Attacks and Exploits
Drill 20 practice questions focused entirely on Attacks and Exploits for the CompTIA PT0-003 exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.
During a mobile application assessment, a penetration tester discovers that a corporate Android tablet used for kiosk purposes has ADB (Android Debug Bridge) exposed over the network on TCP port 5555 with no authentication. The tester can already reach the device from their laptop on the same segment. Which command allows the tester to install a repackaged, instrumented version of the target APK onto the device to observe runtime behavior and hook API calls?
During an internal engagement, you are positioned on a flat /24 network segment that carries traffic between a group of workstations and a legacy internal web application that authenticates over HTTP. You want to intercept credentials that users submit to this application without deploying a rogue access point or disrupting the entire segment. Which technique will most effectively allow you to capture the plaintext credentials in transit?
During an internal engagement, a penetration tester queries Active Directory and discovers several user accounts that have the 'Do not require Kerberos preauthentication' flag set. The tester wants to leverage this misconfiguration to obtain crackable credential material without needing any valid domain account authentication first. Which attack technique should the tester use?
During a cloud application assessment, you notice the web app generates AWS S3 presigned URLs to let users download their own invoice PDFs. A sample URL is: https://invoices.s3.amazonaws.com/user/1042/invoice-2024.pdf?X-Amz-Signature=abc123&X-Amz-Expires=3600&X-Amz-Credential=AKIA...%2Fs3%2Faws4_request. You change the path from user/1042 to user/1001 while keeping the same signature and query parameters. Which outcome should you expect, and what does it reveal?
During a cloud penetration test, you gain remote code execution on an Azure Linux VM through a vulnerable web application. You confirm the VM has a system-assigned managed identity attached. Your goal is to leverage this identity to move laterally and access other Azure resources. What is the MOST effective next step?
During a physical security assessment of a corporate office, you notice several employees using older Bluetooth-enabled mobile devices that remain in discoverable mode. You want to demonstrate the risk of an attacker extracting contact lists, calendar entries, and emails from these devices without the user's knowledge or authorization. Which attack technique should you use to demonstrate this specific risk?
During a web application assessment, you find a network diagnostic feature that pings a user-supplied hostname. When you submit '127.0.0.1; whoami' the page returns only the normal ping output with no visible command result, and time-based payloads like '127.0.0.1 && sleep 10' produce no observable delay. You suspect command injection but cannot see any output. Which technique is MOST likely to confirm the vulnerability?
During a web application assessment of a customer feedback portal, you notice that submitted comments are later exported by administrators into a CSV file and opened in Microsoft Excel. You want to test whether you can achieve code execution on an administrator's workstation through the data you submit. Which payload should you inject into the comment field to test this vulnerability?
During an internal engagement, you have compromised an account that is a member of a group with the 'Replicating Directory Changes' and 'Replicating Directory Changes All' extended rights on the domain object. You want to obtain the NTLM hash of the KRBTGT account without executing code on a domain controller or triggering endpoint detection on the DC itself. Which technique should you use?
During a web application test, you discover an endpoint that fetches remote URLs supplied by the user to generate link previews. The application blocks requests to RFC 1918 addresses and localhost by resolving the hostname once and validating the resulting IP before making the request. You control an external domain and its authoritative DNS server. Which technique most effectively bypasses this filter to reach an internal service?
During an internal penetration test, you have compromised a domain controller and extracted the KRBTGT account's NTLM hash using DCSync. The client asks you to demonstrate a persistence technique that would let you impersonate any user in the domain—including nonexistent accounts—without relying on the DC to validate account existence, and that would survive individual user password resets. Which technique should you demonstrate?
During a password-cracking phase, you have captured a large set of NTLM hashes. The client's documented password policy requires exactly 8 characters: one uppercase letter, followed by five lowercase letters, followed by two digits. A straight dictionary attack has yielded few results. Which hashcat approach best leverages this known policy to efficiently recover the remaining hashes?
During a web application assessment, you discover a GraphQL API endpoint at /graphql. The application does not appear to expose its schema in any documentation. You want to map every available query, mutation, and type before attempting authorization bypass testing. Which technique should you use first to enumerate the full API structure?
During a web application test, a penetration tester finds that submitting `role=user` in a POST request is enforced server-side, but the backend framework processes duplicate parameters by concatenating or selecting the last value. The tester crafts a request with `role=user&role=admin` and observes that the application grants administrative access. Which attack technique did the tester successfully exploit?
During a web application assessment, you notice a front-end proxy and a back-end server disagree on how to determine message length. You craft a request where the front-end honors the Content-Length header while the back-end honors the Transfer-Encoding: chunked header, allowing part of your request to be prepended to the next user's request. Which attack are you performing?
During a web application assessment, a penetration tester logged in as a low-privileged user and intercepted the following API request in Burp Suite: GET /api/v2/invoices/1042 HTTP/1.1 with a valid session token. The tester changed the value to /api/v2/invoices/1041 and received a 200 response containing another customer's billing details, including full name and payment card last-four digits. No error or additional authentication challenge occurred. Which vulnerability has the tester most likely confirmed?
During a web application assessment, you intercept a POST request in Burp Suite and notice a base64-encoded parameter that decodes to a byte stream beginning with the hex signature 'AC ED 00 05'. The application is built on Apache Struts and uses this parameter to store session state. Which attack technique is MOST likely to lead to remote code execution against this endpoint?
During an internal engagement, you notice the target Windows environment has IPv6 enabled on all workstations but no DHCPv6 server is deployed. You want to become the primary DNS server for these hosts to capture and relay authentication traffic to a domain controller. Which technique should you use to exploit this misconfiguration?
During an API assessment, you capture a JSON Web Token (JWT) used for authentication. Decoding it reveals a header of {"alg":"HS256","typ":"JWT"} and a payload containing {"user":"analyst","role":"user"}. You want to escalate to an administrative role. Which technique should you attempt FIRST to test for a common JWT verification flaw?
During an internal Active Directory assessment, you have valid low-privileged domain user credentials. You want to obtain credentials for service accounts without triggering account lockouts or interacting directly with the target service hosts. You run a tool that requests Kerberos service tickets for accounts with an SPN set and exports the ticket hashes. What is the primary reason this technique is effective, and what must you do next?
More PT0-003 practice
Keep going with the other CompTIA PenTest+ (PT0-003) domains, or take a full timed mock exam.
← Back to PT0-003 overview