CCNA Ptp Attacks Exploits Questions

75 of 181 questions · Page 2/3 · Ptp Attacks Exploits topic · Answers revealed

76
Multi-Select · medium

A penetration tester is performing post-exploitation on a compromised Linux server and wants to maintain persistence. Which TWO of the following methods are commonly used for Linux persistence?

Select 2 answers
A. Modifying registry Run keys
B. Creating scheduled tasks
C. Creating WMI subscriptions
D. Adding SSH authorized_keys
E. Creating cron jobs
Answers: D, E

Adding SSH authorized_keys allows persistent SSH access.

Why this answer

Cron jobs and SSH authorized_keys are common Linux persistence techniques. Scheduled tasks, registry Run keys and WMI subscriptions are all Windows-specific.

77
MCQ · medium

A penetration tester needs to escalate privileges on a Linux system and finds that the user can run a script with sudo that has a vulnerable argument. Which resource should the tester consult to find exploitation techniques for common sudo misconfigurations?

A. GTFOBins
B. Exploit-DB
C. Metasploit
D. CVE Details
Answer: A

GTFOBins provides techniques for exploiting sudo misconfigurations and other Unix binaries.

Why this answer

GTFOBins is a curated list of Unix binaries that can be exploited to bypass local security restrictions, including sudo misconfigurations.

78
MCQ · hard

During a post-exploitation phase, a tester has a foothold on a Linux server and wants to pivot to an internal web server that is not directly accessible. The tester has SSH access to the compromised server. Which command would create a local port forward to access the internal web server on port 80?

A. ssh -L 8080:internal_web:80 user@compromised_server
B. ssh -L 8080:compromised_server:80 user@internal_web
C. ssh -D 8080 user@compromised_server
D. ssh -R 8080:internal_web:80 user@compromised_server
Answer: A

This forwards local port 8080 to internal_web:80 via the compromised server.

Why this answer

SSH -L forwards a local port to a remote destination.

79
Multi-Select · medium

During a Windows privilege escalation attempt, the tester finds that the AlwaysInstallElevated registry key is set to 1. Which TWO actions can the tester perform to escalate privileges?

Select 2 answers
A. Modify the PATH environment variable
B. Use PowerUp to generate a malicious MSI
C. Request a TGS ticket for Kerberoasting
D. Create a new service with sc.exe
E. Execute a malicious MSI file via msiexec
Answers: B, E

PowerUp can generate an MSI that escalates privileges.

Why this answer

AlwaysInstallElevated allows any user to install MSI files with SYSTEM privileges.

80
MCQ · easy

A penetration tester wants to crack NTLM hashes obtained from a Windows domain. Which hashcat mode should the tester use?

A. -m 22000
B. -m 13100
C. -m 0
D. -m 1000
Answer: D

Mode 1000 is NTLM.

Why this answer

Hashcat mode 1000 is for NTLM hashes.

81
MCQ · hard

A penetration tester has compromised a Linux host and wants to use it as a pivot point to access an internal network that is not directly reachable from the attacker's machine. Which tool can create a SOCKS proxy for routing traffic through the compromised host?

A. Responder
B. chisel
C. nmap
D. netcat
Answer: B

Chisel can create a SOCKS proxy via a reverse tunnel.

Why this answer

Chisel is a fast TCP/UDP tunnel over HTTP that can create a SOCKS proxy for pivoting.

82
MCQ · medium

A tester runs the following Metasploit commands:

```
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set PAYLOAD windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST 10.0.0.5
msf6 exploit(multi/handler) > set LPORT 4444
msf6 exploit(multi/handler) > run
```

What is the purpose of this configuration?

A. To exploit a remote service directly
B. To receive a reverse shell from a target that already executed the payload
C. To perform a bind shell attack
D. To stage a payload for later execution
Answer: B

Correct: The handler listens for the reverse connection.

Why this answer

The multi/handler is a generic handler used to receive reverse connections from payloads that were delivered separately (e.g., via phishing). It waits for the target to connect back.

83
MCQ · hard

A penetration tester is performing an internal test and wants to move laterally from a compromised workstation to a domain controller. The tester has obtained an NTLM hash for a domain admin. Which of the following tools would allow the tester to authenticate using the hash without cracking it?

A. PsExec
B. Evil-WinRM
C. pth-winexe
D. Responder
Answer: C

pth-winexe is designed for pass-the-hash authentication.

Why this answer

Pass-the-hash tools like pth-winexe or CrackMapExec allow authentication using the hash directly. PsExec requires explicit credentials or service installation, not pass-the-hash natively.

84
Multi-Select · medium

A penetration tester is conducting a web application test and discovers an XML External Entity (XXE) vulnerability. Which of the following attacks can the tester perform using XXE? (Choose THREE.)

Select 3 answers
A. Read sensitive files from the server
B. Denial of service via entity expansion (billion laughs)
C. Perform Server-Side Request Forgery (SSRF)
D. SQL injection through entity values
E. Remote code execution
Answers: A, B, C

XXE can include external entities to read files.

Why this answer

XXE can be used to read files, perform SSRF, and cause denial of service via entity expansion.

85
MCQ · medium

A penetration tester wants to perform a pass-the-hash attack against a Windows target. Which tools can be used to authenticate using an NTLM hash without knowing the plaintext password? (Choose the best option.)

A. Nmap
B. Responder
C. Wireshark
D. CrackMapExec
Answer: D

CrackMapExec can authenticate using NTLM hashes across SMB, WinRM, etc.

Why this answer

CrackMapExec is a popular tool for pass-the-hash attacks across many Windows services.

86
Multi-Select · medium

A penetration tester is performing a full-scope engagement and needs to identify potential privilege escalation vectors on a Windows system. Which TWO of the following are valid Windows privilege escalation techniques?

Select 2 answers
A. Unquoted service path exploitation
B. Pass-the-hash
C. AlwaysInstallElevated registry key abuse
D. Kerberoasting
E. SUID/SGID binary exploitation
Answers: A, C

Correct: Unquoted service paths can lead to arbitrary code execution.

Why this answer

Unquoted service paths and AlwaysInstallElevated are both valid Windows privilege escalation techniques. Kerberoasting and pass-the-hash are for credential access, not local escalation; SUID/SGID is Linux.

87
Multi-Select · hard

A tester is performing a post-exploitation phase on a compromised Linux server and wants to establish persistence. Which THREE of the following methods are commonly used for Linux persistence? (Choose THREE.)

Select 3 answers
A. Adding a registry Run key
B. Adding an SSH public key to ~/.ssh/authorized_keys
C. Creating a systemd service to start on boot
D. Creating a scheduled task using schtasks
E. Adding a cron job to execute a reverse shell periodically
Answers: B, C, E

Adding an SSH public key to authorized_keys allows persistent SSH access as the compromised user.

Why this answer

Common Linux persistence methods include adding cron jobs (crontab), creating a systemd service that starts on boot, and adding SSH authorized keys for backdoor access. Scheduled tasks are Windows-specific; Registry Run keys are also Windows-only.

88
MCQ · medium

You have captured an NTLMv2 hash from an LLMNR poisoning attack using Responder. Which tool and mode would you use to attempt to crack the hash using a dictionary attack?

A. Hashcat -m 5600 -a 0
B. John the Ripper --format=LM --wordlist
C. Hashcat -m 1000 -a 0
D. John the Ripper --format=NT --wordlist
Answer: A

-m 5600 is NTLMv2, -a 0 is dictionary.

Why this answer

Hashcat mode 5600 is for NTLMv2 hashes; -a 0 is dictionary attack.

89
MCQ · medium

A tester is exploiting a SQL injection vulnerability in a login form. The application returns different responses for valid and invalid queries. However, the tester cannot see the database output. Which type of SQL injection is most likely?

A. Out-of-band SQL injection
B. Blind SQL injection
C. UNION-based SQL injection
D. Error-based SQL injection
Answer: B

Correct: Blind SQL injection uses boolean or time-based responses.

Why this answer

Blind SQL injection occurs when query results are not directly reflected, but the application behavior changes based on truth values.

90
MCQ · hard

During a web application test, a tester discovers a JWT token with the following header: {'alg':'HS256','typ':'JWT'}. The token payload contains 'admin':false. The tester attempts to change the algorithm to 'none' and removes the signature. Which vulnerability is being exploited?

A. JWT brute-force
B. JWT algorithm confusion (alg:none)
C. JWT kid injection
D. JWT injection
Answer: B

Setting alg to 'none' bypasses signature verification.

Why this answer

JWT alg:none attack exploits servers that accept unsigned tokens. Other options are different attack types.

91
MCQ · medium

A penetration tester is performing an NTLM relay attack against a Windows network. The tester uses ntlmrelayx to relay captured NTLM authentication attempts to a target server. What must be true for this attack to succeed?

A. LLMNR must be enabled
B. The relayed hash must be crackable
C. The target server must have SMB signing enabled
D. SMB signing must be disabled or not enforced
Answer: D

Without SMB signing, relayed credentials are accepted.

Why this answer

SMB signing must be disabled or not enforced on the target server, otherwise the relayed authentication will be rejected.

92
MCQ · easy

A penetration tester needs to escalate privileges on a Linux system and finds that the current user can run a specific command with sudo without a password. Which tool should the tester consult to find known exploitation techniques for that command?

A. Exploit-DB
B. HackTricks
C. Metasploit
D. GTFOBins
Answer: D

GTFOBins provides ways to exploit misconfigured sudo permissions.

Why this answer

GTFOBins is a curated list of Unix binaries that can be used to bypass local security restrictions.

93
MCQ · easy

A penetration tester is using Hashcat to crack NTLM hashes obtained from a Windows domain controller. Which hash mode should the tester specify for NTLM hashes?

A. -m 22000
B. -m 0
C. -m 13100
D. -m 1000
Answer: D

Mode 1000 corresponds to NTLM hashes.

Why this answer

Hashcat uses mode -m 1000 for NTLM hashes. Mode 0 is for MD5, mode 13100 is for Kerberoast, and mode 22000 is for WPA2.

94
MCQ · medium

A tester is performing a Kerberoasting attack. After requesting TGS tickets for accounts with SPNs, what is the next step to obtain plaintext credentials?

A. Pass-the-ticket to access services
B. Relay the TGS tickets to another server
C. Use the TGS tickets for silver ticket attacks
D. Crack the TGS tickets using Hashcat or John the Ripper
Answer: D

TGS tickets are encrypted with the service account's NTLM hash, which can be cracked offline.

Why this answer

Kerberoasting involves cracking the TGS tickets offline to recover the service account password.

95
Multi-Select · medium

A penetration tester is performing a web application test and identifies a potential SQL injection vulnerability. Which TWO methods can the tester use to confirm the vulnerability and extract data?

Select 2 answers
A. XXE injection
B. Command injection
C. Blind time-based SQL injection
D. XSS injection
E. UNION-based SQL injection
Answers: C, E

Blind time-based SQL injection uses time delays to infer data.

Why this answer

UNION-based and blind time-based are classic SQL injection techniques. XSS, command injection and XXE are different classes of attack.

96
Multi-Select · medium

A penetration tester is exploiting a web application and discovers an XML External Entity (XXE) vulnerability. Which TWO attacks can be performed using XXE?

Select 2 answers
A. Remote code execution
B. Cross-Site Scripting (XSS)
C. Server-Side Request Forgery (SSRF)
D. SQL injection
E. File read
Answers: C, E

XXE can force the server to make HTTP requests to internal systems.

Why this answer

XXE can be used to read local files via external entities and also to perform SSRF by making the server request internal resources.

97
MCQ · medium

You are performing a password attack on a Linux system. You have obtained the /etc/shadow file. Which password cracking tool would be most efficient for a rule-based attack using a wordlist?

A. Hashcat -a 0 -r rule.rule
B. John the Ripper --rules
C. Hydra -l root -P wordlist
D. CrackMapExec --hash
Answer: A

Hashcat with -r applies rules, fast on GPU.

Why this answer

Hashcat with rule files is highly efficient for rule-based attacks; John can also do it but Hashcat is GPU-accelerated and commonly preferred.

98
MCQ · medium

A penetration tester is performing an ARP spoofing attack using Bettercap to intercept traffic between a client and the gateway. What is the primary goal of this attack?

A. To perform a denial-of-service attack
B. To bypass firewall rules
C. To crack wireless passwords
D. To intercept and manipulate network traffic
Answer: D

ARP spoofing places the attacker in the middle to capture and potentially modify traffic.

Why this answer

ARP spoofing allows the attacker to intercept traffic, enabling man-in-the-middle attacks to capture or modify data.

99
MCQ · easy

During a web application test, the tester discovers a parameter that reflects user input in the response without sanitization. Which type of vulnerability is most likely present?

A. DOM-based XSS
B. Stored XSS
C. SQL injection
D. Reflected XSS
Answer: D

Reflected XSS is triggered when the input is immediately echoed back.

Why this answer

Reflected XSS occurs when user input is immediately reflected in the response without proper encoding or sanitization.

100
MCQ · medium

After exploiting a Linux server, you need to pivot to a restricted network subnet. You have SSH access to the compromised server. Which command would create a SOCKS proxy on the server to route traffic through it?

A. ssh -L 1080:server:80 user@server
B. ssh -R 1080:server:80 user@server
C. ssh -J user@server:1080
D. ssh -D 1080 user@server
Answer: D

-D creates a SOCKS proxy on local port 1080.

Why this answer

SSH -D creates a SOCKS tunnel for dynamic port forwarding, allowing pivoting.

101
Multi-Select · hard

During a Windows privilege escalation attempt, a penetration tester discovers that the always elevated installation policy is enabled. Which of the following actions can the tester take to exploit this misconfiguration? (Choose TWO.)

Select 2 answers
A. Perform DLL hijacking on a system service
B. Use msiexec to silently install a crafted MSI
C. Exploit a kernel vulnerability
D. Modify the registry key to disable the policy
E. Run a malicious .msi file to execute commands as SYSTEM
Answers: B, E

msiexec can be used to install the malicious MSI with SYSTEM privileges.

Why this answer

AlwaysInstallElevated allows any user to install .msi files with SYSTEM privileges. The tester can create a malicious MSI or use an existing one to execute commands.

102
MCQ · medium

A penetration tester is performing a web application test and discovers that the application reflects user input in the response without proper sanitization. However, the tester notices that the input is handled client-side via JavaScript. Which type of XSS is this?

A. Stored XSS
B. DOM-based XSS
C. Reflected XSS
D. Blind XSS
Answer: B

Correct: The vulnerability is in client-side JavaScript.

Why this answer

DOM-based XSS occurs when the vulnerability exists in client-side JavaScript rather than server-side reflection.

103
MCQ · medium

During a penetration test, a tester captures NTLM hashes using Responder. Which of the following techniques would allow the tester to authenticate to a remote server without cracking the password?

A. LLMNR poisoning
B. Kerberoasting
C. Pass-the-hash
D. Rainbow table attack
Answer: C

Correct: Pass-the-hash allows authentication using the hash without cracking.

Why this answer

Pass-the-hash uses captured NTLM hashes to authenticate directly, bypassing the need to crack the password.

104
MCQ · medium

A tester is exploiting a vulnerable web application and wants to perform a UNION-based SQL injection to extract data. Which condition is necessary for a successful UNION attack?

A. The database must be MySQL
B. The application must use GET parameters
C. The application must display error messages
D. The number of columns in both queries must match
Answer: D

UNION requires matching column counts.

Why this answer

UNION-based injection requires the same number of columns between the original query and the injected SELECT.

105
MCQ · easy

Which Metasploit command is used to interact with an established session on a compromised host?

A. use
B. sessions
C. exploit
D. run
Answer: B

'sessions' allows interaction with existing sessions.

Why this answer

The sessions command lists and interacts with active sessions.

106
Multi-Select · easy

A penetration tester is using Metasploit to exploit a remote Windows service. After a successful exploit, the tester gets a meterpreter session. Which TWO commands can the tester use to gather system information and credentials?

Select 2 answers
A. hashdump
B. shell
C. upload
D. getuid
E. sysinfo
Answers: A, D

hashdump dumps password hashes from the SAM database.

Why this answer

getuid and hashdump are meterpreter commands for identifying the current user and dumping credentials. sysinfo also gathers system information, but getuid is more specific to the user; since the question asks for TWO, getuid and hashdump are correct.

107
Multi-Select · medium

A penetration tester is exploiting a web application and discovers an endpoint that allows an attacker to read arbitrary files on the server by manipulating XML input. The application uses an XML parser that does not disable external entities. Which TWO attacks can the tester perform using this vulnerability? (Choose TWO.)

Select 2 answers
A. SSRF via XXE
B. File read via XXE
C. Command injection
D. SQL injection
E. XSS
Answers: A, B

XXE can be used to make server-side requests to internal resources (SSRF).

Why this answer

XXE (XML External Entity) allows file reads and can also lead to SSRF if the entity points to an internal URL. Command injection typically requires different input, SQL injection needs SQL syntax, and XSS is client-side.

108
Multi-Select · medium

A penetration tester is conducting a web application test and finds a parameter that is vulnerable to XXE. Which THREE of the following actions can the tester perform using XXE?

Select 3 answers
A. Execute SQL injection
B. Cause a denial of service
C. Read sensitive files from the server
D. Perform SSRF to internal services
E. Bypass authentication
Answers: B, C, D

XXE can be used for billion laughs attack or other DoS.

Why this answer

XXE can read files, perform SSRF, and cause denial of service. SQL injection is not typically a direct result of XXE.

109
MCQ · easy

A penetration tester wants to crack NTLM hashes obtained from a Windows system. Which Hashcat mode should be used?

A. -m 1000
B. -m 22000
C. -m 0
D. -m 13100
Answer: A

Mode 1000 corresponds to NTLM.

Why this answer

Hashcat mode 1000 is for NTLM hashes.

110
MCQ · hard

During a penetration test, a tester uses Metasploit to exploit a Windows service and gets a meterpreter session. The tester wants to dump hashes from the compromised system. Which meterpreter command should be used?

A. hashdump
B. shell
C. sysinfo
D. getsystem
Answer: A

hashdump extracts password hashes from the SAM.

Why this answer

The hashdump command in meterpreter dumps the SAM database hashes.

111
MCQ · medium

During a penetration test, the tester discovers a JWT token that uses the 'alg:none' header. Which attack does this vulnerability enable?

A. Key confusion attack
B. Signature bypass using alg:none
C. Algorithm substitution attack
D. Timing attack
Answer: B

alg:none means no signature is required.

Why this answer

JWT with 'alg:none' allows an attacker to forge tokens without any signature, bypassing verification.

112
MCQ · easy

A penetration tester wants to use Metasploit to exploit a remote service. After selecting an exploit module, which command is used to set the remote host IP address?

A. set LHOST
B. set RHOSTS
C. set TARGET
D. set LPORT
Answer: B

RHOSTS sets the remote host(s) for exploitation.

Why this answer

In Metasploit, 'set RHOSTS' is used to specify the target IP address.

113
MCQ · easy

A tester wants to crack a password hash using a wordlist combined with rules to generate variations. Which hashcat attack mode should be used?

A. -a 0 with -r
B. -a 3
C. -a 6
D. -a 1
Answer: A

-a 0 is dictionary attack; -r applies rules.

Why this answer

Mode 0 with rule files applies rules to a wordlist.

114
MCQ · medium

After gaining a foothold on a Windows server, a tester wants to laterally move to another machine. The tester has obtained NTLM hashes and wants to execute commands remotely. Which tool is specifically designed for remote command execution using hashes via WMI?

A. evil-winrm
B. wmiexec
C. psexec
D. CrackMapExec
Answer: B

wmiexec uses WMI and supports pass-the-hash.

Why this answer

wmiexec.py (from Impacket) allows executing commands via WMI using NTLM hashes.

115
Multi-Select · medium

A penetration tester has obtained a set of NTLM hashes from a Windows domain. The tester wants to perform lateral movement to other systems. Which TWO tools can be used for this purpose? (Select TWO.)

Select 2 answers
A. pth-winexe
B. CrackMapExec
C. Responder
D. Nmap
E. Hashcat
Answers: A, B

pth-winexe executes commands on remote Windows systems using pass-the-hash.

Why this answer

CrackMapExec and pth-winexe both support pass-the-hash for lateral movement.

116
MCQ · medium

A penetration tester gains a low-privilege shell on a Linux server. Using 'sudo -l', the tester finds that they can run '/usr/bin/vi' as root without a password. Which technique would the tester MOST likely use to escalate privileges?

A. Exploit a kernel vulnerability
B. Use vi to execute a shell as root
C. Modify a cron script
D. Perform PATH hijacking
Answer: B

vi can spawn a shell via ':!/bin/bash' when run with sudo.

Why this answer

GTFOBins lists vi as having a sudo escape, allowing privilege escalation by spawning a root shell. Other options are not directly applicable.

117
MCQ · medium

While exploiting a Windows machine, a tester gains a shell with limited privileges. They attempt to escalate privileges using a tool that exploits the SeImpersonatePrivilege. Which tool is specifically designed for this purpose on modern Windows versions?

A. Mimikatz
B. JuicyPotato
C. PrintSpoofer
D. PowerUp
Answer: C

PrintSpoofer is designed for Windows 10/2016+ using the print spooler bug.

Why this answer

PrintSpoofer exploits SeImpersonatePrivilege on Windows 10/Server 2016+ to gain SYSTEM.

118
MCQ · hard

A penetration tester has gained a low-privilege shell on a Windows server and discovered that the SeImpersonatePrivilege is enabled. Which of the following tools would be most appropriate to escalate privileges to SYSTEM-level access?

A. pth-winexe
B. PrintSpoofer
C. Responder
D. CrackMapExec
Answer: B

PrintSpoofer leverages SeImpersonatePrivilege to spawn a SYSTEM shell.

Why this answer

SeImpersonatePrivilege allows token impersonation. Tools like PrintSpoofer exploit this to gain SYSTEM privileges. Potato attacks (JuicyPotato) also work, but PrintSpoofer is more modern and reliable.

119
Multi-Select · medium

A penetration tester is conducting an internal network assessment. The tester wants to perform a man-in-the-middle attack to capture credentials. Which TWO tools can be used for ARP spoofing?

Select 2 answers
A. Ettercap
B. Responder
C. Nmap
D. Bettercap
E. Hashcat
Answers: A, D

Ettercap is a classic ARP spoofing tool.

Why this answer

Bettercap and Ettercap are both capable of ARP spoofing.

120
MCQ · easy

A penetration tester is performing a network attack and wants to intercept traffic between two hosts on the same local network. Which technique should the tester use to redirect traffic through their machine?

A. DNS poisoning
B. LLMNR poisoning
C. ARP spoofing
D. SSL stripping
Answer: C

ARP spoofing is used to intercept traffic on a local network by sending forged ARP replies.

Why this answer

ARP spoofing allows an attacker to associate their MAC address with the IP address of another host, intercepting traffic intended for that host.

121
MCQ · medium

After gaining initial access to a Windows host, you want to escalate privileges by exploiting a service that runs as SYSTEM but has an unquoted service path. What is the attack vector?

A. Token impersonation
B. AlwaysInstallElevated
C. Unquoted service path
D. DLL hijacking
Answer: C

If the path to the service binary is not quoted, Windows will interpret spaces as separators, allowing execution of a malicious binary placed earlier in the path.

Why this answer

Unquoted service path vulnerability allows an attacker to place an executable in a path that the service will execute due to ambiguous path parsing.

122
MCQ · easy

During an internal penetration test, a tester wants to capture NTLMv2 hashes by poisoning LLMNR and NBT-NS traffic. Which tool should the tester use?

A. ntlmrelayx
B. Bettercap
C. Hashcat
D. Responder
Answer: D

Responder is the standard tool for LLMNR/NBT-NS/mDNS poisoning to capture hashes.

Why this answer

Responder is specifically designed to respond to LLMNR and NBT-NS queries and capture NetNTLM hashes.

123
MCQ · easy

A tester has exploited a Linux system and gained a low-privilege shell. The tester runs 'sudo -l' and sees that the current user can run /usr/bin/find as root without a password. Which privilege escalation technique should the tester use?

A. SUID binary exploitation
B. PATH manipulation
C. Kernel exploit
D. GTFOBins technique for find
Answer: D

GTFOBins lists commands that can be abused via sudo, and find with -exec is one.

Why this answer

The find command can be used to execute other commands via its -exec parameter, allowing privilege escalation.

124
MCQ · easy

A penetration tester wants to crack NTLM hashes captured during an internal test. Which hashcat mode should the tester use for NTLM hashes?

A. 0
B. 22000
C. 1000
D. 13100
Answer: C

Mode 1000 is NTLM.

Why this answer

Hashcat mode 1000 is specifically for NTLM hashes.

125
MCQ · hard

During a penetration test, a tester gains access to a Linux system and runs 'sudo -l', which reveals that the user can run /usr/bin/python with root privileges without a password. Which resource should the tester consult to find a method to escalate privileges using this configuration?

A. PayloadsAllTheThings
B. GTFOBins
C. HackTricks
D. Exploit-DB
Answer: B

GTFOBins lists techniques for abusing binaries to escalate privileges.

Why this answer

GTFOBins is a curated list of Unix binaries that can be used to bypass local security restrictions; it documents privilege escalation techniques for binaries like python and is specific to Unix systems.

126
Multi-Select · medium

You are enumerating a Linux system for privilege escalation vectors. Which TWO conditions below could be exploited to escalate privileges? (Select TWO.)

Select 2 answers
A. Unquoted service path
B. User has SeImpersonatePrivilege
C. SUID binary owned by root
D. AlwaysInstallElevated registry key set to 1
E. World-writable script executed by a cron job
Answers: C, E

SUID binaries run with the owner's privileges, often root.

Why this answer

Writable cron scripts and SUID binaries are common Linux privesc vectors.

127
MCQ · medium

A penetration tester gains a shell on a Linux server and needs to pivot to an internal network. The tester's attack machine can reach the compromised server but not the internal network. Which tool can create a SOCKS proxy on the compromised server?

A. Chisel
B. SSH -L
C. Meterpreter
D. Netcat
Answer: A

Chisel creates SOCKS proxies or tunnels for pivoting.

Why this answer

Chisel can create a SOCKS proxy over SSH or TCP tunneling.

128
MCQ · medium

During a penetration test, the tester captured an NTLM hash using Responder and wants to pass the hash to gain access to a remote Windows system. Which tool would be most appropriate to perform a pass-the-hash attack?

A. John the Ripper
B. CrackMapExec
C. pth-winexe
D. Hashcat
Answer: C

pth-winexe enables pass-the-hash authentication to Windows.

Why this answer

pth-winexe allows authenticating to Windows systems using an NTLM hash without the plaintext password.

129
Multi-Select · medium

A penetration tester has obtained a meterpreter session on a Windows target. The tester wants to escalate privileges to SYSTEM and then dump password hashes. Which two meterpreter commands should the tester use in sequence? (Choose TWO.)

Select 2 answers
A. getuid
B. getsystem
C. shell
D. hashdump
E. sysinfo
Answers: B, D

getsystem attempts to elevate to SYSTEM privileges.

Why this answer

First, use getsystem to attempt privilege escalation to SYSTEM (via token stealing or other techniques). Then, use hashdump to dump the SAM database hashes. getuid shows current user, sysinfo shows system info.

130
Multi-Select · hard

A penetration tester has gained initial access to a Linux server and wants to establish persistence. Which THREE of the following methods are commonly used for persistence on Linux systems?

Select 3 answers
A. Installing an SSH authorized_key for the attacker
B. Adding a cron job that executes a reverse shell
C. Using schtasks to create a scheduled task
D. Modifying the Windows Registry Run key
E. Creating a systemd service that runs on boot
Answers: A, B, E

SSH keys allow persistent remote access.

Why this answer

Cron jobs, SSH authorized_keys, and systemd services are common persistence mechanisms.

131
Multi-Select · medium

A penetration tester is using Metasploit to pivot from a compromised host to an internal network. Which THREE Metasploit features can facilitate pivoting?

Select 3 answers
A. Exploit/multi/handler
B. Metasploit route command
C. SSH local port forwarding
D. Autoroute post module
E. Metasploit socks proxy
Answers: B, D, E

The route command adds routing through a compromised host.

Why this answer

The 'route' command adds routes through a session, Autoroute is a post module, and Metasploit's socks proxy (auxiliary/server/socks4a) can be used. Exploit/multi/handler is for reverse shells, not directly for pivoting, and port forwarding via SSH is external to Metasploit.

132
Multi-Select · easy

A penetration tester is using Hashcat to crack password hashes. Which TWO attack modes are commonly used?

Select 2 answers
A. Brute-force attack (-a 3)
B. Dictionary attack (-a 0)
C. Rule-based attack (-a 0 with rules)
D. Mask attack (-a 6)
E. Rainbow table attack
Answers: A, B

Brute-force (-a 3) tries all combinations.

Why this answer

Dictionary attack (-a 0) and brute-force (-a 3) are standard modes. Hybrid (-a 6) is also common, but only TWO are asked for, so dictionary and brute-force are correct.

133
MCQ · medium

A tester finds a Linux binary with the SUID bit set. The binary is owned by root and executes a shell command. The tester runs the binary and gets a root shell. Which command would the tester likely have used to discover this SUID binary?

A. find / -perm -u=s
B. find / -type f -perm /4000
C. which suid
D. ls -laR / | grep SUID
Answer: B

This finds files with SUID bit set (4000).

Why this answer

The command 'find / -perm /4000' finds files with SUID bit set. The /4000 syntax searches for exactly SUID. Using -u=s is incorrect.

134
MCQ · medium

During a web application test, a tester discovers that the application uses JSON Web Tokens (JWT) for authentication. The tester attempts to modify the 'alg' header to 'none' and sends the token. The server accepts the forged token. Which vulnerability is being exploited?

A. kid injection
B. alg:none attack
C. Algorithm confusion
D. Weak signing secret
Answer: B

Setting alg to none bypasses signature verification.

Why this answer

The 'alg:none' attack exploits JWT libraries that accept tokens without verifying signatures. This allows an attacker to forge tokens. Weak secret brute-force would crack the signing key; kid injection manipulates the key ID.

135
MCQ · medium

A penetration tester is exploiting a SQL injection vulnerability in a web application. They want to extract data from the database without displaying it on the page. Which SQL injection technique should they use?

A. Blind time-based SQL injection
B. Stacked queries
C. UNION-based SQL injection
D. Error-based SQL injection
Answer: A

Time-based blind SQL injection uses conditional time delays to extract data bit by bit.

Why this answer

Blind SQL injection techniques like time-based or boolean-based are used when data is not returned directly in the response. Time-based uses delays to infer information.

136
Multi-Select · medium

During a web application penetration test, a tester wants to identify vulnerabilities that allow unauthorized access to internal resources. Which TWO of the following are commonly exploited to access internal services?

Select 2 answers
A. Server-side request forgery (SSRF)
B. Cross-site scripting (XSS)
C. SQL injection (SQLi)
D. Command injection
E. XML external entity (XXE) injection
Answers: A, E

Correct: SSRF allows accessing internal resources.

Why this answer

SSRF can be used to access internal services by making the server request internal IPs. XXE can also be used for SSRF by using external entities to make HTTP requests. XSS is client-side, SQLi targets the database, and command injection executes OS commands.

137
MCQ · medium

A tester identifies a SQL injection vulnerability in a login form. The application responds with different error messages for valid and invalid queries. Which type of SQL injection is most likely present, and what tool could automate exploitation?

A. UNION-based SQLi; sqlmap
B. Time-based blind SQLi; nmap
C. Error-based SQLi; Burp Suite
D. Blind SQLi; sqlmap
Answer: D

Blind SQLi relies on boolean or time-based responses; sqlmap can automate it.

Why this answer

Blind boolean-based SQL injection infers data based on true/false responses; sqlmap automates exploitation.

138
MCQ · medium

A penetration tester is exploiting a SQL injection vulnerability in a login page. The tester wants to extract data from another table without returning data in the original query. Which SQL injection technique should the tester use?

A. Out-of-band SQL injection
B. Error-based SQL injection
C. UNION-based SQL injection
D. Blind time-based SQL injection
Answer: C

UNION-based allows retrieving data from other tables by appending a SELECT.

Why this answer

Union-based SQL injection combines results from multiple SELECT statements into a single output. Blind time-based injection uses conditional delays to infer data bit by bit.

139
MCQ · medium

A tester finds that a web application is vulnerable to Server-Side Request Forgery (SSRF). The tester wants to access the cloud metadata endpoint to obtain instance credentials. Which IP address is commonly used for the cloud metadata service?

A. 127.0.0.1
B. 10.0.0.1
C. 192.168.1.1
D. 169.254.169.254
Answer: D

This is the link-local address for cloud metadata.

Why this answer

The cloud metadata endpoint is typically at 169.254.169.254 for AWS, GCP, and Azure.

140
Multi-Select · medium

A penetration tester has compromised a Windows machine and wants to perform lateral movement to another machine on the same network. The tester has obtained NTLM hashes, but not plaintext passwords. Which TWO tools can be used for pass-the-hash attacks?

Select 2 answers
A. SSH
B. WinRM
C. CrackMapExec
D. PsExec
E. pth-winexe
Answers: C, E

CrackMapExec supports pass-the-hash with NTLM hashes.

Why this answer

pth-winexe and CrackMapExec support pass-the-hash by using NTLM hashes directly. PsExec and WinRM require plaintext credentials unless modified.

141
MCQ · hard

A penetration tester is assessing a web application that uses JSON Web Tokens (JWT) for authentication. The tester discovers that the server does not validate the signature algorithm properly. Which attack should the tester attempt to forge a valid token?

A. Brute-force the secret key
B. KID injection
C. Use 'alg:none'
D. Algorithm confusion attack
Answer: C

Setting algorithm to 'none' bypasses signature verification.

Why this answer

If the server accepts 'none' algorithm, the token can be forged without a signature.

142
MCQ · easy

A penetration tester runs the following command: `hashcat -m 1000 -a 0 hashes.txt rockyou.txt`. What type of attack is being performed?

A. Brute-force attack
B. Hybrid attack
C. Rule-based attack
D. Dictionary attack
Answer: D

Correct: -a 0 is the dictionary attack mode.

Why this answer

The command uses mode 1000 (NTLM) and attack mode 0 (dictionary) with rockyou.txt wordlist. This is a dictionary attack.

143
Multi-Select · medium

During a web application penetration test, you find that the application is vulnerable to CSRF. Which TWO factors could prevent exploitation even if a CSRF vulnerability exists? (Select TWO.)

Select 2 answers
A. Application uses JSON content type
B. SameSite cookie attribute set to Lax
C. Custom request header that is checked by the server
D. Presence of a CSRF token that is validated server-side
E. Application uses HTTPS
Answers: B, C

SameSite Lax prevents cookies from being sent on cross-site POST requests.

Why this answer

SameSite Lax or Strict prevents cookies from being sent on cross-site requests; a custom header checked by the server can be used to validate the request's origin.

144
MCQ · easy

A penetration tester is conducting a network attack and wants to intercept traffic between two hosts on the same local network by spoofing ARP responses. Which tool is specifically designed for this purpose?

A. Bettercap
B. Responder
C. Hashcat
D. John the Ripper
Answer: A

Bettercap supports ARP spoofing and other MITM techniques.

Why this answer

Bettercap is a powerful tool that includes ARP spoofing capabilities for man-in-the-middle attacks on local networks.

145
MCQ · hard

During a web application test, a tester discovers a parameter that appears to be vulnerable to SQL injection. They want to extract data from a database using a technique that does not rely on visible output. Which type of SQL injection is most appropriate?

A. UNION-based SQL injection
B. Blind time-based SQL injection
C. Out-of-band SQL injection
D. Error-based SQL injection
Answer: B

Time-based injection uses SQL delays to infer true/false conditions when no visible output is available.

Why this answer

Blind SQL injection, specifically time-based, is used when no error or data is returned, allowing inference via time delays.

146
Multi-Select · medium

During a penetration test of a web application, you want to test for Cross-Site Request Forgery (CSRF) vulnerabilities. Which TWO conditions are necessary for a CSRF attack to succeed?

Select 2 answers
A. The application validates the Referer header
B. The application uses SameSite cookies set to Lax or Strict
C. The request performs a state-changing action (e.g., password change)
D. The application relies on cookies for session authentication
E. The application uses anti-CSRF tokens in forms
Answers: C, D

State-changing actions have impact; read-only requests are less relevant.

Why this answer

CSRF requires the application to rely solely on cookies for authentication and lack anti-CSRF tokens, and the requests must trigger state changes.

147
MCQ · easy

During a penetration test, a tester uses Responder to capture NTLM hashes from a Windows network. Which of the following protocols is MOST commonly targeted by Responder for poisoning?

A. LLMNR
B. DNS
Answer: A

LLMNR is a common target for poisoning to capture NTLM hashes.

Why this answer

Responder poisons LLMNR, NBT-NS, and mDNS to capture NTLM hashes. The other options are not primary targets.

148
Multi-Select · hard

A penetration tester is performing lateral movement in a Windows domain after compromising a workstation. Which THREE techniques can be used to move to another machine?

Select 3 answers
A. ARP spoofing
B. Evil-WinRM
C. WMIExec
D. SSH with captured credentials
E. PsExec
Answers: B, C, E

Evil-WinRM uses WinRM for remote PowerShell.

Why this answer

PsExec, WMIExec, and Evil-WinRM are common tools for lateral movement in Windows environments.

149
Multi-Select · medium

During a Linux privilege escalation attempt, a tester checks for misconfigurations that could allow running commands as root. Which of the following are potential vectors? (Select THREE.)

Select 3 answers
A. Unquoted service paths
B. Sudo misconfigurations
C. Writable scripts in cron jobs
D. DLL hijacking
E. SUID/SGID binaries
Answers: B, C, E

Sudo entries allowing arbitrary commands.

Why this answer

SUID/SGID binaries, sudo misconfigurations, and writable cron scripts are common escalation vectors.

150
Multi-Select · hard

You have gained a foothold on a Linux server and identified a SUID binary that can be exploited to read arbitrary files. Which THREE techniques could be used to escalate privileges or gather sensitive information?

Select 3 answers
A. Leveraging the binary's ability to write to arbitrary files (if present)
B. Using the binary to read /etc/shadow
C. Using PATH manipulation if the binary calls other commands
D. Performing a DLL hijacking attack
E. Exploiting a kernel vulnerability
Answers: A, B, C

If the binary can write files, you could overwrite system files or add a user.

Why this answer

SUID binaries with file read capabilities can be used to read sensitive files, and when combined with other techniques like PATH manipulation or exploiting the binary's functionality, can lead to privilege escalation.
