"},{"@type":"Answer","text":"' OR '1'='1' --"},{"@type":"Answer","text":"../../../../etc/passwd%00"}]},{"@context":"https://schema.org","@type":"Question","text":"A penetration tester completes an authenticated scan of a client's environment and must prioritize remediation guidance. Four validated (non-false-positive) findings remain. Given the tester's goal of prioritizing by real-world exploitability and business impact, which finding should be ranked highest?","acceptedAnswer":{"@type":"Answer","text":"A CVSS 8.1 deserialization vulnerability on an internet-facing web server that processes payment transactions, with a weaponized Metasploit module publicly available"},"suggestedAnswer":[{"@type":"Answer","text":"A CVSS 9.8 remote code execution flaw on an internal database server that is not reachable from the internet and requires VPN access, with no public exploit code available"},{"@type":"Answer","text":"A CVSS 7.5 information-disclosure issue on a public marketing site that exposes server version banners"},{"@type":"Answer","text":"A CVSS 6.5 stored XSS vulnerability in an internal HR portal accessible only to authenticated employees"}]},{"@context":"https://schema.org","@type":"Question","text":"A penetration testing firm has completed a web application assessment for a healthcare client subject to HIPAA. During testing, the team captured screenshots and database extracts containing protected health information (PHI) to demonstrate exploit impact. As the engagement closes, the client's compliance officer asks how the firm will handle the sensitive data it collected. Which action BEST satisfies the firm's obligations at engagement closeout?","acceptedAnswer":{"@type":"Answer","text":"Follow the data retention and secure destruction procedures defined in the rules of engagement, then provide the client a certificate of destruction"},"suggestedAnswer":[{"@type":"Answer","text":"Retain the captured PHI indefinitely on the firm's servers so it can be referenced if the client disputes any finding"},{"@type":"Answer","text":"Immediately delete all evidence, including the final report, to eliminate any liability for holding PHI"},{"@type":"Answer","text":"Upload the collected PHI to the client's public ticketing system so their staff can independently verify each finding"}]},{"@context":"https://schema.org","@type":"Question","text":"During an internal engagement, you have compromised an account that is a member of a group with the 'Replicating Directory Changes' and 'Replicating Directory Changes All' extended rights on the domain object. You want to obtain the NTLM hash of the KRBTGT account without executing code on a domain controller or triggering endpoint detection on the DC itself. Which technique should you use?","acceptedAnswer":{"@type":"Answer","text":"Run a DCSync attack using mimikatz 'lsadump::dcsync /user:krbtgt' from your foothold to request replication of the account's secrets"},"suggestedAnswer":[{"@type":"Answer","text":"Upload and run secretsdump against the local SAM hive of the compromised workstation to extract the KRBTGT hash"},{"@type":"Answer","text":"Deploy Mimikatz directly on the domain controller and run 'sekurlsa::logonpasswords' against LSASS memory"},{"@type":"Answer","text":"Perform Kerberoasting against the KRBTGT SPN and crack the resulting ticket offline"}]},{"@context":"https://schema.org","@type":"Question","text":"During a kickoff call, a client's IT manager verbally provides a list of IP ranges and web application URLs that are in scope for an upcoming external penetration test. The engagement is scheduled to begin in two days. Which action should the lead tester take BEFORE any active testing to ensure the scope is properly authorized and defensible?","acceptedAnswer":{"@type":"Answer","text":"Obtain a documented, signed scope definition and authorization that explicitly lists the approved IP ranges and URLs"},"suggestedAnswer":[{"@type":"Answer","text":"Begin testing the provided ranges immediately since the IT manager confirmed them during the kickoff call"},{"@type":"Answer","text":"Run a broad discovery scan across the client's entire public ASN to identify any additional assets that might belong in scope"},{"@type":"Answer","text":"Email the IT manager asking them to forward the ranges to the tester's personal mailbox for record keeping"}]},{"@context":"https://schema.org","@type":"Question","text":"During an internal engagement, you have permission to map a target's 10.20.30.0/24 subnet. You want to passively correlate live IP addresses with meaningful hostnames without sending traffic to each host directly. Which technique best supports building this network map by leveraging the organization's own DNS infrastructure?","acceptedAnswer":{"@type":"Answer","text":"Run reverse DNS (PTR) lookups against the organization's DNS server for each IP in the range"},"suggestedAnswer":[{"@type":"Answer","text":"Perform an Nmap SYN scan (-sS) across all 254 hosts to identify open ports"},{"@type":"Answer","text":"Send ICMP echo requests to the broadcast address to enumerate responding hosts"},{"@type":"Answer","text":"Query crt.sh certificate transparency logs for the internal subnet"}]},{"@context":"https://schema.org","@type":"Question","text":"During a web application test, you discover an endpoint that fetches remote URLs supplied by the user to generate link previews. The application blocks requests to RFC 1918 addresses and localhost by resolving the hostname once and validating the resulting IP before making the request. You control an external domain and its authoritative DNS server. Which technique most effectively bypasses this filter to reach an internal service?","acceptedAnswer":{"@type":"Answer","text":"Use a DNS rebinding attack: return a public IP on the first resolution (validation) and an internal IP with a very low TTL on the second resolution (fetch)"},"suggestedAnswer":[{"@type":"Answer","text":"Encode the internal IP address in hexadecimal or octal notation within the URL to evade the string-based blocklist"},{"@type":"Answer","text":"Submit a URL with an @ symbol so the application parses the internal host as credentials rather than the destination"},{"@type":"Answer","text":"Send the request over HTTPS so the TLS layer prevents the application from inspecting the destination IP address"}]},{"@context":"https://schema.org","@type":"Question","text":"During the passive reconnaissance phase of an external assessment, a penetration tester wants to identify as many subdomains and internal hostnames as possible for the target domain example.com. The tester notices the authoritative name server ns1.example.com responds to queries. Which command is MOST likely to reveal a complete list of the organization's DNS records if the server is misconfigured?","acceptedAnswer":{"@type":"Answer","text":"dig axfr @ns1.example.com example.com"},"suggestedAnswer":[{"@type":"Answer","text":"dig +short A example.com @8.8.8.8"},{"@type":"Answer","text":"nslookup -type=mx example.com"},{"@type":"Answer","text":"nmap -sU -p 53 ns1.example.com"}]},{"@context":"https://schema.org","@type":"Question","text":"During the reconnaissance phase of an authorized physical and social-engineering assessment, a penetration tester reviews recovered documents from an unsecured recycling bin behind the client's corporate office. Among the papers are internal org charts, a printout of a project schedule with employee names and phone extensions, and an expired network diagram. Which conclusion best describes the value of this discovery to the engagement?","acceptedAnswer":{"@type":"Answer","text":"The documents provide OSINT that can be used to craft targeted pretexts and improve the credibility of social-engineering attacks against named employees."},"suggestedAnswer":[{"@type":"Answer","text":"The documents constitute an immediate critical vulnerability that must be reported as a CVE with a CVSS base score."},{"@type":"Answer","text":"The expired network diagram is worthless because it no longer reflects the current environment and should be discarded without analysis."},{"@type":"Answer","text":"The find proves the recycling vendor is out of scope, so all further physical testing must stop until a new authorization is signed."}]},{"@context":"https://schema.org","@type":"Question","text":"During pre-engagement planning for a black-box external penetration test, the client asks how the testing team will handle situations where a discovered vulnerability could lead to accidental service disruption or evidence of a prior compromise. The lead penetration tester wants to formally document who must be notified, under what conditions, and through which channels before defining these details in the rules of engagement. Which pre-engagement element most directly addresses this requirement?","acceptedAnswer":{"@type":"Answer","text":"A communication and escalation plan defining points of contact and notification triggers"},"suggestedAnswer":[{"@type":"Answer","text":"A signed authorization letter granting permission to test in-scope systems"},{"@type":"Answer","text":"A statement of work listing deliverables and the assessment timeline"},{"@type":"Answer","text":"A non-disclosure agreement protecting confidential client information"}]},{"@context":"https://schema.org","@type":"Question","text":"During an internal engagement, you have anonymous (null session) access to a Windows Server that appears to be a domain member. You need to enumerate valid domain user accounts to build a target list for later password spraying. RestrictAnonymous is set such that direct user listing via a null session returns no results, but you can still query the SAM/LSA over SMB. Which technique is MOST likely to yield a list of valid domain usernames in this situation?","acceptedAnswer":{"@type":"Answer","text":"Use RID cycling to enumerate accounts by resolving sequential relative identifiers appended to the domain SID via SID-to-name lookups"},"suggestedAnswer":[{"@type":"Answer","text":"Perform an Nmap SYN scan of port 445 and read the service banner to extract account names"},{"@type":"Answer","text":"Run an SMTP VRFY/EXPN enumeration against the mail service to reveal domain accounts"},{"@type":"Answer","text":"Initiate a DNS zone transfer against the domain controller to list user records"}]},{"@context":"https://schema.org","@type":"Question","text":"During analysis of a large scan report, a penetration tester must recommend which vulnerability to prioritize for remediation. Two findings stand out: Finding X has a CVSS base score of 9.8 but an EPSS (Exploit Prediction Scoring System) score of 0.4% and no public exploit; Finding Y has a CVSS base score of 7.5, an EPSS score of 92%, and is actively being weaponized in the wild against internet-facing hosts identical to the client's exposed web server. Which recommendation best reflects risk-based prioritization?","acceptedAnswer":{"@type":"Answer","text":"Prioritize Finding Y first because its high EPSS score and active exploitation against exposed assets indicate a far greater likelihood of near-term compromise"},"suggestedAnswer":[{"@type":"Answer","text":"Prioritize Finding X first because its higher CVSS base score indicates greater severity"},{"@type":"Answer","text":"Prioritize both equally since CVSS is the only authoritative severity metric for remediation ordering"},{"@type":"Answer","text":"Defer both findings until a temporal CVSS score is manually recalculated for each"}]},{"@context":"https://schema.org","@type":"Question","text":"A penetration testing firm based in the United States is contracted to test a web application for a client headquartered in Germany. During pre-engagement scoping, the tester discovers the application processes personal data of EU residents, and captured test artifacts may include this data. What is the MOST important legal consideration the tester must address before beginning the engagement?","acceptedAnswer":{"@type":"Answer","text":"Ensure the rules of engagement specify GDPR-compliant handling, storage, and cross-border transfer requirements for any personal data encountered"},"suggestedAnswer":[{"@type":"Answer","text":"Confirm that the testing window falls within German business hours to avoid disrupting operations"},{"@type":"Answer","text":"Require the client to obtain PCI DSS certification before the assessment can proceed"},{"@type":"Answer","text":"Limit the assessment to a black-box methodology so no personal data is ever accessed"}]},{"@context":"https://schema.org","@type":"Question","text":"A penetration tester is midway through a two-week engagement for a healthcare client. The client's CISO requests that the team stop testing the legacy billing application and instead focus remaining hours on a newly deployed patient portal that was not in the original scope document. The tester wants to accommodate the request while remaining compliant with the engagement's governance requirements. What should the tester do FIRST?","acceptedAnswer":{"@type":"Answer","text":"Obtain a written scope change (change request/amendment) authorizing the patient portal before testing it"},"suggestedAnswer":[{"@type":"Answer","text":"Begin testing the patient portal immediately, since the CISO has authority over the client's security program"},{"@type":"Answer","text":"Continue testing the billing application as originally scoped and note the CISO's request in the final report"},{"@type":"Answer","text":"Perform a quick vulnerability scan of the patient portal to confirm it is worth including, then request authorization"}]},{"@context":"https://schema.org","@type":"Question","text":"During an internal penetration test, you have compromised a domain controller and extracted the KRBTGT account's NTLM hash using DCSync. The client asks you to demonstrate a persistence technique that would let you impersonate any user in the domain—including nonexistent accounts—without relying on the DC to validate account existence, and that would survive individual user password resets. Which technique should you demonstrate?","acceptedAnswer":{"@type":"Answer","text":"Forge a Golden Ticket by crafting a Kerberos TGT signed with the KRBTGT hash"},"suggestedAnswer":[{"@type":"Answer","text":"Perform a Silver Ticket attack using a captured service account hash"},{"@type":"Answer","text":"Conduct an overpass-the-hash attack with a standard user's NTLM hash"},{"@type":"Answer","text":"Execute a Kerberoasting attack against service principal names"}]},{"@context":"https://schema.org","@type":"Question","text":"During a password-cracking phase, you have captured a large set of NTLM hashes. The client's documented password policy requires exactly 8 characters: one uppercase letter, followed by five lowercase letters, followed by two digits. A straight dictionary attack has yielded few results. Which hashcat approach best leverages this known policy to efficiently recover the remaining hashes?","acceptedAnswer":{"@type":"Answer","text":"A mask attack using the pattern ?u?l?l?l?l?l?d?d"},"suggestedAnswer":[{"@type":"Answer","text":"A pure brute-force attack across the full keyspace with -a 3 and no mask"},{"@type":"Answer","text":"A straight (dictionary) attack with the rockyou.txt wordlist and no rules"},{"@type":"Answer","text":"A combinator attack merging two copies of the same wordlist"}]},{"@context":"https://schema.org","@type":"Question","text":"During a web application assessment, you discover a GraphQL API endpoint at /graphql. The application does not appear to expose its schema in any documentation. You want to map every available query, mutation, and type before attempting authorization bypass testing. Which technique should you use first to enumerate the full API structure?","acceptedAnswer":{"@type":"Answer","text":"Send an introspection query (e.g., the __schema and __type meta-fields) to the endpoint to retrieve the complete type system"},"suggestedAnswer":[{"@type":"Answer","text":"Fuzz the endpoint with a wordlist of common REST paths such as /api/v1/users to discover hidden resources"},{"@type":"Answer","text":"Submit a batched array of aliased queries to trigger a denial-of-service and reveal error stack traces"},{"@type":"Answer","text":"Perform a SQL injection test against the id parameter to enumerate backend database tables"}]},{"@context":"https://schema.org","@type":"Question","text":"A penetration testing firm is finalizing pre-engagement paperwork for a hospital network. During testing, the team will access servers that store and process electronic protected health information (ePHI). The hospital's compliance officer wants to ensure the firm is legally bound to safeguard this data and to specify permitted uses, breach notification obligations, and safeguards. Which document must be executed to satisfy this HIPAA requirement before testing begins?","acceptedAnswer":{"@type":"Answer","text":"A Business Associate Agreement (BAA) between the hospital and the testing firm"},"suggestedAnswer":[{"@type":"Answer","text":"A mutual non-disclosure agreement (NDA) covering both organizations"},{"@type":"Answer","text":"A statement of work (SOW) detailing the testing deliverables and timeline"},{"@type":"Answer","text":"A signed authorization ('get-out-of-jail') letter from the hospital's CISO"}]},{"@context":"https://schema.org","@type":"Question","text":"During a web application test, a penetration tester finds that submitting `role=user` in a POST request is enforced server-side, but the backend framework processes duplicate parameters by concatenating or selecting the last value. The tester crafts a request with `role=user&role=admin` and observes that the application grants administrative access. Which attack technique did the tester successfully exploit?","acceptedAnswer":{"@type":"Answer","text":"HTTP parameter pollution (HPP)"},"suggestedAnswer":[{"@type":"Answer","text":"HTTP request smuggling (CL.TE desync)"},{"@type":"Answer","text":"Mass assignment via JSON body injection"},{"@type":"Answer","text":"Cross-site request forgery (CSRF)"}]},{"@context":"https://schema.org","@type":"Question","text":"During a web application assessment, you notice a front-end proxy and a back-end server disagree on how to determine message length. You craft a request where the front-end honors the Content-Length header while the back-end honors the Transfer-Encoding: chunked header, allowing part of your request to be prepended to the next user's request. Which attack are you performing?","acceptedAnswer":{"@type":"Answer","text":"HTTP request smuggling using a CL.TE desynchronization"},"suggestedAnswer":[{"@type":"Answer","text":"Server-side request forgery (SSRF) via header injection"},{"@type":"Answer","text":"HTTP response splitting through CRLF injection"},{"@type":"Answer","text":"Cross-site request forgery (CSRF) using a malicious form"}]},{"@context":"https://schema.org","@type":"Question","text":"During an authenticated vulnerability scan of a Debian-based web server, the scanner flags OpenSSH as vulnerable to a critical CVE, citing the reported version banner of 8.4p1. The client insists the system is fully patched via their standard apt update process. Before including this finding in the report, what is the MOST accurate way for you to determine whether this is a false positive?","acceptedAnswer":{"@type":"Answer","text":"Check the installed package changelog with 'dpkg -l openssh-server' and 'apt changelog openssh-server' to confirm whether the vendor backported the security fix without changing the version banner"},"suggestedAnswer":[{"@type":"Answer","text":"Run the exploit proof-of-concept against the SSH service in production to see if it succeeds"},{"@type":"Answer","text":"Trust the scanner's CVSS score and version match, and include the finding as critical since the banner clearly shows 8.4p1"},{"@type":"Answer","text":"Re-run the scan with an unauthenticated profile to compare the two banner results"}]},{"@context":"https://schema.org","@type":"Question","text":"During a web application assessment, a penetration tester logged in as a low-privileged user and intercepted the following API request in Burp Suite: GET /api/v2/invoices/1042 HTTP/1.1 with a valid session token. The tester changed the value to /api/v2/invoices/1041 and received a 200 response containing another customer's billing details, including full name and payment card last-four digits. No error or additional authentication challenge occurred. Which vulnerability has the tester most likely confirmed?","acceptedAnswer":{"@type":"Answer","text":"Insecure Direct Object Reference (IDOR) due to missing object-level authorization"},"suggestedAnswer":[{"@type":"Answer","text":"Reflected cross-site scripting (XSS) in the invoice parameter"},{"@type":"Answer","text":"Server-side request forgery (SSRF) against the billing backend"},{"@type":"Answer","text":"SQL injection in the invoice ID path parameter"}]},{"@context":"https://schema.org","@type":"Question","text":"During a web application assessment, you intercept a POST request in Burp Suite and notice a base64-encoded parameter that decodes to a byte stream beginning with the hex signature 'AC ED 00 05'. The application is built on Apache Struts and uses this parameter to store session state. Which attack technique is MOST likely to lead to remote code execution against this endpoint?","acceptedAnswer":{"@type":"Answer","text":"Craft a malicious serialized Java object using a gadget chain (e.g., via ysoserial) and submit it in the parameter"},"suggestedAnswer":[{"@type":"Answer","text":"Perform a UNION-based SQL injection by appending crafted SQL to the decoded parameter"},{"@type":"Answer","text":"Inject a stored XSS payload into the parameter to execute JavaScript in the admin's browser"},{"@type":"Answer","text":"Use HTTP parameter pollution to duplicate the parameter and bypass server-side validation"}]},{"@context":"https://schema.org","@type":"Question","text":"A penetration testing firm is finalizing pre-engagement paperwork for a client that operates a legacy manufacturing control system. The client is concerned that active testing could inadvertently disrupt production equipment or cause physical damage. The lead tester wants to ensure the firm is financially protected if such an incident occurs during authorized testing. Which contractual element should the firm confirm is in place before starting the engagement?","acceptedAnswer":{"@type":"Answer","text":"Errors and omissions / professional liability insurance coverage referenced in the contract"},"suggestedAnswer":[{"@type":"Answer","text":"A non-disclosure agreement signed by all testers"},{"@type":"Answer","text":"A detailed scope statement listing target IP ranges"},{"@type":"Answer","text":"A rules-of-engagement document defining testing hours"}]},{"@context":"https://schema.org","@type":"Question","text":"During an internal engagement, you notice the target Windows environment has IPv6 enabled on all workstations but no DHCPv6 server is deployed. You want to become the primary DNS server for these hosts to capture and relay authentication traffic to a domain controller. Which technique should you use to exploit this misconfiguration?","acceptedAnswer":{"@type":"Answer","text":"Use mitm6 to spoof DHCPv6 replies and advertise your host as the IPv6 DNS server, then relay captured credentials with ntlmrelayx"},"suggestedAnswer":[{"@type":"Answer","text":"Launch an ARP cache poisoning attack with Ettercap to redirect IPv4 traffic through your host"},{"@type":"Answer","text":"Perform an SLAAC-only router advertisement flood to exhaust the IPv4 DHCP scope"},{"@type":"Answer","text":"Run Responder in analyze-only mode to passively fingerprint LLMNR broadcasts without responding"}]},{"@context":"https://schema.org","@type":"Question","text":"During an API assessment, you capture a JSON Web Token (JWT) used for authentication. Decoding it reveals a header of {\"alg\":\"HS256\",\"typ\":\"JWT\"} and a payload containing {\"user\":\"analyst\",\"role\":\"user\"}. You want to escalate to an administrative role. Which technique should you attempt FIRST to test for a common JWT verification flaw?","acceptedAnswer":{"@type":"Answer","text":"Modify the payload to \"role\":\"admin\", change the header algorithm to \"none\", and remove the signature to test whether the server validates signatures"},"suggestedAnswer":[{"@type":"Answer","text":"Brute-force the HS256 secret with a full 256-bit keyspace using a GPU cluster before making any request"},{"@type":"Answer","text":"Base64-encode a new random signature and append it, expecting the server to accept any well-formed token"},{"@type":"Answer","text":"Replay the original unmodified token repeatedly to trigger a session fixation vulnerability"}]},{"@context":"https://schema.org","@type":"Question","text":"During an internal Active Directory assessment, you have valid low-privileged domain user credentials. You want to obtain credentials for service accounts without triggering account lockouts or interacting directly with the target service hosts. You run a tool that requests Kerberos service tickets for accounts with an SPN set and exports the ticket hashes. What is the primary reason this technique is effective, and what must you do next?","acceptedAnswer":{"@type":"Answer","text":"TGS-REP tickets are encrypted with the service account's password hash, so you can crack them offline to recover the plaintext password"},"suggestedAnswer":[{"@type":"Answer","text":"AS-REP responses are returned without pre-authentication, so you replay the ticket directly to authenticate as the service account"},{"@type":"Answer","text":"The KDC returns the NTLM hash of the service account in cleartext, so you pass the hash to move laterally immediately"},{"@type":"Answer","text":"The service tickets contain the KRBTGT hash, so you forge a golden ticket to impersonate any domain user"}]},{"@context":"https://schema.org","@type":"Question","text":"During an internal penetration test, you have obtained valid low-privilege domain credentials for an Active Directory environment. You want to enumerate all domain user accounts, their group memberships, and account attributes such as description fields that may contain plaintext passwords. Which approach will most efficiently gather this information directly from the domain controller?","acceptedAnswer":{"@type":"Answer","text":"Query the domain controller over LDAP (port 389) using authenticated queries with a tool such as ldapsearch or the PowerShell ADSI/Get-ADUser cmdlets"},"suggestedAnswer":[{"@type":"Answer","text":"Run an Nmap TCP SYN scan against port 445 on the domain controller to enumerate user accounts via SMB"},{"@type":"Answer","text":"Perform a DNS zone transfer against the domain controller to list all user principal names"},{"@type":"Answer","text":"Use an anonymous SMB null session to enumerate the RID cycle and dump the full user attribute set"}]},{"@context":"https://schema.org","@type":"Question","text":"During an authorized engagement, a penetration tester has interactive shell access to a compromised Linux server using a shared service account. Before disconnecting for the day, the tester wants to prevent the commands run during this session from being written to the account's ~/.bash_history file when the shell exits, without altering historical entries that existed before the session began. Which action best accomplishes this goal?","acceptedAnswer":{"@type":"Answer","text":"Run 'unset HISTFILE' in the current shell before logging out"},"suggestedAnswer":[{"@type":"Answer","text":"Delete ~/.bash_history entirely with 'rm ~/.bash_history'"},{"@type":"Answer","text":"Run 'history -c' immediately after each command executes"},{"@type":"Answer","text":"Overwrite ~/.bash_history with 'echo \"\" > ~/.bash_history' before logging out"}]},{"@context":"https://schema.org","@type":"Question","text":"During post-exploitation on a compromised Linux web server, you have a low-privileged shell as the user 'www-data'. You run 'getcap -r / 2>/dev/null' and notice that '/usr/bin/python3.9' has 'cap_setuid+ep' set. What is the most effective next step to escalate to root?","acceptedAnswer":{"@type":"Answer","text":"Execute python3.9 with a one-liner that calls os.setuid(0) followed by spawning a shell, e.g. python3.9 -c 'import os; os.setuid(0); os.system(\"/bin/bash\")'"},"suggestedAnswer":[{"@type":"Answer","text":"Add the www-data user to the sudoers file by editing /etc/sudoers directly with a text editor"},{"@type":"Answer","text":"Run 'python3.9 -c \"import pty; pty.spawn(\\'/bin/bash\\')\"' to upgrade to a fully interactive TTY session"},{"@type":"Answer","text":"Replace /usr/bin/python3.9 with a malicious binary that runs a reverse shell to your attacker machine"}]},{"@context":"https://schema.org","@type":"Question","text":"During a Linux post-exploitation phase, you have a low-privileged shell as user 'webapp'. Enumeration reveals a root-owned cron entry running '/opt/scripts/backup.sh' every five minutes. The script file has permissions '-rwxrwxrwx' and is owned by root. Which action most directly leads to privilege escalation?","acceptedAnswer":{"@type":"Answer","text":"Append a reverse shell or command that copies bash and sets the SUID bit into backup.sh, then wait for the next cron execution"},"suggestedAnswer":[{"@type":"Answer","text":"Replace /etc/crontab entirely to schedule your own root job every minute"},{"@type":"Answer","text":"Run the backup.sh script manually as the webapp user to trigger elevated execution"},{"@type":"Answer","text":"Add the webapp user to the /etc/cron.allow file to gain scheduling privileges"}]},{"@context":"https://schema.org","@type":"Question","text":"After compromising a low-privilege account on a Linux web server during an internal engagement, you want to identify additional systems and data that may extend your reach. You run 'mount' and 'cat /etc/fstab' and notice an NFS export from 10.10.20.50 mounted at /mnt/backup with 'rw' access and no root_squash restriction visible. What is the MOST useful next action to leverage this discovery for lateral movement?","acceptedAnswer":{"@type":"Answer","text":"Write a SUID-root binary onto the NFS share from a system where you have root, then execute it on the web server to escalate and pivot toward 10.10.20.50"},"suggestedAnswer":[{"@type":"Answer","text":"Immediately delete the /mnt/backup mount point to prevent the file server from logging your access"},{"@type":"Answer","text":"Run a full Nmap SYN scan of the entire 10.10.20.0/24 range from the web server to map every host before touching the share"},{"@type":"Answer","text":"Encrypt the contents of /mnt/backup to demonstrate ransomware impact to the client"}]},{"@context":"https://schema.org","@type":"Question","text":"During a post-exploitation phase, you gain a shell on a compromised Linux web server in a DMZ. Before attempting lateral movement, you want to identify which internal networks this host can reach so you can plan a pivot. The host has no GUI and limited installed tooling. Which command output would MOST directly reveal additional internal subnets the compromised host is configured to route to?","acceptedAnswer":{"@type":"Answer","text":"ip route (or route -n) to display the host's routing table and configured gateways"},"suggestedAnswer":[{"@type":"Answer","text":"cat /etc/passwd to list local user accounts and their home directories"},{"@type":"Answer","text":"netstat -tulpn to list listening services on the local host"},{"@type":"Answer","text":"uname -a to display the kernel version and architecture"}]},{"@context":"https://schema.org","@type":"Question","text":"After gaining a low-privilege shell on a Linux web server, a penetration tester wants to identify locally running network services and internal listening ports that are not exposed externally, in order to plan lateral movement. Which command provides the most relevant information for this specific goal?","acceptedAnswer":{"@type":"Answer","text":"ss -tulpn to list listening TCP/UDP sockets and the associated processes"},"suggestedAnswer":[{"@type":"Answer","text":"getcap -r / 2>/dev/null to enumerate binaries with file capabilities"},{"@type":"Answer","text":"find / -perm -4000 2>/dev/null to locate SUID binaries"},{"@type":"Answer","text":"cat /etc/crontab to review scheduled tasks"}]},{"@context":"https://schema.org","@type":"Question","text":"During a Linux post-exploitation phase, you gained root on an application server and, to maintain access, appended your public key to /root/.ssh/authorized_keys, added a systemd service that spawns a reverse shell on boot, and modified /etc/sudoers to grant a low-privilege service account NOPASSWD access. The engagement is now ending and the rules of engagement require you to restore the environment to its pre-test state. Which action is MOST important to include in your cleanup so the environment is not left in a weakened security posture?","acceptedAnswer":{"@type":"Answer","text":"Remove the injected SSH key, delete and disable the systemd service, and revert the /etc/sudoers modification, documenting each change"},"suggestedAnswer":[{"@type":"Answer","text":"Leave the persistence mechanisms in place but notify the client so their blue team can practice detecting them"},{"@type":"Answer","text":"Overwrite the entire /etc directory with a fresh copy from another server to guarantee no artifacts remain"},{"@type":"Answer","text":"Clear the bash history and auth logs so the client cannot trace the persistence artifacts back to the test"}]},{"@context":"https://schema.org","@type":"Question","text":"During a Linux post-exploitation phase, you have root on a production application server and need durable persistence that survives reboots but remains low-profile. The client's rules of engagement require that all persistence mechanisms be documented and cleanly removable at engagement end. You are considering an LD_PRELOAD-based technique. Which approach best balances persistence, stealth, and the ability to fully restore the environment during cleanup?","acceptedAnswer":{"@type":"Answer","text":"Append a malicious shared object path to /etc/ld.so.preload, logging the original file state (or its absence) so it can be reverted exactly during cleanup"},"suggestedAnswer":[{"@type":"Answer","text":"Recompile every system binary to statically link a backdoor, ensuring persistence even if libraries change"},{"@type":"Answer","text":"Replace /bin/bash with a wrapper script that spawns a reverse shell on each login and delete the original binary"},{"@type":"Answer","text":"Set an LD_PRELOAD variable in your current shell session only and rely on it for reboot persistence"}]},{"@context":"https://schema.org","@type":"Question","text":"During an internal engagement you gained a Meterpreter session on a dual-homed Linux host (10.0.10.5). This host also has an interface on 192.168.50.0/24, a subnet your Kali attack box cannot reach directly. You want to run additional Metasploit modules against hosts in the 192.168.50.0/24 range through the compromised host without setting up separate port forwards for each target port. Which action best achieves this?","acceptedAnswer":{"@type":"Answer","text":"Run 'run autoroute -s 192.168.50.0/24' from the Meterpreter session so subsequent Metasploit modules route through the compromised host"},"suggestedAnswer":[{"@type":"Answer","text":"Add a static route on the Kali box with 'ip route add 192.168.50.0/24 via 10.0.10.5' so traffic reaches the internal subnet"},{"@type":"Answer","text":"Use 'portfwd add -l 4444 -p 445 -r 192.168.50.20' to expose the single SMB service you need to reach"},{"@type":"Answer","text":"Enable IP forwarding on the compromised host with 'echo 1 > /proc/sys/net/ipv4/ip_forward' and rescan from Kali"}]},{"@context":"https://schema.org","@type":"Question","text":"During an internal engagement, you have a Meterpreter session on a dual-homed Linux host (10.0.5.20). This host also has an interface on 172.16.30.0/24, a segment your attack machine cannot reach directly. You need to connect your local RDP client to a Windows server at 172.16.30.15 on TCP 3389 through the compromised host. Which action most directly accomplishes this?","acceptedAnswer":{"@type":"Answer","text":"Run 'portfwd add -l 3389 -p 3389 -r 172.16.30.15' from the Meterpreter session, then point your RDP client at 127.0.0.1:3389"},"suggestedAnswer":[{"@type":"Answer","text":"Add a static route on your attack machine to 172.16.30.0/24 via 10.0.5.20 using the OS route command"},{"@type":"Answer","text":"Run 'run autoroute -s 172.16.30.0/24' and connect your RDP client directly to 172.16.30.15"},{"@type":"Answer","text":"Start an ARP spoofing module on 10.0.5.20 to redirect 172.16.30.15 traffic back to your attack machine"}]},{"@context":"https://schema.org","@type":"Question","text":"During a Linux post-exploitation phase, you created a persistence mechanism by copying /bin/bash to /tmp/.sysd and setting the SUID bit so you could regain root access. The engagement is now complete, and the rules of engagement require you to restore the environment to its original state. Which action MUST be documented and performed to properly clean up this specific artifact?","acceptedAnswer":{"@type":"Answer","text":"Remove the /tmp/.sysd file and note the removal, timestamp, and hash in the cleanup log"},"suggestedAnswer":[{"@type":"Answer","text":"Reset the SUID bit on the original /bin/bash to restore default permissions"},{"@type":"Answer","text":"Clear the /var/log/auth.log entries that recorded the copy command"},{"@type":"Answer","text":"Reboot the host to flush the SUID binary from memory"}]},{"@context":"https://schema.org","@type":"Question","text":"During a Linux post-exploitation phase, a penetration tester gains root access to a web server through a kernel exploit. The tester wants to maintain reliable access that survives reboots and does not depend on the current vulnerable process, while blending in with normal administrative activity. The server exposes SSH to a management VLAN the tester can reach through an established pivot. Which persistence technique BEST meets these requirements?","acceptedAnswer":{"@type":"Answer","text":"Append the tester's public key to the root account's ~/.ssh/authorized_keys file"},"suggestedAnswer":[{"@type":"Answer","text":"Keep the interactive shell from the kernel exploit open in a screen session"},{"@type":"Answer","text":"Re-run the same kernel exploit each time access is needed"},{"@type":"Answer","text":"Bind a Netcat listener to a high port using a foreground shell process"}]},{"@context":"https://schema.org","@type":"Question","text":"During an internal penetration test, you have gained an initial foothold and want to generate a standalone Windows executable payload that connects back to your Metasploit listener. Your first payload was immediately quarantined by the target's signature-based antivirus. Which msfvenom approach BEST improves the chance the new payload evades detection while maintaining a working reverse connection?","acceptedAnswer":{"@type":"Answer","text":"Use msfvenom with multiple iterations of an encoder (e.g., -e x86/shikata_ga_nai -i 10) and embed the shellcode into a legitimate template executable using -x"},"suggestedAnswer":[{"@type":"Answer","text":"Generate the payload with a staged reverse_tcp handler but omit the LHOST parameter so no signature can be built"},{"@type":"Answer","text":"Increase the payload size by padding with NOP sleds using the -n flag until the file exceeds the AV scan limit"},{"@type":"Answer","text":"Switch the output format to raw shellcode with -f raw and deliver it directly, since AV cannot scan raw binary data"}]},{"@context":"https://schema.org","@type":"Question","text":"A penetration testing firm is finalizing pre-engagement paperwork for a client. During scoping, the client's IT manager verbally authorizes testing of a marketing web application that is hosted and fully managed by a separate managed service provider (MSSP). The IT manager insists this asset is 'in scope' and asks the testers to begin immediately. What is the tester's most appropriate action before testing that application?","acceptedAnswer":{"@type":"Answer","text":"Obtain written authorization from a party with the legal authority to permit testing of the MSSP-managed asset before including it in scope"},"suggestedAnswer":[{"@type":"Answer","text":"Begin testing immediately since the IT manager has operational responsibility for the marketing application"},{"@type":"Answer","text":"Add the application to the scope document and note the IT manager's verbal approval in the final report"},{"@type":"Answer","text":"Exclude the application from all testing and reporting because MSSP-hosted assets can never be tested"}]},{"@context":"https://schema.org","@type":"Question","text":"During an internal engagement, you run a credentialed Nessus scan against a Windows server. The report lists a plugin flagged as 'Critical' with a CVSS base score of 9.8, but the plugin output notes 'This is a potential vulnerability — the affected service was detected but the patch level could not be confirmed remotely.' Your client wants to prioritize remediation efficiently. What is the most appropriate next step before reporting this as a confirmed critical finding?","acceptedAnswer":{"@type":"Answer","text":"Manually verify the finding by checking the installed patch level and version on the host, then attempt to confirm exploitability"},"suggestedAnswer":[{"@type":"Answer","text":"Report the finding as a confirmed Critical based on the CVSS 9.8 score to ensure the client patches quickly"},{"@type":"Answer","text":"Immediately re-run the scan with all safe checks disabled to force exploitation of the service"},{"@type":"Answer","text":"Downgrade the finding to Informational because Nessus could not confirm the patch level"}]},{"@context":"https://schema.org","@type":"Question","text":"During an internal penetration test, you are connected directly to the 192.168.50.0/24 subnet via an authorized drop. You need to build an accurate inventory of live hosts on this local segment, but several hosts have host-based firewalls that drop ICMP echo requests. Which Nmap command will most reliably discover live hosts on this segment?","acceptedAnswer":{"@type":"Answer","text":"nmap -sn -PR 192.168.50.0/24"},"suggestedAnswer":[{"@type":"Answer","text":"nmap -sn -PE 192.168.50.0/24"},{"@type":"Answer","text":"nmap -sn -Pn 192.168.50.0/24"},{"@type":"Answer","text":"nmap -sS -p- 192.168.50.0/24"}]},{"@context":"https://schema.org","@type":"Question","text":"During an internal engagement, you connect to a jump host where you only have a standard (non-root) user account. You attempt to run 'nmap -sS 10.10.5.0/24' to perform a SYN scan across the subnet, but Nmap warns it is falling back to a different scan type. Which explanation best describes what is happening and how to proceed effectively?","acceptedAnswer":{"@type":"Answer","text":"SYN scanning requires raw packet (root/CAP_NET_RAW) privileges; without them Nmap falls back to a TCP connect scan (-sT), which completes the full three-way handshake and is noisier but still valid"},"suggestedAnswer":[{"@type":"Answer","text":"The subnet is being blocked by a firewall, so Nmap automatically switches to a UDP scan to bypass the filtering rules"},{"@type":"Answer","text":"SYN scans only work against Windows hosts, so Nmap detected Linux targets and downgraded to an ICMP-only ping sweep"},{"@type":"Answer","text":"Nmap requires the -Pn flag to run a SYN scan, and adding it will restore raw SYN scanning without elevated privileges"}]},{"@context":"https://schema.org","@type":"Question","text":"During an authorized external assessment, a penetration tester wants to enumerate open ports on a target host while making it difficult for the target's SOC to identify which source IP is the true origin of the scan. The tester decides to use a zombie host with predictable IP ID sequence numbers to bounce the scan off of, so the target never receives packets directly from the tester's real address. Which Nmap technique should the tester use?","acceptedAnswer":{"@type":"Answer","text":"Idle scan using -sI with a suitable zombie host"},"suggestedAnswer":[{"@type":"Answer","text":"Decoy scan using -D with multiple spoofed source addresses"},{"@type":"Answer","text":"Fragmentation scan using -f to split packets"},{"@type":"Answer","text":"Source port manipulation using --source-port 53"}]},{"@context":"https://schema.org","@type":"Question","text":"During an internal engagement, you run Nmap against a /24 subnet and export the results with the -oX flag to results.xml. Your team lead asks you to quickly produce a clean list of only the hosts that have TCP port 3389 open, so it can be fed into a follow-up RDP audit script. Which approach most efficiently produces this filtered list from the existing scan output?","acceptedAnswer":{"@type":"Answer","text":"Convert the XML output to a grepable format (or parse it) and extract addresses where port 3389 shows state 'open', for example using nmap -oG or a script that reads the XML and filters on port/state"},"suggestedAnswer":[{"@type":"Answer","text":"Re-run Nmap with -p 3389 --open across the subnet and manually copy the results into a text file"},{"@type":"Answer","text":"Open results.xml in a browser and visually scan each host block for the 3389 entry, pasting matches by hand"},{"@type":"Answer","text":"Import results.xml into Nessus and rely on its RDP plugin to regenerate the host list"}]},{"@context":"https://schema.org","@type":"Question","text":"During an internal engagement, you have identified a web server running on 10.0.5.22 over ports 80 and 443. The client has authorized active enumeration of exposed web content. You want to use Nmap to discover common web directories, application paths, and interesting files on the host before launching a dedicated web scanner. Which Nmap command best supports this goal?","acceptedAnswer":{"@type":"Answer","text":"nmap -p 80,443 --script http-enum 10.0.5.22"},"suggestedAnswer":[{"@type":"Answer","text":"nmap -p 80,443 -sV --version-intensity 9 10.0.5.22"},{"@type":"Answer","text":"nmap -p 80,443 --script ssl-cert 10.0.5.22"},{"@type":"Answer","text":"nmap -p 80,443 -O --osscan-guess 10.0.5.22"}]},{"@context":"https://schema.org","@type":"Question","text":"During an internal engagement, you have identified several Windows hosts with TCP port 445 open. Before attempting exploitation, you want to safely check whether these hosts are vulnerable to known SMB flaws (such as MS17-010) and gather additional SMB configuration details using Nmap. Which command best accomplishes this enumeration goal?","acceptedAnswer":{"@type":"Answer","text":"nmap -p445 --script smb-vuln-ms17-010,smb-os-discovery,smb-security-mode 10.10.5.0/24"},"suggestedAnswer":[{"@type":"Answer","text":"nmap -p445 --script smb-brute --script-args userdb=users.txt,passdb=pass.txt 10.10.5.0/24"},{"@type":"Answer","text":"nmap -sU -p445 -A 10.10.5.0/24"},{"@type":"Answer","text":"nmap -p445 --script vuln --min-rate 10000 -T5 10.10.5.0/24"}]},{"@context":"https://schema.org","@type":"Question","text":"During an internal engagement, a penetration tester needs to identify the operating system running on a target host at 10.10.5.20 to tailor subsequent exploitation. The tester wants Nmap to perform TCP/IP stack fingerprinting and report a best-guess OS even if the results are not definitive. Which command should the tester run?","acceptedAnswer":{"@type":"Answer","text":"nmap -O --osscan-guess 10.10.5.20"},"suggestedAnswer":[{"@type":"Answer","text":"nmap -sV --version-intensity 9 10.10.5.20"},{"@type":"Answer","text":"nmap -sn 10.10.5.20"},{"@type":"Answer","text":"nmap -sU -p 137 --script smb-os-discovery 10.10.5.20"}]},{"@context":"https://schema.org","@type":"Question","text":"During an external assessment, you run 'nmap -sS -p- 203.0.113.45' and receive results showing port 443 as 'open', ports 22 and 3389 as 'filtered', and all other ports as 'closed'. The client insists SSH (22) is running and reachable internally. Which conclusion best explains the 'filtered' state for ports 22 and 3389?","acceptedAnswer":{"@type":"Answer","text":"A firewall or packet filter is dropping the SYN probes without returning a response, so Nmap cannot determine if the ports are open or closed"},"suggestedAnswer":[{"@type":"Answer","text":"The services on ports 22 and 3389 have crashed and are no longer listening on the target host"},{"@type":"Answer","text":"The target host sent a RST packet for ports 22 and 3389, indicating no service is bound to them"},{"@type":"Answer","text":"Nmap identified the service versions but could not fingerprint them, marking the ports as filtered"}]},{"@context":"https://schema.org","@type":"Question","text":"During an internal penetration test, you have identified a host at 10.10.5.42 with several open TCP ports. Your goal now is to determine the exact software and version running on each open port so you can cross-reference them against known vulnerability databases. Which Nmap command best accomplishes this enumeration objective?","acceptedAnswer":{"@type":"Answer","text":"nmap -sV --version-intensity 9 10.10.5.42"},"suggestedAnswer":[{"@type":"Answer","text":"nmap -sn 10.10.5.42"},{"@type":"Answer","text":"nmap -sS -Pn 10.10.5.42"},{"@type":"Answer","text":"nmap -O 10.10.5.42"}]},{"@context":"https://schema.org","@type":"Question","text":"During a post-exploitation phase on a compromised Windows Server 2019 host, a penetration tester wants to store a secondary payload on disk in a way that keeps it out of casual directory listings and standard file browsing, while still allowing it to be executed later. The tester decides to hide the executable behind a legitimate log file already present in C:\\Logs\\system.log. Which technique achieves this goal?","acceptedAnswer":{"@type":"Answer","text":"Append the payload to an NTFS Alternate Data Stream, e.g. type payload.exe > C:\\Logs\\system.log:update.exe"},"suggestedAnswer":[{"@type":"Answer","text":"Set the payload file's attributes to hidden and system using attrib +h +s payload.exe"},{"@type":"Answer","text":"Compress the payload into a password-protected ZIP archive and place it in the Recycle Bin"},{"@type":"Answer","text":"Rename the payload with a .log extension and move it into C:\\Logs\\"}]},{"@context":"https://schema.org","@type":"Question","text":"During a web application assessment, a tester examines an OAuth 2.0 authorization code flow. The authorization server validates the redirect_uri parameter using only a prefix match (it checks that the value begins with https://app.example.com). The tester notices the client application also hosts an open redirect at https://app.example.com/go?url=. Which attack does this combination most directly enable?","acceptedAnswer":{"@type":"Answer","text":"Stealing the authorization code by chaining the open redirect to forward the code to an attacker-controlled host"},"suggestedAnswer":[{"@type":"Answer","text":"Downgrading the flow to the implicit grant to expose the client secret"},{"@type":"Answer","text":"Forging a JWT by exploiting the 'none' algorithm during token issuance"},{"@type":"Answer","text":"Performing a CSRF attack against the token revocation endpoint"}]},{"@context":"https://schema.org","@type":"Question","text":"During an internal engagement, you run both an unauthenticated and a credentialed OpenVAS scan against the same Windows workstation. The unauthenticated scan reports a critical remote code execution vulnerability in an outdated version of a service, but the credentialed scan does not list that finding at all. Local patch records confirm the relevant update was installed last month. Which conclusion best explains the discrepancy, and what should you do?","acceptedAnswer":{"@type":"Answer","text":"The unauthenticated finding is likely a false positive based on a stale service banner; correlate with the patch-level data from the credentialed scan and manually verify before reporting."},"suggestedAnswer":[{"@type":"Answer","text":"The credentialed scan missed the vulnerability due to insufficient privileges; report the critical RCE from the unauthenticated scan as confirmed."},{"@type":"Answer","text":"Both results are valid; report the vulnerability twice, once as critical and once as informational, to reflect each scan perspective."},{"@type":"Answer","text":"The patch records are unreliable; escalate to the client immediately and recommend re-imaging the workstation before continuing testing."}]},{"@context":"https://schema.org","@type":"Question","text":"During a web application assessment, a tester notices that an authentication token is passed in a cookie as a base64-encoded, AES-CBC-encrypted blob. When the tester submits a token with a slightly altered final block, the server returns a distinct '500 Internal Server Error' (invalid padding), whereas a semantically invalid but well-padded token returns a '403 Forbidden'. The tester wants to recover the plaintext of the token without knowing the encryption key. Which attack should the tester perform?","acceptedAnswer":{"@type":"Answer","text":"A padding oracle attack, using the differing server responses to decrypt the ciphertext byte-by-byte"},"suggestedAnswer":[{"@type":"Answer","text":"A length extension attack to append forged data to the encrypted token"},{"@type":"Answer","text":"A brute-force attack against the AES key using a GPU cracking rig"},{"@type":"Answer","text":"A birthday attack to find a hash collision in the token generation function"}]},{"@context":"https://schema.org","@type":"Question","text":"During an internal penetration test, you dump the local SAM database on a compromised Windows workstation and recover the NTLM hash for a local administrator account. You discover that this same local admin account and password are reused across many hosts in the environment. The target hosts require NTLM authentication and you do not have the cleartext password. Which technique lets you authenticate to the other hosts and move laterally using only the recovered hash?","acceptedAnswer":{"@type":"Answer","text":"Pass-the-hash using a tool such as impacket-psexec or CrackMapExec with the NTLM hash"},"suggestedAnswer":[{"@type":"Answer","text":"Kerberoasting to request and crack the service account TGS ticket offline"},{"@type":"Answer","text":"Perform an LLMNR/NBT-NS poisoning attack with Responder to relay credentials"},{"@type":"Answer","text":"Run a brute-force attack with Hydra against RDP using the hash as the password"}]},{"@context":"https://schema.org","@type":"Question","text":"During the social-engineering discovery phase of an authorized engagement, a penetration tester is preparing a spear-phishing campaign against a company's finance department. The tester has already collected employee names, job titles, and email addresses. To maximize the credibility of the pretext before launching the campaign, which additional discovery activity provides the MOST value?","acceptedAnswer":{"@type":"Answer","text":"Research the target's recent press releases, vendor relationships, and internal terminology from public sources to craft a contextually believable lure"},"suggestedAnswer":[{"@type":"Answer","text":"Run a full credentialed Nessus scan of the finance department's workstations to identify missing patches"},{"@type":"Answer","text":"Perform an Nmap SYN scan against the company's external mail gateway to map open ports"},{"@type":"Answer","text":"Attempt SMTP VRFY commands against the mail server to validate that each address exists"}]},{"@context":"https://schema.org","@type":"Question","text":"During a web application assessment, a tester notices that a search feature validates user input against a regular expression on the server side. When the tester submits a long string of repeated characters ending in a non-matching character (e.g., 'aaaaaaaaaaaaaaaaaaaa!'), the server takes over 30 seconds to respond and CPU utilization spikes to 100%. Submitting shorter inputs returns instantly. Which vulnerability is the tester most likely exploiting?","acceptedAnswer":{"@type":"Answer","text":"Regular Expression Denial of Service (ReDoS) via catastrophic backtracking"},"suggestedAnswer":[{"@type":"Answer","text":"Server-Side Request Forgery (SSRF) through the search parameter"},{"@type":"Answer","text":"SQL injection causing a full table scan and query delay"},{"@type":"Answer","text":"XML External Entity (XXE) billion-laughs entity expansion"}]},{"@context":"https://schema.org","@type":"Question","text":"During an internal network penetration test, you have no valid domain credentials. You notice that hosts on the local subnet frequently broadcast LLMNR and NBT-NS name resolution requests for mistyped or unresolved hostnames. You want to capture credential material and then use it to authenticate to another host that has SMB signing disabled. Which combination of techniques best achieves this?","acceptedAnswer":{"@type":"Answer","text":"Use Responder to poison LLMNR/NBT-NS responses and capture NetNTLMv2 hashes, then relay them with ntlmrelayx to the target with SMB signing disabled"},"suggestedAnswer":[{"@type":"Answer","text":"Use Responder to capture NetNTLMv2 hashes, then pass-the-hash directly with the captured NetNTLMv2 value using CrackMapExec"},{"@type":"Answer","text":"Run an ARP spoofing attack with Ettercap to intercept Kerberos tickets and replay them against the target host"},{"@type":"Answer","text":"Perform a DNS cache poisoning attack to redirect SMB traffic, then extract cleartext NTLM credentials from the captured packets"}]},{"@context":"https://schema.org","@type":"Question","text":"During a web application assessment, a penetration tester notices that the application assigns a session identifier in the URL before login and continues to use that same identifier after the user authenticates. The tester sends a victim a crafted link containing a session ID the tester already knows, waits for the victim to log in, and then reuses the same session ID to access the victim's authenticated session. Which vulnerability did the tester exploit?","acceptedAnswer":{"@type":"Answer","text":"Session fixation"},"suggestedAnswer":[{"@type":"Answer","text":"Cross-site request forgery (CSRF)"},{"@type":"Answer","text":"Session hijacking via packet sniffing"},{"@type":"Answer","text":"Insecure direct object reference (IDOR)"}]},{"@context":"https://schema.org","@type":"Question","text":"During an internal engagement, you capture NTLMv2 authentication attempts using Responder but need to escalate beyond offline cracking, which is too slow given weak-password policy is enforced. You enumerate the domain and identify several hosts where SMB signing is not required. You want to leverage the captured authentication to gain command execution on one of these hosts. What is the MOST effective next step?","acceptedAnswer":{"@type":"Answer","text":"Configure Responder to disable its SMB and HTTP servers, then use ntlmrelayx.py to relay the incoming authentication to a target host with SMB signing disabled"},"suggestedAnswer":[{"@type":"Answer","text":"Feed the captured NTLMv2 hashes into hashcat with a larger wordlist and rule set to speed up cracking"},{"@type":"Answer","text":"Perform a pass-the-hash attack using the NTLMv2 hash directly against the target host with impacket's psexec"},{"@type":"Answer","text":"Use the captured hash to request a Kerberos TGT and forge a golden ticket for domain-wide access"}]},{"@context":"https://schema.org","@type":"Question","text":"During a web application assessment, you confirm a SQL injection vulnerability in a Microsoft SQL Server backend. However, the application returns no error messages, no visible query output, and no measurable time delays when you inject boolean or time-based payloads. Outbound TCP to the internet is blocked, but the database server is permitted to make outbound DNS queries. Which technique is most appropriate to extract data from this database?","acceptedAnswer":{"@type":"Answer","text":"Trigger an out-of-band DNS exfiltration using xp_dirtree to a UNC path containing subqueried data"},"suggestedAnswer":[{"@type":"Answer","text":"Use a UNION-based injection to append the target columns to the visible result set"},{"@type":"Answer","text":"Perform a heavy time-based blind extraction using WAITFOR DELAY on each character"},{"@type":"Answer","text":"Force verbose SQL error messages with a CAST conversion to leak data in the response body"}]},{"@context":"https://schema.org","@type":"Question","text":"During a web application assessment, you identify a product-listing page with a parameter (?id=12) that appears vulnerable to SQL injection. Before extracting data via a UNION-based attack, you need to determine the number of columns returned by the original query. Which technique should you use FIRST to reliably enumerate the correct column count?","acceptedAnswer":{"@type":"Answer","text":"Inject sequential 'ORDER BY n--' statements, incrementing n until the application returns an error"},"suggestedAnswer":[{"@type":"Answer","text":"Inject 'UNION SELECT NULL-- ' and immediately attempt to read table names from information_schema"},{"@type":"Answer","text":"Append 'AND 1=1--' and 'AND 1=2--' to confirm boolean-based blind injection timing differences"},{"@type":"Answer","text":"Submit 'WAITFOR DELAY '0:0:10'--' to measure response latency and infer column structure"}]}]}
CompTIA · Intermediate · Full-length timed mock

CompTIA PenTest+ (PT0-003) (PT0-003) full-length practice exam

Sit a free, full-length PT0-003 mock exam under real timed conditions: 90 exam-style questions in 165 minutes — about 110 seconds per question — with 75% to pass. The clock runs in real time and the screen stays completely ad-free from the moment you start until you submit.

Verified answer90 questions165 minutes
90
Questions
165 min
Time limit
75%
Pass mark
5
Domains

How this timed PT0-003 mock exam works

  • One real-time clock. You get 165 minutes for all 90 questions. The timer counts down continuously — even if you close the tab — and the exam auto-submits the instant it reaches zero, exactly like the proctored test.
  • No answers until the end. Unlike topic drills, the mock hides feedback while you work. Choose an option, move on, and flag anything you want to revisit using the question navigator.
  • Jump around freely. The navigator grid shows which questions you have answered so you can manage your pace and return to skipped items before time runs out.
  • Your progress is saved. Answers, your place in the exam, and the remaining time are stored in your browser, so an accidental refresh drops you right back where you were.
  • Ad-free while you test. Ads only appear on this landing page. Once the exam starts, the screen is clean until you submit.

What your PT0-003 results show

When you submit, you get an overall score against the 75% pass mark and a per-domain breakdown. Weak domains are highlighted in amber so you know exactly where to focus, and every question links straight to its full explanation and a breakdown of why each wrong option is wrong.

Engagement Management13% of exam
Reconnaissance and Enumeration21% of exam
Vulnerability Discovery and Analysis17% of exam
Attacks and Exploits35% of exam
Post-exploitation and Lateral Movement14% of exam

How to get the most out of it

Treat this like the real exam: find a quiet hour, put your notes away, and do not pause. Aim to finish with a few minutes to spare so you can revisit flagged questions. If you clear the pass mark comfortably on two separate attempts, you are in good shape to book the live PT0-003. If a single domain keeps dragging you down, drill it on the topic pages, then come back and retake the full mock.

Disclaimer

Not affiliated with or endorsed by CompTIA. CompTIA, PT0-003, and related product names are trademarks or registered trademarks of their respective owners, used here for identification and study reference only. These practice questions are original study material written to align with the published PT0-003 exam objectives — none are reproduced from a live test. For authoritative, up-to-date requirements, always consult the official CompTIA certification documentation.

Ready for the full PT0-003 mock exam?

90 questions · 165 minutes · 75% to pass. The clock runs in real time and the screen stays ad-free until you submit — just like the real thing.