"},{"@type":"Answer","text":"' OR '1'='1' --"},{"@type":"Answer","text":"../../../../etc/passwd%00"}]},{"@context":"https://schema.org","@type":"Question","text":"A penetration tester completes an authenticated scan of a client's environment and must prioritize remediation guidance. Four validated (non-false-positive) findings remain. Given the tester's goal of prioritizing by real-world exploitability and business impact, which finding should be ranked highest?","acceptedAnswer":{"@type":"Answer","text":"A CVSS 8.1 deserialization vulnerability on an internet-facing web server that processes payment transactions, with a weaponized Metasploit module publicly available"},"suggestedAnswer":[{"@type":"Answer","text":"A CVSS 9.8 remote code execution flaw on an internal database server that is not reachable from the internet and requires VPN access, with no public exploit code available"},{"@type":"Answer","text":"A CVSS 7.5 information-disclosure issue on a public marketing site that exposes server version banners"},{"@type":"Answer","text":"A CVSS 6.5 stored XSS vulnerability in an internal HR portal accessible only to authenticated employees"}]},{"@context":"https://schema.org","@type":"Question","text":"A penetration testing firm has completed a web application assessment for a healthcare client subject to HIPAA. During testing, the team captured screenshots and database extracts containing protected health information (PHI) to demonstrate exploit impact. As the engagement closes, the client's compliance officer asks how the firm will handle the sensitive data it collected. Which action BEST satisfies the firm's obligations at engagement closeout?","acceptedAnswer":{"@type":"Answer","text":"Follow the data retention and secure destruction procedures defined in the rules of engagement, then provide the client a certificate of destruction"},"suggestedAnswer":[{"@type":"Answer","text":"Retain the captured PHI indefinitely on the firm's servers so it can be referenced if the client disputes any finding"},{"@type":"Answer","text":"Immediately delete all evidence, including the final report, to eliminate any liability for holding PHI"},{"@type":"Answer","text":"Upload the collected PHI to the client's public ticketing system so their staff can independently verify each finding"}]},{"@context":"https://schema.org","@type":"Question","text":"During an internal engagement, you have compromised an account that is a member of a group with the 'Replicating Directory Changes' and 'Replicating Directory Changes All' extended rights on the domain object. You want to obtain the NTLM hash of the KRBTGT account without executing code on a domain controller or triggering endpoint detection on the DC itself. Which technique should you use?","acceptedAnswer":{"@type":"Answer","text":"Run a DCSync attack using mimikatz 'lsadump::dcsync /user:krbtgt' from your foothold to request replication of the account's secrets"},"suggestedAnswer":[{"@type":"Answer","text":"Upload and run secretsdump against the local SAM hive of the compromised workstation to extract the KRBTGT hash"},{"@type":"Answer","text":"Deploy Mimikatz directly on the domain controller and run 'sekurlsa::logonpasswords' against LSASS memory"},{"@type":"Answer","text":"Perform Kerberoasting against the KRBTGT SPN and crack the resulting ticket offline"}]},{"@context":"https://schema.org","@type":"Question","text":"During a kickoff call, a client's IT manager verbally provides a list of IP ranges and web application URLs that are in scope for an upcoming external penetration test. The engagement is scheduled to begin in two days. Which action should the lead tester take BEFORE any active testing to ensure the scope is properly authorized and defensible?","acceptedAnswer":{"@type":"Answer","text":"Obtain a documented, signed scope definition and authorization that explicitly lists the approved IP ranges and URLs"},"suggestedAnswer":[{"@type":"Answer","text":"Begin testing the provided ranges immediately since the IT manager confirmed them during the kickoff call"},{"@type":"Answer","text":"Run a broad discovery scan across the client's entire public ASN to identify any additional assets that might belong in scope"},{"@type":"Answer","text":"Email the IT manager asking them to forward the ranges to the tester's personal mailbox for record keeping"}]},{"@context":"https://schema.org","@type":"Question","text":"During an internal engagement, you have permission to map a target's 10.20.30.0/24 subnet. You want to passively correlate live IP addresses with meaningful hostnames without sending traffic to each host directly. Which technique best supports building this network map by leveraging the organization's own DNS infrastructure?","acceptedAnswer":{"@type":"Answer","text":"Run reverse DNS (PTR) lookups against the organization's DNS server for each IP in the range"},"suggestedAnswer":[{"@type":"Answer","text":"Perform an Nmap SYN scan (-sS) across all 254 hosts to identify open ports"},{"@type":"Answer","text":"Send ICMP echo requests to the broadcast address to enumerate responding hosts"},{"@type":"Answer","text":"Query crt.sh certificate transparency logs for the internal subnet"}]},{"@context":"https://schema.org","@type":"Question","text":"During a web application test, you discover an endpoint that fetches remote URLs supplied by the user to generate link previews. The application blocks requests to RFC 1918 addresses and localhost by resolving the hostname once and validating the resulting IP before making the request. You control an external domain and its authoritative DNS server. Which technique most effectively bypasses this filter to reach an internal service?","acceptedAnswer":{"@type":"Answer","text":"Use a DNS rebinding attack: return a public IP on the first resolution (validation) and an internal IP with a very low TTL on the second resolution (fetch)"},"suggestedAnswer":[{"@type":"Answer","text":"Encode the internal IP address in hexadecimal or octal notation within the URL to evade the string-based blocklist"},{"@type":"Answer","text":"Submit a URL with an @ symbol so the application parses the internal host as credentials rather than the destination"},{"@type":"Answer","text":"Send the request over HTTPS so the TLS layer prevents the application from inspecting the destination IP address"}]},{"@context":"https://schema.org","@type":"Question","text":"During the passive reconnaissance phase of an external assessment, a penetration tester wants to identify as many subdomains and internal hostnames as possible for the target domain example.com. The tester notices the authoritative name server ns1.example.com responds to queries. Which command is MOST likely to reveal a complete list of the organization's DNS records if the server is misconfigured?","acceptedAnswer":{"@type":"Answer","text":"dig axfr @ns1.example.com example.com"},"suggestedAnswer":[{"@type":"Answer","text":"dig +short A example.com @8.8.8.8"},{"@type":"Answer","text":"nslookup -type=mx example.com"},{"@type":"Answer","text":"nmap -sU -p 53 ns1.example.com"}]},{"@context":"https://schema.org","@type":"Question","text":"During the reconnaissance phase of an authorized physical and social-engineering assessment, a penetration tester reviews recovered documents from an unsecured recycling bin behind the client's corporate office. Among the papers are internal org charts, a printout of a project schedule with employee names and phone extensions, and an expired network diagram. Which conclusion best describes the value of this discovery to the engagement?","acceptedAnswer":{"@type":"Answer","text":"The documents provide OSINT that can be used to craft targeted pretexts and improve the credibility of social-engineering attacks against named employees."},"suggestedAnswer":[{"@type":"Answer","text":"The documents constitute an immediate critical vulnerability that must be reported as a CVE with a CVSS base score."},{"@type":"Answer","text":"The expired network diagram is worthless because it no longer reflects the current environment and should be discarded without analysis."},{"@type":"Answer","text":"The find proves the recycling vendor is out of scope, so all further physical testing must stop until a new authorization is signed."}]},{"@context":"https://schema.org","@type":"Question","text":"During pre-engagement planning for a black-box external penetration test, the client asks how the testing team will handle situations where a discovered vulnerability could lead to accidental service disruption or evidence of a prior compromise. The lead penetration tester wants to formally document who must be notified, under what conditions, and through which channels before defining these details in the rules of engagement. Which pre-engagement element most directly addresses this requirement?","acceptedAnswer":{"@type":"Answer","text":"A communication and escalation plan defining points of contact and notification triggers"},"suggestedAnswer":[{"@type":"Answer","text":"A signed authorization letter granting permission to test in-scope systems"},{"@type":"Answer","text":"A statement of work listing deliverables and the assessment timeline"},{"@type":"Answer","text":"A non-disclosure agreement protecting confidential client information"}]},{"@context":"https://schema.org","@type":"Question","text":"During an internal engagement, you have anonymous (null session) access to a Windows Server that appears to be a domain member. You need to enumerate valid domain user accounts to build a target list for later password spraying. RestrictAnonymous is set such that direct user listing via a null session returns no results, but you can still query the SAM/LSA over SMB. Which technique is MOST likely to yield a list of valid domain usernames in this situation?","acceptedAnswer":{"@type":"Answer","text":"Use RID cycling to enumerate accounts by resolving sequential relative identifiers appended to the domain SID via SID-to-name lookups"},"suggestedAnswer":[{"@type":"Answer","text":"Perform an Nmap SYN scan of port 445 and read the service banner to extract account names"},{"@type":"Answer","text":"Run an SMTP VRFY/EXPN enumeration against the mail service to reveal domain accounts"},{"@type":"Answer","text":"Initiate a DNS zone transfer against the domain controller to list user records"}]},{"@context":"https://schema.org","@type":"Question","text":"During analysis of a large scan report, a penetration tester must recommend which vulnerability to prioritize for remediation. Two findings stand out: Finding X has a CVSS base score of 9.8 but an EPSS (Exploit Prediction Scoring System) score of 0.4% and no public exploit; Finding Y has a CVSS base score of 7.5, an EPSS score of 92%, and is actively being weaponized in the wild against internet-facing hosts identical to the client's exposed web server. Which recommendation best reflects risk-based prioritization?","acceptedAnswer":{"@type":"Answer","text":"Prioritize Finding Y first because its high EPSS score and active exploitation against exposed assets indicate a far greater likelihood of near-term compromise"},"suggestedAnswer":[{"@type":"Answer","text":"Prioritize Finding X first because its higher CVSS base score indicates greater severity"},{"@type":"Answer","text":"Prioritize both equally since CVSS is the only authoritative severity metric for remediation ordering"},{"@type":"Answer","text":"Defer both findings until a temporal CVSS score is manually recalculated for each"}]},{"@context":"https://schema.org","@type":"Question","text":"A penetration testing firm based in the United States is contracted to test a web application for a client headquartered in Germany. During pre-engagement scoping, the tester discovers the application processes personal data of EU residents, and captured test artifacts may include this data. What is the MOST important legal consideration the tester must address before beginning the engagement?","acceptedAnswer":{"@type":"Answer","text":"Ensure the rules of engagement specify GDPR-compliant handling, storage, and cross-border transfer requirements for any personal data encountered"},"suggestedAnswer":[{"@type":"Answer","text":"Confirm that the testing window falls within German business hours to avoid disrupting operations"},{"@type":"Answer","text":"Require the client to obtain PCI DSS certification before the assessment can proceed"},{"@type":"Answer","text":"Limit the assessment to a black-box methodology so no personal data is ever accessed"}]},{"@context":"https://schema.org","@type":"Question","text":"A penetration tester is midway through a two-week engagement for a healthcare client. The client's CISO requests that the team stop testing the legacy billing application and instead focus remaining hours on a newly deployed patient portal that was not in the original scope document. The tester wants to accommodate the request while remaining compliant with the engagement's governance requirements. What should the tester do FIRST?","acceptedAnswer":{"@type":"Answer","text":"Obtain a written scope change (change request/amendment) authorizing the patient portal before testing it"},"suggestedAnswer":[{"@type":"Answer","text":"Begin testing the patient portal immediately, since the CISO has authority over the client's security program"},{"@type":"Answer","text":"Continue testing the billing application as originally scoped and note the CISO's request in the final report"},{"@type":"Answer","text":"Perform a quick vulnerability scan of the patient portal to confirm it is worth including, then request authorization"}]},{"@context":"https://schema.org","@type":"Question","text":"During an internal penetration test, you have compromised a domain controller and extracted the KRBTGT account's NTLM hash using DCSync. The client asks you to demonstrate a persistence technique that would let you impersonate any user in the domain—including nonexistent accounts—without relying on the DC to validate account existence, and that would survive individual user password resets. Which technique should you demonstrate?","acceptedAnswer":{"@type":"Answer","text":"Forge a Golden Ticket by crafting a Kerberos TGT signed with the KRBTGT hash"},"suggestedAnswer":[{"@type":"Answer","text":"Perform a Silver Ticket attack using a captured service account hash"},{"@type":"Answer","text":"Conduct an overpass-the-hash attack with a standard user's NTLM hash"},{"@type":"Answer","text":"Execute a Kerberoasting attack against service principal names"}]},{"@context":"https://schema.org","@type":"Question","text":"During a password-cracking phase, you have captured a large set of NTLM hashes. The client's documented password policy requires exactly 8 characters: one uppercase letter, followed by five lowercase letters, followed by two digits. A straight dictionary attack has yielded few results. Which hashcat approach best leverages this known policy to efficiently recover the remaining hashes?","acceptedAnswer":{"@type":"Answer","text":"A mask attack using the pattern ?u?l?l?l?l?l?d?d"},"suggestedAnswer":[{"@type":"Answer","text":"A pure brute-force attack across the full keyspace with -a 3 and no mask"},{"@type":"Answer","text":"A straight (dictionary) attack with the rockyou.txt wordlist and no rules"},{"@type":"Answer","text":"A combinator attack merging two copies of the same wordlist"}]},{"@context":"https://schema.org","@type":"Question","text":"During a web application assessment, you discover a GraphQL API endpoint at /graphql. The application does not appear to expose its schema in any documentation. You want to map every available query, mutation, and type before attempting authorization bypass testing. Which technique should you use first to enumerate the full API structure?","acceptedAnswer":{"@type":"Answer","text":"Send an introspection query (e.g., the __schema and __type meta-fields) to the endpoint to retrieve the complete type system"},"suggestedAnswer":[{"@type":"Answer","text":"Fuzz the endpoint with a wordlist of common REST paths such as /api/v1/users to discover hidden resources"},{"@type":"Answer","text":"Submit a batched array of aliased queries to trigger a denial-of-service and reveal error stack traces"},{"@type":"Answer","text":"Perform a SQL injection test against the id parameter to enumerate backend database tables"}]},{"@context":"https://schema.org","@type":"Question","text":"A penetration testing firm is finalizing pre-engagement paperwork for a hospital network. During testing, the team will access servers that store and process electronic protected health information (ePHI). The hospital's compliance officer wants to ensure the firm is legally bound to safeguard this data and to specify permitted uses, breach notification obligations, and safeguards. Which document must be executed to satisfy this HIPAA requirement before testing begins?","acceptedAnswer":{"@type":"Answer","text":"A Business Associate Agreement (BAA) between the hospital and the testing firm"},"suggestedAnswer":[{"@type":"Answer","text":"A mutual non-disclosure agreement (NDA) covering both organizations"},{"@type":"Answer","text":"A statement of work (SOW) detailing the testing deliverables and timeline"},{"@type":"Answer","text":"A signed authorization ('get-out-of-jail') letter from the hospital's CISO"}]},{"@context":"https://schema.org","@type":"Question","text":"During a web application test, a penetration tester finds that submitting `role=user` in a POST request is enforced server-side, but the backend framework processes duplicate parameters by concatenating or selecting the last value. The tester crafts a request with `role=user&role=admin` and observes that the application grants administrative access. Which attack technique did the tester successfully exploit?","acceptedAnswer":{"@type":"Answer","text":"HTTP parameter pollution (HPP)"},"suggestedAnswer":[{"@type":"Answer","text":"HTTP request smuggling (CL.TE desync)"},{"@type":"Answer","text":"Mass assignment via JSON body injection"},{"@type":"Answer","text":"Cross-site request forgery (CSRF)"}]},{"@context":"https://schema.org","@type":"Question","text":"During a web application assessment, you notice a front-end proxy and a back-end server disagree on how to determine message length. You craft a request where the front-end honors the Content-Length header while the back-end honors the Transfer-Encoding: chunked header, allowing part of your request to be prepended to the next user's request. Which attack are you performing?","acceptedAnswer":{"@type":"Answer","text":"HTTP request smuggling using a CL.TE desynchronization"},"suggestedAnswer":[{"@type":"Answer","text":"Server-side request forgery (SSRF) via header injection"},{"@type":"Answer","text":"HTTP response splitting through CRLF injection"},{"@type":"Answer","text":"Cross-site request forgery (CSRF) using a malicious form"}]},{"@context":"https://schema.org","@type":"Question","text":"During an authenticated vulnerability scan of a Debian-based web server, the scanner flags OpenSSH as vulnerable to a critical CVE, citing the reported version banner of 8.4p1. The client insists the system is fully patched via their standard apt update process. Before including this finding in the report, what is the MOST accurate way for you to determine whether this is a false positive?","acceptedAnswer":{"@type":"Answer","text":"Check the installed package changelog with 'dpkg -l openssh-server' and 'apt changelog openssh-server' to confirm whether the vendor backported the security fix without changing the version banner"},"suggestedAnswer":[{"@type":"Answer","text":"Run the exploit proof-of-concept against the SSH service in production to see if it succeeds"},{"@type":"Answer","text":"Trust the scanner's CVSS score and version match, and include the finding as critical since the banner clearly shows 8.4p1"},{"@type":"Answer","text":"Re-run the scan with an unauthenticated profile to compare the two banner results"}]},{"@context":"https://schema.org","@type":"Question","text":"During a web application assessment, a penetration tester logged in as a low-privileged user and intercepted the following API request in Burp Suite: GET /api/v2/invoices/1042 HTTP/1.1 with a valid session token. The tester changed the value to /api/v2/invoices/1041 and received a 200 response containing another customer's billing details, including full name and payment card last-four digits. No error or additional authentication challenge occurred. Which vulnerability has the tester most likely confirmed?","acceptedAnswer":{"@type":"Answer","text":"Insecure Direct Object Reference (IDOR) due to missing object-level authorization"},"suggestedAnswer":[{"@type":"Answer","text":"Reflected cross-site scripting (XSS) in the invoice parameter"},{"@type":"Answer","text":"Server-side request forgery (SSRF) against the billing backend"},{"@type":"Answer","text":"SQL injection in the invoice ID path parameter"}]},{"@context":"https://schema.org","@type":"Question","text":"During a web application assessment, you intercept a POST request in Burp Suite and notice a base64-encoded parameter that decodes to a byte stream beginning with the hex signature 'AC ED 00 05'. The application is built on Apache Struts and uses this parameter to store session state. Which attack technique is MOST likely to lead to remote code execution against this endpoint?","acceptedAnswer":{"@type":"Answer","text":"Craft a malicious serialized Java object using a gadget chain (e.g., via ysoserial) and submit it in the parameter"},"suggestedAnswer":[{"@type":"Answer","text":"Perform a UNION-based SQL injection by appending crafted SQL to the decoded parameter"},{"@type":"Answer","text":"Inject a stored XSS payload into the parameter to execute JavaScript in the admin's browser"},{"@type":"Answer","text":"Use HTTP parameter pollution to duplicate the parameter and bypass server-side validation"}]},{"@context":"https://schema.org","@type":"Question","text":"A penetration testing firm is finalizing pre-engagement paperwork for a client that operates a legacy manufacturing control system. The client is concerned that active testing could inadvertently disrupt production equipment or cause physical damage. The lead tester wants to ensure the firm is financially protected if such an incident occurs during authorized testing. Which contractual element should the firm confirm is in place before starting the engagement?","acceptedAnswer":{"@type":"Answer","text":"Errors and omissions / professional liability insurance coverage referenced in the contract"},"suggestedAnswer":[{"@type":"Answer","text":"A non-disclosure agreement signed by all testers"},{"@type":"Answer","text":"A detailed scope statement listing target IP ranges"},{"@type":"Answer","text":"A rules-of-engagement document defining testing hours"}]},{"@context":"https://schema.org","@type":"Question","text":"During an internal engagement, you notice the target Windows environment has IPv6 enabled on all workstations but no DHCPv6 server is deployed. You want to become the primary DNS server for these hosts to capture and relay authentication traffic to a domain controller. Which technique should you use to exploit this misconfiguration?","acceptedAnswer":{"@type":"Answer","text":"Use mitm6 to spoof DHCPv6 replies and advertise your host as the IPv6 DNS server, then relay captured credentials with ntlmrelayx"},"suggestedAnswer":[{"@type":"Answer","text":"Launch an ARP cache poisoning attack with Ettercap to redirect IPv4 traffic through your host"},{"@type":"Answer","text":"Perform an SLAAC-only router advertisement flood to exhaust the IPv4 DHCP scope"},{"@type":"Answer","text":"Run Responder in analyze-only mode to passively fingerprint LLMNR broadcasts without responding"}]},{"@context":"https://schema.org","@type":"Question","text":"During an API assessment, you capture a JSON Web Token (JWT) used for authentication. Decoding it reveals a header of {\"alg\":\"HS256\",\"typ\":\"JWT\"} and a payload containing {\"user\":\"analyst\",\"role\":\"user\"}. You want to escalate to an administrative role. Which technique should you attempt FIRST to test for a common JWT verification flaw?","acceptedAnswer":{"@type":"Answer","text":"Modify the payload to \"role\":\"admin\", change the header algorithm to \"none\", and remove the signature to test whether the server validates signatures"},"suggestedAnswer":[{"@type":"Answer","text":"Brute-force the HS256 secret with a full 256-bit keyspace using a GPU cluster before making any request"},{"@type":"Answer","text":"Base64-encode a new random signature and append it, expecting the server to accept any well-formed token"},{"@type":"Answer","text":"Replay the original unmodified token repeatedly to trigger a session fixation vulnerability"}]},{"@context":"https://schema.org","@type":"Question","text":"During an internal Active Directory assessment, you have valid low-privileged domain user credentials. You want to obtain credentials for service accounts without triggering account lockouts or interacting directly with the target service hosts. You run a tool that requests Kerberos service tickets for accounts with an SPN set and exports the ticket hashes. What is the primary reason this technique is effective, and what must you do next?","acceptedAnswer":{"@type":"Answer","text":"TGS-REP tickets are encrypted with the service account's password hash, so you can crack them offline to recover the plaintext password"},"suggestedAnswer":[{"@type":"Answer","text":"AS-REP responses are returned without pre-authentication, so you replay the ticket directly to authenticate as the service account"},{"@type":"Answer","text":"The KDC returns the NTLM hash of the service account in cleartext, so you pass the hash to move laterally immediately"},{"@type":"Answer","text":"The service tickets contain the KRBTGT hash, so you forge a golden ticket to impersonate any domain user"}]},{"@context":"https://schema.org","@type":"Question","text":"During an internal penetration test, you have obtained valid low-privilege domain credentials for an Active Directory environment. You want to enumerate all domain user accounts, their group memberships, and account attributes such as description fields that may contain plaintext passwords. Which approach will most efficiently gather this information directly from the domain controller?","acceptedAnswer":{"@type":"Answer","text":"Query the domain controller over LDAP (port 389) using authenticated queries with a tool such as ldapsearch or the PowerShell ADSI/Get-ADUser cmdlets"},"suggestedAnswer":[{"@type":"Answer","text":"Run an Nmap TCP SYN scan against port 445 on the domain controller to enumerate user accounts via SMB"},{"@type":"Answer","text":"Perform a DNS zone transfer against the domain controller to list all user principal names"},{"@type":"Answer","text":"Use an anonymous SMB null session to enumerate the RID cycle and dump the full user attribute set"}]},{"@context":"https://schema.org","@type":"Question","text":"During an authorized engagement, a penetration tester has interactive shell access to a compromised Linux server using a shared service account. Before disconnecting for the day, the tester wants to prevent the commands run during this session from being written to the account's ~/.bash_history file when the shell exits, without altering historical entries that existed before the session began. Which action best accomplishes this goal?","acceptedAnswer":{"@type":"Answer","text":"Run 'unset HISTFILE' in the current shell before logging out"},"suggestedAnswer":[{"@type":"Answer","text":"Delete ~/.bash_history entirely with 'rm ~/.bash_history'"},{"@type":"Answer","text":"Run 'history -c' immediately after each command executes"},{"@type":"Answer","text":"Overwrite ~/.bash_history with 'echo \"\" > ~/.bash_history' before logging out"}]},{"@context":"https://schema.org","@type":"Question","text":"During post-exploitation on a compromised Linux web server, you have a low-privileged shell as the user 'www-data'. You run 'getcap -r / 2>/dev/null' and notice that '/usr/bin/python3.9' has 'cap_setuid+ep' set. What is the most effective next step to escalate to root?","acceptedAnswer":{"@type":"Answer","text":"Execute python3.9 with a one-liner that calls os.setuid(0) followed by spawning a shell, e.g. python3.9 -c 'import os; os.setuid(0); os.system(\"/bin/bash\")'"},"suggestedAnswer":[{"@type":"Answer","text":"Add the www-data user to the sudoers file by editing /etc/sudoers directly with a text editor"},{"@type":"Answer","text":"Run 'python3.9 -c \"import pty; pty.spawn(\\'/bin/bash\\')\"' to upgrade to a fully interactive TTY session"},{"@type":"Answer","text":"Replace /usr/bin/python3.9 with a malicious binary that runs a reverse shell to your attacker machine"}]},{"@context":"https://schema.org","@type":"Question","text":"During a Linux post-exploitation phase, you have a low-privileged shell as user 'webapp'. Enumeration reveals a root-owned cron entry running '/opt/scripts/backup.sh' every five minutes. The script file has permissions '-rwxrwxrwx' and is owned by root. Which action most directly leads to privilege escalation?","acceptedAnswer":{"@type":"Answer","text":"Append a reverse shell or command that copies bash and sets the SUID bit into backup.sh, then wait for the next cron execution"},"suggestedAnswer":[{"@type":"Answer","text":"Replace /etc/crontab entirely to schedule your own root job every minute"},{"@type":"Answer","text":"Run the backup.sh script manually as the webapp user to trigger elevated execution"},{"@type":"Answer","text":"Add the webapp user to the /etc/cron.allow file to gain scheduling privileges"}]},{"@context":"https://schema.org","@type":"Question","text":"After compromising a low-privilege account on a Linux web server during an internal engagement, you want to identify additional systems and data that may extend your reach. You run 'mount' and 'cat /etc/fstab' and notice an NFS export from 10.10.20.50 mounted at /mnt/backup with 'rw' access and no root_squash restriction visible. What is the MOST useful next action to leverage this discovery for lateral movement?","acceptedAnswer":{"@type":"Answer","text":"Write a SUID-root binary onto the NFS share from a system where you have root, then execute it on the web server to escalate and pivot toward 10.10.20.50"},"suggestedAnswer":[{"@type":"Answer","text":"Immediately delete the /mnt/backup mount point to prevent the file server from logging your access"},{"@type":"Answer","text":"Run a full Nmap SYN scan of the entire 10.10.20.0/24 range from the web server to map every host before touching the share"},{"@type":"Answer","text":"Encrypt the contents of /mnt/backup to demonstrate ransomware impact to the client"}]},{"@context":"https://schema.org","@type":"Question","text":"During a post-exploitation phase, you gain a shell on a compromised Linux web server in a DMZ. Before attempting lateral movement, you want to identify which internal networks this host can reach so you can plan a pivot. The host has no GUI and limited installed tooling. Which command output would MOST directly reveal additional internal subnets the compromised host is configured to route to?","acceptedAnswer":{"@type":"Answer","text":"ip route (or route -n) to display the host's routing table and configured gateways"},"suggestedAnswer":[{"@type":"Answer","text":"cat /etc/passwd to list local user accounts and their home directories"},{"@type":"Answer","text":"netstat -tulpn to list listening services on the local host"},{"@type":"Answer","text":"uname -a to display the kernel version and architecture"}]},{"@context":"https://schema.org","@type":"Question","text":"After gaining a low-privilege shell on a Linux web server, a penetration tester wants to identify locally running network services and internal listening ports that are not exposed externally, in order to plan lateral movement. Which command provides the most relevant information for this specific goal?","acceptedAnswer":{"@type":"Answer","text":"ss -tulpn to list listening TCP/UDP sockets and the associated processes"},"suggestedAnswer":[{"@type":"Answer","text":"getcap -r / 2>/dev/null to enumerate binaries with file capabilities"},{"@type":"Answer","text":"find / -perm -4000 2>/dev/null to locate SUID binaries"},{"@type":"Answer","text":"cat /etc/crontab to review scheduled tasks"}]},{"@context":"https://schema.org","@type":"Question","text":"During a Linux post-exploitation phase, you gained root on an application server and, to maintain access, appended your public key to /root/.ssh/authorized_keys, added a systemd service that spawns a reverse shell on boot, and modified /etc/sudoers to grant a low-privilege service account NOPASSWD access. The engagement is now ending and the rules of engagement require you to restore the environment to its pre-test state. Which action is MOST important to include in your cleanup so the environment is not left in a weakened security posture?","acceptedAnswer":{"@type":"Answer","text":"Remove the injected SSH key, delete and disable the systemd service, and revert the /etc/sudoers modification, documenting each change"},"suggestedAnswer":[{"@type":"Answer","text":"Leave the persistence mechanisms in place but notify the client so their blue team can practice detecting them"},{"@type":"Answer","text":"Overwrite the entire /etc directory with a fresh copy from another server to guarantee no artifacts remain"},{"@type":"Answer","text":"Clear the bash history and auth logs so the client cannot trace the persistence artifacts back to the test"}]},{"@context":"https://schema.org","@type":"Question","text":"During a Linux post-exploitation phase, you have root on a production application server and need durable persistence that survives reboots but remains low-profile. The client's rules of engagement require that all persistence mechanisms be documented and cleanly removable at engagement end. You are considering an LD_PRELOAD-based technique. Which approach best balances persistence, stealth, and the ability to fully restore the environment during cleanup?","acceptedAnswer":{"@type":"Answer","text":"Append a malicious shared object path to /etc/ld.so.preload, logging the original file state (or its absence) so it can be reverted exactly during cleanup"},"suggestedAnswer":[{"@type":"Answer","text":"Recompile every system binary to statically link a backdoor, ensuring persistence even if libraries change"},{"@type":"Answer","text":"Replace /bin/bash with a wrapper script that spawns a reverse shell on each login and delete the original binary"},{"@type":"Answer","text":"Set an LD_PRELOAD variable in your current shell session only and rely on it for reboot persistence"}]},{"@context":"https://schema.org","@type":"Question","text":"During an internal engagement you gained a Meterpreter session on a dual-homed Linux host (10.0.10.5). This host also has an interface on 192.168.50.0/24, a subnet your Kali attack box cannot reach directly. You want to run additional Metasploit modules against hosts in the 192.168.50.0/24 range through the compromised host without setting up separate port forwards for each target port. Which action best achieves this?","acceptedAnswer":{"@type":"Answer","text":"Run 'run autoroute -s 192.168.50.0/24' from the Meterpreter session so subsequent Metasploit modules route through the compromised host"},"suggestedAnswer":[{"@type":"Answer","text":"Add a static route on the Kali box with 'ip route add 192.168.50.0/24 via 10.0.10.5' so traffic reaches the internal subnet"},{"@type":"Answer","text":"Use 'portfwd add -l 4444 -p 445 -r 192.168.50.20' to expose the single SMB service you need to reach"},{"@type":"Answer","text":"Enable IP forwarding on the compromised host with 'echo 1 > /proc/sys/net/ipv4/ip_forward' and rescan from Kali"}]},{"@context":"https://schema.org","@type":"Question","text":"During an internal engagement, you have a Meterpreter session on a dual-homed Linux host (10.0.5.20). This host also has an interface on 172.16.30.0/24, a segment your attack machine cannot reach directly. You need to connect your local RDP client to a Windows server at 172.16.30.15 on TCP 3389 through the compromised host. Which action most directly accomplishes this?","acceptedAnswer":{"@type":"Answer","text":"Run 'portfwd add -l 3389 -p 3389 -r 172.16.30.15' from the Meterpreter session, then point your RDP client at 127.0.0.1:3389"},"suggestedAnswer":[{"@type":"Answer","text":"Add a static route on your attack machine to 172.16.30.0/24 via 10.0.5.20 using the OS route command"},{"@type":"Answer","text":"Run 'run autoroute -s 172.16.30.0/24' and connect your RDP client directly to 172.16.30.15"},{"@type":"Answer","text":"Start an ARP spoofing module on 10.0.5.20 to redirect 172.16.30.15 traffic back to your attack machine"}]},{"@context":"https://schema.org","@type":"Question","text":"During a Linux post-exploitation phase, you created a persistence mechanism by copying /bin/bash to /tmp/.sysd and setting the SUID bit so you could regain root access. The engagement is now complete, and the rules of engagement require you to restore the environment to its original state. Which action MUST be documented and performed to properly clean up this specific artifact?","acceptedAnswer":{"@type":"Answer","text":"Remove the /tmp/.sysd file and note the removal, timestamp, and hash in the cleanup log"},"suggestedAnswer":[{"@type":"Answer","text":"Reset the SUID bit on the original /bin/bash to restore default permissions"},{"@type":"Answer","text":"Clear the /var/log/auth.log entries that recorded the copy command"},{"@type":"Answer","text":"Reboot the host to flush the SUID binary from memory"}]},{"@context":"https://schema.org","@type":"Question","text":"During a Linux post-exploitation phase, a penetration tester gains root access to a web server through a kernel exploit. The tester wants to maintain reliable access that survives reboots and does not depend on the current vulnerable process, while blending in with normal administrative activity. The server exposes SSH to a management VLAN the tester can reach through an established pivot. Which persistence technique BEST meets these requirements?","acceptedAnswer":{"@type":"Answer","text":"Append the tester's public key to the root account's ~/.ssh/authorized_keys file"},"suggestedAnswer":[{"@type":"Answer","text":"Keep the interactive shell from the kernel exploit open in a screen session"},{"@type":"Answer","text":"Re-run the same kernel exploit each time access is needed"},{"@type":"Answer","text":"Bind a Netcat listener to a high port using a foreground shell process"}]},{"@context":"https://schema.org","@type":"Question","text":"During a post-exploitation phase on a Linux server, you have a low-privileged shell as the user 'svc-app'. Running 'sudo -l' returns that the user may run '/usr/bin/find' as root without a password. Which action MOST directly leverages this misconfiguration to obtain a root shell?","acceptedAnswer":{"@type":"Answer","text":"Execute 'sudo find . -exec /bin/sh \\; -quit' to spawn a shell running with root privileges"},"suggestedAnswer":[{"@type":"Answer","text":"Run 'sudo find / -perm -4000' to locate all SUID binaries and manually replace one with a payload"},{"@type":"Answer","text":"Add the 'svc-app' account to the sudo group by editing /etc/group after re-authenticating"},{"@type":"Answer","text":"Use 'find' to search for readable SSH private keys in /home and reuse them against other hosts"}]},{"@context":"https://schema.org","@type":"Question","text":"During an internal engagement, you have gained a low-privileged shell on a Linux web server as the user 'www-data'. Your goal is to escalate to root. As part of enumerating the host, you want to identify locally installed binaries that could be abused to run commands with elevated privileges due to misconfigured file permissions. Which command should you run first to surface the most likely privilege-escalation candidates?","acceptedAnswer":{"@type":"Answer","text":"find / -perm -4000 -type f 2>/dev/null"},"suggestedAnswer":[{"@type":"Answer","text":"cat /etc/shadow | grep root"},{"@type":"Answer","text":"netstat -tulpn | grep LISTEN"},{"@type":"Answer","text":"crontab -l -u www-data"}]},{"@context":"https://schema.org","@type":"Question","text":"During a Linux post-exploitation engagement, you dropped a compiled binary into /usr/local/bin and modified /etc/systemd/system/backup.service to establish persistence. Before disengaging, the rules of engagement require you to minimize forensic artifacts while documenting all changes for the client. You already removed the persistence files. The blue team uses a file-integrity monitoring tool that alerts on modification timestamps deviating from the package baseline. Which action best addresses the timestamp artifact left by your file operations in the directory?","acceptedAnswer":{"@type":"Answer","text":"Use touch with the -r flag to reference a legitimate neighboring file's timestamps and apply them to the directory metadata, then record the original and altered values in your report"},"suggestedAnswer":[{"@type":"Answer","text":"Run shred on the parent directory to overwrite all inode metadata and prevent the FIM tool from reading any timestamps"},{"@type":"Answer","text":"Reboot the host so systemd regenerates the directory metadata with fresh, non-suspicious timestamps"},{"@type":"Answer","text":"Clear /var/log/audit/audit.log entirely to remove any record of the file creation and directory modification events"}]},{"@context":"https://schema.org","@type":"Question","text":"During a Linux post-exploitation phase, you have a low-privilege shell on a build server via a reverse shell that dies whenever your SSH client disconnects or the parent process is reaped. You need your running enumeration tools and callback to survive session termination without installing new packages or triggering the host's file-integrity monitoring, which alerts on new files in /etc, /usr, and cron directories. Which approach best maintains your access under these constraints?","acceptedAnswer":{"@type":"Answer","text":"Detach the reverse shell into a backgrounded session using an already-present terminal multiplexer (tmux/screen) or wrap it with nohup and disown so it is not tied to the controlling terminal"},"suggestedAnswer":[{"@type":"Answer","text":"Add a new SSH public key to /root/.ssh/authorized_keys so you can reconnect at will"},{"@type":"Answer","text":"Create a cron entry in /etc/cron.d that re-launches the reverse shell every minute"},{"@type":"Answer","text":"Write a systemd service unit under /etc/systemd/system that restarts the payload on boot"}]},{"@context":"https://schema.org","@type":"Question","text":"During a post-exploitation phase, you have a low-privilege shell on a dual-homed Linux host (eth0 on 10.10.10.0/24, eth1 on 172.16.5.0/24). You lack root and cannot install tools or run a network scanner. Before setting up a pivot, you want to quickly identify which hosts on the internal 172.16.5.0/24 segment this box has recently communicated with, without generating noisy new traffic. Which action best accomplishes this?","acceptedAnswer":{"@type":"Answer","text":"Read the ARP cache with 'ip neighbor show' (or 'arp -a') to list recently contacted hosts on eth1"},"suggestedAnswer":[{"@type":"Answer","text":"Run 'nmap -sn 172.16.5.0/24' to ping-sweep the internal segment"},{"@type":"Answer","text":"Enable IP forwarding via 'echo 1 > /proc/sys/net/ipv4/ip_forward' and passively wait for traffic"},{"@type":"Answer","text":"Execute 'tcpdump -i eth1' to capture live packets on the internal interface"}]},{"@context":"https://schema.org","@type":"Question","text":"During an internal engagement, you have compromised a Linux jump host (10.10.1.5) that has SSH access to a second Linux host (10.10.2.9) in a segmented subnet. From 10.10.2.9 you can reach a database server (10.10.3.20) that is unreachable from both your attack box and the jump host. You need your attack box's tools to scan and interact with 10.10.3.20. Which approach correctly establishes reachability to the deepest target?","acceptedAnswer":{"@type":"Answer","text":"Set up an SSH dynamic (SOCKS) proxy from your attack box to 10.10.1.5, then chain a second SSH dynamic proxy from 10.10.1.5 to 10.10.2.9, and route tools through the final SOCKS proxy with proxychains"},"suggestedAnswer":[{"@type":"Answer","text":"Add a static route on your attack box for 10.10.3.0/24 pointing to 10.10.1.5 as the gateway"},{"@type":"Answer","text":"Run an Nmap scan of 10.10.3.20 directly from your attack box using fragmented packets to bypass the segmentation"},{"@type":"Answer","text":"Establish a single SSH local port forward from your attack box to 10.10.1.5 mapping port 3306 and connect directly to 10.10.3.20:3306"}]},{"@context":"https://schema.org","@type":"Question","text":"During post-exploitation on a Linux web server, a penetration tester has a shell as the low-privileged 'www-data' account. Enumeration shows that /etc/passwd is world-writable (permissions 666), while /etc/shadow remains root-owned and inaccessible. The tester has access to the 'openssl' binary. Which technique will most reliably escalate privileges to root using this misconfiguration?","acceptedAnswer":{"@type":"Answer","text":"Generate a password hash with 'openssl passwd', append a new root-equivalent entry (UID 0) to /etc/passwd, and log in as that account with the known password"},"suggestedAnswer":[{"@type":"Answer","text":"Overwrite /etc/shadow with a crafted hash for the root user, then use 'su root' with the corresponding password"},{"@type":"Answer","text":"Edit /etc/passwd to change the shell of the root account to /bin/bash and run 'su root' without a password"},{"@type":"Answer","text":"Add the www-data user to the sudo group by editing /etc/passwd and immediately run 'sudo su -'"}]},{"@context":"https://schema.org","@type":"Question","text":"During an internal penetration test, you have gained an initial foothold and want to generate a standalone Windows executable payload that connects back to your Metasploit listener. Your first payload was immediately quarantined by the target's signature-based antivirus. Which msfvenom approach BEST improves the chance the new payload evades detection while maintaining a working reverse connection?","acceptedAnswer":{"@type":"Answer","text":"Use msfvenom with multiple iterations of an encoder (e.g., -e x86/shikata_ga_nai -i 10) and embed the shellcode into a legitimate template executable using -x"},"suggestedAnswer":[{"@type":"Answer","text":"Generate the payload with a staged reverse_tcp handler but omit the LHOST parameter so no signature can be built"},{"@type":"Answer","text":"Increase the payload size by padding with NOP sleds using the -n flag until the file exceeds the AV scan limit"},{"@type":"Answer","text":"Switch the output format to raw shellcode with -f raw and deliver it directly, since AV cannot scan raw binary data"}]},{"@context":"https://schema.org","@type":"Question","text":"A penetration testing firm is finalizing pre-engagement paperwork for a client. During scoping, the client's IT manager verbally authorizes testing of a marketing web application that is hosted and fully managed by a separate managed service provider (MSSP). The IT manager insists this asset is 'in scope' and asks the testers to begin immediately. What is the tester's most appropriate action before testing that application?","acceptedAnswer":{"@type":"Answer","text":"Obtain written authorization from a party with the legal authority to permit testing of the MSSP-managed asset before including it in scope"},"suggestedAnswer":[{"@type":"Answer","text":"Begin testing immediately since the IT manager has operational responsibility for the marketing application"},{"@type":"Answer","text":"Add the application to the scope document and note the IT manager's verbal approval in the final report"},{"@type":"Answer","text":"Exclude the application from all testing and reporting because MSSP-hosted assets can never be tested"}]},{"@context":"https://schema.org","@type":"Question","text":"During pre-engagement discussions, a penetration testing firm will be given access to a client's proprietary network diagrams, source code repositories, and internal credentials. The client is concerned that sensitive information gathered during testing could be disclosed to competitors, and the testing firm equally wants to protect its proprietary tooling and methodology from being shared. Which document should be executed FIRST to address both parties' confidentiality concerns before any sensitive information is exchanged?","acceptedAnswer":{"@type":"Answer","text":"A mutual non-disclosure agreement (NDA)"},"suggestedAnswer":[{"@type":"Answer","text":"A statement of work (SOW) defining deliverables and timeline"},{"@type":"Answer","text":"A rules of engagement (ROE) document listing in-scope targets"},{"@type":"Answer","text":"A signed authorization (get-out-of-jail) letter"}]},{"@context":"https://schema.org","@type":"Question","text":"During an internal engagement, you run a credentialed Nessus scan against a Windows server. The report lists a plugin flagged as 'Critical' with a CVSS base score of 9.8, but the plugin output notes 'This is a potential vulnerability — the affected service was detected but the patch level could not be confirmed remotely.' Your client wants to prioritize remediation efficiently. What is the most appropriate next step before reporting this as a confirmed critical finding?","acceptedAnswer":{"@type":"Answer","text":"Manually verify the finding by checking the installed patch level and version on the host, then attempt to confirm exploitability"},"suggestedAnswer":[{"@type":"Answer","text":"Report the finding as a confirmed Critical based on the CVSS 9.8 score to ensure the client patches quickly"},{"@type":"Answer","text":"Immediately re-run the scan with all safe checks disabled to force exploitation of the service"},{"@type":"Answer","text":"Downgrade the finding to Informational because Nessus could not confirm the patch level"}]},{"@context":"https://schema.org","@type":"Question","text":"A financial services client requires that a penetration testing firm follow a formally recognized, government-published framework so the assessment maps cleanly to the client's existing security control audits. The client specifically wants the technical testing to align with a structured four-phase process (planning, discovery, attack, and reporting) that their internal auditors already reference. Which methodology should the testing firm adopt to best satisfy this requirement?","acceptedAnswer":{"@type":"Answer","text":"NIST SP 800-115, the Technical Guide to Information Security Testing and Assessment"},"suggestedAnswer":[{"@type":"Answer","text":"OWASP Web Security Testing Guide (WSTG)"},{"@type":"Answer","text":"MITRE ATT&CK framework"},{"@type":"Answer","text":"PCI DSS Penetration Testing Guidance"}]},{"@context":"https://schema.org","@type":"Question","text":"During an internal penetration test, you are connected directly to the 192.168.50.0/24 subnet via an authorized drop. You need to build an accurate inventory of live hosts on this local segment, but several hosts have host-based firewalls that drop ICMP echo requests. Which Nmap command will most reliably discover live hosts on this segment?","acceptedAnswer":{"@type":"Answer","text":"nmap -sn -PR 192.168.50.0/24"},"suggestedAnswer":[{"@type":"Answer","text":"nmap -sn -PE 192.168.50.0/24"},{"@type":"Answer","text":"nmap -sn -Pn 192.168.50.0/24"},{"@type":"Answer","text":"nmap -sS -p- 192.168.50.0/24"}]},{"@context":"https://schema.org","@type":"Question","text":"During an internal engagement, you connect to a jump host where you only have a standard (non-root) user account. You attempt to run 'nmap -sS 10.10.5.0/24' to perform a SYN scan across the subnet, but Nmap warns it is falling back to a different scan type. Which explanation best describes what is happening and how to proceed effectively?","acceptedAnswer":{"@type":"Answer","text":"SYN scanning requires raw packet (root/CAP_NET_RAW) privileges; without them Nmap falls back to a TCP connect scan (-sT), which completes the full three-way handshake and is noisier but still valid"},"suggestedAnswer":[{"@type":"Answer","text":"The subnet is being blocked by a firewall, so Nmap automatically switches to a UDP scan to bypass the filtering rules"},{"@type":"Answer","text":"SYN scans only work against Windows hosts, so Nmap detected Linux targets and downgraded to an ICMP-only ping sweep"},{"@type":"Answer","text":"Nmap requires the -Pn flag to run a SYN scan, and adding it will restore raw SYN scanning without elevated privileges"}]},{"@context":"https://schema.org","@type":"Question","text":"During an authorized external assessment, a penetration tester wants to enumerate open ports on a target host while making it difficult for the target's SOC to identify which source IP is the true origin of the scan. The tester decides to use a zombie host with predictable IP ID sequence numbers to bounce the scan off of, so the target never receives packets directly from the tester's real address. Which Nmap technique should the tester use?","acceptedAnswer":{"@type":"Answer","text":"Idle scan using -sI with a suitable zombie host"},"suggestedAnswer":[{"@type":"Answer","text":"Decoy scan using -D with multiple spoofed source addresses"},{"@type":"Answer","text":"Fragmentation scan using -f to split packets"},{"@type":"Answer","text":"Source port manipulation using --source-port 53"}]},{"@context":"https://schema.org","@type":"Question","text":"During an internal engagement, you run Nmap against a /24 subnet and export the results with the -oX flag to results.xml. Your team lead asks you to quickly produce a clean list of only the hosts that have TCP port 3389 open, so it can be fed into a follow-up RDP audit script. Which approach most efficiently produces this filtered list from the existing scan output?","acceptedAnswer":{"@type":"Answer","text":"Convert the XML output to a grepable format (or parse it) and extract addresses where port 3389 shows state 'open', for example using nmap -oG or a script that reads the XML and filters on port/state"},"suggestedAnswer":[{"@type":"Answer","text":"Re-run Nmap with -p 3389 --open across the subnet and manually copy the results into a text file"},{"@type":"Answer","text":"Open results.xml in a browser and visually scan each host block for the 3389 entry, pasting matches by hand"},{"@type":"Answer","text":"Import results.xml into Nessus and rely on its RDP plugin to regenerate the host list"}]},{"@context":"https://schema.org","@type":"Question","text":"During an internal engagement, you have identified a web server running on 10.0.5.22 over ports 80 and 443. The client has authorized active enumeration of exposed web content. You want to use Nmap to discover common web directories, application paths, and interesting files on the host before launching a dedicated web scanner. Which Nmap command best supports this goal?","acceptedAnswer":{"@type":"Answer","text":"nmap -p 80,443 --script http-enum 10.0.5.22"},"suggestedAnswer":[{"@type":"Answer","text":"nmap -p 80,443 -sV --version-intensity 9 10.0.5.22"},{"@type":"Answer","text":"nmap -p 80,443 --script ssl-cert 10.0.5.22"},{"@type":"Answer","text":"nmap -p 80,443 -O --osscan-guess 10.0.5.22"}]},{"@context":"https://schema.org","@type":"Question","text":"During an internal engagement, you have identified several Windows hosts with TCP port 445 open. Before attempting exploitation, you want to safely check whether these hosts are vulnerable to known SMB flaws (such as MS17-010) and gather additional SMB configuration details using Nmap. Which command best accomplishes this enumeration goal?","acceptedAnswer":{"@type":"Answer","text":"nmap -p445 --script smb-vuln-ms17-010,smb-os-discovery,smb-security-mode 10.10.5.0/24"},"suggestedAnswer":[{"@type":"Answer","text":"nmap -p445 --script smb-brute --script-args userdb=users.txt,passdb=pass.txt 10.10.5.0/24"},{"@type":"Answer","text":"nmap -sU -p445 -A 10.10.5.0/24"},{"@type":"Answer","text":"nmap -p445 --script vuln --min-rate 10000 -T5 10.10.5.0/24"}]},{"@context":"https://schema.org","@type":"Question","text":"During an internal engagement, a penetration tester needs to identify the operating system running on a target host at 10.10.5.20 to tailor subsequent exploitation. The tester wants Nmap to perform TCP/IP stack fingerprinting and report a best-guess OS even if the results are not definitive. Which command should the tester run?","acceptedAnswer":{"@type":"Answer","text":"nmap -O --osscan-guess 10.10.5.20"},"suggestedAnswer":[{"@type":"Answer","text":"nmap -sV --version-intensity 9 10.10.5.20"},{"@type":"Answer","text":"nmap -sn 10.10.5.20"},{"@type":"Answer","text":"nmap -sU -p 137 --script smb-os-discovery 10.10.5.20"}]},{"@context":"https://schema.org","@type":"Question","text":"During an external assessment, you run 'nmap -sS -p- 203.0.113.45' and receive results showing port 443 as 'open', ports 22 and 3389 as 'filtered', and all other ports as 'closed'. The client insists SSH (22) is running and reachable internally. Which conclusion best explains the 'filtered' state for ports 22 and 3389?","acceptedAnswer":{"@type":"Answer","text":"A firewall or packet filter is dropping the SYN probes without returning a response, so Nmap cannot determine if the ports are open or closed"},"suggestedAnswer":[{"@type":"Answer","text":"The services on ports 22 and 3389 have crashed and are no longer listening on the target host"},{"@type":"Answer","text":"The target host sent a RST packet for ports 22 and 3389, indicating no service is bound to them"},{"@type":"Answer","text":"Nmap identified the service versions but could not fingerprint them, marking the ports as filtered"}]},{"@context":"https://schema.org","@type":"Question","text":"During an internal penetration test, you have identified a host at 10.10.5.42 with several open TCP ports. Your goal now is to determine the exact software and version running on each open port so you can cross-reference them against known vulnerability databases. Which Nmap command best accomplishes this enumeration objective?","acceptedAnswer":{"@type":"Answer","text":"nmap -sV --version-intensity 9 10.10.5.42"},"suggestedAnswer":[{"@type":"Answer","text":"nmap -sn 10.10.5.42"},{"@type":"Answer","text":"nmap -sS -Pn 10.10.5.42"},{"@type":"Answer","text":"nmap -O 10.10.5.42"}]},{"@context":"https://schema.org","@type":"Question","text":"During an authorized internal penetration test, a tester notices that a mid-range Nmap scan against a /24 subnet is triggering the client's IDS, generating alerts that flood the SOC. The engagement rules require the tester to reduce the likelihood of detection while still completing the enumeration within the testing window. Which Nmap timing option should the tester use to slow the scan enough to evade signature-based rate thresholds while remaining faster than the most conservative setting?","acceptedAnswer":{"@type":"Answer","text":"-T2 (polite)"},"suggestedAnswer":[{"@type":"Answer","text":"-T0 (paranoid)"},{"@type":"Answer","text":"-T4 (aggressive)"},{"@type":"Answer","text":"-T5 (insane)"}]},{"@context":"https://schema.org","@type":"Question","text":"During an internal assessment, a penetration tester wants to enumerate network management services that are commonly overlooked by TCP-only scans. The tester suspects several devices are running SNMP with default community strings. Which Nmap command best supports discovering and enumerating these SNMP services?","acceptedAnswer":{"@type":"Answer","text":"nmap -sU -p 161 --script snmp-brute,snmp-info 10.0.0.0/24"},"suggestedAnswer":[{"@type":"Answer","text":"nmap -sS -p 161 --script snmp-info 10.0.0.0/24"},{"@type":"Answer","text":"nmap -sT -p 162 --script banner 10.0.0.0/24"},{"@type":"Answer","text":"nmap -sU -p 53 --script dns-recursion 10.0.0.0/24"}]},{"@context":"https://schema.org","@type":"Question","text":"During a post-exploitation phase on a compromised Windows Server 2019 host, a penetration tester wants to store a secondary payload on disk in a way that keeps it out of casual directory listings and standard file browsing, while still allowing it to be executed later. The tester decides to hide the executable behind a legitimate log file already present in C:\\Logs\\system.log. Which technique achieves this goal?","acceptedAnswer":{"@type":"Answer","text":"Append the payload to an NTFS Alternate Data Stream, e.g. type payload.exe > C:\\Logs\\system.log:update.exe"},"suggestedAnswer":[{"@type":"Answer","text":"Set the payload file's attributes to hidden and system using attrib +h +s payload.exe"},{"@type":"Answer","text":"Compress the payload into a password-protected ZIP archive and place it in the Recycle Bin"},{"@type":"Answer","text":"Rename the payload with a .log extension and move it into C:\\Logs\\"}]},{"@context":"https://schema.org","@type":"Question","text":"During a web application assessment, a tester examines an OAuth 2.0 authorization code flow. The authorization server validates the redirect_uri parameter using only a prefix match (it checks that the value begins with https://app.example.com). The tester notices the client application also hosts an open redirect at https://app.example.com/go?url=. Which attack does this combination most directly enable?","acceptedAnswer":{"@type":"Answer","text":"Stealing the authorization code by chaining the open redirect to forward the code to an attacker-controlled host"},"suggestedAnswer":[{"@type":"Answer","text":"Downgrading the flow to the implicit grant to expose the client secret"},{"@type":"Answer","text":"Forging a JWT by exploiting the 'none' algorithm during token issuance"},{"@type":"Answer","text":"Performing a CSRF attack against the token revocation endpoint"}]},{"@context":"https://schema.org","@type":"Question","text":"During an internal engagement, you run both an unauthenticated and a credentialed OpenVAS scan against the same Windows workstation. The unauthenticated scan reports a critical remote code execution vulnerability in an outdated version of a service, but the credentialed scan does not list that finding at all. Local patch records confirm the relevant update was installed last month. Which conclusion best explains the discrepancy, and what should you do?","acceptedAnswer":{"@type":"Answer","text":"The unauthenticated finding is likely a false positive based on a stale service banner; correlate with the patch-level data from the credentialed scan and manually verify before reporting."},"suggestedAnswer":[{"@type":"Answer","text":"The credentialed scan missed the vulnerability due to insufficient privileges; report the critical RCE from the unauthenticated scan as confirmed."},{"@type":"Answer","text":"Both results are valid; report the vulnerability twice, once as critical and once as informational, to reflect each scan perspective."},{"@type":"Answer","text":"The patch records are unreliable; escalate to the client immediately and recommend re-imaging the workstation before continuing testing."}]},{"@context":"https://schema.org","@type":"Question","text":"A client contracts a penetration testing firm to assess a customer-facing web application built on a modern JavaScript framework with a REST API backend. The client's primary concern is coverage of application-layer vulnerabilities such as injection, broken authentication, and business logic flaws. The lead tester must select a methodology that provides a structured, repeatable framework specifically tailored to web application security testing so the engagement can be defended as thorough and standards-aligned. Which methodology should the tester adopt as the primary framework for this assessment?","acceptedAnswer":{"@type":"Answer","text":"OWASP Web Security Testing Guide (WSTG)"},"suggestedAnswer":[{"@type":"Answer","text":"NIST SP 800-115 as the sole testing framework"},{"@type":"Answer","text":"MITRE ATT&CK adversary emulation matrix"},{"@type":"Answer","text":"PCI DSS Requirement 11 testing procedures"}]},{"@context":"https://schema.org","@type":"Question","text":"During a web application assessment, a tester notices that an authentication token is passed in a cookie as a base64-encoded, AES-CBC-encrypted blob. When the tester submits a token with a slightly altered final block, the server returns a distinct '500 Internal Server Error' (invalid padding), whereas a semantically invalid but well-padded token returns a '403 Forbidden'. The tester wants to recover the plaintext of the token without knowing the encryption key. Which attack should the tester perform?","acceptedAnswer":{"@type":"Answer","text":"A padding oracle attack, using the differing server responses to decrypt the ciphertext byte-by-byte"},"suggestedAnswer":[{"@type":"Answer","text":"A length extension attack to append forged data to the encrypted token"},{"@type":"Answer","text":"A brute-force attack against the AES key using a GPU cracking rig"},{"@type":"Answer","text":"A birthday attack to find a hash collision in the token generation function"}]},{"@context":"https://schema.org","@type":"Question","text":"During an internal penetration test, you dump the local SAM database on a compromised Windows workstation and recover the NTLM hash for a local administrator account. You discover that this same local admin account and password are reused across many hosts in the environment. The target hosts require NTLM authentication and you do not have the cleartext password. Which technique lets you authenticate to the other hosts and move laterally using only the recovered hash?","acceptedAnswer":{"@type":"Answer","text":"Pass-the-hash using a tool such as impacket-psexec or CrackMapExec with the NTLM hash"},"suggestedAnswer":[{"@type":"Answer","text":"Kerberoasting to request and crack the service account TGS ticket offline"},{"@type":"Answer","text":"Perform an LLMNR/NBT-NS poisoning attack with Responder to relay credentials"},{"@type":"Answer","text":"Run a brute-force attack with Hydra against RDP using the hash as the password"}]},{"@context":"https://schema.org","@type":"Question","text":"A penetration tester has completed the fieldwork for an engagement and drafted the final report. Before the report is delivered to the client, the consulting firm's internal process requires the lead tester to have a colleague independently review the document. The reviewer checks that each finding maps to supporting evidence, that risk ratings are consistent with the firm's scoring methodology, and that recommendations are technically accurate. What is the PRIMARY purpose of this step?","acceptedAnswer":{"@type":"Answer","text":"Peer review (quality assurance) to validate accuracy, consistency, and evidentiary support before client delivery"},"suggestedAnswer":[{"@type":"Answer","text":"Client acceptance testing to confirm the remediation was successful"},{"@type":"Answer","text":"Obtaining written authorization to begin the testing engagement"},{"@type":"Answer","text":"Performing threat modeling to determine which assets are in scope"}]},{"@context":"https://schema.org","@type":"Question","text":"During the social-engineering discovery phase of an authorized engagement, a penetration tester is preparing a spear-phishing campaign against a company's finance department. The tester has already collected employee names, job titles, and email addresses. To maximize the credibility of the pretext before launching the campaign, which additional discovery activity provides the MOST value?","acceptedAnswer":{"@type":"Answer","text":"Research the target's recent press releases, vendor relationships, and internal terminology from public sources to craft a contextually believable lure"},"suggestedAnswer":[{"@type":"Answer","text":"Run a full credentialed Nessus scan of the finance department's workstations to identify missing patches"},{"@type":"Answer","text":"Perform an Nmap SYN scan against the company's external mail gateway to map open ports"},{"@type":"Answer","text":"Attempt SMTP VRFY commands against the mail server to validate that each address exists"}]},{"@context":"https://schema.org","@type":"Question","text":"During a physical security assessment of a corporate headquarters, a penetration tester observes that employees enter the building by tapping proximity badges against a reader near an unmonitored side entrance. The tester wants to identify a low-cost attack vector that would let them gain unauthorized entry while gathering intelligence for the report. Which discovery activity BEST supports identifying an exploitable physical weakness at this entrance?","acceptedAnswer":{"@type":"Answer","text":"Positioning a long-range RFID reader near the walkway to capture badge credential data from passing employees"},"suggestedAnswer":[{"@type":"Answer","text":"Running an Nmap SYN scan against the building's HVAC control network to find open ports"},{"@type":"Answer","text":"Sending a phishing email to reception staff asking them to disable the door alarm"},{"@type":"Answer","text":"Reviewing the organization's public financial filings for evidence of security budget cuts"}]},{"@context":"https://schema.org","@type":"Question","text":"During an internal assessment, you gain access to a low-privilege domain user account on a Windows workstation. You want to enumerate all computer objects in the Active Directory domain without dropping additional tools or triggering AV that flags known binaries. Which approach best supports this goal using native capabilities already present on the host?","acceptedAnswer":{"@type":"Answer","text":"Use the PowerShell ADSISearcher accelerator to query the domain for objects where objectCategory equals computer"},"suggestedAnswer":[{"@type":"Answer","text":"Run 'net view /domain' repeatedly against each subnet to broadcast for available hosts"},{"@type":"Answer","text":"Upload and execute BloodHound's SharpHound collector to ingest the full domain graph"},{"@type":"Answer","text":"Perform an Nmap ping sweep of the local /24 to identify live Windows hosts"}]},{"@context":"https://schema.org","@type":"Question","text":"During an internal network assessment, you produce four validated findings: (1) an unauthenticated remote code execution vulnerability on an isolated lab host with no network route to production, (2) a stored XSS on the internal HR portal used by 400 employees, (3) a plaintext credential set found in a world-readable file share that includes a domain administrator password, and (4) a missing HTTP security header on a public marketing site. Management asks you to rank the single finding that should be remediated first based on realistic exploitability and business impact. Which finding do you place at the top?","acceptedAnswer":{"@type":"Answer","text":"The plaintext domain administrator credentials on the world-readable share"},"suggestedAnswer":[{"@type":"Answer","text":"The unauthenticated RCE on the isolated lab host"},{"@type":"Answer","text":"The stored XSS on the internal HR portal"},{"@type":"Answer","text":"The missing HTTP security header on the public marketing site"}]},{"@context":"https://schema.org","@type":"Question","text":"During an internal network assessment, your credentialed scan returns four confirmed findings. Management asks which one to remediate first based on real-world risk, not just base score. Given the following, which vulnerability should be prioritized for immediate exploitation and remediation?","acceptedAnswer":{"@type":"Answer","text":"A CVSS 8.1 unauthenticated deserialization flaw on an internal application server, with a public Metasploit module and reachable from the tester's subnet"},"suggestedAnswer":[{"@type":"Answer","text":"A CVSS 9.8 RCE in a library that is installed but the vulnerable function is never called, and the service is bound to localhost only"},{"@type":"Answer","text":"A CVSS 9.1 flaw in a workstation OS component that requires local physical access and a rebooted machine to trigger"},{"@type":"Answer","text":"A CVSS 7.5 information-disclosure issue that leaks server version banners over the network"}]},{"@context":"https://schema.org","@type":"Question","text":"During an internal engagement, a penetration tester used a PsExec-style tool to execute commands on several Windows servers via SMB. The tool created and started a temporary service that copied an executable into the C:\\Windows directory on each target. Now that testing on those hosts is complete, which cleanup action most directly addresses the artifacts left by this specific technique?","acceptedAnswer":{"@type":"Answer","text":"Delete the dropped service binary from C:\\Windows and remove the temporary service entry created during execution on each affected host"},"suggestedAnswer":[{"@type":"Answer","text":"Reboot each affected server so that in-memory service handles are flushed automatically"},{"@type":"Answer","text":"Clear the Security event log on the domain controller to remove authentication records"},{"@type":"Answer","text":"Rotate the local administrator password used for the SMB connections on each host"}]},{"@context":"https://schema.org","@type":"Question","text":"A penetration tester is following the Penetration Testing Execution Standard (PTES) for a new engagement with a retail client. Before any scanning or exploitation begins, the tester and client need to formally agree on the systems in scope, the testing timeframe, acceptable techniques, and communication procedures. According to PTES, which phase encompasses these activities?","acceptedAnswer":{"@type":"Answer","text":"Pre-engagement Interactions"},"suggestedAnswer":[{"@type":"Answer","text":"Intelligence Gathering"},{"@type":"Answer","text":"Threat Modeling"},{"@type":"Answer","text":"Vulnerability Analysis"}]},{"@context":"https://schema.org","@type":"Question","text":"During an internal engagement, you have a file named hosts.txt containing one IP address per line. You need a quick Python script to identify which hosts respond to a single ICMP echo request so you can prioritize them for deeper enumeration. Which approach BEST accomplishes this while producing a clean list of only the responsive hosts?","acceptedAnswer":{"@type":"Answer","text":"Read each line from hosts.txt, invoke the system ping command via subprocess with a single-count flag, and append the IP to a results list only when the return code is 0."},"suggestedAnswer":[{"@type":"Answer","text":"Open hosts.txt and print every line to stdout, relying on the operator to visually confirm which addresses are reachable."},{"@type":"Answer","text":"Use socket.connect() on TCP port 80 for each IP and treat any successful connection as proof the host is up."},{"@type":"Answer","text":"Import the requests library and send an HTTP GET to each IP, logging any response as a live host."}]},{"@context":"https://schema.org","@type":"Question","text":"During a web application assessment, a tester notices that a search feature validates user input against a regular expression on the server side. When the tester submits a long string of repeated characters ending in a non-matching character (e.g., 'aaaaaaaaaaaaaaaaaaaa!'), the server takes over 30 seconds to respond and CPU utilization spikes to 100%. Submitting shorter inputs returns instantly. Which vulnerability is the tester most likely exploiting?","acceptedAnswer":{"@type":"Answer","text":"Regular Expression Denial of Service (ReDoS) via catastrophic backtracking"},"suggestedAnswer":[{"@type":"Answer","text":"Server-Side Request Forgery (SSRF) through the search parameter"},{"@type":"Answer","text":"SQL injection causing a full table scan and query delay"},{"@type":"Answer","text":"XML External Entity (XXE) billion-laughs entity expansion"}]},{"@context":"https://schema.org","@type":"Question","text":"A penetration tester is finalizing the report for a mid-sized retail client. The document must serve two very different readers: the board of directors, who approved the engagement budget and want a high-level view of business risk, and the IT operations team, who must remediate each issue. Which approach best structures the report to meet both audiences' needs?","acceptedAnswer":{"@type":"Answer","text":"Include a concise executive summary focused on business risk and remediation priorities, followed by detailed technical findings with reproduction steps and evidence for the operations team."},"suggestedAnswer":[{"@type":"Answer","text":"Write a single technical narrative with full command output and CVSS vectors, since providing all raw data lets each reader extract what they need."},{"@type":"Answer","text":"Deliver only the executive summary to the client and provide technical findings verbally during a debrief call to avoid exposing sensitive data in writing."},{"@type":"Answer","text":"Send the board a spreadsheet of all raw scanner output and give the IT team a one-page bullet list of the most severe findings."}]},{"@context":"https://schema.org","@type":"Question","text":"During an internal network penetration test, you have no valid domain credentials. You notice that hosts on the local subnet frequently broadcast LLMNR and NBT-NS name resolution requests for mistyped or unresolved hostnames. You want to capture credential material and then use it to authenticate to another host that has SMB signing disabled. Which combination of techniques best achieves this?","acceptedAnswer":{"@type":"Answer","text":"Use Responder to poison LLMNR/NBT-NS responses and capture NetNTLMv2 hashes, then relay them with ntlmrelayx to the target with SMB signing disabled"},"suggestedAnswer":[{"@type":"Answer","text":"Use Responder to capture NetNTLMv2 hashes, then pass-the-hash directly with the captured NetNTLMv2 value using CrackMapExec"},{"@type":"Answer","text":"Run an ARP spoofing attack with Ettercap to intercept Kerberos tickets and replay them against the target host"},{"@type":"Answer","text":"Perform a DNS cache poisoning attack to redirect SMB traffic, then extract cleartext NTLM credentials from the captured packets"}]},{"@context":"https://schema.org","@type":"Question","text":"During contract negotiations for a web application penetration test, the client asks that any remediation validation (retesting) of previously reported findings be included in the engagement terms. The penetration testing firm wants to ensure the retest is properly bounded and does not become an open-ended obligation. Which document and provision should the firm use to define the timing, scope, and cost of the retest?","acceptedAnswer":{"@type":"Answer","text":"The statement of work (SOW), by specifying the retest window, its limited scope, and associated fees"},"suggestedAnswer":[{"@type":"Answer","text":"The rules of engagement (ROE), by adding the retest target IP addresses to the authorized asset list"},{"@type":"Answer","text":"The non-disclosure agreement (NDA), by extending its confidentiality period to cover retest results"},{"@type":"Answer","text":"The master service agreement (MSA), by defining the general liability terms between the two parties"}]},{"@context":"https://schema.org","@type":"Question","text":"During pre-engagement planning for an external penetration test, the client's operations manager expresses concern that scanning could degrade performance of a customer-facing e-commerce platform during peak sales periods. The penetration testing team needs to formally address this concern before work begins. Which document and specific element should capture the agreed-upon constraint that active testing may only occur between 1:00 AM and 5:00 AM on weekdays?","acceptedAnswer":{"@type":"Answer","text":"The rules of engagement, specifying the authorized testing window"},"suggestedAnswer":[{"@type":"Answer","text":"The master service agreement, defining the retesting fee structure"},{"@type":"Answer","text":"The statement of work, listing the total number of billable hours"},{"@type":"Answer","text":"The authorization letter, naming the individual who signed off on the assessment"}]},{"@context":"https://schema.org","@type":"Question","text":"During an external network penetration test, the client's IT director calls the lead tester and verbally asks them to also assess a newly deployed VPN concentrator that was not listed in the signed scope document. The director insists it is urgent and 'part of the same network anyway.' What is the MOST appropriate action for the tester to take?","acceptedAnswer":{"@type":"Answer","text":"Pause and route the request through the formal change-control process to obtain written authorization and update the scope before testing the new asset"},"suggestedAnswer":[{"@type":"Answer","text":"Begin testing the VPN concentrator immediately since a senior client stakeholder authorized it verbally"},{"@type":"Answer","text":"Decline the request outright and refuse any further discussion until the current engagement ends"},{"@type":"Answer","text":"Add the concentrator to the report as an untested in-scope asset and note that the client requested coverage"}]},{"@context":"https://schema.org","@type":"Question","text":"During an internal engagement, your version scan reveals a host running vsftpd 2.3.4 on TCP 21. Before attempting any exploitation, you want to determine whether a public exploit exists for this exact software version and understand the attack vector it uses. Which action most directly accomplishes this research step?","acceptedAnswer":{"@type":"Answer","text":"Run searchsploit vsftpd 2.3.4 to query the local Exploit-DB copy for matching entries, then read the exploit source to confirm the version and vector"},"suggestedAnswer":[{"@type":"Answer","text":"Re-run the Nmap version scan with -sV --version-intensity 9 to confirm the banner is not a false positive before doing anything else"},{"@type":"Answer","text":"Launch the exploit immediately with Metasploit's vsftpd_234_backdoor module and observe whether a session opens"},{"@type":"Answer","text":"Query the NVD CVSS calculator to compute a base score for the finding and record it in the report"}]},{"@context":"https://schema.org","@type":"Question","text":"During a web application assessment, a penetration tester notices that the application assigns a session identifier in the URL before login and continues to use that same identifier after the user authenticates. The tester sends a victim a crafted link containing a session ID the tester already knows, waits for the victim to log in, and then reuses the same session ID to access the victim's authenticated session. Which vulnerability did the tester exploit?","acceptedAnswer":{"@type":"Answer","text":"Session fixation"},"suggestedAnswer":[{"@type":"Answer","text":"Cross-site request forgery (CSRF)"},{"@type":"Answer","text":"Session hijacking via packet sniffing"},{"@type":"Answer","text":"Insecure direct object reference (IDOR)"}]},{"@context":"https://schema.org","@type":"Question","text":"A penetration tester has completed the assessment and is preparing the final report for a mid-sized financial services client. During the closeout meeting, the client's CISO asks how the tester's findings should be integrated into the organization's existing governance framework so that remediation efforts can be tracked over time and prioritized against other operational threats. Which action BEST supports this request?","acceptedAnswer":{"@type":"Answer","text":"Map each finding to entries in the client's risk register with severity ratings and recommended remediation timelines"},"suggestedAnswer":[{"@type":"Answer","text":"Provide the client with the raw scanner output files so their team can re-run the tools independently"},{"@type":"Answer","text":"Recommend the client purchase a continuous automated scanning subscription to replace the risk register"},{"@type":"Answer","text":"Deliver only the executive summary since detailed findings are the tester's proprietary methodology"}]},{"@context":"https://schema.org","@type":"Question","text":"A penetration tester is beginning an on-site engagement at a client's regional office. The building's physical security guard challenges the tester, who is attempting a social engineering entry as part of the agreed scope. To immediately prove the activity is sanctioned and avoid being detained or having law enforcement called, which document should the tester carry?","acceptedAnswer":{"@type":"Answer","text":"The signed authorization letter (\"get-out-of-jail-free\" card) naming the tester and authorized activities"},"suggestedAnswer":[{"@type":"Answer","text":"The master service agreement (MSA) outlining the ongoing business relationship"},{"@type":"Answer","text":"The statement of work (SOW) describing deliverables and timelines"},{"@type":"Answer","text":"The non-disclosure agreement (NDA) protecting confidential information"}]},{"@context":"https://schema.org","@type":"Question","text":"During an internal engagement, you capture NTLMv2 authentication attempts using Responder but need to escalate beyond offline cracking, which is too slow given weak-password policy is enforced. You enumerate the domain and identify several hosts where SMB signing is not required. You want to leverage the captured authentication to gain command execution on one of these hosts. What is the MOST effective next step?","acceptedAnswer":{"@type":"Answer","text":"Configure Responder to disable its SMB and HTTP servers, then use ntlmrelayx.py to relay the incoming authentication to a target host with SMB signing disabled"},"suggestedAnswer":[{"@type":"Answer","text":"Feed the captured NTLMv2 hashes into hashcat with a larger wordlist and rule set to speed up cracking"},{"@type":"Answer","text":"Perform a pass-the-hash attack using the NTLMv2 hash directly against the target host with impacket's psexec"},{"@type":"Answer","text":"Use the captured hash to request a Kerberos TGT and forge a golden ticket for domain-wide access"}]},{"@context":"https://schema.org","@type":"Question","text":"During an internal network penetration test, you discover a Windows file server at 10.10.5.20 with TCP port 445 open. You want to enumerate the available network shares and identify any that permit anonymous access without providing valid domain credentials. Which command is the MOST appropriate to accomplish this?","acceptedAnswer":{"@type":"Answer","text":"smbclient -L //10.10.5.20 -N"},"suggestedAnswer":[{"@type":"Answer","text":"nmap -sn 10.10.5.20"},{"@type":"Answer","text":"hydra -l administrator -P wordlist.txt smb://10.10.5.20"},{"@type":"Answer","text":"dig @10.10.5.20 -x 10.10.5.20"}]},{"@context":"https://schema.org","@type":"Question","text":"During an external assessment, a penetration tester connects to a target's mail server on TCP port 25 and manually issues SMTP commands. The tester wants to confirm whether specific usernames exist as valid local mailboxes without sending any messages. Which SMTP command sequence is MOST appropriate for enumerating valid user accounts?","acceptedAnswer":{"@type":"Answer","text":"Issue VRFY and observe whether the server returns a 250/252 (valid) versus a 550 (unknown user) response"},"suggestedAnswer":[{"@type":"Answer","text":"Issue DATA followed by the message body and check for a 354 response to confirm the mailbox"},{"@type":"Answer","text":"Issue STARTTLS and inspect the certificate common name for embedded account names"},{"@type":"Answer","text":"Issue HELO followed by QUIT and parse the 221 closing banner for a user list"}]},{"@context":"https://schema.org","@type":"Question","text":"During an internal engagement, a penetration tester discovers that several network switches respond to SNMP requests. Using a common read-only community string, the tester wants to pull the full device configuration, interface tables, and running processes to map the network. Which tool and approach will most effectively walk the entire SNMP MIB tree from these devices?","acceptedAnswer":{"@type":"Answer","text":"Run snmpwalk with the read-only community string against each device to recursively enumerate the OID subtree"},"suggestedAnswer":[{"@type":"Answer","text":"Use snmpset to write new OID values so the device returns its configuration in the response"},{"@type":"Answer","text":"Perform an Nmap TCP connect scan on port 161 to retrieve the MIB data in the banner"},{"@type":"Answer","text":"Send an ICMP echo sweep to the switches and parse the SNMP data from the reply payload"}]},{"@context":"https://schema.org","@type":"Question","text":"A penetration testing firm has an existing Master Service Agreement (MSA) with a client that establishes general legal terms, liability limits, and confidentiality obligations. Midway through planning a new web application assessment, the client asks to add two additional subdomains and extend the testing window by three days. The lead tester wants to formalize these specific changes without renegotiating the overarching legal relationship. Which document should be used to capture these engagement-specific details?","acceptedAnswer":{"@type":"Answer","text":"A new Statement of Work (SOW) or change order referencing the existing MSA"},"suggestedAnswer":[{"@type":"Answer","text":"An amended Master Service Agreement that replaces the original"},{"@type":"Answer","text":"A non-disclosure agreement covering the new subdomains"},{"@type":"Answer","text":"A verbal authorization from the client's project manager documented in meeting notes"}]},{"@context":"https://schema.org","@type":"Question","text":"During a web application assessment, you confirm a SQL injection vulnerability in a Microsoft SQL Server backend. However, the application returns no error messages, no visible query output, and no measurable time delays when you inject boolean or time-based payloads. Outbound TCP to the internet is blocked, but the database server is permitted to make outbound DNS queries. Which technique is most appropriate to extract data from this database?","acceptedAnswer":{"@type":"Answer","text":"Trigger an out-of-band DNS exfiltration using xp_dirtree to a UNC path containing subqueried data"},"suggestedAnswer":[{"@type":"Answer","text":"Use a UNION-based injection to append the target columns to the visible result set"},{"@type":"Answer","text":"Perform a heavy time-based blind extraction using WAITFOR DELAY on each character"},{"@type":"Answer","text":"Force verbose SQL error messages with a CAST conversion to leak data in the response body"}]},{"@context":"https://schema.org","@type":"Question","text":"During a web application assessment, you identify a product-listing page with a parameter (?id=12) that appears vulnerable to SQL injection. Before extracting data via a UNION-based attack, you need to determine the number of columns returned by the original query. Which technique should you use FIRST to reliably enumerate the correct column count?","acceptedAnswer":{"@type":"Answer","text":"Inject sequential 'ORDER BY n--' statements, incrementing n until the application returns an error"},"suggestedAnswer":[{"@type":"Answer","text":"Inject 'UNION SELECT NULL-- ' and immediately attempt to read table names from information_schema"},{"@type":"Answer","text":"Append 'AND 1=1--' and 'AND 1=2--' to confirm boolean-based blind injection timing differences"},{"@type":"Answer","text":"Submit 'WAITFOR DELAY '0:0:10'--' to measure response latency and infer column structure"}]},{"@context":"https://schema.org","@type":"Question","text":"During an internal engagement, you compromise a dual-homed Linux jump host at 10.10.5.20. It has a second interface (192.168.50.5) connected to a segmented database VLAN that your Kali box cannot reach directly. You hold valid SSH credentials on the jump host and want to run your local tools against a MySQL server at 192.168.50.40:3306 without installing any binaries on the jump host. Which technique best accomplishes this?","acceptedAnswer":{"@type":"Answer","text":"Establish an SSH local port forward (ssh -L 3306:192.168.50.40:3306 user@10.10.5.20) and point your local MySQL client at 127.0.0.1:3306"},"suggestedAnswer":[{"@type":"Answer","text":"Add a static route on Kali (ip route add 192.168.50.0/24 via 10.10.5.20) so traffic is routed through the jump host automatically"},{"@type":"Answer","text":"Upload a full port scanner to the jump host and run all enumeration from there, exfiltrating results back to Kali"},{"@type":"Answer","text":"Use an SSH remote port forward (ssh -R) so the jump host initiates the connection back to your Kali listener"}]},{"@context":"https://schema.org","@type":"Question","text":"During a web application assessment, you discover that a PDF-generation feature accepts a user-supplied URL and fetches it server-side to render into a document. The application is hosted on an AWS EC2 instance. You submit a URL pointing to an internal address and confirm the server returns the content. Which follow-up request most directly demonstrates the highest-impact exploitation of this flaw?","acceptedAnswer":{"@type":"Answer","text":"Request http://169.254.169.254/latest/meta-data/iam/security-credentials/ to retrieve the instance role's temporary IAM credentials"},"suggestedAnswer":[{"@type":"Answer","text":"Request http://127.0.0.1:8080/admin to test whether the internal admin panel is reachable"},{"@type":"Answer","text":"Request file:///etc/passwd to enumerate local user accounts on the host"},{"@type":"Answer","text":"Request http://169.254.169.254/latest/meta-data/instance-id to confirm the instance identifier"}]},{"@context":"https://schema.org","@type":"Question","text":"During a web application assessment, you discover that a comment field on a product review page reflects unsanitized input that persists and executes for every visitor who loads the page. Your goal is to demonstrate impact by capturing authenticated user session tokens. However, testing reveals that the application sets its session cookie with the HttpOnly flag. Which technique should you use to still demonstrate meaningful session-related impact from this stored XSS?","acceptedAnswer":{"@type":"Answer","text":"Use the XSS to force victims' authenticated browsers to perform sensitive actions or proxy requests through them (session riding)"},"suggestedAnswer":[{"@type":"Answer","text":"Inject a script that reads document.cookie and exfiltrates the session token to your listener"},{"@type":"Answer","text":"Switch to a reflected XSS payload since HttpOnly does not apply to reflected contexts"},{"@type":"Answer","text":"Report the finding as informational only because HttpOnly makes stored XSS non-exploitable"}]},{"@context":"https://schema.org","@type":"Question","text":"During a web application assessment, a penetration tester notices that a 'greeting name' parameter is reflected directly in a rendered page. To test for server-side template injection, the tester submits the payload {{7*7}} and the response body displays '49'. Which follow-up action best confirms the vulnerability can be leveraged for remote code execution on the Flask/Jinja2 backend?","acceptedAnswer":{"@type":"Answer","text":"Submit a payload that traverses Python object attributes, such as {{''.__class__.__mro__[1].__subclasses__()}}, to reach a class capable of executing OS commands"},"suggestedAnswer":[{"@type":"Answer","text":"Submit ${7*7} and observe whether the response returns 49, confirming Java Expression Language evaluation"},{"@type":"Answer","text":"Submit to determine whether the parameter is also vulnerable to reflected cross-site scripting"},{"@type":"Answer","text":"Submit ' OR '1'='1 to check whether the template engine passes input directly into a backend SQL query"}]},{"@context":"https://schema.org","@type":"Question","text":"During the passive reconnaissance phase of an external engagement, you must build a list of employee email addresses and associated hostnames for a target company without sending any packets to the client's infrastructure. You want a tool that aggregates results from public search engines, PGP key servers, and certificate sources. Which tool BEST fits this requirement?","acceptedAnswer":{"@type":"Answer","text":"theHarvester"},"suggestedAnswer":[{"@type":"Answer","text":"Responder"},{"@type":"Answer","text":"Hydra"},{"@type":"Answer","text":"Nikto"}]},{"@context":"https://schema.org","@type":"Question","text":"During pre-engagement scoping, a client provides a target IP range for an external penetration test. While reviewing the assets, the tester discovers that several in-scope web applications are hosted on infrastructure owned and operated by a third-party managed hosting provider, not the client. The client insists they own the applications and that this is sufficient authorization. What is the MOST appropriate action for the tester to take before beginning active testing against those systems?","acceptedAnswer":{"@type":"Answer","text":"Obtain written authorization from the third-party hosting provider before testing the shared infrastructure"},"suggestedAnswer":[{"@type":"Answer","text":"Proceed with testing, since the client owns the applications and has authorized the engagement in the signed contract"},{"@type":"Answer","text":"Test only the application layer and avoid any activity that could affect the underlying hosting infrastructure"},{"@type":"Answer","text":"Exclude the hosted applications from scope entirely, since only client-owned infrastructure can be legally tested"}]},{"@context":"https://schema.org","@type":"Question","text":"A client requests a penetration test but is unsure of the full extent of their externally facing infrastructure, and they anticipate that new assets may be discovered during reconnaissance that could expand the effort. They want a contract structure that fairly accommodates this uncertainty while still allowing them to control overall spend. Which contract type should the penetration testing firm recommend during pre-engagement negotiations?","acceptedAnswer":{"@type":"Answer","text":"A time-and-materials contract with a not-to-exceed cap"},"suggestedAnswer":[{"@type":"Answer","text":"A firm fixed-price contract based on the client's initial asset estimate"},{"@type":"Answer","text":"A non-disclosure agreement in place of a formal services contract"},{"@type":"Answer","text":"A master service agreement with no accompanying statement of work"}]},{"@context":"https://schema.org","@type":"Question","text":"During an internal assessment, your automated scanner reports that a web server on port 8443 is vulnerable to a critical POODLE (CVE-2014-3566) SSLv3 downgrade attack. The client is skeptical because they claim SSLv3 was disabled last year. Before including this in the report, which action MOST reliably confirms whether the finding is a genuine vulnerability or a false positive?","acceptedAnswer":{"@type":"Answer","text":"Manually negotiate a connection to the service using an SSLv3-forced handshake (e.g., openssl s_client -ssl3 -connect host:8443) to verify whether the protocol is actually accepted"},"suggestedAnswer":[{"@type":"Answer","text":"Re-run the same scanner with the plugin severity threshold raised so the finding is filtered out of the report"},{"@type":"Answer","text":"Search Exploit-DB for a working POODLE proof-of-concept and note its availability in the report"},{"@type":"Answer","text":"Compare the reported CVSS base score against the client's asserted patch date and drop the finding if the dates conflict"}]},{"@context":"https://schema.org","@type":"Question","text":"During a social engineering engagement, you have already harvested a target employee's corporate credentials but cannot log in because the organization enforces push-based MFA. You decide to call the employee while repeatedly triggering authentication requests, posing as IT support and instructing them to \"approve the prompt to clear the error.\" Which attack technique are you executing?","acceptedAnswer":{"@type":"Answer","text":"MFA fatigue (push bombing) reinforced with vishing"},"suggestedAnswer":[{"@type":"Answer","text":"SIM swapping combined with SS7 interception"},{"@type":"Answer","text":"Adversary-in-the-middle (AiTH) session token theft"},{"@type":"Answer","text":"Golden SAML forgery against the identity provider"}]},{"@context":"https://schema.org","@type":"Question","text":"During an internal network penetration test, you are connected to a switch port on the native VLAN (VLAN 1). Your goal is to send traffic to a workstation on VLAN 20, which is normally segmented from your VLAN. You confirm the switch uses 802.1Q trunking and has not disabled dynamic trunking or changed the native VLAN. Which technique will allow you to forward crafted frames into VLAN 20 from your access port?","acceptedAnswer":{"@type":"Answer","text":"Double-tagging: craft frames with an outer 802.1Q tag matching the native VLAN and an inner tag for VLAN 20"},"suggestedAnswer":[{"@type":"Answer","text":"Send a gratuitous ARP reply advertising your MAC as the VLAN 20 gateway"},{"@type":"Answer","text":"Flood the CAM table with random MAC addresses until the switch fails open"},{"@type":"Answer","text":"Perform a DHCP starvation attack to exhaust the VLAN 20 address pool"}]},{"@context":"https://schema.org","@type":"Question","text":"During a web application assessment, a penetration tester notices that several probes return generic 403 responses and that requests containing SQL-like syntax are dropped inconsistently. Before continuing active testing, the tester wants to identify whether a web application firewall is present and, if so, which product it is, so evasion techniques can be planned. Which tool is BEST suited to fingerprint the protective technology in front of the web application?","acceptedAnswer":{"@type":"Answer","text":"wafw00f"},"suggestedAnswer":[{"@type":"Answer","text":"dirb"},{"@type":"Answer","text":"sqlmap"},{"@type":"Answer","text":"whatweb"}]},{"@context":"https://schema.org","@type":"Question","text":"During a web application assessment, a tester notices that the application reflects the value of the X-Forwarded-Host header into an absolute URL used to load a JavaScript file, and that responses are served through a CDN. The tester crafts a request with a malicious X-Forwarded-Host value and observes that subsequent requests from other clients (without the malicious header) receive the poisoned response containing the attacker-controlled script source. Which attack has the tester successfully demonstrated?","acceptedAnswer":{"@type":"Answer","text":"Web cache poisoning via an unkeyed input"},"suggestedAnswer":[{"@type":"Answer","text":"Server-side request forgery through the Host header"},{"@type":"Answer","text":"HTTP response splitting via CRLF injection"},{"@type":"Answer","text":"Reflected cross-site scripting requiring a phishing lure"}]},{"@context":"https://schema.org","@type":"Question","text":"During an internal assessment, your web vulnerability scanner reports \"Directory Listing Enabled\" as a Medium-severity finding on an intranet Apache server at /uploads/. Before including it in the report, you must determine its real risk to the organization. Which action most effectively validates the finding's actual impact and helps you assign an accurate priority?","acceptedAnswer":{"@type":"Answer","text":"Browse to /uploads/ manually and enumerate the exposed files to determine whether any contain sensitive or exploitable content"},"suggestedAnswer":[{"@type":"Answer","text":"Immediately mark the finding as a confirmed high-severity data exposure because directory listing always leaks confidential data"},{"@type":"Answer","text":"Re-run the same scanner with a more aggressive plugin set to see if the severity rating increases"},{"@type":"Answer","text":"Discard the finding as a false positive since directory listing is only an informational misconfiguration with no impact"}]},{"@context":"https://schema.org","@type":"Question","text":"During an internal engagement, your vulnerability scanner flags a Linux web server as vulnerable to a critical Apache HTTP Server remote code execution CVE. The scan is unauthenticated and matched the vulnerability solely on the Server response header showing 'Apache/2.4.29'. Before adding this to the report, what is the BEST way to determine whether this finding is a false positive?","acceptedAnswer":{"@type":"Answer","text":"Perform a credentialed check of the installed package version and applied distribution backport patches to verify the actual patch level"},"suggestedAnswer":[{"@type":"Answer","text":"Immediately run the public proof-of-concept exploit against the production server to confirm code execution"},{"@type":"Answer","text":"Increase the scanner's severity threshold so lower-confidence findings are suppressed in future scans"},{"@type":"Answer","text":"Report the finding as confirmed critical because the banner version matches the vulnerable release in the NVD entry"}]},{"@context":"https://schema.org","@type":"Question","text":"During an internal assessment, your automated scanner flags a web application server as vulnerable to the POODLE attack (CVE-2014-3566) with a HIGH severity rating. Before including this finding in your report, you want to eliminate the possibility of a false positive. Which action most directly confirms whether this vulnerability is genuinely present?","acceptedAnswer":{"@type":"Answer","text":"Manually negotiate a connection using openssl s_client with the -ssl3 flag to verify the server actually accepts an SSLv3 handshake"},"suggestedAnswer":[{"@type":"Answer","text":"Re-run the same scanner with credentialed access to increase the accuracy of the plugin output"},{"@type":"Answer","text":"Check the server's HTTP response headers for a Server banner indicating an old web server version"},{"@type":"Answer","text":"Search Exploit-DB for a public proof-of-concept and confirm one exists for CVE-2014-3566"}]},{"@context":"https://schema.org","@type":"Question","text":"During a web application assessment, your automated scanner flags two findings on the same target: (1) a reflected XSS in a search parameter rated Medium, and (1) 'Apache HTTP Server 2.4.29 - Multiple Vulnerabilities' rated Critical, based solely on the Server response header. The client's change records show the web tier was migrated to Nginx six months ago, sitting behind a reverse proxy. What is the most appropriate next step before including these in the report?","acceptedAnswer":{"@type":"Answer","text":"Manually confirm the reflected XSS by crafting a proof-of-concept payload, and investigate the Apache banner finding as a likely false positive caused by a misleading or spoofed header"},"suggestedAnswer":[{"@type":"Answer","text":"Report both findings at their scanner-assigned severities, since the tool correlated them to known CVEs"},{"@type":"Answer","text":"Discard the XSS as a false positive because reflected XSS requires user interaction, and escalate the Apache Critical immediately"},{"@type":"Answer","text":"Rescan the target with a different tool and report only findings that appear in both scanners' output"}]},{"@context":"https://schema.org","@type":"Question","text":"During the passive reconnaissance phase of an external penetration test, you must gather information about the target organization without generating any traffic to the client's production infrastructure. You want to identify the domain registration date, the registrar, the abuse contact email, and the authoritative name servers listed for the target domain. Which tool or technique BEST satisfies this requirement while remaining strictly passive?","acceptedAnswer":{"@type":"Answer","text":"Query public WHOIS registration records for the target domain"},"suggestedAnswer":[{"@type":"Answer","text":"Run an Nmap SYN scan against the target's published name servers"},{"@type":"Answer","text":"Attempt a DNS zone transfer (AXFR) against the authoritative name servers"},{"@type":"Answer","text":"Use Nikto to crawl the target's public website for metadata"}]},{"@context":"https://schema.org","@type":"Question","text":"During an authorized wireless assessment of a corporate office, you observe that the guest SSID 'Corp-Guest' uses no encryption and redirects clients to a captive portal for authentication. You want to capture guest credentials by tricking users into connecting to a rogue access point that mimics the legitimate network. Which technique BEST accomplishes this goal?","acceptedAnswer":{"@type":"Answer","text":"Deploy an evil twin AP broadcasting the same SSID with a cloned captive portal to harvest submitted credentials"},"suggestedAnswer":[{"@type":"Answer","text":"Perform a WPA2 handshake capture with a deauthentication attack and crack the pre-shared key offline"},{"@type":"Answer","text":"Use MAC address spoofing to bypass the captive portal's client isolation"},{"@type":"Answer","text":"Launch a KRACK attack to force nonce reuse during the four-way handshake"}]},{"@context":"https://schema.org","@type":"Question","text":"During a web application assessment, you notice that an API endpoint at https://app.corp.com/api/profile returns sensitive user data and includes the response header 'Access-Control-Allow-Origin: *' along with 'Access-Control-Allow-Credentials: true'. The application uses session cookies for authentication. Which conclusion is most accurate about exploiting this configuration?","acceptedAnswer":{"@type":"Answer","text":"The combination is invalid per the CORS spec, so browsers will not send credentials, and the data cannot be stolen cross-origin this way."},"suggestedAnswer":[{"@type":"Answer","text":"The configuration is exploitable as-is; a malicious site can read the credentialed response from any authenticated victim's browser."},{"@type":"Answer","text":"The wildcard origin fully protects the endpoint because it prevents any specific origin from being trusted."},{"@type":"Answer","text":"Exploitation requires first bypassing the HttpOnly flag on the session cookie before any cross-origin read is possible."}]},{"@context":"https://schema.org","@type":"Question","text":"During a host-based assessment on a Windows 10 workstation, you have a low-privileged user shell. You enumerate the registry and find that both HKLM\\Software\\Policies\\Microsoft\\Windows\\Installer\\AlwaysInstallElevated and HKCU\\Software\\Policies\\Microsoft\\Windows\\Installer\\AlwaysInstallElevated are set to 0x1. Which technique will most reliably escalate your privileges given this specific misconfiguration?","acceptedAnswer":{"@type":"Answer","text":"Craft a malicious MSI package with msfvenom and install it with msiexec, which runs the installer with SYSTEM privileges"},"suggestedAnswer":[{"@type":"Answer","text":"Replace the binary path of an unquoted service with a payload and restart the service"},{"@type":"Answer","text":"Abuse SeImpersonatePrivilege with a potato-style attack to steal a SYSTEM token"},{"@type":"Answer","text":"Modify the PATH environment variable to hijack a DLL loaded by a scheduled task"}]},{"@context":"https://schema.org","@type":"Question","text":"After compromising a low-privileged domain account on an internal Windows network, a penetration tester collects Active Directory data with SharpHound and imports it into BloodHound. The tester's goal is to find the most efficient route to Domain Admin without launching noisy brute-force or exploitation attempts against every host. Which BloodHound capability best supports this objective?","acceptedAnswer":{"@type":"Answer","text":"Running the 'Shortest Paths to Domain Admins from Owned Principals' query to visualize existing ACL, group, and session-based attack paths"},"suggestedAnswer":[{"@type":"Answer","text":"Using the built-in password-spraying module to test the compromised credential against all discovered accounts"},{"@type":"Answer","text":"Exporting the graph to CSV and manually deploying a Metasploit exploit against each computer object"},{"@type":"Answer","text":"Enabling BloodHound's live packet-capture feature to sniff NTLMv2 hashes during collection"}]},{"@context":"https://schema.org","@type":"Question","text":"During a post-exploitation phase, you have SYSTEM-level access on a domain-joined Windows workstation that is currently disconnected from the corporate network. The domain controller is unreachable, so you cannot perform an LSASS dump against a live authentication session or query the DC directly. You want to recover domain credentials for lateral movement once connectivity is restored. Which technique is MOST appropriate given these constraints?","acceptedAnswer":{"@type":"Answer","text":"Extract cached domain logon hashes (MSCACHEv2/DCC2) from the SECURITY registry hive and crack them offline"},"suggestedAnswer":[{"@type":"Answer","text":"Perform a DCSync attack to replicate credential material from the domain controller"},{"@type":"Answer","text":"Run Responder to poison LLMNR/NBT-NS and capture NetNTLMv2 hashes from other hosts"},{"@type":"Answer","text":"Use pass-the-hash with the local Administrator hash to authenticate directly to the domain controller"}]},{"@context":"https://schema.org","@type":"Question","text":"During a Windows engagement, you established persistence using a scheduled task, a Run registry key, and a WMI event subscription. The engagement is ending and the client requires the environment restored to its pre-test state. Which approach best ensures complete cleanup of your persistence mechanisms?","acceptedAnswer":{"@type":"Answer","text":"Consult the activity log you maintained throughout testing to identify each artifact created, then systematically remove the scheduled task, the registry Run key value, and the WMI event subscription, verifying each removal"},"suggestedAnswer":[{"@type":"Answer","text":"Delete only the scheduled task, since it is the most easily detected mechanism, and leave the others for the client's blue team to find as a detection exercise"},{"@type":"Answer","text":"Run a commercial anti-malware scan on the host and assume it will remove all traces of your implants automatically"},{"@type":"Answer","text":"Reboot the host to clear all in-memory implants and consider the persistence removed"}]},{"@context":"https://schema.org","@type":"Question","text":"After compromising a Windows workstation and gaining a foothold in the user's context, you want to recover the user's saved credentials from the Windows Credential Manager without cracking any hashes offline. The account is a standard domain user, and you already have an interactive session running as that user. Which post-exploitation approach will allow you to decrypt and recover these stored secrets?","acceptedAnswer":{"@type":"Answer","text":"Use the user's DPAPI master key, which is unlocked in the current logon session, to decrypt the Credential Manager blobs while running in the victim's context"},"suggestedAnswer":[{"@type":"Answer","text":"Extract the SAM and SYSTEM registry hives and crack the local account NTLM hashes with a wordlist"},{"@type":"Answer","text":"Perform a DCSync against the domain controller to replicate the user's stored plaintext credentials"},{"@type":"Answer","text":"Dump LSASS and pass the recovered Kerberos TGT to a remote host to read the vault"}]},{"@context":"https://schema.org","@type":"Question","text":"During a post-exploitation phase on a compromised Windows workstation joined to CORP.LOCAL, you have local admin and a domain user context. Your goal is to identify whether other Active Directory domains or forests are reachable so you can plan lateral movement beyond the current domain. Which command most directly enumerates the trust relationships available from this domain?","acceptedAnswer":{"@type":"Answer","text":"nltest /domain_trusts /all_trusts"},"suggestedAnswer":[{"@type":"Answer","text":"net localgroup administrators"},{"@type":"Answer","text":"ipconfig /displaydns"},{"@type":"Answer","text":"whoami /priv"}]},{"@context":"https://schema.org","@type":"Question","text":"After gaining a foothold on a Windows workstation with a domain user's cached credentials, you want to identify which other machines this compromised user has active sessions on, so you can prioritize lateral movement targets where their token or credentials may be reusable. You have BloodHound-collected data available. Which enumeration approach most directly reveals where the compromised user is currently logged on across the domain?","acceptedAnswer":{"@type":"Answer","text":"Query the SessionInfo/HasSession relationships collected from remote hosts to map where the user account has active logon sessions"},"suggestedAnswer":[{"@type":"Answer","text":"Run 'net user /domain' to list all domain accounts and their group memberships"},{"@type":"Answer","text":"Enumerate SPNs with 'setspn -Q' to find service accounts tied to the user"},{"@type":"Answer","text":"Use 'nltest /dclist' to enumerate all domain controllers in the environment"}]},{"@context":"https://schema.org","@type":"Question","text":"During a post-exploitation phase, you have SYSTEM-level access on a Windows 10 workstation belonging to a domain user. You want to harvest plaintext credentials and NTLM hashes of accounts that have recently authenticated interactively on this host, without triggering a domain-wide replication event. Which technique best meets this goal?","acceptedAnswer":{"@type":"Answer","text":"Dump the contents of LSASS process memory on the local host and parse it for cached credential material"},"suggestedAnswer":[{"@type":"Answer","text":"Perform a DCSync against the domain controller to request replication of all account secrets"},{"@type":"Answer","text":"Forge a golden ticket using the krbtgt hash to impersonate any domain user"},{"@type":"Answer","text":"Run RID cycling against the local SAM to enumerate all domain accounts"}]},{"@context":"https://schema.org","@type":"Question","text":"During a post-exploitation phase, you have compromised a Windows workstation and obtained a domain user's NTLM hash. You want to move laterally to a file server that requires Kerberos authentication, but you do not have the user's cleartext password and cannot yet elevate to domain admin. Which technique lets you use the captured hash to obtain a Kerberos TGT and authenticate to the file server?","acceptedAnswer":{"@type":"Answer","text":"Overpass-the-hash (pass-the-key) to request a TGT using the NTLM hash, then use the ticket to access the file server"},"suggestedAnswer":[{"@type":"Answer","text":"Forge a golden ticket using the krbtgt hash and inject it into the current session"},{"@type":"Answer","text":"Perform an SMB relay attack against the file server using the captured hash"},{"@type":"Answer","text":"Run a DCSync against the domain controller to replicate the target user's credentials"}]},{"@context":"https://schema.org","@type":"Question","text":"During an internal engagement, you have obtained an unprivileged shell on a Windows 10 workstation joined to CORP.LOCAL. Your goal is lateral movement, but first you must understand the environment from this foothold. You want to identify which other hosts the current user can already authenticate to without cracking or capturing new credentials, so you can pivot immediately. Which enumeration action provides the MOST direct answer to that specific question?","acceptedAnswer":{"@type":"Answer","text":"Run 'cmdkey /list' to display stored credentials and saved network authentication targets available to the current user"},"suggestedAnswer":[{"@type":"Answer","text":"Run 'net view /domain' to list all computers registered in the domain browser service"},{"@type":"Answer","text":"Run 'nltest /dclist:corp.local' to enumerate every domain controller in the environment"},{"@type":"Answer","text":"Run 'ipconfig /all' to review DNS suffixes and the configured domain controllers"}]},{"@context":"https://schema.org","@type":"Question","text":"During post-exploitation on a Windows 2019 server, you have a Meterpreter session running as a local service account (NT SERVICE\\MSSQLSERVER) that holds the SeImpersonatePrivilege but not SeDebugPrivilege. You want to escalate to SYSTEM without dropping additional binaries to disk and without triggering a new process creation event that the SOC is monitoring. Which technique best fits these constraints?","acceptedAnswer":{"@type":"Answer","text":"Use a named-pipe impersonation potato-style attack (e.g., RoguePotato/PrintSpoofer) that coerces a SYSTEM service to authenticate to a pipe the session controls, then impersonates the resulting token"},"suggestedAnswer":[{"@type":"Answer","text":"Dump LSASS memory with Mimikatz to recover the local Administrator NTLM hash, then pass-the-hash back to the same host"},{"@type":"Answer","text":"Enumerate unquoted service paths and plant a malicious executable in a writable directory, then restart the affected service"},{"@type":"Answer","text":"Modify the HKLM Run key to add a SYSTEM-level payload that executes at the next reboot"}]},{"@context":"https://schema.org","@type":"Question","text":"After compromising a standard domain user's workstation during an internal engagement, you have an unprivileged shell and want to identify which accounts belong to the Domain Admins group so you can prioritize lateral movement targets. You want to use only built-in Windows tooling to avoid dropping additional binaries. Which command returns the membership of the Domain Admins group by querying the domain controller?","acceptedAnswer":{"@type":"Answer","text":"net group \"Domain Admins\" /domain"},"suggestedAnswer":[{"@type":"Answer","text":"net localgroup Administrators"},{"@type":"Answer","text":"net user /domain"},{"@type":"Answer","text":"net accounts /domain"}]},{"@context":"https://schema.org","@type":"Question","text":"After gaining an initial foothold on a Windows workstation as a standard domain user during an internal engagement, you want to determine whether the compromised account already has administrative rights on the local machine before attempting any privilege escalation exploits. Which command provides this information most directly?","acceptedAnswer":{"@type":"Answer","text":"net localgroup administrators"},"suggestedAnswer":[{"@type":"Answer","text":"net group \"Domain Admins\" /domain"},{"@type":"Answer","text":"net user %USERNAME% /domain"},{"@type":"Answer","text":"netstat -ano"}]},{"@context":"https://schema.org","@type":"Question","text":"During post-exploitation on a compromised Windows workstation, a penetration tester has obtained a standard domain user's context. Before attempting privilege escalation, the tester wants to enumerate what other systems and file shares this user can already reach with existing credentials — without dropping additional tools or triggering AV. Which built-in command approach BEST accomplishes this initial lateral-movement reconnaissance?","acceptedAnswer":{"@type":"Answer","text":"Use 'net view /domain' and 'net use' to list domain hosts and map accessible shares using the current user's cached credentials"},"suggestedAnswer":[{"@type":"Answer","text":"Run 'mimikatz sekurlsa::logonpasswords' to dump credentials from LSASS before enumerating anything"},{"@type":"Answer","text":"Execute 'psexec \\\\target cmd.exe' against every host in the subnet to test remote code execution"},{"@type":"Answer","text":"Launch a full 'nmap -sS -p-' TCP SYN scan of the entire internal /16 from the compromised host"}]},{"@context":"https://schema.org","@type":"Question","text":"After compromising a standard user workstation in a Windows domain, a penetration tester wants to enumerate other hosts and identify which remote systems expose accessible file shares to plan lateral movement. The tester wants to avoid dropping additional tooling on the host and prefers living-off-the-land binaries. Which built-in command sequence BEST accomplishes discovering domain hosts and then enumerating their shared resources?","acceptedAnswer":{"@type":"Answer","text":"Use 'net view /domain' to list domain hosts, then 'net view \\\\' against discovered systems to enumerate their shared resources"},"suggestedAnswer":[{"@type":"Answer","text":"Run 'ipconfig /all' to identify the local subnet, then 'arp -a' to list every share on the network"},{"@type":"Answer","text":"Execute 'net user /domain' to list all domain accounts, then 'net accounts' to reveal each host's mounted shares"},{"@type":"Answer","text":"Use 'nslookup -type=SRV _ldap._tcp' to locate shares and 'whoami /priv' to map them to hostnames"}]},{"@context":"https://schema.org","@type":"Question","text":"During an internal engagement, you have dumped an NTLM hash for a domain user from a compromised Windows workstation but cannot crack the password offline. Kerberos authentication is enforced across the environment, and you want to move laterally to a file server that only accepts Kerberos, not NTLM. Which technique lets you leverage the NTLM hash to obtain a Kerberos TGT for that user?","acceptedAnswer":{"@type":"Answer","text":"Overpass-the-hash (pass-the-key) to request a TGT using the NTLM hash as the Kerberos key"},"suggestedAnswer":[{"@type":"Answer","text":"Standard pass-the-hash over SMB directly against the file server"},{"@type":"Answer","text":"ASREP-roasting the target user to extract a crackable ticket"},{"@type":"Answer","text":"Kerberoasting the file server's machine account to obtain a service ticket"}]},{"@context":"https://schema.org","@type":"Question","text":"During an internal engagement, you have compromised a dual-homed Windows host (10.0.5.12) that also connects to an isolated 192.168.30.0/24 segment your Kali box cannot reach directly. You have a Meterpreter session on the compromised host. You need to run Nmap and other tools from your Kali box against hosts in the 192.168.30.0/24 network. Which approach best enables this?","acceptedAnswer":{"@type":"Answer","text":"Add a route to the 192.168.30.0/24 network through the Meterpreter session, start a SOCKS proxy server module, and configure proxychains on Kali to tunnel Nmap traffic through it"},"suggestedAnswer":[{"@type":"Answer","text":"Enable IP forwarding on the Kali box and add a static route pointing 192.168.30.0/24 directly to the compromised host's external IP"},{"@type":"Answer","text":"Run an Nmap ping sweep from Kali against 192.168.30.0/24 using the -Pn flag to bypass the network isolation"},{"@type":"Answer","text":"Upload Nmap to the compromised Windows host and disable the Windows firewall so scan results are reachable from Kali"}]},{"@context":"https://schema.org","@type":"Question","text":"During an internal engagement, you compromise a dual-homed Windows workstation that sits on both the 10.10.5.0/24 user VLAN and the 10.10.50.0/24 restricted server VLAN. Your attack host cannot route directly to 10.10.50.0/24, and outbound firewall rules from the workstation allow only TCP/443 to your attack host's public IP. You want to run Nmap and Metasploit modules from your attack host against multiple hosts and ports in the server VLAN, tunneling through the compromised workstation. Which approach best meets these constraints?","acceptedAnswer":{"@type":"Answer","text":"Use plink.exe on the workstation to create a reverse SSH connection over port 443 back to your attack host, establish a dynamic (SOCKS) port forward, and run your tools through proxychains"},"suggestedAnswer":[{"@type":"Answer","text":"Configure a static local port forward on the workstation for each individual server IP and port you want to reach, then connect to those forwarded ports directly"},{"@type":"Answer","text":"Add a persistent static route on your attack host pointing 10.10.50.0/24 to the workstation's user-VLAN IP so traffic routes automatically"},{"@type":"Answer","text":"Enable IP forwarding on the workstation and run an ARP-spoofing MITM to relay your attack host's traffic into the server VLAN"}]},{"@context":"https://schema.org","@type":"Question","text":"During an internal penetration test, you have valid low-privileged domain user credentials on a fully patched-except-one Windows Server 2019 domain controller. The host exposes the MS-RPRN and MS-PAR interfaces, and the Print Spooler service is running. Your goal is to gain SYSTEM-level code execution on the DC by abusing a known CVE. Which technique should you use?","acceptedAnswer":{"@type":"Answer","text":"Exploit PrintNightmare (CVE-2021-34527) by using the authenticated RpcAddPrinterDriverEx call to load a malicious driver DLL from a remote share, executing it as SYSTEM"},"suggestedAnswer":[{"@type":"Answer","text":"Perform a Kerberoasting attack against the spooler service account and crack the resulting TGS ticket offline"},{"@type":"Answer","text":"Use the PrinterBug (MS-RPRN RpcRemoteFindFirstPrinterChangeNotificationEx) to coerce the DC into authenticating back to your host, then replay the hash"},{"@type":"Answer","text":"Abuse an unquoted service path in the Print Spooler binary to drop a payload that runs at service startup"}]},{"@context":"https://schema.org","@type":"Question","text":"During a penetration test, you have SYSTEM-level access on a Windows Server 2019 host that has RDP enabled and internet-facing. The client wants to evaluate persistence techniques that survive user logins but do not require valid credentials. You replace sethc.exe with cmd.exe so that pressing SHIFT five times at the login screen spawns a SYSTEM command prompt. Which category of post-exploitation activity does this technique BEST represent?","acceptedAnswer":{"@type":"Answer","text":"Establishing persistence via an accessibility feature (image file execution / binary replacement) backdoor"},"suggestedAnswer":[{"@type":"Answer","text":"Privilege escalation from a standard user to SYSTEM using an unquoted service path"},{"@type":"Answer","text":"Lateral movement to adjacent hosts using pass-the-hash over SMB"},{"@type":"Answer","text":"Covering tracks by clearing the Windows Security event log after access"}]},{"@context":"https://schema.org","@type":"Question","text":"During a Windows post-exploitation phase, a penetration tester has obtained a standard user shell on a workstation and wants to ensure their beacon relaunches automatically whenever the compromised user logs in, without requiring administrative privileges. Which persistence technique best meets this requirement?","acceptedAnswer":{"@type":"Answer","text":"Add a value pointing to the payload under HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"},"suggestedAnswer":[{"@type":"Answer","text":"Register a new Windows service with sc.exe set to start automatically at boot"},{"@type":"Answer","text":"Modify HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run to load the payload for all users"},{"@type":"Answer","text":"Install a WMI event subscription filtered on system startup in the root\\subscription namespace"}]},{"@context":"https://schema.org","@type":"Question","text":"During a post-exploitation phase on a compromised Windows workstation, you have a low-privileged foothold as a domain user. You want to enumerate other systems the current user can reach without triggering noisy network scans. You run 'cmdkey /list' and discover several stored credential entries, including one labeled 'Domain:target=TERMSRV/fileserver01'. What is the MOST useful next action this finding enables?","acceptedAnswer":{"@type":"Answer","text":"Use the saved credential to launch an RDP session to fileserver01 via 'runas /savecred' or mstsc without re-entering the password, enabling lateral movement"},"suggestedAnswer":[{"@type":"Answer","text":"Extract the plaintext password directly from the cmdkey output shown in the terminal"},{"@type":"Answer","text":"Dump LSASS memory because cmdkey entries are always stored there in cleartext"},{"@type":"Answer","text":"Immediately clear the credential vault to remove artifacts before continuing enumeration"}]},{"@context":"https://schema.org","@type":"Question","text":"During a red team engagement, you have gained a low-privileged foothold on a Windows 10 workstation via a compromised standard domain user account. You cannot write to system directories or create services because you lack administrative rights, but you need to maintain access that survives reboots and user logoffs. Which technique will most reliably establish persistence given your current privilege level?","acceptedAnswer":{"@type":"Answer","text":"Create a scheduled task registered under the current user's context that runs your beacon at logon"},"suggestedAnswer":[{"@type":"Answer","text":"Install a new Windows service pointing to your payload binary in C:\\Windows\\System32"},{"@type":"Answer","text":"Replace the local Administrator account's NTLM hash to guarantee future logons"},{"@type":"Answer","text":"Add your payload path to the HKLM\\SYSTEM\\CurrentControlSet Services registry hive"}]},{"@context":"https://schema.org","@type":"Question","text":"During a red-team engagement, you have gained SYSTEM privileges on a Windows Server 2019 domain member. The client's rules of engagement require that any persistence mechanism survive a reboot but be trivial to enumerate and remove during cleanup. You want a mechanism that runs your beacon automatically at every system startup, independent of any user logging in, and that is documented in your report for straightforward removal. Which technique BEST meets these requirements?","acceptedAnswer":{"@type":"Answer","text":"Create a new Windows service configured with Start=auto that launches your beacon executable"},"suggestedAnswer":[{"@type":"Answer","text":"Add your beacon path to the HKCU\\...\\Run registry key for the currently logged-in user"},{"@type":"Answer","text":"Inject your beacon into an existing lsass.exe process using reflective DLL injection"},{"@type":"Answer","text":"Place a shortcut to your beacon in the current user's Startup folder"}]},{"@context":"https://schema.org","@type":"Question","text":"During an internal engagement, you have obtained a low-privileged shell as a service account on a Windows Server 2019 host. Running 'whoami /priv' shows that SeImpersonatePrivilege is enabled for your current context. Local exploit suggesters indicate the host is unpatched. Which privilege escalation technique most directly leverages this specific privilege to obtain SYSTEM?","acceptedAnswer":{"@type":"Answer","text":"Run a potato-style attack (e.g., PrintSpoofer/JuicyPotato) to coerce a SYSTEM token and impersonate it"},"suggestedAnswer":[{"@type":"Answer","text":"Abuse an unquoted service path by planting a malicious executable in a writable parent directory"},{"@type":"Answer","text":"Dump LSASS with Mimikatz to extract cleartext credentials for a domain administrator"},{"@type":"Answer","text":"Modify the registry AlwaysInstallElevated keys to install a malicious MSI as SYSTEM"}]},{"@context":"https://schema.org","@type":"Question","text":"During a host-based assessment of a Windows server, you obtain a low-privileged shell. Enumerating services, you find one running as LocalSystem with the following configuration:\n\n BINARY_PATH_NAME : C:\\Program Files\\Acme Data\\Sync Agent\\agent.exe\n\nThe service path is not enclosed in quotation marks. You also confirm you have write access to C:\\Program Files\\Acme Data\\. Which action most directly exploits this misconfiguration to escalate privileges?","acceptedAnswer":{"@type":"Answer","text":"Place a malicious executable named Sync.exe in C:\\Program Files\\Acme Data\\ and restart the service so it runs as SYSTEM"},"suggestedAnswer":[{"@type":"Answer","text":"Place a malicious executable named Acme.exe in C:\\Program Files\\ so Windows executes it before resolving the full path"},{"@type":"Answer","text":"Replace agent.exe directly with a payload since the service already runs as LocalSystem"},{"@type":"Answer","text":"Modify the service's BINARY_PATH_NAME with sc config to point to your payload"}]},{"@context":"https://schema.org","@type":"Question","text":"During an internal engagement, you have compromised a workstation and recovered valid domain administrator credentials. You want to execute a payload on a remote server (10.10.5.20) to move laterally, but the client's SOC is actively monitoring for new service creation events (Event ID 7045) generated by tools like PsExec. Which technique allows you to execute commands remotely while avoiding the creation of a new Windows service on the target?","acceptedAnswer":{"@type":"Answer","text":"Use wmic /node:10.10.5.20 to invoke process creation remotely via WMI"},"suggestedAnswer":[{"@type":"Answer","text":"Use PsExec with the -r flag to rename the remote service before execution"},{"@type":"Answer","text":"Copy the payload to the ADMIN$ share and register it as a new scheduled task service"},{"@type":"Answer","text":"Establish an RDP session and manually create a Windows service through services.msc"}]},{"@context":"https://schema.org","@type":"Question","text":"During a web application assessment, you discover a WordPress site running a 'Media Manager Pro' plugin that allows authenticated contributors to upload files. The upload validation only checks the Content-Type header sent by the browser and the file extension against a blocklist that includes .php and .phtml. You have valid contributor credentials. Which technique is MOST likely to result in remote code execution?","acceptedAnswer":{"@type":"Answer","text":"Upload a file named shell.php5 (or shell.pHP) with a spoofed image/jpeg Content-Type header, then request the uploaded file to trigger PHP execution"},"suggestedAnswer":[{"@type":"Answer","text":"Submit a reflected XSS payload in the file's description field to steal the administrator's session cookie"},{"@type":"Answer","text":"Use SQL injection in the upload metadata form to dump the wp_users table and crack the admin password hash"},{"@type":"Answer","text":"Perform a brute-force attack against wp-login.php to escalate the contributor account to an administrator role"}]},{"@context":"https://schema.org","@type":"Question","text":"During an authorized web application assessment, you identify a WordPress site running a plugin that matches a known RCE CVE. You load the corresponding Metasploit exploit module and want to safely determine whether the target is actually vulnerable before firing the exploit, minimizing the chance of crashing the production service. What is the most appropriate next step?","acceptedAnswer":{"@type":"Answer","text":"Run the module's 'check' command to validate exploitability without delivering the full payload"},"suggestedAnswer":[{"@type":"Answer","text":"Set PAYLOAD to a Meterpreter reverse shell and run 'exploit' immediately to confirm the finding"},{"@type":"Answer","text":"Increase the module's brute-force thread count to speed up target verification"},{"@type":"Answer","text":"Disable the target's WAF using an auxiliary DoS module before running the exploit"}]},{"@context":"https://schema.org","@type":"Question","text":"During a web application assessment, you access https://target.example.com/wp-json/wp/v2/users on a WordPress-based marketing site and receive a JSON array containing objects with 'id', 'name', and 'slug' fields for several accounts. Which follow-up action most directly leverages this finding to advance the engagement?","acceptedAnswer":{"@type":"Answer","text":"Use the disclosed 'slug' values as valid usernames to conduct a targeted password-spraying attack against the wp-login.php endpoint"},"suggestedAnswer":[{"@type":"Answer","text":"Submit the JSON response to the client as a critical remote code execution vulnerability requiring immediate patching"},{"@type":"Answer","text":"Attempt an XML external entity (XXE) injection using the returned JSON structure to read local files"},{"@type":"Answer","text":"Replay the same request over the XML-RPC interface to trigger a server-side request forgery against the metadata endpoint"}]},{"@context":"https://schema.org","@type":"Question","text":"During a web application assessment, you observe that a custom login endpoint returns the response 'Invalid password for user' when a valid username is submitted with a wrong password, but returns 'Unknown account' when the username does not exist. Additionally, requests for valid usernames take noticeably longer to process. Which vulnerability class does this behavior most directly represent, and how would you leverage it?","acceptedAnswer":{"@type":"Answer","text":"Username enumeration via differential error messages and response timing, which you can use to build a validated list of accounts for a targeted password-spraying attack"},"suggestedAnswer":[{"@type":"Answer","text":"SQL injection in the authentication query, which you can exploit by inserting a UNION-based payload into the username field to dump the user table"},{"@type":"Answer","text":"Session fixation, which you can exploit by forcing a known session identifier onto the victim before they authenticate"},{"@type":"Answer","text":"Insecure direct object reference, which you can exploit by incrementing a numeric account ID to access other users' profiles"}]},{"@context":"https://schema.org","@type":"Question","text":"During a black-box web assessment, you discover a WordPress site with /xmlrpc.php accessible and responding to POST requests. Standard login attempts against /wp-login.php are being rate-limited and account-locked after 5 failed tries. You want to test a list of 200 candidate credentials against several usernames while minimizing the number of HTTP requests and avoiding the login lockout controls. Which technique should you use?","acceptedAnswer":{"@type":"Answer","text":"Send system.multicall requests to xmlrpc.php, batching many wp.getUsersBlogs authentication attempts into a single HTTP request"},"suggestedAnswer":[{"@type":"Answer","text":"Continue spraying /wp-login.php but rotate the X-Forwarded-For header on each request to evade the lockout counter"},{"@type":"Answer","text":"Use WPScan's --enumerate vp flag to identify vulnerable plugins and pivot to an authentication bypass CVE"},{"@type":"Answer","text":"Perform a deauthentication attack to force administrators to re-authenticate and capture the session cookie"}]},{"@context":"https://schema.org","@type":"Question","text":"During a wireless assessment, you identify a WPA2-PSK network in scope. You have positioned a monitor-mode adapter within range and confirmed the target BSSID and connected clients. Your goal is to recover the pre-shared key offline. Which sequence of actions correctly achieves this?","acceptedAnswer":{"@type":"Answer","text":"Capture the 4-way handshake by sending targeted deauthentication frames to a connected client to force reassociation, then run a dictionary attack against the captured handshake with a tool like hashcat or aircrack-ng."},"suggestedAnswer":[{"@type":"Answer","text":"Send an EAPOL start flood to the access point to disclose the PSK in cleartext, then decode it from the capture with Wireshark."},{"@type":"Answer","text":"Associate to the network with a null password to trigger the AP to return the PSK hash, then submit that hash to an online rainbow-table service."},{"@type":"Answer","text":"Perform an ARP replay attack to generate IVs, then statistically recover the PSK once enough unique IVs are collected."}]},{"@context":"https://schema.org","@type":"Question","text":"During an internal engagement, you notice Windows clients attempting to resolve the hostname 'wpad' via broadcast because DNS lookups fail. You want to intercept their proxy configuration requests to force NTLM authentication that you can then relay to a target server with SMB signing disabled. Which technique most directly enables this attack chain?","acceptedAnswer":{"@type":"Answer","text":"Poison the WPAD hostname resolution to serve a malicious proxy auto-config file that prompts clients for authentication, capturing NTLM credentials for relay"},"suggestedAnswer":[{"@type":"Answer","text":"Perform a Kerberoasting attack against the proxy service account to extract an offline-crackable TGS ticket"},{"@type":"Answer","text":"Launch a DHCP starvation attack to exhaust the address pool and force clients onto a rogue gateway"},{"@type":"Answer","text":"Send crafted ICMP redirect packets to reroute client HTTP traffic through your attacker host"}]},{"@context":"https://schema.org","@type":"Question","text":"During a web application assessment, you discover an XML-based file upload feature that parses invoice documents server-side. You want to test whether the parser is vulnerable to reading local files. Which payload construction is most appropriate to confirm this vulnerability?","acceptedAnswer":{"@type":"Answer","text":"Inject a DOCTYPE declaration defining an external entity referencing file:///etc/passwd and reference that entity in an element the response echoes back"},"suggestedAnswer":[{"@type":"Answer","text":"Append a UNION SELECT statement to an XML attribute value to extract database rows"},{"@type":"Answer","text":"Insert a tag inside an XML element to trigger client-side execution"},{"@type":"Answer","text":"Base64-encode a serialized Java object and place it in the XML body to achieve deserialization RCE"}]}]}
CompTIA · Intermediate
CompTIA PenTest+ (PT0-003) (PT0-003) practice exam & study guide
The CompTIA PenTest+ (PT0-003) is CompTIA’s intermediate penetration-testing certification. It validates the ability to plan and scope an engagement, perform reconnaissance and enumeration, discover and analyze vulnerabilities, execute attacks and exploits, and carry out post-exploitation and lateral movement — the offensive side of security.
PenTest+ is a hands-on, offensive-security exam covering the full penetration-testing lifecycle. Questions test how you find and exploit weaknesses and operate within an authorized engagement, including performance-based questions.
This free hub gives you everything you need to prepare: a syllabus breakdown by exam domain, realistic scenario-style practice questions with teacher-style explanations, a glossary of the penetration-testing concepts the exam relies on, and full-length timed mock exams that mirror the real testing experience.
90
Questions
165 min
Time limit
75%
Mock pass %
5
Domains
Start studying PT0-003
New here? Follow the three steps below in order. Everything is free and needs no account.
A sample of the PT0-003 questions on this hub. Each links through to the full question, the correct answer, and an explanation of why every other option is wrong.
CompTIA positions PenTest+ as validating the skills of a penetration tester — planning engagements, testing networks, applications, and cloud, and reporting findings responsibly.
It is vendor-neutral and hands-on: you are expected to use real tools, adapt exploit code and scripts, and reason about attack paths rather than only recognize terms.
What topics are on the PT0-003 exam?+
The PT0-003 exam is organised into five weighted domains. The percentages below are CompTIA’s published weightings. Attacks and exploits alone is more than a third of the exam.
Engagement Management (13%)
Covers pre-engagement activities such as scope, rules of engagement, contracts, and authorization, governance, risk, and compliance, testing methodologies and standards, and reporting and communication throughout an engagement.
Reconnaissance and Enumeration (21%)
Covers passive and active reconnaissance including OSINT, DNS, and network mapping, enumeration of hosts, services, users, shares, web, and cloud, scanning tools such as Nmap, and scripting in Python, Bash, and PowerShell to support recon.
Vulnerability Discovery and Analysis (17%)
Covers vulnerability scanning and manual discovery, analyzing results and removing false positives, prioritizing vulnerabilities by exploitability and impact, and researching exploits and attack vectors.
Attacks and Exploits (35%)
The heaviest domain. It covers network, wireless, and host-based attacks, web application and API attacks such as injection and SSRF, cloud attacks, social engineering and physical attacks, password and credential attacks, and using exploitation frameworks such as Metasploit and Burp Suite.
Post-exploitation and Lateral Movement (14%)
Covers establishing persistence and maintaining access, privilege escalation on Windows and Linux, lateral movement and pivoting, enumerating a compromised environment, and cleanup and restoring the environment after testing.
Is the PT0-003 hard?+
PenTest+ is an intermediate, hands-on exam that is more demanding than Security+ because it expects you to actually reason about exploitation, not just recognize concepts, and its performance-based questions require applying tools.
The difficulty comes from the breadth of attack techniques and tooling, and from choosing the right technique for a target under engagement constraints. Practising realistic attack scenarios and knowing your tools is the key.
How many questions are on the PT0-003 exam and how long is it?+
The PT0-003 exam contains a maximum of 90 questions and allows 165 minutes. It mixes multiple-choice with performance-based questions (PBQs) — interactive tasks such as analyzing tool output or completing an exploit — which are the main reason the exam feels dense.
Our full-length practice mock uses a 90-question, 165-minute session so you can rehearse pacing under realistic time pressure before test day.
What score do you need to pass the PT0-003?+
CompTIA scores PT0-003 on a scale of 100 to 900, and you need 750 to pass — well above a simple 70%, so it leaves little room for weak areas. Because it is scaled, questions are not all worth the same, and there is no penalty for guessing, so answer everything. Our practice mock uses a 75% threshold as a study checkpoint; aim comfortably beyond it before test day.
How much does the PT0-003 exam cost?+
The PT0-003 exam fee is set by CompTIA — historically around $404 USD, but check the official CompTIA page for current pricing and bundles. The certification is valid for three years and can be renewed through continuing education. Everything on this hub is free.
Who should take the PT0-003?+
PenTest+ is aimed at penetration testers, red-team members, security consultants, and vulnerability analysts who assess and exploit weaknesses in authorized engagements.
CompTIA recommends Network+ and Security+ (or equivalent knowledge) and around three to four years of hands-on security experience, though there is no formal prerequisite.
What jobs and salaries can the PT0-003 lead to?+
PenTest+ maps to roles such as penetration tester, red-team operator, security consultant, and vulnerability analyst, where finding and exploiting weaknesses is the core of the job.
How much any certification affects pay depends heavily on geography, seniority, and hands-on experience, so treat any single salary figure with caution. PenTest+ is best viewed as validation of offensive-security skill rather than a guaranteed raise on its own.
How long does it take to study for the PT0-003?+
Candidates with security experience often need eight to twelve weeks; those newer to offensive security should plan longer. The most efficient path is to study each domain while practising in a lab with real tools, then drill scenario and performance-based questions.
Review every explanation, including for questions you answered correctly, because PT0-003 distractors are built from plausible but incorrect techniques or tools. Use the per-domain results here to find and shore up your weakest area, then finish with full-length timed mocks.
How should you prepare for the PT0-003?+
Study the five domains above, giving the most time to attacks and exploits, then drill scenario questions domain by domain. Every MockAPI question reveals a full explanation and tells you why each wrong answer is wrong — essential for an offensive exam whose wrong options are plausible attack choices.
When you can answer scenarios comfortably, move to full-length timed mocks, ideally alongside hands-on lab practice with Nmap, Metasploit, and Burp Suite. Use the glossary to keep the tools and techniques straight, and aim to score consistently above the pass mark before you book.
Can you take the PT0-003 exam online?+
Yes. CompTIA delivers PT0-003 through Pearson VUE, both at test centers and online with remote proctoring (OnVUE). The online exam requires a private, quiet room, a clear workspace, a webcam and microphone, a stable connection, and government-issued photo ID, with a proctor monitoring you and a room scan before you start.
If you do not pass, CompTIA lets you retake immediately for a second attempt, but a 14-day wait applies before a third and any subsequent attempts. Each attempt needs its own registration and fee.
What certification should you take after the PT0-003?+
After PenTest+, common next steps include CompTIA’s advanced security credential (SecurityX/CASP+) or specialized offensive certifications from other vendors, plus deeper red-team and exploit-development training.
For many, the real next step is working as a penetration tester or red-teamer. Pairing PenTest+ with hands-on engagement experience is what turns the certificate into a career.