript.
A penetration tester has successfully compromised a Windows machine and wants to perform lateral movement to another machine using captured NTLM hashes. Which tool would allow the tester to pass the hash and execute commands remotely?
CrackMapExec supports pass-the-hash and execution via SMB, WMI, and other protocols.
Why this answer
CrackMapExec is a popular tool for pass-the-hash and executing commands via SMB or other protocols.
A penetration tester is attempting to exploit a server-side request forgery (SSRF) vulnerability in a cloud-hosted web application to access the cloud metadata service. Which IP address should the tester target?
This is the link-local address used for cloud metadata.
Why this answer
The cloud metadata service for most cloud providers (AWS, GCP, Azure) is accessible via 169.254.169.254.
During a Linux privilege escalation assessment, the tester finds that a binary with SUID root can execute arbitrary commands. Which TWO of the following methods are MOST likely to exploit this?
Some SUID binaries can read files, enabling credential theft.
Why this answer
GTFOBins provides SUID exploitation techniques; many SUID binaries allow command execution. The other options are not directly related to SUID exploitation.
In a web application test, you find a parameter that directly references internal object IDs (e.g., user_id=123) and changing the ID allows access to another user's data. This vulnerability is known as:
IDOR allows unauthorized access to objects by modifying reference values.
Why this answer
IDOR (Insecure Direct Object Reference) occurs when an application exposes internal object references without proper access control checks.
A penetration tester gains a low-privilege shell on a Linux server. The command 'sudo -l' reveals that the user can run /usr/bin/less as root without a password. Which tool would the tester likely use to escalate privileges?
GTFOBins lists binary exploitation techniques for privilege escalation.
Why this answer
GTFOBins documents that less can be used to escalate privileges via the ! command when run with sudo.
You are attacking a web application and notice that it makes requests to internal services. You attempt to access the cloud metadata endpoint at http://169.254.169.254/. Which vulnerability are you most likely exploiting?
SSRF enables the server to make requests to internal resources like the metadata endpoint.
Why this answer
SSRF (Server-Side Request Forgery) allows an attacker to make requests from the server to internal resources, including cloud metadata endpoints.
A tester is performing an SQL injection attack on a login form. The tester inputs a single quote (') and receives a database error. The application returns different responses for true and false conditions. Which type of SQL injection is most likely occurring?
Blind SQL injection uses conditional responses to infer information.
Why this answer
Blind SQL injection occurs when no error messages are shown, but the application behaves differently based on true/false conditions. Error-based injection shows database errors. UNION-based requires visible output. Time-based uses delays.
A tester wants to crack NTLM hashes captured from a Windows domain. Which hashcat mode should be used for NTLM hashes?
Mode 1000 is for NTLM.
Why this answer
Hashcat mode 1000 corresponds to NTLM hashes.
During a web application test, you discover a parameter that reflects user input in the response without proper encoding. You craft a payload that executes JavaScript in the victim's browser. This vulnerability is best classified as:
Reflected XSS occurs when the input is included in the response without proper encoding.
Why this answer
Reflected XSS occurs when user input is immediately reflected back in the response without proper sanitization, allowing script execution.
During a penetration test, the tester discovers a Linux binary with the SUID bit set owned by root. The binary is a custom script that executes 'cp' to copy files. The tester can control the source file path via an environment variable. Which privilege escalation technique should the tester attempt?
By altering PATH, the tester can substitute a malicious 'cp' binary.
Why this answer
PATH manipulation involves modifying the PATH environment variable to execute a malicious 'cp' binary instead of the legitimate one.
During a penetration test, a tester wants to crack NTLM hashes captured from a Windows domain. Which hashcat mode should the tester use for NTLM hashes?
Mode 1000 is for NTLM hashes.
Why this answer
Hashcat mode 1000 is for NTLM hashes.
A penetration tester is testing a web application and wants to exploit an XXE vulnerability to read sensitive files. Which TWO payloads could be used?
This performs SSRF to cloud metadata.
Why this answer
XXE can be used to read files via file:// or to perform SSRF to internal resources via http://, including cloud metadata.
A penetration tester has gained a foothold on a Linux server and wants to escalate privileges to root. Which THREE of the following are potential privilege escalation vectors? (Select THREE.)
Exploiting kernel vulnerabilities can grant root.
Why this answer
SUID binaries, writable cron scripts, and kernel exploits are common Linux privilege escalation vectors.
During a penetration test, a tester captures NTLMv2 hashes by spoofing LLMNR and NBT-NS responses on the internal network. Which tool is most commonly used for this type of attack?
Responder is the standard tool for LLMNR/NBT-NS/mDNS poisoning to capture NTLM hashes.
Why this answer
Responder is a widely used tool for LLMNR/NBT-NS/mDNS poisoning to capture NTLM hashes.
A tester is performing a Cross-Site Request Forgery (CSRF) attack on a web application that uses SameSite cookies. Which SameSite attribute value is most likely to prevent the attack?
Strict prevents cookies in cross-site requests entirely, blocking CSRF.
Why this answer
SameSite=Lax prevents CSRF for state-changing requests from cross-site, while Strict is even more restrictive. None allows third-party cookies.
A penetration tester is performing a Kerberoasting attack. After requesting TGS tickets from a domain controller, which tool would be used to crack the tickets offline?
Hashcat can crack Kerberos TGS tickets with mode 13100.
Why this answer
Hashcat with mode 13100 is used to crack Kerberos 5 TGS-REP etype 23 hashes.
During a penetration test, a tester successfully exploits a web application and gains a foothold. The tester needs to pivot to an internal network segment that is not directly accessible. Which THREE tools can the tester use to create a SOCKS proxy or tunnel for pivoting?
Why this answer
SSH dynamic port forwarding (-D), chisel, and ligolo-ng are all tools for creating SOCKS proxies or tunnels for pivoting.
During a web application test, the tester discovers a parameter that reflects user input in the response without proper encoding. The tester crafts a payload that executes JavaScript when another user views the page. Which type of XSS is this, and what is a primary risk?
Reflected XSS allows attackers to execute scripts in the victim's browser, often to steal cookies/sessions.
Why this answer
Reflected XSS executes in the victim's browser when the malicious link is clicked, allowing session hijacking.
A penetration tester uses Hashcat to crack NTLM hashes captured during a pass-the-hash attack. Which Hashcat mode should the tester use for NTLM hashes?
Mode 1000 is for NTLM.
Why this answer
Hashcat mode -m 1000 is for NTLM hashes. Other modes correspond to different hash types.
A penetration tester needs to perform Kerberoasting against an Active Directory domain. Which step is required after requesting TGS tickets?
The TGS tickets contain hashes that can be cracked offline.
Why this answer
After requesting TGS tickets for service accounts, the tester must crack the hashes offline using a tool like Hashcat.
After gaining initial access to a target, a tester wants to pivot to an internal network that is not directly accessible. Which technique can be used to forward traffic from the tester's machine through the compromised host to reach internal services?
SSH -L forwards traffic from a local port to a remote host through an SSH tunnel.
Why this answer
SSH local port forwarding (-L) allows the tester to access internal services via the compromised host.
A penetration tester wants to perform a pass-the-hash attack against a Windows system. Which tool can be used to authenticate using the NTLM hash instead of a password?
CrackMapExec can use NTLM hashes for authentication via pass-the-hash.
Why this answer
CrackMapExec supports pass-the-hash authentication with NTLM hashes.
During a post-exploitation phase, a tester needs to establish persistence on a Windows target. Which THREE methods are commonly used for persistence on Windows?
Run keys execute programs at user logon.
Why this answer
Scheduled tasks, registry Run keys, and WMI subscriptions are common persistence mechanisms. Pass-the-hash is lateral movement, and cron jobs are Linux-specific.
A penetration tester identifies a Linux binary with the SUID bit set. Which command can find all SUID binaries on a Linux system?
find / -perm /4000 finds all files with the SUID bit set.
Why this answer
The find command with -perm /4000 lists files with SUID set.
A tester wants to exploit a Windows service running with SYSTEM privileges that has an unquoted service path containing spaces. Which technique should be used to escalate privileges?
The unquoted path lets an attacker insert a malicious executable that Windows runs as SYSTEM.
Why this answer
An unquoted service path allows placing an executable with the same name as a folder in the path, which Windows will execute with SYSTEM privileges.
During a web application test, a tester discovers that the application uses JSON Web Tokens (JWT) for authentication. The tester intercepts a JWT and changes the algorithm header to 'none' with an empty signature. Which attack is being attempted?
Changing algorithm to none bypasses signature verification.
Why this answer
Setting algorithm to 'none' is a JWT algorithm confusion attack where the server accepts unsigned tokens.
A penetration tester is performing a password attack on a Windows domain and has captured NTLM hashes. Which tool can be used to perform a pass-the-hash attack to gain remote code execution on a target system?
pth-winexe uses NTLM hashes to authenticate and execute commands.
Why this answer
pth-winexe is a tool specifically designed for pass-the-hash attacks to execute commands on remote Windows systems.