"},{"@type":"Answer","text":"' OR '1'='1' --"},{"@type":"Answer","text":"../../../../etc/passwd%00"}]},{"@context":"https://schema.org","@type":"Question","text":"During an internal engagement, you have compromised an account that is a member of a group with the 'Replicating Directory Changes' and 'Replicating Directory Changes All' extended rights on the domain object. You want to obtain the NTLM hash of the KRBTGT account without executing code on a domain controller or triggering endpoint detection on the DC itself. Which technique should you use?","acceptedAnswer":{"@type":"Answer","text":"Run a DCSync attack using mimikatz 'lsadump::dcsync /user:krbtgt' from your foothold to request replication of the account's secrets"},"suggestedAnswer":[{"@type":"Answer","text":"Upload and run secretsdump against the local SAM hive of the compromised workstation to extract the KRBTGT hash"},{"@type":"Answer","text":"Deploy Mimikatz directly on the domain controller and run 'sekurlsa::logonpasswords' against LSASS memory"},{"@type":"Answer","text":"Perform Kerberoasting against the KRBTGT SPN and crack the resulting ticket offline"}]},{"@context":"https://schema.org","@type":"Question","text":"During a web application test, you discover an endpoint that fetches remote URLs supplied by the user to generate link previews. The application blocks requests to RFC 1918 addresses and localhost by resolving the hostname once and validating the resulting IP before making the request. You control an external domain and its authoritative DNS server. Which technique most effectively bypasses this filter to reach an internal service?","acceptedAnswer":{"@type":"Answer","text":"Use a DNS rebinding attack: return a public IP on the first resolution (validation) and an internal IP with a very low TTL on the second resolution (fetch)"},"suggestedAnswer":[{"@type":"Answer","text":"Encode the internal IP address in hexadecimal or octal notation within the URL to evade the string-based blocklist"},{"@type":"Answer","text":"Submit a URL with an @ symbol so the application parses the internal host as credentials rather than the destination"},{"@type":"Answer","text":"Send the request over HTTPS so the TLS layer prevents the application from inspecting the destination IP address"}]},{"@context":"https://schema.org","@type":"Question","text":"During an internal penetration test, you have compromised a domain controller and extracted the KRBTGT account's NTLM hash using DCSync. The client asks you to demonstrate a persistence technique that would let you impersonate any user in the domain—including nonexistent accounts—without relying on the DC to validate account existence, and that would survive individual user password resets. Which technique should you demonstrate?","acceptedAnswer":{"@type":"Answer","text":"Forge a Golden Ticket by crafting a Kerberos TGT signed with the KRBTGT hash"},"suggestedAnswer":[{"@type":"Answer","text":"Perform a Silver Ticket attack using a captured service account hash"},{"@type":"Answer","text":"Conduct an overpass-the-hash attack with a standard user's NTLM hash"},{"@type":"Answer","text":"Execute a Kerberoasting attack against service principal names"}]},{"@context":"https://schema.org","@type":"Question","text":"During a password-cracking phase, you have captured a large set of NTLM hashes. The client's documented password policy requires exactly 8 characters: one uppercase letter, followed by five lowercase letters, followed by two digits. A straight dictionary attack has yielded few results. Which hashcat approach best leverages this known policy to efficiently recover the remaining hashes?","acceptedAnswer":{"@type":"Answer","text":"A mask attack using the pattern ?u?l?l?l?l?l?d?d"},"suggestedAnswer":[{"@type":"Answer","text":"A pure brute-force attack across the full keyspace with -a 3 and no mask"},{"@type":"Answer","text":"A straight (dictionary) attack with the rockyou.txt wordlist and no rules"},{"@type":"Answer","text":"A combinator attack merging two copies of the same wordlist"}]},{"@context":"https://schema.org","@type":"Question","text":"During a web application assessment, you discover a GraphQL API endpoint at /graphql. The application does not appear to expose its schema in any documentation. You want to map every available query, mutation, and type before attempting authorization bypass testing. Which technique should you use first to enumerate the full API structure?","acceptedAnswer":{"@type":"Answer","text":"Send an introspection query (e.g., the __schema and __type meta-fields) to the endpoint to retrieve the complete type system"},"suggestedAnswer":[{"@type":"Answer","text":"Fuzz the endpoint with a wordlist of common REST paths such as /api/v1/users to discover hidden resources"},{"@type":"Answer","text":"Submit a batched array of aliased queries to trigger a denial-of-service and reveal error stack traces"},{"@type":"Answer","text":"Perform a SQL injection test against the id parameter to enumerate backend database tables"}]},{"@context":"https://schema.org","@type":"Question","text":"During a web application test, a penetration tester finds that submitting `role=user` in a POST request is enforced server-side, but the backend framework processes duplicate parameters by concatenating or selecting the last value. The tester crafts a request with `role=user&role=admin` and observes that the application grants administrative access. Which attack technique did the tester successfully exploit?","acceptedAnswer":{"@type":"Answer","text":"HTTP parameter pollution (HPP)"},"suggestedAnswer":[{"@type":"Answer","text":"HTTP request smuggling (CL.TE desync)"},{"@type":"Answer","text":"Mass assignment via JSON body injection"},{"@type":"Answer","text":"Cross-site request forgery (CSRF)"}]},{"@context":"https://schema.org","@type":"Question","text":"During a web application assessment, you notice a front-end proxy and a back-end server disagree on how to determine message length. You craft a request where the front-end honors the Content-Length header while the back-end honors the Transfer-Encoding: chunked header, allowing part of your request to be prepended to the next user's request. Which attack are you performing?","acceptedAnswer":{"@type":"Answer","text":"HTTP request smuggling using a CL.TE desynchronization"},"suggestedAnswer":[{"@type":"Answer","text":"Server-side request forgery (SSRF) via header injection"},{"@type":"Answer","text":"HTTP response splitting through CRLF injection"},{"@type":"Answer","text":"Cross-site request forgery (CSRF) using a malicious form"}]},{"@context":"https://schema.org","@type":"Question","text":"During a web application assessment, a penetration tester logged in as a low-privileged user and intercepted the following API request in Burp Suite: GET /api/v2/invoices/1042 HTTP/1.1 with a valid session token. The tester changed the value to /api/v2/invoices/1041 and received a 200 response containing another customer's billing details, including full name and payment card last-four digits. No error or additional authentication challenge occurred. Which vulnerability has the tester most likely confirmed?","acceptedAnswer":{"@type":"Answer","text":"Insecure Direct Object Reference (IDOR) due to missing object-level authorization"},"suggestedAnswer":[{"@type":"Answer","text":"Reflected cross-site scripting (XSS) in the invoice parameter"},{"@type":"Answer","text":"Server-side request forgery (SSRF) against the billing backend"},{"@type":"Answer","text":"SQL injection in the invoice ID path parameter"}]},{"@context":"https://schema.org","@type":"Question","text":"During a web application assessment, you intercept a POST request in Burp Suite and notice a base64-encoded parameter that decodes to a byte stream beginning with the hex signature 'AC ED 00 05'. The application is built on Apache Struts and uses this parameter to store session state. Which attack technique is MOST likely to lead to remote code execution against this endpoint?","acceptedAnswer":{"@type":"Answer","text":"Craft a malicious serialized Java object using a gadget chain (e.g., via ysoserial) and submit it in the parameter"},"suggestedAnswer":[{"@type":"Answer","text":"Perform a UNION-based SQL injection by appending crafted SQL to the decoded parameter"},{"@type":"Answer","text":"Inject a stored XSS payload into the parameter to execute JavaScript in the admin's browser"},{"@type":"Answer","text":"Use HTTP parameter pollution to duplicate the parameter and bypass server-side validation"}]},{"@context":"https://schema.org","@type":"Question","text":"During an internal engagement, you notice the target Windows environment has IPv6 enabled on all workstations but no DHCPv6 server is deployed. You want to become the primary DNS server for these hosts to capture and relay authentication traffic to a domain controller. Which technique should you use to exploit this misconfiguration?","acceptedAnswer":{"@type":"Answer","text":"Use mitm6 to spoof DHCPv6 replies and advertise your host as the IPv6 DNS server, then relay captured credentials with ntlmrelayx"},"suggestedAnswer":[{"@type":"Answer","text":"Launch an ARP cache poisoning attack with Ettercap to redirect IPv4 traffic through your host"},{"@type":"Answer","text":"Perform an SLAAC-only router advertisement flood to exhaust the IPv4 DHCP scope"},{"@type":"Answer","text":"Run Responder in analyze-only mode to passively fingerprint LLMNR broadcasts without responding"}]},{"@context":"https://schema.org","@type":"Question","text":"During an API assessment, you capture a JSON Web Token (JWT) used for authentication. Decoding it reveals a header of {\"alg\":\"HS256\",\"typ\":\"JWT\"} and a payload containing {\"user\":\"analyst\",\"role\":\"user\"}. You want to escalate to an administrative role. Which technique should you attempt FIRST to test for a common JWT verification flaw?","acceptedAnswer":{"@type":"Answer","text":"Modify the payload to \"role\":\"admin\", change the header algorithm to \"none\", and remove the signature to test whether the server validates signatures"},"suggestedAnswer":[{"@type":"Answer","text":"Brute-force the HS256 secret with a full 256-bit keyspace using a GPU cluster before making any request"},{"@type":"Answer","text":"Base64-encode a new random signature and append it, expecting the server to accept any well-formed token"},{"@type":"Answer","text":"Replay the original unmodified token repeatedly to trigger a session fixation vulnerability"}]},{"@context":"https://schema.org","@type":"Question","text":"During an internal Active Directory assessment, you have valid low-privileged domain user credentials. You want to obtain credentials for service accounts without triggering account lockouts or interacting directly with the target service hosts. You run a tool that requests Kerberos service tickets for accounts with an SPN set and exports the ticket hashes. What is the primary reason this technique is effective, and what must you do next?","acceptedAnswer":{"@type":"Answer","text":"TGS-REP tickets are encrypted with the service account's password hash, so you can crack them offline to recover the plaintext password"},"suggestedAnswer":[{"@type":"Answer","text":"AS-REP responses are returned without pre-authentication, so you replay the ticket directly to authenticate as the service account"},{"@type":"Answer","text":"The KDC returns the NTLM hash of the service account in cleartext, so you pass the hash to move laterally immediately"},{"@type":"Answer","text":"The service tickets contain the KRBTGT hash, so you forge a golden ticket to impersonate any domain user"}]}]}
CompTIA PenTest+ (PT0-003) · Domain 4 · 35% of exam

Attacks and Exploits

Drill 20 practice questions focused entirely on Attacks and Exploits for the CompTIA PT0-003 exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.

Verified answer20 questions
Question 1 of 20

During a mobile application assessment, a penetration tester discovers that a corporate Android tablet used for kiosk purposes has ADB (Android Debug Bridge) exposed over the network on TCP port 5555 with no authentication. The tester can already reach the device from their laptop on the same segment. Which command allows the tester to install a repackaged, instrumented version of the target APK onto the device to observe runtime behavior and hook API calls?

Reviewed for accuracy · Report an issue
Question 2 of 20

During an internal engagement, you are positioned on a flat /24 network segment that carries traffic between a group of workstations and a legacy internal web application that authenticates over HTTP. You want to intercept credentials that users submit to this application without deploying a rogue access point or disrupting the entire segment. Which technique will most effectively allow you to capture the plaintext credentials in transit?

Reviewed for accuracy · Report an issue
Question 3 of 20

During an internal engagement, a penetration tester queries Active Directory and discovers several user accounts that have the 'Do not require Kerberos preauthentication' flag set. The tester wants to leverage this misconfiguration to obtain crackable credential material without needing any valid domain account authentication first. Which attack technique should the tester use?

Reviewed for accuracy · Report an issue
Question 4 of 20

During a cloud application assessment, you notice the web app generates AWS S3 presigned URLs to let users download their own invoice PDFs. A sample URL is: https://invoices.s3.amazonaws.com/user/1042/invoice-2024.pdf?X-Amz-Signature=abc123&X-Amz-Expires=3600&X-Amz-Credential=AKIA...%2Fs3%2Faws4_request. You change the path from user/1042 to user/1001 while keeping the same signature and query parameters. Which outcome should you expect, and what does it reveal?

Reviewed for accuracy · Report an issue
Question 5 of 20

During a cloud penetration test, you gain remote code execution on an Azure Linux VM through a vulnerable web application. You confirm the VM has a system-assigned managed identity attached. Your goal is to leverage this identity to move laterally and access other Azure resources. What is the MOST effective next step?

Reviewed for accuracy · Report an issue
Question 6 of 20

During a physical security assessment of a corporate office, you notice several employees using older Bluetooth-enabled mobile devices that remain in discoverable mode. You want to demonstrate the risk of an attacker extracting contact lists, calendar entries, and emails from these devices without the user's knowledge or authorization. Which attack technique should you use to demonstrate this specific risk?

Reviewed for accuracy · Report an issue
Question 7 of 20

During a web application assessment, you find a network diagnostic feature that pings a user-supplied hostname. When you submit '127.0.0.1; whoami' the page returns only the normal ping output with no visible command result, and time-based payloads like '127.0.0.1 && sleep 10' produce no observable delay. You suspect command injection but cannot see any output. Which technique is MOST likely to confirm the vulnerability?

Reviewed for accuracy · Report an issue
Question 8 of 20

During a web application assessment of a customer feedback portal, you notice that submitted comments are later exported by administrators into a CSV file and opened in Microsoft Excel. You want to test whether you can achieve code execution on an administrator's workstation through the data you submit. Which payload should you inject into the comment field to test this vulnerability?

Reviewed for accuracy · Report an issue
Question 9 of 20

During an internal engagement, you have compromised an account that is a member of a group with the 'Replicating Directory Changes' and 'Replicating Directory Changes All' extended rights on the domain object. You want to obtain the NTLM hash of the KRBTGT account without executing code on a domain controller or triggering endpoint detection on the DC itself. Which technique should you use?

Reviewed for accuracy · Report an issue
Question 10 of 20

During a web application test, you discover an endpoint that fetches remote URLs supplied by the user to generate link previews. The application blocks requests to RFC 1918 addresses and localhost by resolving the hostname once and validating the resulting IP before making the request. You control an external domain and its authoritative DNS server. Which technique most effectively bypasses this filter to reach an internal service?

Reviewed for accuracy · Report an issue
Question 11 of 20

During an internal penetration test, you have compromised a domain controller and extracted the KRBTGT account's NTLM hash using DCSync. The client asks you to demonstrate a persistence technique that would let you impersonate any user in the domain—including nonexistent accounts—without relying on the DC to validate account existence, and that would survive individual user password resets. Which technique should you demonstrate?

Reviewed for accuracy · Report an issue
Question 12 of 20

During a password-cracking phase, you have captured a large set of NTLM hashes. The client's documented password policy requires exactly 8 characters: one uppercase letter, followed by five lowercase letters, followed by two digits. A straight dictionary attack has yielded few results. Which hashcat approach best leverages this known policy to efficiently recover the remaining hashes?

Reviewed for accuracy · Report an issue
Question 13 of 20

During a web application assessment, you discover a GraphQL API endpoint at /graphql. The application does not appear to expose its schema in any documentation. You want to map every available query, mutation, and type before attempting authorization bypass testing. Which technique should you use first to enumerate the full API structure?

Reviewed for accuracy · Report an issue
Question 14 of 20

During a web application test, a penetration tester finds that submitting `role=user` in a POST request is enforced server-side, but the backend framework processes duplicate parameters by concatenating or selecting the last value. The tester crafts a request with `role=user&role=admin` and observes that the application grants administrative access. Which attack technique did the tester successfully exploit?

Reviewed for accuracy · Report an issue
Question 15 of 20

During a web application assessment, you notice a front-end proxy and a back-end server disagree on how to determine message length. You craft a request where the front-end honors the Content-Length header while the back-end honors the Transfer-Encoding: chunked header, allowing part of your request to be prepended to the next user's request. Which attack are you performing?

Reviewed for accuracy · Report an issue
Question 16 of 20

During a web application assessment, a penetration tester logged in as a low-privileged user and intercepted the following API request in Burp Suite: GET /api/v2/invoices/1042 HTTP/1.1 with a valid session token. The tester changed the value to /api/v2/invoices/1041 and received a 200 response containing another customer's billing details, including full name and payment card last-four digits. No error or additional authentication challenge occurred. Which vulnerability has the tester most likely confirmed?

Reviewed for accuracy · Report an issue
Question 17 of 20

During a web application assessment, you intercept a POST request in Burp Suite and notice a base64-encoded parameter that decodes to a byte stream beginning with the hex signature 'AC ED 00 05'. The application is built on Apache Struts and uses this parameter to store session state. Which attack technique is MOST likely to lead to remote code execution against this endpoint?

Reviewed for accuracy · Report an issue
Question 18 of 20

During an internal engagement, you notice the target Windows environment has IPv6 enabled on all workstations but no DHCPv6 server is deployed. You want to become the primary DNS server for these hosts to capture and relay authentication traffic to a domain controller. Which technique should you use to exploit this misconfiguration?

Reviewed for accuracy · Report an issue
Question 19 of 20

During an API assessment, you capture a JSON Web Token (JWT) used for authentication. Decoding it reveals a header of {"alg":"HS256","typ":"JWT"} and a payload containing {"user":"analyst","role":"user"}. You want to escalate to an administrative role. Which technique should you attempt FIRST to test for a common JWT verification flaw?

Reviewed for accuracy · Report an issue
Question 20 of 20

During an internal Active Directory assessment, you have valid low-privileged domain user credentials. You want to obtain credentials for service accounts without triggering account lockouts or interacting directly with the target service hosts. You run a tool that requests Kerberos service tickets for accounts with an SPN set and exports the ticket hashes. What is the primary reason this technique is effective, and what must you do next?

Reviewed for accuracy · Report an issue

More PT0-003 practice

Keep going with the other CompTIA PenTest+ (PT0-003) domains, or take a full timed mock exam.

← Back to PT0-003 overview