- A tester wants Nmap to perform only host discovery across a small range of IP addresses to learn which hosts are alive, without scanning any ports. Which Nmap option performs this ping-sweep behavior?
Correct answer: -sn
The -sn option is correct because it tells Nmap to carry out host discovery only and skip the port scan, producing a list of which addresses respond. The -sV flag adds version detection that requires a port scan, -sC runs default scripts against found ports, and -p- specifies scanning all ports; none of those limit the run to a pure host-discovery sweep.
- An Nmap scan reports a TCP port in the "closed" state. What does the closed state tell the tester about that port?
- A firewall is silently dropping all probes to the port
- The host responded and no application is listening on that port
- An exploitable service is confirmed running on the port
- The port is open but its banner could not be read
Correct answer: The host responded and no application is listening on that port
Concluding that the host responded and nothing is listening is correct because a closed result means Nmap received a reply indicating the port is reachable but has no application bound to it. A firewall silently dropping probes produces a filtered state instead, a closed port has no running service to exploit, and an unreadable banner is unrelated to the closed determination.
- A tester scans a host and finds only ports 22 and 80 open, but suspects the intended foothold service runs on an uncommon high TCP port the default scan never touched. Which single follow-up scan most directly addresses this suspicion?
- Re-run the same default-port scan a second time
- Add OS detection with
-O to the default scan - Scan all 65535 TCP ports with
-p- to cover the uncommon high ports - Switch to a host-discovery-only sweep with
-sn
Correct answer: Scan all 65535 TCP ports with -p- to cover the uncommon high ports
Scanning all 65535 TCP ports with -p- is correct because a full port scan is the only way to reveal a service hiding on an uncommon high port that the default top-ports scan skipped. Repeating the default scan covers the same limited set, OS detection identifies the platform rather than finding new ports, and a host-discovery sweep checks only whether the host is alive.
- A tester adds
-sV to a scan and Nmap returns a column showing each service's product name and version number alongside the open ports. Why is this version information central to the foothold phase on a standalone box?- It automatically launches the matching exploit for each service
- It conceals the scan from the target's intrusion detection
- It guarantees every detected service is exploitable
- It lets the tester map a precise software version to known version-specific exploits
Correct answer: It lets the tester map a precise software version to known version-specific exploits
Mapping a precise version to known exploits is correct because exploitation usually hinges on the exact build, and version detection tells the tester which specific vulnerabilities and public exploits could apply. Version detection does not launch any exploit, it adds rather than removes scan noise, and identifying a version never guarantees that an exploit exists for it.
- A tester needs to scan a UDP service such as DNS or SNMP that a normal TCP scan will never reveal. Which Nmap option performs a UDP scan?
Correct answer: -sU
The -sU option is correct because it instructs Nmap to send UDP probes, the only way to enumerate UDP-based services like DNS, SNMP, and TFTP. The -sS flag performs a TCP SYN scan, -sT performs a TCP connect scan, and -sn does host discovery without scanning ports; none of those examine UDP services.
- A tester is debating whether to run a quick top-ports scan or a full all-ports scan as the very first action on an unfamiliar box under exam time pressure. Which sequencing reasoning is soundest?
- Run only the top-ports scan and never bother with a full scan
- Start a quick top-ports scan for immediate leads while launching a full all-ports scan in the background to catch hidden services
- Run a full UDP-only scan first because UDP is fastest
- Skip scanning and guess the services from the IP address
Correct answer: Start a quick top-ports scan for immediate leads while launching a full all-ports scan in the background to catch hidden services
Starting a quick scan for fast leads while a full scan runs in the background is correct because it gives the tester something to work immediately without sacrificing the thorough coverage that catches services on uncommon ports. Relying only on top ports risks missing the intended service, UDP scanning is actually slow rather than fastest, and skipping enumeration entirely forfeits the information the whole attack depends on.
- A tester scans a host that does not respond to ICMP echo requests, so Nmap reports it as down and refuses to scan its ports. Which option forces Nmap to treat the host as up and proceed with the port scan?
Correct answer: -Pn
The -Pn option is correct because it skips Nmap's host-discovery step and treats the target as online, so the scan proceeds even when the host blocks ping. The -A flag enables an aggressive feature bundle, -F runs a fast limited-port scan, and -6 selects IPv6; none of those override the down determination caused by blocked discovery.
- Two version scans of the same web service disagree: a low-intensity scan labels it generically while a higher-intensity scan returns a specific product and version. What does this difference reveal about how Nmap performs version detection?
- Higher intensity switches the scan to UDP automatically
- Lower intensity always produces the more accurate result
- Version intensity only changes the output file format
- Higher intensity sends more probes and matches more signatures, improving identification on stubborn services at the cost of time
Correct answer: Higher intensity sends more probes and matches more signatures, improving identification on stubborn services at the cost of time
Recognizing that higher intensity sends more probes and tries more signatures is correct because the intensity level governs how hard Nmap works to fingerprint a service, and a harder effort better identifies stubborn services while taking longer. Intensity does not switch the protocol to UDP, the lower setting is not inherently more accurate, and intensity affects probing rather than output formatting.
- A tester wants to record an Nmap scan's full results in a single file format that can later be parsed by other tools as well as read directly. Which output approach captures the scan in all standard formats at once?
- Use
-oA with a base name to write the normal, XML, and grepable outputs together - Use
-p- to scan every port - Use
-sV to add version detection - Use
-T4 to speed up the scan
Correct answer: Use -oA with a base name to write the normal, XML, and grepable outputs together
Using -oA with a base name is correct because that single option writes the scan to the normal, XML, and grepable formats simultaneously, giving both human-readable and machine-parsable records. Scanning all ports, adding version detection, and raising the timing template all change what or how fast Nmap scans rather than how its results are saved.
- A tester runs gobuster in directory mode against a web root and appends a list of file extensions to each word. What does adding these extensions accomplish during content discovery?
- It restricts the scan to only HTTPS responses
- It tests for files like word.php and word.txt, not just bare directory names
- It lowers the number of concurrent requests
- It converts the scan into a virtual-host fuzz
Correct answer: It tests for files like word.php and word.txt, not just bare directory names
Testing for files such as word.php and word.txt is correct because appending extensions makes gobuster request each wordlist entry with those suffixes, surfacing scripts and documents rather than only directories. Adding extensions does not filter by protocol, it does not change concurrency, and it does not turn the run into a virtual-host fuzz.
- A directory brute-force returns a
/backup/ path that lists downloadable archive files. Why is uncovering a path like this so valuable during the foothold phase?- Loading the directory automatically returns a shell
- A listed directory proves the server has no vulnerabilities
- Archived files may contain source code, configuration, or credentials that open a path to access
- It encrypts the tester's traffic to the application
Correct answer: Archived files may contain source code, configuration, or credentials that open a path to access
Recognizing that archived files may hold source code, configuration, or credentials is correct because exposed backups frequently leak secrets or reveal application internals that lead directly to a foothold. Browsing the directory grants no shell on its own, a directory listing says nothing about the absence of vulnerabilities, and it does not encrypt the tester's traffic.
- A tester fuzzing with ffuf wants to keep only responses returning HTTP 200 and 301 while discarding everything else. Which ffuf capability accomplishes this?
- Appending file extensions to each payload
- Increasing the request rate
- Ignoring TLS certificate validation
- Matching responses by status code so only 200 and 301 results are shown
Correct answer: Matching responses by status code so only 200 and 301 results are shown
Matching responses by status code is correct because ffuf can be told to display only chosen codes, so requiring 200 and 301 filters the output down to likely-valid paths. Appending extensions changes the payloads tested, raising the request rate affects speed, and ignoring TLS validation addresses certificate errors rather than status filtering.
- A tester brute-forces a site and gets a flood of identical 200-byte responses for every nonexistent path because the application returns a custom "not found" page with HTTP 200. How should the tester make the results usable?
- Filter out the responses that share the uniform size or word count of the soft-404 page
- Stop content discovery because a custom 404 page makes it impossible
- Switch the scan to UDP ports
- Trust every 200 response as a real page
Correct answer: Filter out the responses that share the uniform size or word count of the soft-404 page
Filtering out the uniform-size soft-404 responses is correct because the bogus page returns a consistent length or word count, so excluding that baseline leaves only the responses that genuinely differ. Content discovery is not impossible against a soft 404, switching to UDP abandons the web enumeration, and trusting every 200 would treat the fake pages as real hits.
- A tester is choosing a wordlist for directory discovery on a web application and notices the app appears to use uncommon, technology-specific paths. Which selection reasoning best fits the situation?
- Use a numbers-only wordlist regardless of the technology
- Use a wordlist tailored to the detected technology in addition to a general one to surface stack-specific paths
- Avoid wordlists entirely and guess paths by hand
- Pick the smallest wordlist because size is the only factor
Correct answer: Use a wordlist tailored to the detected technology in addition to a general one to surface stack-specific paths
Using a technology-tailored wordlist alongside a general one is correct because stack-specific lists contain the framework and CMS paths that a generic list misses, improving the odds of finding hidden attack surface. A numbers-only list ignores meaningful path names, hand-guessing is far less thorough, and the smallest list is not necessarily the most relevant.
- After running gobuster, a tester wonders why the tool found
/robots.txt on the server. How does inspecting a file like robots.txt advance enumeration even though it is not an exploit itself?- It grants the tester administrative access to the site
- It removes the need to run any other content discovery
- It can disclose disallowed paths that point to admin panels or hidden directories worth investigating
- It proves the application is patched against all attacks
Correct answer: It can disclose disallowed paths that point to admin panels or hidden directories worth investigating
Recognizing that robots.txt can disclose disallowed paths is correct because site owners often list sensitive directories there to keep crawlers out, inadvertently pointing the tester at admin panels and hidden content. The file grants no administrative access, it supplements rather than replaces other discovery, and its presence says nothing about whether the app is patched.
- A tester wants an authorized vulnerability scanner to enumerate missing patches on a Linux target as accurately as possible. Which configuration choice most improves detection accuracy?
- Pointing the scanner at the broadcast address
- Disabling all plugins before scanning
- Running the scan with no target host defined
- Supplying valid SSH credentials so the scanner can perform an authenticated scan
Correct answer: Supplying valid SSH credentials so the scanner can perform an authenticated scan
Supplying valid SSH credentials for an authenticated scan is correct because logging in lets the scanner read installed packages and patch levels from inside, producing far more accurate missing-patch findings than a network-only view. Scanning a broadcast address does not target the host, disabling plugins removes the checks, and omitting the target gives nothing to assess.
- A vulnerability scanner reports a high-severity finding, but when the tester manually probes the service the behavior does not match the reported flaw. What is the most appropriate conclusion?
- The finding may be a false positive that manual verification has cast doubt on, so it should be confirmed before pursuing it
- The manual probe must be wrong because scanners are never mistaken
- The host is now compromised because a finding exists
- All other findings in the report should be ignored
Correct answer: The finding may be a false positive that manual verification has cast doubt on, so it should be confirmed before pursuing it
Treating the result as a possible false positive needing confirmation is correct because scanners do produce false positives, and manual behavior that contradicts a finding is a reason to verify before spending exam time on it. Scanners can be wrong, a reported finding is not a compromise, and one questionable result does not justify discarding the rest of the report.
- A tester needs to schedule a recurring authorized scan and chooses a scan template within the vulnerability scanner. What does selecting a scan policy or template primarily control?
- The physical location of the target server
- The set and depth of checks the scan will run
- The target's password complexity rules
- Whether the target reboots after the scan
Correct answer: The set and depth of checks the scan will run
Selecting the set and depth of checks is correct because a scan policy or template defines which plugins and how intensive a scan the tool performs, letting the tester scope a light or thorough assessment. A template does not move the server, change the target's password rules, or trigger a reboot of the host.
- A vulnerability scan of a single standalone box returns many low and informational findings but only one rated critical that suggests a remote code execution path. Given limited exam time, how should the tester act on this report?
- Work through the informational findings first since there are more of them
- Attempt every finding simultaneously in no particular order
- Concentrate on validating and exploiting the critical remote-code-execution finding before lower-value items
- Disregard the report because one box rarely has real issues
Correct answer: Concentrate on validating and exploiting the critical remote-code-execution finding before lower-value items
Concentrating on the critical remote-code-execution finding first is correct because that finding offers the most direct route to a foothold, and limited time should go to the highest-value path. Informational findings rarely yield access, attacking everything at once is chaotic and wasteful, and dismissing the report discards genuinely useful enumeration data.
- A tester identifies a service as "Apache Tomcat 7.0.88" and wants to search the local offline exploit archive for matching public exploits. Which searchsploit invocation is appropriate?
searchsploit --crack tomcatsearchsploit 10.10.10.5- Searchsploit
searchsploit tomcat 7.0.88
Correct answer: searchsploit tomcat 7.0.88
Running searchsploit tomcat 7.0.88 is correct because supplying the product and version as keywords matches them against the offline archive's titles and returns candidate public exploits to review. There is no crack function in searchsploit, supplying an IP does not search by target, and running it bare only prints usage rather than results.
- After a searchsploit search lists several matching entries, a tester wants to read the full details and code of one entry without leaving the terminal. Which searchsploit feature displays the chosen exploit's contents?
- The examine option that prints the selected exploit's file to the terminal
- The option that uninstalls the exploit database
- An option that emails the exploit to the author
- A flag that scans the target with the exploit
Correct answer: The examine option that prints the selected exploit's file to the terminal
Using the examine option to print the file is correct because searchsploit can output a chosen exploit's contents directly to the terminal so the tester can read the code and notes before using it. There is no uninstall-by-search behavior, searchsploit does not email exploits, and it does not connect to or scan the target itself.
- A tester finds two Exploit-DB entries for the same service: one is a denial-of-service proof of concept and the other is a remote code execution exploit. For gaining initial access to the standalone box, which should the tester prioritize and why?
- The denial-of-service entry, because crashing the service grants access
- The remote code execution exploit, because it can yield a shell or command execution that provides a foothold
- Neither, because Exploit-DB entries are always fake
- Whichever entry has the lower identifier number, regardless of type
Correct answer: The remote code execution exploit, because it can yield a shell or command execution that provides a foothold
Prioritizing the remote code execution exploit is correct because the objective is initial access, and an RCE exploit can produce a shell or command execution while a denial-of-service merely disrupts the service. Crashing the service does not grant access, Exploit-DB entries are not categorically fake, and the identifier number does not indicate which exploit type achieves a foothold.
- A tester locates a promising Exploit-DB entry but the page notes it was written for an older minor version than the one running on the target. What is the most reasonable next step before discarding it?
- Assume it cannot possibly work and skip it without examination
- Report the version mismatch to Exploit-DB administrators
- Examine the exploit to judge whether the underlying flaw and code still apply to the target's version
- Run it against a different host to test it elsewhere
Correct answer: Examine the exploit to judge whether the underlying flaw and code still apply to the target's version
Examining the exploit to judge whether it still applies is correct because a minor version difference often does not affect the underlying flaw, and reading the code reveals whether it can be used or adapted. Skipping it untested may discard a viable path, contacting administrators does nothing for the engagement, and running it against an unrelated host does not assess fit for the actual target.
- A Python exploit downloaded from Exploit-DB defines variables near the top for the attacker's IP, the listening port, and the target URL. Before running it, what must the tester typically do with these variables?
- Leave them exactly as the author set them, since they self-configure
- Delete them so the exploit prompts for nothing
- Replace them with the certifying body's contact details
- Set them to the tester's own IP and port and the actual target URL for this engagement
Correct answer: Set them to the tester's own IP and port and the actual target URL for this engagement
Setting the variables to the tester's own IP and port and the real target URL is correct because these environment-specific values are placeholders the author hardcoded, and a reverse connection or request only works when they match the current setup. The values do not self-configure, deleting them breaks the exploit, and certifying-body contact details have no role in the code.
- A tester runs a public exploit unchanged and it throws an error about a missing Python module on the attacker machine. What is the appropriate adaptation to get the exploit running?
- Install or import the required dependency on the attacker machine so the exploit can execute
- Rewrite the exploit in a different language entirely
- Conclude the target is patched because the exploit errored
- Run the exploit against a different port to avoid the error
Correct answer: Install or import the required dependency on the attacker machine so the exploit can execute
Installing the required dependency on the attacker machine is correct because a missing-module error reflects an unmet requirement on the tester's own system, and satisfying it lets the exploit run. A dependency error says nothing about the target being patched, a full rewrite is unnecessary for a missing library, and changing ports does not resolve an absent module.
- A tester examines a C exploit that includes a long hexadecimal shellcode blob the author generated to spawn a bind shell on a fixed port. The tester instead needs a reverse shell to their own listener. What is the correct adaptation?
- Run the bind-shell exploit and hope it connects back automatically
- Replace the embedded shellcode with a reverse-shell payload pointed at the tester's IP and port
- Delete the shellcode and run the exploit empty
- Change the exploit's filename to indicate a reverse shell
Correct answer: Replace the embedded shellcode with a reverse-shell payload pointed at the tester's IP and port
Replacing the embedded shellcode with a reverse-shell payload aimed at the tester's IP and port is correct because the payload type and callback are baked into the blob, and swapping it changes the behavior to connect back to the listener. A bind shell will not connect outward on its own, running with no shellcode does nothing useful, and renaming the file does not alter the payload.
- Before executing any exploit code copied from a public source against a target, why is reading through the entire script considered essential practice?
- Reading it converts the script into a faster binary
- Reading it guarantees the exploit will succeed
- Reading reveals hardcoded values to change and any unsafe or destructive actions to avoid running blindly
- Reading the script encrypts it before execution
Correct answer: Reading reveals hardcoded values to change and any unsafe or destructive actions to avoid running blindly
Reading the script to reveal hardcoded values and unsafe actions is correct because public exploits embed environment-specific settings and can contain harmful or even malicious code, so review prevents both failure and damage. Reading does not compile the script, it does not guarantee success, and it does not encrypt the file.
- A tester wants the Nmap Scripting Engine to run an entire category of checks, such as all scripts in the "vuln" category, against the discovered services. Which syntax invokes a whole category by name?
-sV only-p- only-Pn only--script vuln
Correct answer: --script vuln
Using --script vuln is correct because the --script option accepts category names, so naming vuln runs every script in that category against the targeted services. The -sV flag performs version detection without scripts, -p- only sets the port range, and -Pn merely skips host discovery; none invoke a script category.
- A tester wants NSE to enumerate the shares a target offers over SMB to find non-default shares worth investigating. Which approach uses the Scripting Engine for this purpose?
- Run the SMB-enumeration NSE script category against the SMB ports to list shares and related details
- Run an OS-detection scan to read the shares
- Use a UDP scan to list SMB shares
- Use the http-title script against the SMB ports
Correct answer: Run the SMB-enumeration NSE script category against the SMB ports to list shares and related details
Running the SMB-enumeration NSE scripts against the SMB ports is correct because those scripts query the service to enumerate shares and related metadata, pointing the tester at non-default shares. OS detection identifies the platform rather than shares, a UDP scan does not enumerate SMB which is TCP-based, and http-title targets web pages, not SMB.
- An NSE vuln-category script reports a service as possibly vulnerable to a specific issue but adds that the result could not be fully confirmed. How should the tester weigh this output?
- Treat it as a confirmed compromise and document it as access gained
- Treat it as a lead to manually validate before committing to a matching exploit
- Ignore it because NSE cannot indicate vulnerabilities
- Re-run the script until it stops saying possibly
Correct answer: Treat it as a lead to manually validate before committing to a matching exploit
Treating it as a lead to validate before committing is correct because an unconfirmed NSE indication points toward a likely weakness that should be verified to avoid wasting time on the wrong exploit. It is not a compromise, NSE scripts certainly can flag vulnerabilities, and re-running the identical script will not change an unconfirmed result.
- Using Netcat to connect to an open HTTP port, a tester types a raw GET request and reads the response headers, including the Server line. What enumeration technique is the tester performing?
- Privilege escalation through the web service
- Password cracking against the web server
- Banner grabbing to identify the web server software from its response
- Pivoting through the web server to another host
Correct answer: Banner grabbing to identify the web server software from its response
Identifying the web server from its response is banner grabbing, which is correct because manually issuing a request and reading the returned headers reveals the server software and often its version. The action escalates no privileges, cracks no passwords, and tunnels nothing; it simply elicits identifying information from the service.
- A tester grabs an SSH service banner that reads "SSH-2.0-OpenSSH_7.2p2 Ubuntu". Beyond naming the SSH software, how does this banner aid enumeration of the standalone box?
- It provides the root password directly
- It guarantees the SSH service is exploitable
- It grants an immediate shell on the host
- It hints at the underlying operating system and distribution, narrowing later research and exploit selection
Correct answer: It hints at the underlying operating system and distribution, narrowing later research and exploit selection
Recognizing that the banner hints at the OS and distribution is correct because a string mentioning the platform helps the tester infer the operating environment, narrowing which exploits and techniques are relevant. The banner does not contain a password, it does not guarantee exploitability, and reading it grants no shell.
- A tester is deciding whether to trust a service banner that could have been manually changed by an administrator to mislead scanners. What is the soundest way to handle a potentially altered banner during enumeration?
- Corroborate the service through additional behavioral checks before relying on the banner to pick an exploit
- Always trust the banner exactly and choose an exploit from it immediately
- Conclude the host is unexploitable because the banner is suspect
- Overwrite the banner with the correct value on the target
Correct answer: Corroborate the service through additional behavioral checks before relying on the banner to pick an exploit
Corroborating the service through additional checks is correct because banners can be edited to mislead, so confirming behavior prevents wasting time on an exploit aimed at the wrong software. Blindly trusting a suspect banner risks a dead end, a questionable banner does not prove the host is unexploitable, and the tester cannot change a banner on a target they have not compromised.
- During service enumeration a tester finds an anonymous-login FTP service on port 21. What is the most appropriate first action against it?
- Forge a Kerberos ticket for the FTP service
- Log in anonymously and list the directories to look for readable files or writable upload locations
- Run winPEAS against the FTP port to escalate privileges
- Crack the FTP service's hash offline
Correct answer: Log in anonymously and list the directories to look for readable files or writable upload locations
Logging in anonymously and listing directories is correct because anonymous FTP may expose readable files containing secrets or a writable directory that enables a foothold. Forging a Kerberos ticket is an Active Directory technique, winPEAS is a post-foothold Windows privilege-escalation tool, and there is no service hash to crack when anonymous access is already permitted.
- A tester enumerating a target discovers a PostgreSQL database service reachable from the attacker machine on its default port. Which initial enumeration step is most appropriate?
- Run a directory brute-force against the database port with a web wordlist
- Request a service ticket for the database account from a domain controller
- Attempt to connect with common or default credentials and enumerate the databases for stored secrets
- Dump the attacker machine's memory for the database password
Correct answer: Attempt to connect with common or default credentials and enumerate the databases for stored secrets
Attempting common or default credentials and enumerating the databases is correct because an exposed database may accept weak logins and hold credentials or data that lead to a foothold. A web wordlist brute-force does not apply to a database port, requesting a service ticket is an Active Directory step, and dumping the attacker's own memory does not reveal the target's database password.
- A tester enumerating a web application notices it identifies itself as a well-known content management system. Which enumeration action most directly maps this application to known vulnerable components?
- Dumping the local SAM database with Mimikatz
- Forwarding the web port through a SOCKS proxy
- Performing a UDP scan of the web port
- Running a CMS-specific scanner to enumerate the version, themes, and plugins
Correct answer: Running a CMS-specific scanner to enumerate the version, themes, and plugins
Running a CMS-specific scanner is correct because such tools enumerate the platform's version and its themes and plugins, mapping the application to known vulnerabilities that guide an exploit. Dumping the SAM with Mimikatz is a post-foothold Windows credential step, proxying the port is a pivoting action, and a UDP scan does not enumerate web application components.
- A tester finds a service on a standalone box that exposes a web-based admin interface protected by a login form, and enumeration has already revealed valid credentials in a leaked configuration file. What is the appropriate initial-access action?
- Authenticate to the admin interface with the leaked credentials and explore its functionality for a route to code execution
- Crack the box's kernel to bypass the login
- Forge a golden ticket to access the interface
- Run linPEAS against the login form
Correct answer: Authenticate to the admin interface with the leaked credentials and explore its functionality for a route to code execution
Authenticating with the leaked credentials and exploring the interface is correct because valid credentials open the admin panel, where features like file uploads or template editing often lead to code execution and a foothold. Cracking the kernel and running linPEAS are post-foothold privilege-escalation activities, and forging a golden ticket is an Active Directory technique unrelated to a standalone web login.
- A tester discovers a mail service on port 25 and wants to learn whether specific usernames exist on the system using the service's own verification commands. Which enumeration outcome can this provide?
- It dumps the mail server's password database
- It can confirm valid local usernames that may be reused for later password-guessing attempts
- It immediately grants a shell on the mail host
- It forges Kerberos tickets for those users
Correct answer: It can confirm valid local usernames that may be reused for later password-guessing attempts
Confirming valid local usernames is correct because certain SMTP verification commands reveal which accounts exist, giving the tester a vetted username list for later guessing. The interaction does not dump a password database, it does not grant a shell, and it does not forge any Kerberos ticket; it only validates account names.
- A tester runs enum4linux against a Windows target and the tool returns the machine's domain or workgroup, a list of users, and the password policy. Which single enumeration goal does enum4linux serve here?
- Escalating the tester to SYSTEM on the box
- Forging a golden ticket for the domain
- Aggregating SMB and related information such as users, shares, and policy into one enumeration view
- Tunneling SMB traffic through proxychains
Correct answer: Aggregating SMB and related information such as users, shares, and policy into one enumeration view
Aggregating SMB-related information into one view is correct because enum4linux wraps several queries to collect users, shares, group, and policy details in a single pass for the tester to review. It does not escalate privileges to SYSTEM, it does not forge any Kerberos ticket, and it does not tunnel traffic; it is purely an enumeration tool.
- A tester confirms a target allows SMB connections with an empty username and password. What does this null session permit during enumeration?
- Full read and write access to every share automatically
- Immediate administrator rights on the host
- A reverse shell over the SMB port
- Anonymous queries that can reveal metadata such as users, groups, or share names depending on configuration
Correct answer: Anonymous queries that can reveal metadata such as users, groups, or share names depending on configuration
Recognizing that a null session permits anonymous metadata queries is correct because empty-credential access can expose users, groups, and share names depending on how the server is configured, which feeds the next foothold step. It does not grant full read and write to every share, it confers no administrator rights, and it does not by itself produce a reverse shell.
- Using smbclient, a tester connects to a share and finds a directory where they can upload files. Beyond reading data, why is identifying a writable SMB location significant during the foothold phase?
- A writable location may let the tester plant a payload or poison a file that a user or process later executes, enabling access
- A writable share automatically grants SYSTEM privileges
- Write access proves the host has no other vulnerabilities
- Writing to the share forges a Kerberos ticket
Correct answer: A writable location may let the tester plant a payload or poison a file that a user or process later executes, enabling access
Recognizing that a writable location lets the tester plant or poison a file that gets executed is correct because dropping a payload or tampering with a file a process consumes can lead to code execution and a foothold. Write access does not grant SYSTEM by itself, it does not prove the absence of other issues, and it does not forge any Kerberos ticket.
- A web server's response changes depending on the Host header value supplied, which suggests name-based virtual hosting. Why does enumerating virtual hosts expand the tester's options on a single IP?
- Because each virtual host is a separate physical machine Nmap missed
- Because one server can host multiple distinct applications selected by hostname, and some appear only when the right name is requested
- Because virtual hosting encrypts all responses from scanners
- Because the IP changes whenever a hostname is used
Correct answer: Because one server can host multiple distinct applications selected by hostname, and some appear only when the right name is requested
Recognizing that one server hosts multiple applications selected by hostname is correct because name-based virtual hosting routes requests to different sites by the Host header, so some applications stay hidden until the correct name is requested. Virtual hosts are not separate machines, they do not encrypt responses, and the IP does not change when a hostname is supplied.
- After a wordlist-driven scan reveals a virtual host such as internal.target.local that resolves to the same IP, the tester finds it must add an entry to a local file before the browser will reach it by name. Which configuration step enables that access on the attacker machine?
- Requesting a new certificate from a certificate authority
- Forwarding the web port through a domain controller
- Mapping the hostname to the target IP in the attacker's local hosts file
- Running a UDP scan to register the hostname
Correct answer: Mapping the hostname to the target IP in the attacker's local hosts file
Mapping the hostname to the target IP in the local hosts file is correct because the discovered virtual host has no public DNS, so adding a local entry lets the browser resolve the name to the target and reach the hidden application. Requesting a certificate does not provide name resolution, forwarding through a domain controller is unrelated, and a UDP scan does not register hostnames.
- A tester enumerating a target's certificate and DNS records collects several hostnames that all point to the same box. What general enumeration benefit does compiling these names provide?
- It escalates privileges by abusing a SUID binary
- It cracks captured password hashes
- It pivots through a compromised host into an internal network
- It reveals additional named applications and naming conventions on the host, expanding the attack surface to probe
Correct answer: It reveals additional named applications and naming conventions on the host, expanding the attack surface to probe
Recognizing that the names reveal additional applications and naming conventions is correct because each hostname can expose another site on the same host, and the patterns hint at further names, widening the surface to enumerate. Abusing a SUID binary is privilege escalation, cracking hashes recovers passwords, and pivoting moves through a compromised host; none describe expanding entry points via hostname discovery.
- A tester has fully compromised a standalone box and is preparing the report. To document the initial-access step credibly, which content best demonstrates how the foothold was achieved?
- The enumeration findings, the exact exploit or technique used, and the command output showing the resulting shell
- A statement that the box was compromised, with no supporting steps
- A list of every tool installed on the attacker machine
- The target's full memory dump attached as an appendix
Correct answer: The enumeration findings, the exact exploit or technique used, and the command output showing the resulting shell
Documenting the enumeration findings, the exploit or technique, and the command output showing the shell is correct because the report must let a reader follow and reproduce how initial access was gained. A bare claim of compromise is not verifiable, a list of installed tools does not show the attack chain, and a full memory dump is neither expected nor a clear demonstration of the foothold.
- When writing the penetration test report after the exam window, a tester must decide what to include for each compromised standalone machine to meet the grading standard. Which inclusion is most important for the report to be accepted?
- Marketing language describing the tester's skills
- Clear, reproducible steps and the required proof from each machine so an assessor can verify the compromise
- Screenshots of the attacker's desktop wallpaper
- A copy of the exam guide pasted into the document
Correct answer: Clear, reproducible steps and the required proof from each machine so an assessor can verify the compromise
Including clear, reproducible steps and the required proof is correct because the report is graded on whether an assessor can follow and verify each compromise, making documented steps and proof essential. Marketing language, desktop wallpaper screenshots, and a pasted exam guide add no verifiable evidence of the compromises.
- A tester probing a numeric product-listing parameter changes its value from a number to the same number followed by an arithmetic expression, and the page returns the product that matches the computed total. What does the application performing that arithmetic indicate about the parameter?
- The parameter is being evaluated inside the SQL query, indicating SQL injection
- The parameter triggers a cross-site scripting reflection
- The parameter is protected by a parameterized statement
- The parameter only affects client-side rendering
Correct answer: The parameter is being evaluated inside the SQL query, indicating SQL injection
The parameter being evaluated inside the SQL query is the right read because the database computing an arithmetic expression supplied through the input proves the value is concatenated into the executed statement rather than treated as inert data. A parameterized statement would store the expression as literal text instead of computing it, cross-site scripting concerns markup running in the browser not server-side math, and a purely client-side parameter would not change which record the database returns.
- A tester exploiting a UNION-based injection on Microsoft SQL Server needs to learn the current database user and version to plan the next step, displaying both inside one of the reflected columns. Which built-in expressions return that account and version information when placed in a UNION column?
- The
SLEEP and BENCHMARK timing functions - The
SYSTEM_USER and @@version values - The
LOAD_FILE and INTO OUTFILE file functions - The
CONCAT and GROUP_CONCAT aggregation functions
Correct answer: The SYSTEM_USER and @@version values
SYSTEM_USER and @@version are correct because on Microsoft SQL Server these return the connected login and the product version string, which a UNION can surface in a visible column to inform planning. Timing functions are for blind inference rather than reading identity, file functions read or write files instead of reporting the user, and the concatenation functions only join strings rather than reveal the account or version.
- A tester confirms injection but no data or boolean difference appears in responses, so they inject a payload that pauses the database for several seconds only when a tested condition is true and times the response. Which blind technique is being used?
- UNION-based SQL injection
- Error-based SQL injection
- Time-based blind SQL injection
- Out-of-band DNS exfiltration
Correct answer: Time-based blind SQL injection
Time-based blind SQL injection is correct because when the page reveals neither data nor a content difference, deliberately delaying the response on a true condition and measuring the elapsed time becomes the only inference channel. Error-based injection needs visible error text, UNION-based injection needs reflected output, and out-of-band exfiltration relies on an external callback rather than timing the same response.
- A login form builds its query as a string and the tester submits a username value that closes the string and adds a condition that is always true, returning the first account without a password. Which classic authentication-bypass payload pattern does this describe?
- A second-order payload stored for later
- A stacked query that drops a table
- A time-delay payload that sleeps the server
- A tautology that makes the WHERE clause always evaluate true
Correct answer: A tautology that makes the WHERE clause always evaluate true
A tautology is correct because injecting an always-true condition into the WHERE clause causes the query to match rows regardless of the supplied credentials, bypassing the login. A stacked query runs an additional separate statement, a time-delay payload only pauses execution for blind inference, and a second-order payload depends on stored input being used in a later query rather than immediately satisfying the login check.
- A tester finds that input is stored in one feature and later used unsafely in a SQL query by a different, privileged feature, so the injection only triggers when the second feature runs. What term describes this delayed injection that fires when stored input is later used?
- Second-order SQL injection
- Reflected SQL injection
- Header-based SQL injection
- Inline SQL injection
Correct answer: Second-order SQL injection
Second-order SQL injection is correct because the payload is first saved harmlessly and only executes when a different operation later incorporates the stored value into a query, decoupling injection from the original input point. The other labels do not capture this delay: there is no single immediate reflection point, the vector is not specifically an HTTP header, and the issue is precisely that the query is built elsewhere rather than inline at submission.
- On a MySQL backend where the database account holds the FILE privilege and a writable web directory exists, a tester wants to use injection to write a small PHP web shell to disk. Which SQL clause is intended to write query output to a file on the server?
- The
information_schema catalog - The
INTO OUTFILE clause - The
ORDER BY clause - The
HAVING clause
Correct answer: The INTO OUTFILE clause
The INTO OUTFILE clause is correct because, given the FILE privilege and a writable path, it writes the result of a SELECT to a file on the server, which a tester abuses to drop a web shell. The information_schema catalog only describes the schema, ORDER BY sorts results, and HAVING filters grouped rows; none of those write content to the filesystem.
- A tester building a UNION injection must first learn how many columns the original query returns. They append ordering by an increasing column position until the application errors at a number, then conclude the query has one fewer column. Which technique is being applied to find the column count?
- Reading
information_schema for the web server logs - Submitting a stored cross-site scripting payload
- Incrementing
ORDER BY positions until an out-of-range error reveals the count - Forcing a time delay per column
Correct answer: Incrementing ORDER BY positions until an out-of-range error reveals the count
Incrementing ORDER BY positions is correct because the query accepts ordering by valid column positions and errors once the number exceeds the count, so the last working number equals the column total needed for the UNION. A cross-site scripting payload tests browser execution, information_schema does not store web server logs, and a per-column delay does not measure how many columns the SELECT returns.
- A tester points sqlmap at a request that requires an authenticated session and finds sqlmap is logged out before testing. Which sqlmap input lets the tool carry the tester's valid session so it can reach the injectable parameter behind login?
- Supplying a list of UDP ports to scan
- Supplying a directory wordlist to brute-force
- Supplying the attacker's listener port
- Supplying the authenticated session cookie so requests are sent as a logged-in user
Correct answer: Supplying the authenticated session cookie so requests are sent as a logged-in user
Supplying the authenticated session cookie is correct because passing a valid session value makes sqlmap's requests appear logged in, allowing it to reach parameters that only exist behind authentication. A directory wordlist drives content discovery, a listener port configures a reverse shell, and a UDP port list belongs to scanning; none of those maintain the authenticated session sqlmap needs.
- A tester captures a complex POST request with many parameters in a proxy and wants sqlmap to test it exactly as the application expects, including all headers and the body. Which sqlmap input most reliably reproduces the captured request for testing?
- Feeding sqlmap the saved raw HTTP request file so it replays the exact request
- Feeding sqlmap only the bare hostname
- Feeding sqlmap a captured NTLM hash
- Feeding sqlmap a list of subdomains
Correct answer: Feeding sqlmap the saved raw HTTP request file so it replays the exact request
Feeding sqlmap the saved raw HTTP request file is correct because providing the full captured request preserves the method, headers, and body so sqlmap tests parameters precisely as the application receives them. A bare hostname omits the parameters and body, an NTLM hash is for offline cracking, and a subdomain list is enumeration data; none reproduce the exact request for accurate testing.
- After confirming injection, a tester wants sqlmap to be more aggressive in the payloads it tries and the depth of checks it performs to find a working technique. Which pair of sqlmap settings is specifically intended to broaden the payloads and tests attempted?
- The crawl and forms settings
- The level and risk settings
- The threads and delay settings
- The batch and flush-session settings
Correct answer: The level and risk settings
The level and risk settings are correct because raising them expands the range of injection points tested and permits more aggressive payloads, helping sqlmap detect harder injections. Crawl and forms control discovery of pages and inputs, threads and delay tune timing, and batch and flush-session control prompts and cached results; none of those govern how many or how aggressive the injection payloads are.
- A tester runs sqlmap and it confirms a parameter is injectable but, on this OSCP standalone box, the tester must understand what sqlmap actually did to write it up and to reproduce the access manually. Why is reviewing sqlmap's identified technique and payloads important for the engagement?
- Because sqlmap performs privilege escalation that needs documenting
- Because sqlmap forges Kerberos tickets that must be logged
- Because the report and reproducibility require knowing the exact injection point and method used
- Because sqlmap scans for UDP services that must be listed
Correct answer: Because the report and reproducibility require knowing the exact injection point and method used
Knowing the exact injection point and method is correct because the engagement deliverable depends on documenting how access was achieved and being able to reproduce it, which means understanding sqlmap's chosen technique and payloads. sqlmap does not forge Kerberos tickets, does not perform host privilege escalation, and does not scan UDP services; those are unrelated activities outside what sqlmap reported here.
- A tester finds reflected input that lands directly between two script tags already on the page, inside existing JavaScript. To execute, the payload must be valid JavaScript rather than HTML markup. Which approach fits this JavaScript-context reflection?
- Adding a
UNION SELECT to the parameter - Submitting an HTML bold tag to test formatting
- Appending a ../ traversal sequence
- Closing the current statement and injecting new JavaScript code that runs in that context
Correct answer: Closing the current statement and injecting new JavaScript code that runs in that context
Closing the current statement and injecting new JavaScript is correct because when reflection occurs inside existing script, the payload must be syntactically valid JavaScript to execute rather than be inserted as inert markup. An HTML bold tag would just be a string inside the script, a traversal sequence targets file paths, and a UNION SELECT targets SQL; none execute within an existing JavaScript context.
- An application strips the literal word that names the script element from input but does not otherwise filter event handlers. A tester achieves execution by using an image element with a broken source and an error event handler that runs code. What weakness does this bypass exploit?
- The filter blocks one specific element name but allows other elements and event handlers that can execute script
- The application uses parameterized queries
- The cookie is marked HttpOnly
- The server stores files outside the web root
Correct answer: The filter blocks one specific element name but allows other elements and event handlers that can execute script
Blocking one element while allowing handlers is correct because cross-site scripting can fire through many vectors, so a denylist that removes only one tag name leaves event handlers on other elements available to run code. Parameterized queries concern SQL, the HttpOnly attribute affects cookie reading not whether script runs, and storage location of files is unrelated to which markup the page interprets.
- A tester demonstrating cross-site scripting impact wants to capture keystrokes a victim types on the affected page to harvest a password entered into a form. How can the injected script accomplish this within the victim's browser?
- By executing
xp_cmdshell through the database - By registering a JavaScript event listener that records key events and sends them to the tester's server
- By reading the server's
web.config via traversal - By forging a Kerberos service ticket
Correct answer: By registering a JavaScript event listener that records key events and sends them to the tester's server
Registering a JavaScript key-event listener is correct because script running in the victim's browser can hook keyboard events on the page and exfiltrate the captured input to an attacker endpoint. Executing xp_cmdshell is a SQL Server feature, reading web.config is a server file-disclosure action, and forging a Kerberos ticket is an Active Directory technique; none capture keystrokes in the browser.
- A tester notices the application returns a Content-Security-Policy that forbids inline scripts, so a basic inline payload is blocked even though input is reflected unencoded. What does the presence of this policy mean for exploiting the reflection?
- The reflection is now impossible to ever exploit
- The policy converts the flaw into SQL injection
- The tester must find a payload the policy permits, such as abusing an allowed source or a policy gap, rather than a simple inline script
- The policy encrypts all responses
Correct answer: The tester must find a payload the policy permits, such as abusing an allowed source or a policy gap, rather than a simple inline script
Finding a permitted payload is correct because a content-security policy restricts which scripts run, so exploitation shifts to vectors the policy allows or to weaknesses in the policy rather than plain inline script. The policy does not make exploitation categorically impossible, it does not turn the issue into SQL injection, and it does not encrypt responses; it merely constrains how the cross-site scripting must be delivered.
- During a web assessment the tester finds a comment field that renders submitted HTML to every visitor and confirms a script payload runs for all of them. To maximize impact in a report, what is the most accurate characterization of this finding's reach?
- It affects only the attacker's own browser
- It requires each victim to click a unique crafted link
- It only works if JavaScript is disabled
- It executes against every user who loads the page where the payload is stored
Correct answer: It executes against every user who loads the page where the payload is stored
Executing against every viewer is correct because a stored payload rendered to all visitors fires for anyone who loads the affected page, giving it broad reach worth emphasizing. It is not limited to the attacker's browser, it does not require a unique link per victim as reflected attacks do, and it depends on JavaScript being enabled rather than disabled.
- A tester probing a host-lookup web tool injects a semicolon followed by a command and the page returns the output of that command alongside the normal lookup result. The semicolon is acting as which kind of shell construct here?
- A command separator that ends the first command and begins another unconditionally
- A SQL comment marker
- An HTML attribute delimiter
- A directory traversal token
Correct answer: A command separator that ends the first command and begins another unconditionally
A command separator is correct because in a shell the semicolon terminates one command and starts the next regardless of the first command's result, which lets the injected command run after the legitimate one. A SQL comment marker affects database statements, an HTML attribute delimiter concerns markup, and a traversal token walks file paths; none describe the semicolon's role of sequencing shell commands.
- A tester suspects command injection on a parameter but the application returns no command output to the page, so success is not directly visible. Which approach best confirms execution when output is not reflected?
- Submitting an
ORDER BY clause to sort results - Injecting a command that causes the server to make an outbound request to a tester-controlled host, confirming execution out of band
- Injecting a bold HTML tag
- Reading the browser's local storage
Correct answer: Injecting a command that causes the server to make an outbound request to a tester-controlled host, confirming execution out of band
Forcing an outbound request to a tester host is correct because blind command injection provides no on-page output, so triggering a callback such as a ping or HTTP request to infrastructure the tester monitors proves the command ran. An ORDER BY clause tests SQL, a bold tag tests cross-site scripting, and reading browser storage is a client-side action; none confirm blind server-side command execution.
- A tester achieves command injection and wants a stable interactive session instead of issuing one command per request. Which immediate action through the injection point best moves toward that interactive session on a Linux target?
- Injecting a ../ sequence to read
/etc/passwd - Injecting a
UNION SELECT to dump the database - Injecting a command that launches a reverse shell connecting back to the tester's listener
- Injecting a script tag to alert the browser
Correct answer: Injecting a command that launches a reverse shell connecting back to the tester's listener
Launching a reverse shell is correct because using the command-injection point to run a payload that connects back to a listener upgrades one-shot command execution into an interactive session the tester controls. A UNION SELECT targets SQL data, a traversal sequence only reads a file, and a script tag affects the browser; none establish an interactive shell on the target host.
- A tester finds an application that passes a user-supplied value into a system command but only after wrapping the whole input in double quotes. To inject, the tester first uses a construct that runs a command and substitutes its output inline within those quotes. Which shell feature enables this in-quote execution?
- The
php://filter wrapper - The SQL UNION operator
- The HttpOnly cookie attribute
- Command substitution using backticks or the dollar-parenthesis form
Correct answer: Command substitution using backticks or the dollar-parenthesis form
Command substitution is correct because backticks or the dollar-parenthesis form execute an embedded command and insert its output, and these can run inside a double-quoted string where simple separators may be neutralized. The SQL UNION operator targets databases, the HttpOnly attribute concerns cookies, and php://filter is a PHP stream wrapper; none execute a command within a quoted shell argument.
- A tester confirms command injection running as a low-privileged service account and, before escalating, wants to map what was achieved on this standalone box. Which OSCP scoring outcome does landing command execution through this web flaw satisfy?
- It satisfies the initial-access portion of the box, with privilege escalation still required for full points
- It satisfies the full points for the box on its own
- It satisfies the domain controller objective
- It satisfies the report-only requirement with no technical work
Correct answer: It satisfies the initial-access portion of the box, with privilege escalation still required for full points
Satisfying the initial-access portion is correct because each standalone machine awards points for the foothold and separately for escalation, so command execution as a low-privileged account earns the access portion while escalation remains. It does not earn full points alone, the domain controller objective belongs to the Active Directory set, and a foothold is hands-on work rather than report-only.
- A tester reading files through path traversal on a Linux target wants to discover the exact command line and environment of the web service process to find credentials passed as arguments. Which pseudo-filesystem location is the appropriate traversal target for a running process's command line?
- The Windows registry hives
- The proc filesystem entries for the process, such as its cmdline and environ files
- The application's CSS files
- The domain controller's
NTDS.dit
Correct answer: The proc filesystem entries for the process, such as its cmdline and environ files
Reading the proc filesystem entries is correct because on Linux the per-process cmdline and environ pseudo-files expose how a process was invoked and its environment, which can leak credentials passed in arguments or variables. Windows registry hives are not on Linux, CSS files hold styling, and NTDS.dit is a domain controller secret; none reveal a Linux process's command line through traversal.
- A traversal filter removes the sequence of two dots followed by a slash a single time before using the input. A tester defeats it by nesting the sequence so that after one removal a valid traversal remains. Which bypass technique does this describe?
- Submitting a
UNION SELECT - Switching to a stored cross-site scripting payload
- Using a nested or doubled traversal sequence so a single-pass filter leaves a working path
- Forwarding a local port
Correct answer: Using a nested or doubled traversal sequence so a single-pass filter leaves a working path
Using a nested or doubled traversal sequence is correct because a filter that strips the pattern only once can be defeated by embedding the pattern inside itself so the remaining text still forms a valid traversal after removal. A cross-site scripting payload targets the browser, a UNION SELECT targets SQL, and port forwarding is a tunneling action; none address a single-pass traversal filter.
- On a Windows IIS application vulnerable to traversal, a tester wants to read the credentials and configuration the application uses to reach its database. Beyond the application's own config, which Windows account-database file is a high-value traversal target if readable?
- The krbtgt account's plaintext password
- The Linux
/etc/shadow file - The application's favicon
- The SAM registry hive containing local account password hashes
Correct answer: The SAM registry hive containing local account password hashes
The SAM hive is correct because on Windows it stores local account password hashes, so reading it through traversal can yield credentials to crack or reuse. The /etc/shadow file is Linux-specific, the favicon is a low-value icon, and the krbtgt password is not stored in plaintext anywhere; only the SAM hive is the Windows account-database traversal target here.
- A tester confirms a traversal flaw that reads arbitrary files but the application prepends a fixed base directory to the supplied path. The tester still escapes it by supplying enough parent-directory steps to climb above that base. What property of the flaw makes this possible?
- The application concatenates user input into the path without canonicalizing or restricting it to the base directory
- The application uses parameterized SQL queries
- The cookie is marked HttpOnly
- The server runs an unquoted service path
Correct answer: The application concatenates user input into the path without canonicalizing or restricting it to the base directory
Concatenating input without canonicalization is correct because if the code joins the user value to the base path and never resolves or confines the final path, enough parent-directory steps walk above the intended directory. Parameterized SQL concerns databases, the HttpOnly attribute concerns cookies, and an unquoted service path is a Windows privilege-escalation issue; none explain why the traversal escapes the base directory.
- A tester exploiting a PHP local file inclusion cannot find a poisonable log, so they use a PHP wrapper that reads a stream from the request body and have the include execute code supplied through that input stream. Which wrapper provides this request-body input stream for inclusion?
- The
information_schema catalog - The
php://input wrapper that exposes the raw request body - The HttpOnly attribute
- The
ORDER BY clause
Correct answer: The php://input wrapper that exposes the raw request body
The php://input wrapper is correct because it exposes the raw POST body as a stream, so when included it lets the server execute PHP the tester places in the request body. The information_schema catalog is SQL metadata, HttpOnly is a cookie attribute, and ORDER BY is a SQL clause; none provide an includable request-body stream for code execution.
- A tester abuses a PHP file-inclusion flaw to view source code safely by encoding it before output so PHP is not executed, revealing hardcoded secrets in the source. Which PHP wrapper applies that base64 encoding to return source instead of running it?
- The
php://input wrapper reading the body - The data wrapper supplying inline PHP
- The
php://filter wrapper with a base64-encode conversion - The expect wrapper running commands
Correct answer: The php://filter wrapper with a base64-encode conversion
The php://filter wrapper with base64 encoding is correct because applying the encode conversion returns the file as encoded text rather than executing it, letting the tester recover and decode source to find secrets. The data wrapper supplies inline code to execute, php://input reads the request body to execute, and the expect wrapper runs commands; those execute rather than safely disclose source.
- A tester confirms PHP local file inclusion and chooses to poison the web server access log because the application reflects the User-Agent header into it. After placing PHP code in the User-Agent and triggering a request, what must the tester do to gain execution?
- Run an Nmap UDP scan of the target
- Submit a
UNION SELECT against the parameter - Forge a Kerberos ticket for the web account
- Include the access log file through the inclusion parameter so the injected PHP runs
Correct answer: Include the access log file through the inclusion parameter so the injected PHP runs
Including the access log through the inclusion parameter is correct because the poisoned log now contains attacker PHP, and forcing the include statement to load that log executes the embedded code. A UNION SELECT targets SQL, forging a Kerberos ticket is an Active Directory action, and a UDP scan is enumeration; none execute the PHP planted in the log.
- A tester finds an inclusion parameter that only loads files relative to a fixed directory and appends a fixed suffix, limiting what can be read, but the application is running a very old interpreter. Which historical condition would let a long sequence of path characters truncate the appended suffix so an arbitrary file is included?
- A path-length truncation behavior on legacy interpreters that drops the appended suffix
- A modern Content-Security-Policy header
- A parameterized SQL statement
- An HttpOnly cookie flag
Correct answer: A path-length truncation behavior on legacy interpreters that drops the appended suffix
Path-length truncation on legacy interpreters is correct because older versions could silently cut a path at a maximum length, discarding an appended suffix so the tester reaches their intended file. A content-security policy governs script sources in the browser, a parameterized statement concerns SQL, and an HttpOnly flag concerns cookies; none cause path truncation that drops the appended suffix.
- A tester recovers a hardcoded database password by reading the application's configuration through a file-inclusion source disclosure, but the database is not directly reachable. How might this leaked credential still advance the tester toward a foothold on the box?
- By using it to forge a golden ticket
- By trying the same password against other services like SSH, since users reuse credentials
- By using it to write to the proc filesystem
- By using it to set the HttpOnly attribute
Correct answer: By trying the same password against other services like SSH, since users reuse credentials
Trying the password against other services is correct because credential reuse is common, so a leaked database password is worth testing against SSH or other login surfaces to gain an interactive foothold. Forging a golden ticket is an Active Directory attack needing domain secrets, the proc filesystem is read-oriented and not a credential target, and HttpOnly is a cookie attribute; none reuse the leaked password for access.
- An upload form rejects files unless the first bytes match a known image signature. A tester bypasses it by prepending valid image magic bytes to a PHP web shell so it passes the signature check while still containing executable code. What validation weakness does this exploit?
- Relying on an HttpOnly cookie
- Relying on a parameterized SQL query
- Relying on a leading file signature while still allowing the file to be executed as a script
- Relying on an unquoted service path
Correct answer: Relying on a leading file signature while still allowing the file to be executed as a script
Relying on a leading signature is correct because checking only the magic bytes lets an attacker prepend a valid header to a script that the server still interprets as code, defeating the check. A parameterized query concerns SQL, an HttpOnly cookie concerns the browser, and an unquoted service path is a Windows privilege-escalation issue; none describe a bypass of magic-byte upload validation.
- A tester uploads a web shell but the application renames every file to a random value and strips the extension on save, so the stored file no longer ends in an executable suffix. Why does this control hinder turning the upload into code execution?
- Because renaming forges a Kerberos ticket
- Because renaming encrypts the file contents
- Because renaming converts the upload to SQL injection
- Because without an executable extension the server is unlikely to interpret the stored file as a script when requested
Correct answer: Because without an executable extension the server is unlikely to interpret the stored file as a script when requested
Removing the executable extension is correct because servers commonly decide whether to run a file based on its suffix, so a stored file with no script extension is served as inert data rather than executed. Renaming does not encrypt contents, does not create SQL injection, and does not forge tickets; the obstacle is purely that the saved file is no longer recognized as a script.
- A tester finds an upload that allows archive files and the application extracts them server-side, preserving paths inside the archive. The tester crafts an archive whose entry uses traversal so extraction writes a web shell into the web root. What is this upload-and-extract technique called?
- A path-traversal archive extraction attack
- A reflected cross-site scripting attack
- A time-based blind SQL injection
- A pass-the-hash attack
Correct answer: A path-traversal archive extraction attack
A path-traversal archive extraction attack is correct because embedding traversal sequences in archive entry names can cause an extractor that trusts those paths to write files outside the intended directory, such as a web shell into the web root. Reflected cross-site scripting runs in the browser, time-based blind injection targets a database, and pass-the-hash is an Active Directory technique; none describe malicious archive extraction.
- A tester successfully places a web shell that the server will execute and now wants to identify which operating-system account the web shell runs as, to plan the privilege-escalation phase. Which command requested through the web shell answers this on a Linux target?
- A
UNION SELECT against the application - A command that prints the current user, such as the one returning the effective user name
- A request for the application's CSS file
- A captured-hash submission to a cracker
Correct answer: A command that prints the current user, such as the one returning the effective user name
Printing the current user is correct because running a command that reports the effective user name tells the tester which low-privileged account the web shell executes as, framing the escalation plan. A UNION SELECT queries the database, requesting a stylesheet reveals nothing about the account, and submitting a hash is offline cracking; none identify the web shell's running user.
- An upload feature checks the extension against an allow-list but does so case-sensitively, and the server still executes the file regardless of case. A tester bypasses the check by uploading the script with a mixed-case extension. What flaw does this demonstrate?
- A SQL injection in the upload form
- A correctly configured upload that cannot be bypassed
- An inconsistency where the validation is case-sensitive but the execution handler is case-insensitive
- A directory traversal in the cookie
Correct answer: An inconsistency where the validation is case-sensitive but the execution handler is case-insensitive
An inconsistency between case-sensitive validation and case-insensitive execution is correct because if the check distinguishes case but the server runs the file regardless of case, a mixed-case extension slips past the allow-list yet still executes. This is not a secure configuration, it is not SQL injection in the form, and it is not traversal in the cookie; the gap is the mismatch in how case is treated.
- A tester preparing a client-side attack against staff crafts an Office document whose embedded macro runs when the user opens it and chooses to enable editing and content. Which user action is the necessary precondition for this macro-based foothold to succeed?
- The database must enable
xp_cmdshell - The recipient must run a
UNION SELECT - The web server must store the file outside the web root
- The recipient must open the document and enable the macro content
Correct answer: The recipient must open the document and enable the macro content
The recipient opening the document and enabling macro content is correct because macro-based client-side attacks depend on user interaction, since modern applications block macros until the user explicitly enables them. Running a UNION SELECT is a database action, web-root storage concerns server file uploads, and xp_cmdshell is a SQL Server feature; none are the user precondition for a macro to execute.
- A tester sends staff a link that, when clicked, prompts the user to open a file using a custom application handler that then runs attacker-controlled parameters. Why is this categorized as a client-side attack rather than exploitation of the web server?
- Because the malicious action executes on the user's own machine through software they invoke, requiring their interaction
- Because it runs entirely inside the database engine
- Because it modifies files on the web server's disk
- Because it requires no user involvement of any kind
Correct answer: Because the malicious action executes on the user's own machine through software they invoke, requiring their interaction
Executing on the user's machine through invoked software is correct because client-side attacks target applications on the client and rely on the victim interacting, here by clicking the link and letting a local handler run. It does not execute in the database engine, it does not alter the web server's files, and the defining trait is that it does require user involvement rather than none.
- A tester delivering a client-side payload must decide how the victim's machine will retrieve the second-stage code after the initial macro runs, given outbound web traffic is allowed from the workstation. Which approach fits this staged client-side delivery?
- Have the macro read the server's
information_schema - Have the macro download and execute a stage from the tester's web server over the permitted outbound channel
- Have the macro forge a Kerberos ticket
- Have the macro run a UDP scan of the internet
Correct answer: Have the macro download and execute a stage from the tester's web server over the permitted outbound channel
Downloading and executing a stage over the permitted channel is correct because a staged client-side attack uses the victim's allowed outbound access to fetch and run further code from the tester's infrastructure. Reading information_schema is a database action, forging a Kerberos ticket is an Active Directory technique, and a UDP internet scan is unrelated enumeration; none accomplish staged client-side delivery.
- A tester finds error-based SQL injection where the application displays database error messages on the page. They craft a payload that forces a conversion error so the database includes a chosen value inside the error text. Why is forcing such an error useful for extraction?
- Because errors encrypt the database connection
- Because errors automatically grant administrative access
- Because the database embeds the targeted data within the returned error message, leaking it directly
- Because errors set the HttpOnly cookie flag
Correct answer: Because the database embeds the targeted data within the returned error message, leaking it directly
Embedding data in the error message is correct because error-based injection deliberately triggers an error whose text includes the queried value, leaking data through the displayed message even without a clean output column. Errors do not grant administrative access, do not encrypt the connection, and do not set cookie attributes; their value here is the data revealed in the message.
- A tester wants sqlmap to enumerate all databases, then the tables of a chosen database, and finally dump a specific table, working from broad to narrow. Which ordering of sqlmap's enumeration goals reflects this drill-down workflow?
- Brute-force directories, then fuzz parameters, then capture packets
- Crack hashes, then scan ports, then read cookies
- Forge tickets, then pivot, then tunnel
- List databases, then list that database's tables, then dump the chosen table's contents
Correct answer: List databases, then list that database's tables, then dump the chosen table's contents
Listing databases, then tables, then dumping the table is correct because sqlmap supports a logical drill-down where the tester first sees available databases, narrows to a database's tables, and finally dumps the table of interest. The other sequences mix in unrelated activities like hash cracking, ticket forging, pivoting, or packet capture that are not sqlmap's enumeration drill-down for extracting database contents.
- A tester exploiting cross-site scripting wants to make the victim's authenticated browser submit a state-changing form, but the form includes an anti-forgery token the attacker cannot guess. How does running script in the victim's browser overcome the token?
- The injected script can read the token from the page and include it in the forged request, since it runs in the victim's context
- The script forces the database to disable the token
- The script forwards a port to bypass the token
- The token is automatically void whenever any script runs
Correct answer: The injected script can read the token from the page and include it in the forged request, since it runs in the victim's context
Reading the token from the page is correct because cross-site scripting executes in the victim's session, so the script can fetch the legitimate page, parse out the anti-forgery token, and submit a valid forged request. The script does not disable tokens in the database, port forwarding is unrelated, and a token is not automatically voided merely because script runs; its strength is overcome by reading it in context.
- A tester confirms command injection on a Linux web app but the limited shell strips many special characters, though it still allows base64 decoding utilities. How can the tester run a complex command despite the character filtering?
- Submit the command as a
UNION SELECT - Encode the command in base64 and decode then execute it through allowed utilities to avoid the filtered characters
- Place the command in an HTML attribute
- Read the command from the browser cache
Correct answer: Encode the command in base64 and decode then execute it through allowed utilities to avoid the filtered characters
Encoding the command in base64 and decoding it is correct because representing the payload in an encoding that lacks the filtered characters, then decoding and piping it to a shell, sidesteps the character restrictions while still executing the intended command. A UNION SELECT targets SQL, an HTML attribute targets the browser, and the browser cache is a client artifact; none bypass shell character filtering to run a command.
- A tester reading files through a directory traversal on a Linux web host wants to find a service's stored credentials and notices the application uses a popular framework with an environment file. Which commonly named file is worth targeting for database and secret-key values?
- The domain controller's krbtgt hash
- The Windows SAM hive
- An environment configuration file such as a
.env file in the application directory - The browser's saved passwords
Correct answer: An environment configuration file such as a .env file in the application directory
An environment configuration file is correct because many frameworks store database credentials and secret keys in a .env file within the application directory, making it a high-value traversal read on Linux. The SAM hive is a Windows artifact, the krbtgt hash is a domain controller secret, and the browser's saved passwords are a client-side store; none are the framework environment file targeted here.
- A tester achieves a foothold by uploading a web shell, then immediately uses it to download and run a more capable payload that gives an interactive reverse connection. Why move off the browser-based web shell to a reverse connection so quickly?
- The browser web shell grants root by default
- The web shell automatically forges Kerberos tickets
- The reverse connection encrypts the database
- An interactive reverse shell provides a more stable and full-featured session for the privilege-escalation phase than a one-command-per-request web shell
Correct answer: An interactive reverse shell provides a more stable and full-featured session for the privilege-escalation phase than a one-command-per-request web shell
Moving to an interactive reverse shell is correct because a single-command web shell is awkward for the sustained, interactive work of enumeration and escalation, whereas a reverse connection gives a stable session. The web shell does not forge tickets, a reverse connection does not encrypt the database, and a browser web shell does not grant root by default; the reason is the quality of the session for later phases.
- A tester confirms SQL injection on a parameter and observes the application caps every response to a single returned row, making row-by-row dumping slow. To pull many values into that one visible row at once on MySQL, which function concatenates multiple rows into a single string?
- The
GROUP_CONCAT function that combines rows into one delimited string - The
SLEEP function that pauses execution - The
ORDER BY clause that sorts results - The
LOAD_FILE function that reads a file
Correct answer: The GROUP_CONCAT function that combines rows into one delimited string
The GROUP_CONCAT function is correct because it merges values from many rows into a single delimited string, letting the tester surface multiple records inside the one row the application will display. The SLEEP function only delays the response for blind timing, ORDER BY merely sorts output, and LOAD_FILE reads a server file rather than aggregating rows; none pack many rows into one visible value.
- A tester finds reflected cross-site scripting that appears only when a specific request header value is echoed unencoded into an error page. To exploit this against a target, what makes header-based reflected cross-site scripting harder to weaponize than a query-string version?
- Headers are encrypted and can never be read
- The attacker cannot easily make a victim's browser send an arbitrary custom header through a normal link, unlike a URL parameter
- Header reflection automatically becomes SQL injection
- Header values are always set only by the server
Correct answer: The attacker cannot easily make a victim's browser send an arbitrary custom header through a normal link, unlike a URL parameter
The difficulty of forcing a victim's browser to send an arbitrary header is correct because a URL parameter can be delivered in a simple crafted link, whereas many request headers cannot be set by following a link, limiting practical delivery. Header reflection does not turn into SQL injection, headers in requests are not encrypted away from the application, and request headers are client-supplied rather than only server-set; the real obstacle is delivery.
- A tester lands a basic shell on a Linux host and runs a one-liner using python3 to spawn
/bin/bash through pty.spawn so the session behaves like a real terminal. What does this single step accomplish for the tester?- It allocates a pseudo-terminal so the shell supports job control and interactive programs
- It cracks the user's password from
/etc/shadow automatically - It opens a SOCKS proxy to the internal network
- It dumps the local NTLM hashes into a file
Correct answer: It allocates a pseudo-terminal so the shell supports job control and interactive programs
Allocating a pseudo-terminal is correct because pty.spawn requests a PTY for the spawned shell, which is what enables job control, signal handling, and interactive utilities. It does not crack /etc/shadow, open a SOCKS proxy, or dump NTLM hashes; the python3 pty trick exists purely to give the raw shell a working terminal.
- After stabilizing a Linux shell, a tester exports
TERM=xterm and a sane PATH before running enumeration. Why set the TERM variable specifically?- It encrypts the reverse shell traffic end to end
- It grants the session root through environment inheritance
- It forces the target to reconnect on a new port
- It tells full-screen and color-aware programs how to address the terminal so they render correctly
Correct answer: It tells full-screen and color-aware programs how to address the terminal so they render correctly
Telling programs how to address the terminal is correct because TERM identifies the terminal type so curses-based and color-aware tools emit the right control sequences. Setting TERM does not encrypt traffic, grant root, or change ports; it only fixes rendering for interactive programs in the upgraded shell.
- A tester has only a dumb shell with no python interpreter available on a Linux target but the box has the script utility installed. How can the tester still obtain a PTY?
- By running an Nmap scan that allocates a terminal
- By piping the shell through sqlmap
- By requesting a Kerberos ticket for the shell
- By using
script /dev/null -c bash to spawn a PTY-backed shell
Correct answer: By using script /dev/null -c bash to spawn a PTY-backed shell
Using script /dev/null -c bash is correct because the script utility allocates a pseudo-terminal and can launch bash inside it, providing an upgraded shell without python. An Nmap scan, sqlmap, and Kerberos ticket requests do nothing to allocate a terminal; the script binary is a common fallback for the TTY upgrade.
- A tester is choosing between a reverse shell and a bind shell on a target that sits behind a NAT device with no inbound port mapping but unrestricted outbound access. Which choice works and why?
- A reverse shell, because the NATed target can initiate the outbound connection back to the attacker
- A bind shell, because NAT forwards inbound connections automatically
- Neither, because NAT blocks all shells
- A bind shell, because outbound access is irrelevant to bind shells
Correct answer: A reverse shell, because the NATed target can initiate the outbound connection back to the attacker
A reverse shell is correct because a host behind NAT without inbound mappings cannot accept incoming connections, but it can still reach out, so an outbound callback succeeds. NAT does not auto-forward inbound traffic, shells are not universally blocked, and a bind shell needs the very inbound access that is missing; the outbound-initiated reverse shell fits NAT.
- A tester opens a bind shell on a Windows target and connects to it, but anyone scanning the box could also reach the listening port. Which security drawback of a bind shell does this illustrate?
- Bind shells always require a cracked password to connect
- Bind shells only work over encrypted channels
- The listening port exposes the shell to anyone who can reach it, not just the attacker
- Bind shells automatically grant SYSTEM to every connection
Correct answer: The listening port exposes the shell to anyone who can reach it, not just the attacker
Exposing the shell to anyone who can reach the port is correct because a bind shell listens openly, so any party with network access to that port could connect, which is a real operational risk. Bind shells do not require a cracked password, are not limited to encrypted channels, and do not auto-grant SYSTEM; the open listener is the drawback shown.
- A tester wants to receive a reverse shell but worries a plain netcat listener offers no encryption and may be filtered by deep inspection. Which alternative listener concept addresses confidentiality of the shell channel?
- Forwarding the shell through a domain controller
- Using an encrypted listener such as one wrapped in TLS (for example via socat or ncat with SSL)
- Cracking the shell's hash before connecting
- Switching the payload to an exec-only command
Correct answer: Using an encrypted listener such as one wrapped in TLS (for example via socat or ncat with SSL)
Using a TLS-wrapped listener is correct because tools like socat or ncat with SSL encrypt the reverse-shell channel, addressing the confidentiality gap of plain netcat. Routing through a domain controller, cracking a nonexistent shell hash, and switching to an exec payload do not provide an encrypted interactive channel; an SSL-capable listener does.
- A tester needs a standalone Windows executable that, when run on the target, connects back to the attacker for an interactive command shell. Which msfvenom payload selection matches a non-staged Windows reverse TCP command shell?
windows/x64/shell_reverse_tcplinux/x86/execjava/jsp_shell_bind_tcpphp/reverse_php
Correct answer: windows/x64/shell_reverse_tcp
windows/x64/shell_reverse_tcp is correct because it is a Windows reverse-connecting command-shell payload appropriate for a 64-bit Windows executable. The linux exec payload runs on Linux, the java jsp payload targets Java web servers, and the php payload targets PHP applications; only the Windows reverse TCP shell payload fits the requirement.
- A tester generating a Windows payload with msfvenom finds the target environment flags certain bytes in the shellcode that break execution when embedded in an exploit buffer. Which msfvenom feature is intended to remove specific problematic bytes from the output?
- The Nmap timing template option
- The bad-character exclusion option (for example
-b) that avoids listed bytes in the generated payload - The proxychains chain-length option
- The Hydra task-count option
Correct answer: The bad-character exclusion option (for example -b) that avoids listed bytes in the generated payload
The bad-character exclusion option is correct because msfvenom can be told which bytes to avoid so the encoded payload does not contain characters that would corrupt execution in the target context. Nmap timing, proxychains chain length, and Hydra task counts are unrelated scanning, pivoting, or brute-force settings; specifying bad characters is the relevant feature.
- A tester needs an msfvenom payload formatted as raw shellcode suitable for pasting into a Python exploit script as a byte string. Which output choice produces that result?
- An EXE output for double-clicking
- A WAR archive for Tomcat
- A formatted output such as a Python byte-string variable (-f python)
- An MSI installer package
Correct answer: A formatted output such as a Python byte-string variable (-f python)
A Python byte-string output is correct because msfvenom's format option can emit the shellcode as a ready-to-paste Python variable for use in an exploit script. An EXE is a standalone binary, a WAR is for Java servers, and an MSI is an installer package; the language-formatted output is what embeds cleanly into a Python exploit.
- A tester finds a SUID-root binary that is a copy of bash with the privileges preserved. Which invocation turns this into a root shell?
- Running gobuster against the binary path
- Running it with the
-p flag so it does not drop the elevated privileges - Submitting the binary to a SQL injection point
- Requesting an AS-REP for the bash account
Correct answer: Running it with the -p flag so it does not drop the elevated privileges
Running bash with -p is correct because a SUID-root bash normally drops privileges on startup unless the privileged mode flag is used, which preserves the effective root UID and yields a root shell. Gobuster, SQL injection, and AS-REP requests are unrelated web, database, and Active Directory actions; the -p flag is what keeps the SUID privileges.
- A tester reviewing the output of
getcap on a Linux host sees that a Python interpreter has the cap_setuid capability. Why is this a privilege-escalation finding even without the SUID bit?- Because the capability forges a Kerberos ticket
- Because the capability exposes the interpreter over SMB
- Because the capability lets the interpreter change its UID to 0, allowing it to spawn a root shell
- Because the capability disables the target firewall
Correct answer: Because the capability lets the interpreter change its UID to 0, allowing it to spawn a root shell
Letting the interpreter change its UID to 0 is correct because cap_setuid grants the ability to set the user ID to root, so a script can call setuid(0) and then launch a root shell. The capability does not forge tickets, expose SMB, or disable firewalls; the setuid capability is itself the escalation primitive.
- A tester sees
sudo -l permits running a known archiving utility as root, and that utility supports a checkpoint feature that can execute an external command during operation. How does this lead to root?- By cracking the sudo timestamp file
- By relaying NTLM to the domain controller through the utility
- By performing directory traversal through the archive
- By abusing the utility's checkpoint-action feature to run an attacker command as root
Correct answer: By abusing the utility's checkpoint-action feature to run an attacker command as root
Abusing the checkpoint-action feature is correct because some archiving utilities can trigger an arbitrary command at a checkpoint, and when run via sudo as root that command executes with root privileges. Cracking a timestamp file, relaying NTLM, and directory traversal are unrelated cracking, Active Directory, and web techniques; the utility's command-execution feature is the escalation.
- A tester finds a root cron job that runs a wildcard-based command such as a backup using tar with an asterisk over a directory the user can write to. Why does the writable directory plus wildcard create an escalation path?
- The wildcard forges a service ticket on expansion
- The wildcard expands attacker-named files into command-line options that inject behavior into the root-run command
- The wildcard exposes the directory as an anonymous share
- The wildcard cracks the root password automatically
Correct answer: The wildcard expands attacker-named files into command-line options that inject behavior into the root-run command
Wildcard expansion into options is correct because crafted filenames in a writable directory are expanded by the shell into argument flags, letting the attacker smuggle options (such as a checkpoint action) into the root-run command. The wildcard does not forge tickets, create shares, or crack passwords; argument injection via filenames is the escalation.
- A tester confirms a root cron job sources a shell script and notices the script calls a helper command by name without an absolute path while the cron PATH includes a user-writable directory listed first. How is this abused?
- Place a malicious helper of the same name in the writable PATH directory so the root cron job runs it
- Forge a TGT to register the helper
- Submit the script to a web upload form
- Crack the cron PATH variable offline
Correct answer: Place a malicious helper of the same name in the writable PATH directory so the root cron job runs it
Planting a same-named helper in the writable PATH directory is correct because when a script calls a command without a full path and a writable directory precedes the real one, the cron job under root resolves and runs the attacker's binary. Forging a TGT, submitting to a web form, and cracking a variable are unrelated; PATH hijacking of the helper is the escalation.
- On a Windows host a tester finds a scheduled task that runs hourly with highest privileges and executes a batch file whose containing folder grants the current user Modify rights on the file. What is the direct abuse?
- Request a TGS ticket for the task scheduler
- Run a blind SQL injection against the scheduler database
- Crack the task's last-run timestamp
- Edit the batch file to add commands that the next privileged run executes
Correct answer: Edit the batch file to add commands that the next privileged run executes
Editing the batch file is correct because Modify rights let the user change the script that a high-privilege scheduled task runs, so injected commands execute with the task's elevated rights at the next run. Requesting a TGS, SQL injection, and cracking a timestamp are unrelated Active Directory, database, and cracking actions; modifying the writable script is the path.
- Using
sc qc on a Windows service, a tester sees its binary is owned by the user and writable, and the service start type is set to automatic at boot. Beyond replacing the binary, what additional service property determines whether the tester can trigger it now without a reboot?- Whether the SMB share allows null sessions
- Whether the domain controller is reachable
- Whether the web root is writable
- Whether the user holds the rights to stop and start (restart) the service
Correct answer: Whether the user holds the rights to stop and start (restart) the service
Holding restart rights is correct because even with a writable binary, triggering the replaced executable without a reboot requires the ability to stop and start the service so it reloads. Null SMB sessions, domain controller reachability, and a writable web root are unrelated to restarting a local service; service control rights decide immediate triggering.
- A tester runs
whoami /priv and observes SeBackupPrivilege is enabled. How can this privilege contribute to escalation on a standalone Windows box?- It automatically grants membership in Domain Admins
- It lets the holder read protected files such as the SAM and SYSTEM hives to extract local hashes
- It cracks NTLM hashes without a wordlist
- It opens an outbound reverse shell to the attacker
Correct answer: It lets the holder read protected files such as the SAM and SYSTEM hives to extract local hashes
Reading protected files is correct because SeBackupPrivilege grants read access that bypasses normal ACLs, enabling the tester to copy the SAM and SYSTEM hives and extract local hashes for cracking or reuse. It does not grant Domain Admins, crack hashes by itself, or open reverse shells; privileged read access to protected files is its escalation value.
- A tester searches a Windows host and finds a stored credential under the autologon registry values
DefaultUserName and DefaultPassword. Why is this a meaningful privesc lead?- Because it forges a golden ticket on read
- Because it exposes
/etc/shadow over the network - Because it converts the registry into a web service
- Because it may reveal a plaintext administrative password configured for automatic logon
Correct answer: Because it may reveal a plaintext administrative password configured for automatic logon
Revealing a plaintext autologon password is correct because Windows can store the automatic-logon credential in cleartext in those registry values, and if it belongs to a privileged account it grants escalation. It does not forge tickets, expose Linux shadow files, or create web services; the cleartext credential is the lead.
- A tester recovers a Linux password hash that begins with the marker indicating the yescrypt or bcrypt-style slow algorithm. Which cracking expectation follows compared with an old DES-crypt hash?
- It will crack instantly with a tiny wordlist
- It cannot be loaded by John or Hashcat at all
- It must be passed like an NT hash instead of cracked
- It is far slower to crack, so a focused, smaller wordlist or known-pattern mask is more practical than huge brute force
Correct answer: It is far slower to crack, so a focused, smaller wordlist or known-pattern mask is more practical than huge brute force
Being far slower to crack is correct because deliberately slow algorithms greatly raise the cost per guess, so targeted wordlists or masks beat exhaustive brute force. Such hashes are not instant, are supported by the crackers, and cannot be passed like an NT hash; the slow design dictates a focused cracking strategy.
- A tester captures a KeePass or similar credential file and wants to attack the master password offline. What is the typical workflow with John the Ripper for such a custom format?
- Submit the file directly to a web login form
- Pass the file as a Kerberos ticket to the domain controller
- Use a companion *2john extractor to convert the file into a crackable hash, then run John against it
- Run gobuster against the file to recover the password
Correct answer: Use a companion *2john extractor to convert the file into a crackable hash, then run John against it
Using a *2john extractor first is correct because John relies on helper tools to convert proprietary credential files into a hash string it can attack, after which a wordlist run can recover the master password. Submitting to a web form, passing it as a ticket, and running gobuster are unrelated; the extractor-then-John flow is the standard offline approach.
- A tester adds a rules option to a Hashcat dictionary attack so common substitutions like replacing letters with numbers and appending years are tried automatically. What does enabling rules accomplish?
- It encrypts the wordlist before use
- It forges service tickets for each candidate
- It mutates each wordlist entry into many likely variants without expanding the base list manually
- It converts the attack into an online brute force
Correct answer: It mutates each wordlist entry into many likely variants without expanding the base list manually
Mutating entries into variants is correct because rules apply transformations such as case changes, leetspeak, and suffixes to each base word, vastly increasing coverage from a single wordlist. Rules do not encrypt the list, forge tickets, or turn the attack online; programmatic mutation of candidates is their purpose.
- A tester downloads linPEAS to a target but linux output is hard to read in a cramped reverse shell. Which linPEAS option best helps the tester sort the most promising findings quickly?
- Running it in a mode that highlights and colors high-probability privesc findings
- Piping it through sqlmap to parse results
- Forwarding the output to a domain controller
- Converting the output into a Kerberos ticket
Correct answer: Running it in a mode that highlights and colors high-probability privesc findings
Highlighting high-probability findings is correct because linPEAS can color-code and flag the most likely escalation leads so the tester focuses on what matters first. Piping through sqlmap, forwarding to a domain controller, and converting to a ticket are unrelated web, Active Directory, or nonsensical actions; the highlight feature speeds triage.
- A tester wants to run winPEAS on a target but the box's antivirus may quarantine the well-known binary. Which approach keeps the privesc enumeration moving while respecting the exam's no-AV-evasion scope?
- Forge a TGT to disable antivirus
- Run a UNION SQL injection to enumerate privileges
- Rely on the equivalent built-in manual checks and PowerShell-based enumeration the script automates
- Brute-force the antivirus password with Hydra
Correct answer: Rely on the equivalent built-in manual checks and PowerShell-based enumeration the script automates
Relying on equivalent manual checks is correct because the enumeration winPEAS performs can be reproduced with built-in commands and PowerShell, keeping discovery going without the flagged binary or any disallowed evasion. Forging a TGT, SQL injection, and Hydra brute force are unrelated; manual reproduction of the script's checks is the sound move.
- A privesc script lists dozens of findings on a Linux host. Which finding category should a tester generally prioritize first because it most reliably yields root with the least risk?
- A risky kernel exploit for an old version
- A clearly exploitable misconfiguration such as a writable sudo-run script or a dangerous SUID binary
- A long list of installed packages
- The hostname and uptime values
Correct answer: A clearly exploitable misconfiguration such as a writable sudo-run script or a dangerous SUID binary
Prioritizing a clear misconfiguration is correct because writable privileged scripts and exploitable SUID binaries give reliable, low-risk root, unlike crash-prone kernel exploits or non-actionable inventory data. The package list, hostname, and uptime are context, not vectors, and the kernel exploit is the riskier last resort; the confirmed misconfiguration comes first.
- A tester identifies the running Linux kernel and finds a candidate local-root exploit, but two different public exploits target the same flaw. Which factor should most influence which exploit to try first?
- Reliability and how closely the exploit's tested kernel and distribution match the target, to reduce crash risk
- Whichever has the flashiest filename
- Whichever was uploaded most recently regardless of target match
- Whichever requires forging a Kerberos ticket
Correct answer: Reliability and how closely the exploit's tested kernel and distribution match the target, to reduce crash risk
Matching reliability and tested environment is correct because a kernel exploit proven against the same kernel and distribution is less likely to panic the box, which protects the foothold. Filenames, upload recency alone, and ticket forging are not valid selection criteria; environment match and reliability guide the choice.
- A tester compiles a Linux kernel exploit on the target and it fails with errors about a missing header file. What does this most likely indicate about using kernel exploits in practice?
- The build environment lacks required development headers, so compiling on a matching system with proper headers is often necessary
- Kernel exploits never compile on Linux
- The exploit must be submitted to a web form to compile
- The header error means the box is already root
Correct answer: The build environment lacks required development headers, so compiling on a matching system with proper headers is often necessary
Missing development headers is correct because kernel exploit source often needs specific headers to build, and a target lacking them forces compilation on a properly equipped matching system before transferring the binary. Kernel exploits do compile generally, web forms do not compile code, and the error does not mean root; missing headers explain the failure.
- A tester confirms a Windows service account holds
SeImpersonatePrivilege and the host is a recent Windows build where JuicyPotato no longer works. Which tool is the typical modern choice to abuse the privilege?- Enum4linux to dump the SAM
- Sqlmap against the service
- Gobuster against the host
- A current Potato variant such as PrintSpoofer or a RoguePotato-style tool
Correct answer: A current Potato variant such as PrintSpoofer or a RoguePotato-style tool
A current Potato variant is correct because on newer Windows builds where JuicyPotato is patched, tools like PrintSpoofer or RoguePotato remain effective at abusing SeImpersonate to reach SYSTEM. enum4linux enumerates SMB, sqlmap targets databases, and gobuster brute-forces web paths; an updated Potato-style tool fits the privilege abuse.
- A tester running a web service on IIS gains command execution and checks privileges, expecting a service identity. Which privilege most commonly present on such service accounts makes a Potato-style attack viable?
SeShutdownPrivilege, which only allows shutting down the systemSeImpersonatePrivilege, which allows impersonating the token of another security contextSeTimeZonePrivilege, which only changes the clockSeUndockPrivilege, which only undocks a laptop
Correct answer: SeImpersonatePrivilege, which allows impersonating the token of another security context
SeImpersonatePrivilege is correct because service accounts like the IIS identity commonly hold it, and impersonating a captured high-privilege token is exactly what Potato-style attacks leverage to become SYSTEM. Shutdown, time-zone, and undock privileges do not enable token impersonation; the impersonation privilege is the enabler.
- A tester finds a service whose executable path is C:\Program Files\App Suite\svc.exe registered without quotes, but the C:\ and C:\Program Files directories are not writable. Why might this unquoted path still be unexploitable here?
- Because unquoted paths are never exploitable
- Because the service runs as a standard user only
- Because the tester cannot write a binary into any directory that the truncated path candidates would resolve to
- Because Windows ignores spaces entirely in service paths
Correct answer: Because the tester cannot write a binary into any directory that the truncated path candidates would resolve to
Lacking write access to the candidate directories is correct because exploiting an unquoted path requires placing an executable where a space-truncated prefix resolves, and without write access to C:\ or C:\Program Files the attack cannot land. Unquoted paths can be exploitable, the service identity is not stated as standard-only, and Windows does parse spaces; the missing writable directory blocks it.
- A tester wants to enumerate all Windows services with unquoted paths containing spaces in a single query. Which approach surfaces these candidates efficiently?
- Sending each service name to a SQL injection point
- Requesting AS-REP tickets for each service
- Brute-forcing the services with Hydra
- Running
wmic service get name,pathname,startmode and filtering for unquoted paths with spaces
Correct answer: Running wmic service get name,pathname,startmode and filtering for unquoted paths with spaces
Querying service path names and filtering is correct because listing each service's binary path and checking for unquoted paths that contain spaces directly identifies candidates. SQL injection, AS-REP requests, and Hydra brute force are unrelated database, Active Directory, and login-attack actions; enumerating the path names is the discovery method.
- A tester suspects DLL hijacking against an elevated application and uses Process Monitor to watch its DLL loads. Which observed event indicates a hijack opportunity?
- A successful TGT request to the domain controller
- A NAME NOT FOUND result for a DLL in a directory the tester can write to, before the real DLL is located
- A 404 response from the web server
- An anonymous SMB session being established
Correct answer: A NAME NOT FOUND result for a DLL in a directory the tester can write to, before the real DLL is located
A NAME NOT FOUND in a writable, earlier-searched directory is correct because it shows the loader looking for a missing DLL in a place the tester controls before finding the legitimate one, which is the hijack opening. A TGT request, a web 404, and an SMB session are unrelated Active Directory, web, and share events; the missing-DLL lookup in a writable path reveals the opportunity.
- A tester crafts a malicious DLL for hijacking but the target application crashes immediately after loading it instead of running the payload. Which design consideration most often fixes this?
- Forging a Kerberos ticket inside the DLL
- Ensuring the malicious DLL still exports the functions the application expects (proxying to the real DLL) so the app keeps running
- Adding a SUID bit to the DLL
- Submitting the DLL to a web upload form
Correct answer: Ensuring the malicious DLL still exports the functions the application expects (proxying to the real DLL) so the app keeps running
Exporting the expected functions (proxying) is correct because if the replacement DLL lacks the symbols the application calls, the app crashes; forwarding those exports to the genuine DLL keeps it stable while the payload runs. Ticket forging, a SUID bit, and web uploads are irrelevant to Windows DLL loading; proper export proxying resolves the crash.
- A candidate plans to compromise one standalone machine fully with Metasploit's automated exploit module and use manual methods on the others. After exploiting and escalating the chosen box with the framework, which related framework action would still count against the single-machine restriction if used elsewhere?
- Running an automated post-exploitation or exploit module against a second machine
- Using msfvenom to generate a payload on another box
- Using a manual searchsploit-found exploit on another box
- Reading documentation about a module
Correct answer: Running an automated post-exploitation or exploit module against a second machine
Running an automated module against a second machine is correct because the restriction covers the framework's automated exploitation and post modules, so using them on another box breaks the single-machine rule. msfvenom payload generation, manually adapted searchsploit exploits, and reading docs are not the restricted automation; auto-running modules elsewhere violates the rule.
- A candidate wants to maximize value from their one permitted Metasploit machine. Which selection strategy aligns with the restriction's intent during the exam?
- Use the framework on the easiest box and do the hard one by hand
- Save the automated framework usage for the machine that is most stubborn to crack manually
- Use the framework on every box in small amounts
- Avoid the framework entirely even though one use is allowed
Correct answer: Save the automated framework usage for the machine that is most stubborn to crack manually
Saving automated usage for the hardest box is correct because the one permitted machine is best spent where manual exploitation is most difficult, conserving manual effort for boxes that yield to it. Using it on the easiest box wastes the allowance, spreading it across boxes violates the rule, and avoiding it entirely forgoes a legitimate aid; reserving it for the toughest target is the sound strategy.
- A tester targets an exposed SSH service and wants to try a single username against a password wordlist using Hydra. Which input configuration matches that single-user, many-passwords attack against the ssh module?
- A username list with
-L and a single password with -p - Only an NTLM hash supplied to the module
- A fixed username with
-l and a password list with -P against the ssh module - Only a CSRF token supplied to the module
Correct answer: A fixed username with -l and a password list with -P against the ssh module
A fixed username with a password list is correct because -l sets the single login and -P supplies the password wordlist, which is exactly a one-user, many-passwords SSH brute force. A username list with one password is the opposite shape, an NTLM hash is for offline use, and a CSRF token is a web artifact; the -l with -P combination matches the described attack.
- A tester runs an online brute force against a service and accounts begin locking out after a few attempts. Which adjustment best balances progress against triggering more lockouts?
- Slow the attempt rate and limit guesses per account to stay under the lockout threshold
- Increase parallel tasks to finish before lockouts apply
- Switch to forging Kerberos tickets
- Pipe the attempt through sqlmap
Correct answer: Slow the attempt rate and limit guesses per account to stay under the lockout threshold
Slowing the rate and limiting per-account guesses is correct because keeping attempts below the lockout threshold avoids locking accounts while still making measured progress. Increasing parallel tasks accelerates lockouts, forging tickets is an Active Directory attack, and sqlmap targets databases; throttling under the threshold is the right balance.
- A tester recovers a list of usernames from enumeration and wants to test one weak password against all of them on a Windows-authenticated web portal without locking accounts. Which technique fits this goal?
- Password spraying a single common password across all the usernames
- Throwing a huge wordlist at one username
- Offline cracking the portal's TLS certificate
- Forging a golden ticket for the portal
Correct answer: Password spraying a single common password across all the usernames
Password spraying one password across many users is correct because testing a single common password per account stays under lockout thresholds while covering many users, matching the stated goal. A huge wordlist on one user risks lockout, cracking a TLS certificate is unrelated, and golden ticket forging is an Active Directory attack; spraying fits the requirement.
- A tester gains a foothold as a low-privileged Windows user and finds an unattended installation file (
Unattend.xml) left on disk. Why is this a privilege-escalation lead?- It forges a Kerberos ticket when opened
- It exposes the SAM over SMB automatically
- It can contain credentials, sometimes base64-encoded, used during automated deployment
- It cracks NTLM hashes on read
Correct answer: It can contain credentials, sometimes base64-encoded, used during automated deployment
Containing deployment credentials is correct because unattended install files frequently store administrator or local account credentials, sometimes lightly encoded, that the tester can recover and use to escalate. The file does not forge tickets, expose the SAM, or crack hashes; the embedded deployment credentials are the lead.
- A tester wants to transfer a compiled privesc exploit binary onto a Linux foothold that has no outbound internet but can reach the attacker's host. Which built-in approach commonly works for getting the file onto the target?
- Hosting the file on an attacker HTTP server and pulling it with a tool already on the target such as wget or curl
- Emailing the file to the domain controller
- Forging a TGS that contains the file
- Running gobuster to download the file
Correct answer: Hosting the file on an attacker HTTP server and pulling it with a tool already on the target such as wget or curl
Hosting on an attacker HTTP server and pulling with wget or curl is correct because when the target can reach the attacker, a simple web server plus a present download tool is a reliable transfer method during privesc. Emailing to a domain controller, forging a TGS, and gobuster do not transfer files to the host; the attacker-hosted download is the standard technique.
- A tester stabilizes a Linux reverse shell, then wants to verify which user context the shell is running in before choosing a privesc path. Which immediate command answers that question?
- Nmap, which scans the local ports
- Id, which prints the current user, groups, and UID context
- Sqlmap, which tests for injection
- Hashcat, which cracks a hash
Correct answer: Id, which prints the current user, groups, and UID context
Running id is correct because it reports the effective user, groups, and UID, which immediately tells the tester their privilege context to plan escalation. nmap scans ports, sqlmap tests injection, and hashcat cracks hashes; id answers the who-am-I question that drives the privesc decision.
- A tester crafts an msfvenom Linux ELF reverse-shell payload and must set the connect-back address and port so the listener receives it. Which two variables are essential to set correctly for the callback to reach the attacker?
- RHOST and RPORT, the target IP and port
- SRVHOST and URIPATH, the web delivery path
- LHOST and LPORT, the listener IP and port the payload connects back to
- SMBUser and SMBPass, the share credentials
Correct answer: LHOST and LPORT, the listener IP and port the payload connects back to
Setting LHOST and LPORT is correct because a reverse payload must know the attacker's listener IP and port to call back, and a mismatch means no shell. RHOST and RPORT describe a target for exploit modules, SRVHOST and URIPATH are web-delivery settings, and SMB credentials are for shares; the callback depends on LHOST and LPORT.
- A tester captured a salted hash and wants John the Ripper to crack it but is unsure whether incremental brute force or a wordlist run is more efficient. For a salted, moderately slow hash with no known pattern, which initial strategy is generally most efficient?
- Pure incremental brute force across the full keyspace immediately
- A wordlist attack with rules first, since pure incremental brute force on a slow salted hash is expensive
- Passing the hash to the service to authenticate
- Converting the hash to a Kerberos ticket
Correct answer: A wordlist attack with rules first, since pure incremental brute force on a slow salted hash is expensive
A wordlist with rules first is correct because slow salted hashes make exhaustive brute force costly, so trying likely passwords and mutations yields results faster before falling back to brute force. Immediate full-keyspace brute force is inefficient here, passing the hash to authenticate is not applicable to this format, and converting it to a ticket is unrelated; wordlist-with-rules is the efficient opener.
- A tester escalates and wants a more reliable Windows interactive session than a fragile reverse shell for running a long privesc enumeration. Having recovered valid administrator credentials locally, which approach gives a stable elevated interactive session on the same standalone host?
- Forging a golden ticket for the local machine
- Running enum4linux against the box repeatedly
- Submitting the credentials to a SQL injection point
- Authenticating with the recovered credentials to obtain a proper interactive session (for example via WinRM or RDP if available locally)
Correct answer: Authenticating with the recovered credentials to obtain a proper interactive session (for example via WinRM or RDP if available locally)
Authenticating with the recovered credentials for a proper session is correct because a legitimate interactive logon yields a far more stable elevated environment than a fragile reverse shell for sustained enumeration. Golden ticket forging is an Active Directory attack, enum4linux is SMB enumeration, and SQL injection targets databases; using the valid credentials for an interactive session is the stable choice.
- A tester gains a www-data shell on Linux and finds the user belongs to the 'docker' group. Why does docker group membership commonly equate to root access on the host?
- Because the group automatically forges a Kerberos ticket
- Because the group exposes
/etc/shadow over SMB - Because the group cracks the root hash on login
- Because group members can launch a container that mounts the host filesystem and run commands as root inside it
Correct answer: Because group members can launch a container that mounts the host filesystem and run commands as root inside it
Launching a container that mounts the host filesystem is correct because docker group members can run a privileged container, bind-mount the host root, and act as root on those files, effectively granting host root. The group does not forge tickets, expose shadow over SMB, or crack hashes; container abuse is the escalation path.
- A tester obtains SYSTEM on a Windows box and dumps local hashes, then notices the local administrator hash matches one seen on a separate standalone box. On the OSCP exam, why must reuse of that hash stay within strict limits?
- Because hash reuse forges a golden ticket automatically
- Because reusing a hash deletes the report submission
- Because each standalone machine is scored independently and credentials are not meant to chain the separate boxes together like the AD set
- Because the hash can only be used after the exam ends
Correct answer: Because each standalone machine is scored independently and credentials are not meant to chain the separate boxes together like the AD set
Independent scoring of standalone machines is correct because the three standalone boxes are separate objectives, unlike the connected AD set, so a hash from one is not a designed path into another. Hash reuse does not forge tickets, delete the report, or become available only post-exam; the standalone boxes being independent is the reason.
- A tester wants a quick, dependency-free reverse shell from a Linux target that has bash but no netcat, python, or socat. Which technique provides a reverse shell using only bash itself?
- A bash
/dev/tcp redirection one-liner that connects back to the attacker's listener - An enum4linux callback to the attacker
- A gobuster reverse path back to the attacker
- A hashcat reverse session to the attacker
Correct answer: A bash /dev/tcp redirection one-liner that connects back to the attacker's listener
A bash /dev/tcp redirection is correct because bash can open a TCP connection through its /dev/tcp pseudo-device and redirect a shell over it, giving a reverse shell with no extra tools. enum4linux enumerates SMB, gobuster brute-forces web paths, and hashcat cracks hashes; the /dev/tcp trick delivers the shell using only bash.
- A tester is asked which logical boundary in Active Directory groups computers and users so they can share a common directory database and security policy under a single administrative authority. Which term describes that boundary?
- A domain
- A subnet mask
- A reverse proxy
- A web application pool
Correct answer: A domain
A domain is correct because it is the administrative and security boundary in Active Directory that groups users and computers sharing one directory database and policy under a single authority. A subnet mask defines IP ranges, a reverse proxy routes web traffic, and a web application pool isolates server processes; none is the directory's administrative boundary.
- A tester explains how multiple Active Directory domains can be combined into a larger structure that shares a common schema and a contiguous name space and a top-level container. Which term names that collection of domains?
- A workgroup
- A forest
- A demilitarized zone
- A service principal
Correct answer: A forest
A forest is correct because it is the top-level Active Directory container that holds one or more domains sharing a common schema and global catalog. A workgroup is a non-domain peer arrangement, a demilitarized zone is a network segment, and a service principal identifies a service for Kerberos; none describes the domain-collection structure.
- A tester contrasts a domain-joined Windows machine with a workgroup machine to explain why the AD set is attacked as a connected environment. Which statement is accurate?
- Workgroup machines authenticate centrally while domain machines authenticate locally only
- Both arrangements force every account to be unique per machine with no sharing
- Domain-joined machines trust and authenticate against a central directory, so compromising shared domain credentials can affect many machines, whereas workgroup machines manage accounts independently
- Domain membership only changes the desktop wallpaper and has no security relevance
Correct answer: Domain-joined machines trust and authenticate against a central directory, so compromising shared domain credentials can affect many machines, whereas workgroup machines manage accounts independently
Domain machines trusting a central directory is correct because domain membership centralizes identity, so one set of domain credentials can grant access across many hosts, which is exactly what makes the AD set a connected attack surface. Workgroup machines manage accounts locally, the roles are not reversed, and domain membership is far more than cosmetic.
- A tester wants to recall which TCP port the global catalog and standard directory queries typically use so they can confirm the directory service is reachable from the foothold. Which port is the standard cleartext LDAP port?
- Port 21
- Port 25
- Port 110
- Port 389
Correct answer: Port 389
Port 389 is correct because it is the standard port for cleartext LDAP, the protocol Active Directory exposes for directory queries. Port 21 is FTP, port 25 is SMTP, and port 110 is POP3; none is the LDAP directory port the tester would target for enumeration.
- A tester runs a BloodHound collector against the domain from a foothold and is choosing what to gather. Which data set most directly enables BloodHound to compute attack paths to high privilege?
- Domain users, groups, computers, session information, and access-control relationships
- The HTTP response headers of internal web servers
- The MAC addresses of every switch port
- The TLS certificate chains of internal services
Correct answer: Domain users, groups, computers, session information, and access-control relationships
Collecting users, groups, computers, sessions, and access-control relationships is correct because BloodHound graphs these objects and the rights between them to compute paths toward high privilege. HTTP headers, switch MAC addresses, and TLS certificate chains are not the directory relationship data BloodHound needs to build attack paths.
- A tester wants to list every domain computer's name and operating system from a Linux box using only a valid low-privileged credential and an LDAP query tool. Why is this enumeration step worthwhile early on the AD set?
- It immediately grants domain administrator rights
- It reveals the inventory of hosts and their roles, helping the tester prioritize which machines to target and pivot toward
- It deletes computer objects to weaken the domain
- It forces the domain controller to reboot for a fresh state
Correct answer: It reveals the inventory of hosts and their roles, helping the tester prioritize which machines to target and pivot toward
Revealing the host inventory and roles is correct because listing computers and their operating systems lets the tester see the terrain and prioritize targets and pivot routes. It does not grant domain admin, does not delete objects, and does not reboot the domain controller; LDAP enumeration is for reconnaissance, not direct compromise.
- A tester enumerates the domain and finds a description field on a service account that contains what looks like a password left by an administrator. Which reasoning best describes how to treat this finding?
- Description fields are encrypted and cannot contain readable data
- The string is irrelevant because only the domain controller can read descriptions
- Readable attributes like description fields can leak credentials, so the tester should test the string as a possible password for that or related accounts
- Finding a password in a description automatically logs the tester out of the domain
Correct answer: Readable attributes like description fields can leak credentials, so the tester should test the string as a possible password for that or related accounts
Treating the description string as a possible credential is correct because object attributes are readable to authenticated users and administrators sometimes store passwords there, so the tester should attempt to authenticate with it. Description fields are not encrypted, are readable by ordinary domain users rather than only the domain controller, and reading one does not log the tester out.
- A tester reviews BloodHound output and sees an edge labeled WriteDACL from their controlled group to a sensitive object. How can this right be abused on the AD set?
- It cannot be abused without the krbtgt key
- It only allows viewing the object's creation date
- It automatically resets the entire domain's passwords
- WriteDACL lets the tester modify the object's permissions to grant themselves further control, then leverage that control to take over the object
Correct answer: WriteDACL lets the tester modify the object's permissions to grant themselves further control, then leverage that control to take over the object
Modifying the object's permissions to grant further control is correct because WriteDACL allows rewriting the discretionary access control list, so the tester can add rights for themselves and then abuse those rights to take over the object. It does not require the krbtgt key, is not limited to reading metadata, and does not reset the domain's passwords.
- A tester wants to enumerate every account that has a service principal name set, since those are the candidates for one specific Kerberos attack. Which directory query result is the tester looking for?
- Accounts that have one or more service principal names registered
- Accounts that are disabled
- Accounts that have never logged on
- Accounts that are members of the Guests group
Correct answer: Accounts that have one or more service principal names registered
Accounts with one or more service principal names registered is correct because those are precisely the accounts that can be Kerberoasted, so the tester filters the directory for the SPN attribute. Disabled accounts, never-logged-on accounts, and Guests membership are not the criterion that marks a Kerberoasting candidate.
- A tester runs PowerView and uses a function that returns where domain users currently have active or cached sessions. How does this output advance the attack toward the domain controller?
- It cracks every session password automatically
- It shows which hosts have privileged users present, so the tester knows which machine to compromise to harvest those users' credentials
- It opens a reverse shell on each host listed
- It rewrites the domain controller's access control lists
Correct answer: It shows which hosts have privileged users present, so the tester knows which machine to compromise to harvest those users' credentials
Showing which hosts have privileged users present is correct because session enumeration reveals where high-value accounts are logged in, telling the tester which machine to compromise to steal those credentials. It does not crack passwords, open shells, or rewrite access control lists; it is reconnaissance that guides credential harvesting.
- A tester decides to crack a Kerberoasted ticket with Hashcat and must select the correct algorithm so the tool interprets the captured material properly. What general step is required before launching the crack?
- Provide the domain controller's administrator password
- Disable Kerberos on the domain controller
- Choose the hash mode that matches the Kerberos TGS-REP format and supply a wordlist of candidate passwords
- Submit the ticket to a web proxy for decoding
Correct answer: Choose the hash mode that matches the Kerberos TGS-REP format and supply a wordlist of candidate passwords
Choosing the matching hash mode and supplying a wordlist is correct because the cracker must know the Kerberos TGS-REP format to test candidate passwords against the encrypted portion. It does not need the domain administrator password, does not require disabling Kerberos, and a web proxy plays no role in offline ticket cracking.
- A tester emphasizes that a major appeal of Kerberoasting is that it requires only modest starting access. What is the minimum prerequisite that lets a tester request Kerberoastable service tickets?
- Domain administrator privileges
- Local SYSTEM on the domain controller
- A forged golden ticket
- Any single valid domain user account
Correct answer: Any single valid domain user account
Any single valid domain user account is correct because any authenticated domain user can request service tickets for accounts with an SPN, which is what makes Kerberoasting accessible from a low-privileged foothold. Domain admin rights, SYSTEM on the domain controller, and a forged golden ticket are far beyond the minimal requirement.
- A tester Kerberoasts a domain and recovers a request from a tool that returned the encrypted ticket as a long hash string. What does the encrypted portion of that ticket represent that makes it crackable?
- Data encrypted with a key derived from the service account's password, so guessing the password reproduces the key and validates the guess
- A random value with no relationship to any password
- The domain controller's TLS private key
- The plaintext password stored directly in the ticket
Correct answer: Data encrypted with a key derived from the service account's password, so guessing the password reproduces the key and validates the guess
Data encrypted with a key derived from the service password is correct because the ticket's encrypted part uses that key, so an offline cracker can confirm a guessed password by reproducing the key. It is not a random unrelated value, not the domain controller's TLS key, and the ticket does not store the plaintext password directly.
- A tester cracks a Kerberoasted service account and discovers it is configured to run a database service but is also a member of a powerful group. Which analysis best explains why this combination accelerates the path to the domain controller?
- The cracked credential is only good for stopping the database service
- Membership in a powerful group means the recovered credential carries broad rights that may permit direct or near-direct access toward the domain controller
- Service accounts cannot be used interactively, so the credential is a dead end
- The credential expires the instant it is cracked
Correct answer: Membership in a powerful group means the recovered credential carries broad rights that may permit direct or near-direct access toward the domain controller
The credential carrying broad rights is correct because a Kerberoasted account in a powerful group provides privileges that can shortcut the path to the domain controller. The credential is not limited to stopping a service, service accounts can be used for authentication, and a cracked password does not expire on recovery; its group membership is what makes it potent.
- A tester debates whether Kerberoasting leaves a noticeable footprint on the domain. Which reasoning is most accurate about its detectability?
- Requesting many service tickets is invisible and never logged anywhere
- Kerberoasting only works if logging is fully disabled first
- Requesting service tickets generates Kerberos service-ticket events on the domain controller, so a burst of requests for many SPNs can be detected, though the offline cracking itself is silent
- The attack always crashes the domain controller, making it obvious
Correct answer: Requesting service tickets generates Kerberos service-ticket events on the domain controller, so a burst of requests for many SPNs can be detected, though the offline cracking itself is silent
Service-ticket requests generating events while cracking stays silent is correct because the domain controller logs ticket requests, so mass requests can be flagged, but the subsequent offline cracking produces no domain traffic. The attack is not invisible, does not require logging disabled, and does not crash the domain controller.
- A tester wants to recall which weaker Kerberos encryption type, when present on a Kerberoastable account, is especially favorable for offline cracking. Which encryption type is the easier-to-crack legacy option a tester hopes to see?
- AES-256
- AES-128
- ChaCha20
- RC4 (legacy)
Correct answer: RC4 (legacy)
RC4 is correct because the legacy RC4 encryption type for Kerberos tickets is faster to crack than the modern AES types, so a tester prefers to find SPN accounts that still use it. AES-256 and AES-128 are stronger and slower to crack, and ChaCha20 is not a standard Kerberos ticket encryption type.
- A tester wants to recall what response an AS-REP Roasting attack actually captures from the domain controller for a pre-auth-disabled account. Which message is harvested and then cracked?
- The Authentication Service reply (AS-REP), whose encrypted portion is derived from the account's password
- A TGS service ticket tied to a service principal name
- The raw
NTDS.dit database file - An SMB session setup response
Correct answer: The Authentication Service reply (AS-REP), whose encrypted portion is derived from the account's password
Capturing the AS-REP is correct because for an account without pre-authentication the domain controller returns an AS-REP whose encrypted part comes from the account's password, enabling offline cracking. A TGS ticket is harvested by Kerberoasting, the NTDS.dit is the domain database, and an SMB session response is unrelated to this attack.
- A tester is analyzing why an organization might have accounts with pre-authentication disabled in the first place. Which explanation most plausibly accounts for this exploitable condition?
- Windows always disables pre-authentication by default for every account
- Administrators sometimes disable pre-authentication for compatibility with legacy or non-standard clients, unintentionally leaving the account roastable
- Disabling pre-authentication is required to join the domain
- Pre-authentication can only be disabled by an attacker, never by an administrator
Correct answer: Administrators sometimes disable pre-authentication for compatibility with legacy or non-standard clients, unintentionally leaving the account roastable
Compatibility-driven configuration is correct because administrators occasionally disable pre-authentication to support older or non-standard clients, inadvertently exposing the account to AS-REP Roasting. Pre-authentication is enabled by default rather than disabled, it is not required to join a domain, and administrators, not only attackers, can change the setting.
- A tester recovers a username list and runs an AS-REP Roasting tool that reports several accounts returned a hash while others returned an error requiring pre-authentication. How should the tester interpret the accounts that returned an error?
- Those accounts are domain administrators by definition
- Those accounts have already been compromised
- Those accounts have pre-authentication enabled, so they are not AS-REP roastable and should be skipped for this attack
- Those errors mean the domain controller is offline
Correct answer: Those accounts have pre-authentication enabled, so they are not AS-REP roastable and should be skipped for this attack
Pre-authentication being enabled is correct because an error demanding pre-authentication means the account enforces it and therefore cannot be AS-REP roasted, so the tester focuses on the accounts that returned crackable hashes. The error does not indicate admin status, prior compromise, or an offline domain controller.
- A tester compares AS-REP Roasting and Kerberoasting and is asked which attack can yield crackable material with no valid domain credentials at all, given only a list of valid usernames. Which attack fits that description?
- Kerberoasting
- Pass-the-Hash
- DCSync
- AS-REP Roasting
Correct answer: AS-REP Roasting
AS-REP Roasting is correct because it can be performed against pre-auth-disabled accounts using only usernames, without any valid credentials. Kerberoasting requires an authenticated domain user to request service tickets, Pass-the-Hash needs a captured hash, and DCSync needs replication rights, so none of those works credential-free.
- A tester explains what an NTLM hash is in the context of Pass-the-Hash so a teammate understands what is being reused. Which description is accurate?
- A one-way representation of the account password that Windows uses for NTLM authentication, which can be supplied in place of the password
- The plaintext password encoded in base64
- A Kerberos ticket-granting ticket
- A TLS session key negotiated with the server
Correct answer: A one-way representation of the account password that Windows uses for NTLM authentication, which can be supplied in place of the password
A one-way representation used for NTLM authentication is correct because the NTLM hash derives from the password and is what Windows checks during NTLM logon, so supplying the hash authenticates without the plaintext. It is not base64 plaintext, not a Kerberos TGT, and not a TLS session key.
- A tester compromises a host and recovers the NT hash for a domain user from memory, then wants to authenticate to a file server as that user without cracking it. Which tool category is appropriate for performing the Pass-the-Hash?
- A web vulnerability scanner
- An SMB or remote-execution tool that accepts an NT hash as the authentication credential
- A DNS brute-forcing tool
- A TLS certificate parser
Correct answer: An SMB or remote-execution tool that accepts an NT hash as the authentication credential
An SMB or remote-execution tool that accepts an NT hash is correct because such tools let the tester supply the hash directly to authenticate and act as the user. A web scanner, a DNS brute-forcer, and a certificate parser do not perform NTLM authentication with a hash, so they cannot carry out Pass-the-Hash.
- A tester recovers only the NT portion of a hash (not the LM portion) and worries it is unusable for Pass-the-Hash on a modern domain. Which reasoning is correct?
- Pass-the-Hash requires both the LM and NT portions or it fails
- Without the LM portion the hash must always be cracked first
- Modern Pass-the-Hash uses the NT hash for NTLM authentication, so the NT portion alone is sufficient
- The NT hash only works against Linux hosts
Correct answer: Modern Pass-the-Hash uses the NT hash for NTLM authentication, so the NT portion alone is sufficient
The NT hash alone being sufficient is correct because modern NTLM authentication relies on the NT hash, so the legacy LM portion is not needed for Pass-the-Hash. It does not require both portions, does not force cracking when the NT hash is present, and is a Windows NTLM technique rather than Linux-only.
- A tester maps why Pass-the-Hash threatens lateral movement even when account passwords are long and uncrackable. Which analysis explains the danger?
- Long passwords make the hash impossible to capture
- Long passwords automatically rotate the hash every minute
- The technique only works when the password is short
- Pass-the-Hash never needs the plaintext, so even an uncrackable password is bypassed once its hash is obtained from a compromised host
Correct answer: Pass-the-Hash never needs the plaintext, so even an uncrackable password is bypassed once its hash is obtained from a compromised host
Bypassing the plaintext requirement is correct because Pass-the-Hash authenticates with the hash itself, so password length and crack-resistance are irrelevant once the hash is captured. Long passwords do not prevent hash capture, do not rotate the hash continuously, and the technique is not limited to short passwords.
- A tester recalls that Pass-the-Ticket and Pass-the-Hash abuse different protocols. Which authentication protocol does Pass-the-Ticket abuse?
- Kerberos
- NTLM
- LDAP simple bind over cleartext
- HTTP digest authentication
Correct answer: Kerberos
Kerberos is correct because Pass-the-Ticket reuses stolen Kerberos tickets to authenticate, abusing the Kerberos protocol. NTLM is what Pass-the-Hash abuses, an LDAP simple bind is a directory operation, and HTTP digest authentication is a web scheme; none of those is the ticket-based protocol Pass-the-Ticket targets.
- A tester exports Kerberos tickets from a compromised host and notices both a ticket-granting ticket and several service tickets. For broad reuse via Pass-the-Ticket, which ticket is generally more valuable to inject?
- A single service ticket, because it grants access to all services at once
- The ticket-granting ticket, because it can be presented to obtain service tickets for many services as the user
- Neither, because tickets cannot be reused on another host
- Only an expired ticket, because expired tickets are trusted
Correct answer: The ticket-granting ticket, because it can be presented to obtain service tickets for many services as the user
The ticket-granting ticket being more valuable is correct because a TGT can be used to request service tickets for many services, giving broad reuse, whereas a single service ticket only reaches its one service. Tickets can be reused on another host within validity, and expired tickets are not trusted.
- A tester injects a stolen ticket and finds it stops working after a short period, requiring a fresh one. Which property of Kerberos tickets explains this limitation for Pass-the-Ticket?
- Tickets permanently bind to the original host's MAC address
- Tickets self-destruct the moment they are copied
- Tickets have a limited validity lifetime and expire, so a stolen ticket only works until it expires
- Tickets require the krbtgt account to be online for each use
Correct answer: Tickets have a limited validity lifetime and expire, so a stolen ticket only works until it expires
Limited validity lifetime is correct because Kerberos tickets carry expiration times, so a stolen ticket only functions until it expires, after which a new one is needed. Tickets are not bound to a MAC address, do not self-destruct on copy, and do not require interactive presence of the krbtgt account for each use.
- A tester debates whether to use Pass-the-Ticket or attempt online password guessing to access a Kerberos-protected internal application as a specific user. Which factor most strongly favors Pass-the-Ticket here?
- Pass-the-Ticket cracks the application's database for free
- Online guessing is always faster and quieter
- Pass-the-Ticket forges the krbtgt key automatically
- Reusing an already-valid ticket avoids generating failed logons and lockout risk while authenticating exactly as the intended user
Correct answer: Reusing an already-valid ticket avoids generating failed logons and lockout risk while authenticating exactly as the intended user
Avoiding failed logons and lockout risk is correct because a valid stolen ticket authenticates directly as the user without password attempts, sidestepping detection and lockouts. It does not crack the application database, online guessing is noisier and lockout-prone, and Pass-the-Ticket does not forge the krbtgt key.
- A tester recalls the defining trait of a golden ticket compared with an ordinary stolen ticket. What is fundamentally different about a golden ticket?
- It is forged from scratch using the krbtgt key rather than stolen from a logged-on user, so it can be minted for any user with arbitrary privileges
- It is simply a stolen service ticket renamed
- It is a cracked NTLM hash converted to a ticket
- It is a TLS certificate issued by the domain controller
Correct answer: It is forged from scratch using the krbtgt key rather than stolen from a logged-on user, so it can be minted for any user with arbitrary privileges
Being forged from scratch with the krbtgt key is correct because a golden ticket is fabricated, not stolen, letting the attacker mint a TGT for any identity and privilege level. It is not a renamed stolen service ticket, not a converted NTLM hash, and not a TLS certificate.
- A tester explains that a golden ticket can specify arbitrary group memberships in the forged ticket. Which consequence does this give the attacker?
- The forged ticket can only ever claim membership in the Guests group
- The forged ticket can claim membership in highly privileged groups, so the impersonated session is treated as a high-privilege account across the domain
- Group claims in the ticket are ignored by the domain controller
- Specifying groups disables the ticket immediately
Correct answer: The forged ticket can claim membership in highly privileged groups, so the impersonated session is treated as a high-privilege account across the domain
Claiming privileged group membership is correct because the forged ticket embeds chosen group memberships, so services across the domain treat the session as that privileged account. The ticket is not limited to Guests, the group claims are honored rather than ignored, and specifying groups does not disable the ticket.
- A tester contrasts a golden ticket with a silver ticket to clarify scope. Which statement correctly distinguishes them?
- A golden ticket works for one service only, while a silver ticket works domain-wide
- Both are forged with the krbtgt key and are identical
- A golden ticket is forged with the krbtgt key and works domain-wide, while a silver ticket is forged with a single service account's key and works only for that specific service
- Neither involves forging any ticket
Correct answer: A golden ticket is forged with the krbtgt key and works domain-wide, while a silver ticket is forged with a single service account's key and works only for that specific service
The golden ticket being krbtgt-based and domain-wide while the silver ticket is service-key-based and service-scoped is correct because the krbtgt key authorizes TGTs for the whole domain, whereas a service account's key only forges tickets for its own service. The roles are not reversed, they are not identical, and both involve forging tickets.
- A tester has obtained the krbtgt hash and the domain SID and forges a golden ticket, but it is rejected by services. Which omitted ingredient is the most likely cause that a complete golden ticket requires?
- The victim's web browser cookies
- The attacker's public IP address
- An SSH key for the domain controller
- The fully qualified domain name (and a chosen user/RID) so the forged ticket matches the domain it targets
Correct answer: The fully qualified domain name (and a chosen user/RID) so the forged ticket matches the domain it targets
The domain name and chosen user identity is correct because a valid golden ticket must specify the target domain and an identity (typically a username and RID) in addition to the krbtgt key and SID, or services reject it. Browser cookies, the attacker's public IP, and an SSH key are not components of a forged TGT.
- A tester recalls the primary reason Mimikatz is run with elevated privileges when dumping credentials. Why does it generally require an elevated or SYSTEM context?
- Because reading the protected memory of the Local Security Authority process requires high privilege
- Because Mimikatz must format the disk first
- Because credential dumping only works over the network
- Because it needs to recompile the Windows kernel
Correct answer: Because reading the protected memory of the Local Security Authority process requires high privilege
Needing high privilege to read protected LSA memory is correct because the secrets Mimikatz harvests live in the protected LSASS process, which only an elevated or SYSTEM context can access. It does not format the disk, does not require network-only operation, and does not recompile the kernel.
- A tester uses Mimikatz on a compromised host and recovers Kerberos tickets currently held in memory. What can the tester do with these exported tickets next?
- Convert them into a vulnerability scan report
- Reuse them on another host via Pass-the-Ticket to authenticate as the ticket owners
- Use them to brute-force a web login form
- Turn them into a directory traversal payload
Correct answer: Reuse them on another host via Pass-the-Ticket to authenticate as the ticket owners
Reusing them via Pass-the-Ticket is correct because tickets exported from memory can be injected on another host to impersonate their owners. They are not vulnerability reports, do not feed web login brute-forcing, and are unrelated to directory traversal payloads.
- A tester gains administrator on a member server, runs Mimikatz, and recovers a cached domain administrator credential left in memory from an earlier interactive logon. Which analysis explains why this single dump can be decisive on the AD set?
- Credentials in memory are always fake decoys
- A member server never holds any domain credentials
- Cached privileged credentials in memory can hand the tester domain-level access far beyond the single server they compromised
- Recovering them automatically rebuilds the domain
Correct answer: Cached privileged credentials in memory can hand the tester domain-level access far beyond the single server they compromised
Cached privileged credentials granting domain-level access is correct because if a domain administrator logged on to the member server, their credentials may linger in memory and let the tester pivot straight to domain dominance. Such credentials are not decoys, member servers can hold credentials from logged-on users, and dumping them does not rebuild the domain.
- A tester captures inbound authentication and performs an NTLM relay, choosing to relay to LDAP on the domain controller. What can a successful relay to LDAP potentially allow if the relayed account has sufficient rights?
- Reading the domain controller's BIOS version
- Downgrading the network to FTP
- Forcing the relayed account to crack its own password
- Making directory modifications as the relayed account, such as altering object permissions, depending on the account's privileges
Correct answer: Making directory modifications as the relayed account, such as altering object permissions, depending on the account's privileges
Making directory modifications as the relayed account is correct because relaying to LDAP authenticates to the directory as the victim, so with adequate rights the tester can modify objects or permissions. It does not read BIOS versions, downgrade the network to FTP, or force the account to crack its own password.
- A tester wants to recall the core difference between NTLM relay and Pass-the-Hash. Which statement is correct?
- NTLM relay forwards a live authentication to a target in real time, while Pass-the-Hash reuses a previously captured hash to authenticate later
- NTLM relay reuses a stored hash, while Pass-the-Hash forwards live traffic
- Both require cracking the password first
- Both forge Kerberos golden tickets
Correct answer: NTLM relay forwards a live authentication to a target in real time, while Pass-the-Hash reuses a previously captured hash to authenticate later
Relay forwarding live authentication while Pass-the-Hash reuses a stored hash is correct because relaying happens during an active exchange whereas Pass-the-Hash replays a captured hash on demand. The descriptions are not reversed, neither requires cracking the password, and neither forges a golden ticket.
- A tester plans an NTLM relay and wants to coerce a target into authenticating so there is traffic to relay. Which approach reflects a legitimate way to generate that authentication during the engagement?
- Reboot the domain controller to flush its memory
- Trigger the victim system to connect to an attacker-controlled resource so it sends its NTLM authentication, which the tester then relays
- Submit a SQL UNION query to the directory
- Crack the krbtgt key to start the relay
Correct answer: Trigger the victim system to connect to an attacker-controlled resource so it sends its NTLM authentication, which the tester then relays
Triggering the victim to connect to an attacker resource is correct because coercing the system to authenticate to attacker-controlled infrastructure produces the live NTLM exchange that the relay forwards. Rebooting the domain controller, a SQL UNION query, and cracking the krbtgt key do not generate a relayable NTLM authentication.
- A tester wants to recall a primary defensive control that specifically defeats NTLM relay to SMB targets. Which configuration most directly blocks the relay?
- Increasing the desktop screen resolution
- Disabling IPv6 entirely on clients with no other change
- Enforcing SMB signing so relayed sessions fail integrity validation
- Renaming the domain controller
Correct answer: Enforcing SMB signing so relayed sessions fail integrity validation
Enforcing SMB signing is correct because signing validates session integrity and origin, causing relayed authentications from another host to be rejected. Screen resolution is irrelevant, simply renaming the domain controller does not stop relays, and disabling IPv6 alone is not the targeted SMB-relay control.
- A tester recovers valid administrator credentials and chooses Windows Management Instrumentation to execute a command on a remote host for lateral movement. What is a notable characteristic of using WMI for this purpose?
- It only works on Linux targets
- It always requires uploading a custom kernel driver first
- It can only read files and never execute commands
- It is a native Windows mechanism that can run commands remotely without installing a service, often blending in with legitimate administration
Correct answer: It is a native Windows mechanism that can run commands remotely without installing a service, often blending in with legitimate administration
Being a native remote-execution mechanism that avoids installing a service is correct because WMI is built into Windows and can run commands remotely, often appearing as normal administration. It is not Linux-only, does not require a custom kernel driver, and is capable of executing commands rather than only reading files.
- A tester recalls the default ports for WinRM-based remote management so they can confirm the service is reachable on a target. Which port pair corresponds to WinRM HTTP and HTTPS listeners?
- 5985 (HTTP) and 5986 (HTTPS)
- 80 (HTTP) and 443 (HTTPS)
- 139 and 445
- 3389 and 3390
Correct answer: 5985 (HTTP) and 5986 (HTTPS)
5985 and 5986 are correct because WinRM listens on 5985 for HTTP and 5986 for HTTPS by default, which the tester checks for PowerShell remoting access. Ports 80 and 443 are general web, 139 and 445 are SMB, and 3389 is RDP; none is the default WinRM pair.
- A tester has valid credentials for a domain account and wants to obtain an interactive PowerShell session on a remote host that has WinRM enabled. Which approach correctly achieves this lateral movement?
- Send the credentials to a web upload form on the host
- Connect to the host's WinRM service with the credentials to open a remote PowerShell session and run commands
- Perform a UDP sweep and read the responses as a shell
- Grab the host's SMTP banner to gain a session
Correct answer: Connect to the host's WinRM service with the credentials to open a remote PowerShell session and run commands
Connecting to WinRM for a remote PowerShell session is correct because authenticating to the WinRM service with valid credentials yields an interactive shell on the remote host. A web upload form, a UDP sweep, and an SMTP banner grab do not provide a remote command session.
- A tester reflects on why lateral movement is the heart of the AD set's scoring beyond the first foothold. Which analysis best fits the exam's structure?
- Because lateral movement is worth zero points and only enumeration counts
- Because every machine in the set is reachable directly without movement
- Because the second host and domain controller points require moving from the initial foothold using harvested credentials and remote-execution techniques, not just exploiting one box
- Because lateral movement only matters after the report is graded
Correct answer: Because the second host and domain controller points require moving from the initial foothold using harvested credentials and remote-execution techniques, not just exploiting one box
Lateral movement being required to claim the second host and domain controller points is correct because the AD set's scoring depends on chaining from the foothold to additional hosts via credentials and remote execution. It is not worth zero points, the hosts are not all directly reachable, and movement matters during the test, not only after grading.
- A tester recalls what defines a pivot host in a multi-network engagement. Which description fits a pivot?
- A host that has no network interfaces at all
- The attacker's own Kali machine before any compromise
- A public DNS server on the internet
- A compromised host that has connectivity to a network segment the attacker cannot reach directly, used to relay traffic into that segment
Correct answer: A compromised host that has connectivity to a network segment the attacker cannot reach directly, used to relay traffic into that segment
A compromised host bridging to an unreachable segment is correct because a pivot is a foothold with access the attacker lacks, used to relay traffic into the hidden network. A host with no interfaces cannot pivot, the attacker's own machine is not a pivot into the target, and a public DNS server is not the internal bridge.
- A tester confirms a compromised host is dual-homed by finding it has two network interfaces on different subnets. Why does this discovery matter for the AD set?
- A dual-homed host can route the tester's traffic from the reachable subnet into the internal subnet, making it an ideal pivot toward the domain controller
- Two interfaces mean the host cannot be used for anything
- It proves the domain controller is already compromised
- It forces the tester to abandon the engagement
Correct answer: A dual-homed host can route the tester's traffic from the reachable subnet into the internal subnet, making it an ideal pivot toward the domain controller
A dual-homed host routing into the internal subnet is correct because its second interface reaches a network the attacker cannot, making it a prime pivot toward the domain controller. Two interfaces do not make it useless, do not imply the domain controller is compromised, and do not force abandoning the test.
- A tester is planning how to enumerate an internal subnet that is only reachable from a compromised pivot. Which approach correctly performs that internal discovery?
- Scan the internal subnet directly from the attacker box ignoring the lack of a route
- Route scanning traffic through the pivot so it originates from the host that can see the internal subnet
- Email the internal subnet a request to identify itself
- Wait for the internal subnet to scan the attacker first
Correct answer: Route scanning traffic through the pivot so it originates from the host that can see the internal subnet
Routing scanning through the pivot is correct because only the pivot can reach the internal subnet, so the tester must send discovery traffic through it. Scanning directly fails without a route, the subnet will not self-identify by email, and waiting for it to scan the attacker is not a discovery method.
- A tester has an SSH connection to a Linux pivot and wants to expose an internal RDP service to the attacker box on a chosen local port. Which forwarding type maps a local listening port on the attacker through the SSH session to the internal target?
- Remote port forwarding
- Banner grabbing
- Local port forwarding
- A UDP broadcast
Correct answer: Local port forwarding
Local port forwarding is correct because it opens a listening port on the attacker machine and tunnels its traffic through the SSH session to the internal target service. Remote port forwarding sends a port from the remote side back to the initiator, banner grabbing identifies services, and a UDP broadcast does not create a tunnel.
- A tester sets up a dynamic SSH tunnel to obtain a SOCKS proxy for routing many tools into the internal network. What does the dynamic option provide that a single local forward does not?
- Automatic cracking of every internal password
- A guaranteed connection to the domain controller without credentials
- Encryption of the internal hosts' disks
- A SOCKS proxy that can reach arbitrary internal hosts and ports on demand, rather than one fixed destination
Correct answer: A SOCKS proxy that can reach arbitrary internal hosts and ports on demand, rather than one fixed destination
A SOCKS proxy reaching arbitrary internal hosts and ports is correct because a dynamic tunnel is flexible, letting tools target many destinations, unlike a local forward locked to one host and port. It does not crack passwords, does not bypass credentials to reach the domain controller, and does not encrypt internal disks.
- A tester has shell access on an internal host that can connect outward to the attacker, but the attacker cannot connect inward. The tester wants the attacker to reach a service on the internal host. Which forwarding direction fits?
- Remote port forwarding, where the internal host opens a port on the attacker that tunnels back to the internal service
- Local port forwarding initiated by the attacker connecting inward
- A direct connection from the attacker ignoring the firewall
- An ICMP redirect from the internal host
Correct answer: Remote port forwarding, where the internal host opens a port on the attacker that tunnels back to the internal service
Remote port forwarding is correct because when only outbound connections from the internal host work, that host initiates the SSH connection and forwards a port back to the attacker, exposing its service. Local forwarding requires the attacker to connect inward, a direct connection fails through the firewall, and an ICMP redirect does not create the tunnel.
- A tester forwards an internal database port to the attacker box and then connects a database client to the local forwarded port. Which analysis explains why the client behaves as if the database were local?
- The forwarding copies the entire database to the attacker box first
- The forwarded local port transparently relays the client's traffic over the tunnel to the real internal database, so the client is unaware of the indirection
- The client is actually talking to a decoy database on the attacker box
- Forwarding changes the database's password to a known value
Correct answer: The forwarded local port transparently relays the client's traffic over the tunnel to the real internal database, so the client is unaware of the indirection
Transparent relaying over the tunnel is correct because the local forwarded port passes the client's traffic through to the real internal database, making the connection appear local. It does not copy the whole database, does not present a decoy, and does not alter the database password.
- A tester needs to tunnel through a compromised Windows host that lacks an SSH server and is heavily firewalled inbound. Which characteristic makes Chisel well suited to this pivot?
- It requires installing a full SSH daemon on the pivot first
- It only runs on the domain controller
- It is a single cross-platform binary that can run a client connecting outbound from the pivot to an attacker-hosted server, building a tunnel over one port
- It can only transfer files, not tunnel traffic
Correct answer: It is a single cross-platform binary that can run a client connecting outbound from the pivot to an attacker-hosted server, building a tunnel over one port
Being a single cross-platform binary that connects outbound over one port is correct because Chisel can be dropped on a Windows pivot and dial back to the attacker's server, tunneling through restrictive inbound firewalls. It does not require an SSH daemon, is not limited to the domain controller, and tunnels traffic rather than only transferring files.
- A tester edits the proxychains configuration before running tools through a Chisel SOCKS proxy. Which configuration detail must match the proxy that Chisel exposes for traffic to flow correctly?
- The domain controller's hostname only
- The attacker's keyboard layout
- The victim's screen resolution
- The SOCKS proxy type and the local port number that Chisel is listening on
Correct answer: The SOCKS proxy type and the local port number that Chisel is listening on
Matching the SOCKS type and listening port is correct because proxychains must point at the exact proxy type and port Chisel exposes for tools' traffic to route through the tunnel. The domain controller's hostname, keyboard layout, and screen resolution are irrelevant to wiring proxychains to the proxy.
- A tester routes an SMB enumeration tool through proxychains over a Chisel SOCKS tunnel and it works, but an Nmap ping scan returns nothing useful through the same tunnel. Which analysis explains the discrepancy?
- SOCKS proxies relay TCP connections but not ICMP, so ping-based discovery does not traverse the tunnel while TCP-based SMB does
- The SMB tool secretly disables the firewall
- Nmap ping scans require a golden ticket
- Chisel only forwards the first packet of any connection
Correct answer: SOCKS proxies relay TCP connections but not ICMP, so ping-based discovery does not traverse the tunnel while TCP-based SMB does
SOCKS relaying TCP but not ICMP is correct because the proxy carries TCP connections like SMB, but ICMP-based ping discovery does not pass through it, so the tester must use no-ping TCP scans. The SMB tool does not disable the firewall, ping scans do not need a golden ticket, and Chisel does not forward only one packet per connection.
- A tester combines Chisel and proxychains to run a Windows remote-execution tool from Linux against an internal host two networks away. Which deployment most coherently delivers that access?
- Run the remote-execution tool with no tunnel and hope it routes itself
- Stand up a Chisel server on the attacker, connect a Chisel client from the pivot to expose a SOCKS proxy, point proxychains at it, then prefix the remote-execution tool with proxychains
- Crack the internal host's hash to create a tunnel
- Forward the attacker's loopback to itself through Chisel
Correct answer: Stand up a Chisel server on the attacker, connect a Chisel client from the pivot to expose a SOCKS proxy, point proxychains at it, then prefix the remote-execution tool with proxychains
Standing up the server, connecting the client for a SOCKS proxy, configuring proxychains, then prefixing the tool is correct because that chain routes the tool's traffic through the pivot to the internal host. Running without a tunnel cannot route to an unreachable host, cracking a hash does not create a tunnel, and forwarding loopback to itself accomplishes nothing.
- A tester recalls what role a domain controller plays that makes it the highest-value target in the AD set. Which statement is accurate?
- It is just a print server with no special data
- It only stores web application logs
- It authenticates the domain and stores all domain account data, so controlling it grants control over the entire domain
- It has no influence over other machines in the domain
Correct answer: It authenticates the domain and stores all domain account data, so controlling it grants control over the entire domain
Authenticating the domain and storing all account data is correct because the domain controller is the directory authority, so compromising it yields control over the whole domain. It is not merely a print server, does not just store web logs, and exerts central control over domain machines.
- A tester gains administrative access to the domain controller and wants to extract all domain hashes efficiently using a credential tool's domain-replication capability rather than copying the database file. Which technique fits?
- A reflected cross-site scripting payload on the login portal
- A directory traversal against the web root
- An SMTP open-relay test
- A DCSync operation that requests account password data via the replication interface
Correct answer: A DCSync operation that requests account password data via the replication interface
A DCSync operation is correct because it uses the domain replication interface to request account secrets directly, extracting hashes without copying the database file. Cross-site scripting, directory traversal, and an SMTP relay test are unrelated to pulling domain hashes via replication.
- A tester reaches the domain controller and dumps the krbtgt account hash. Why is capturing that specific account's hash a significant milestone for full domain compromise?
- The krbtgt hash enables forging golden tickets, granting durable, arbitrary-privilege access across the domain
- The krbtgt hash only unlocks the print queue
- The krbtgt hash is useless once dumped
- The krbtgt hash merely changes the desktop theme
Correct answer: The krbtgt hash enables forging golden tickets, granting durable, arbitrary-privilege access across the domain
Enabling golden-ticket forging is correct because the krbtgt hash is the key the Key Distribution Center uses for TGTs, so possessing it lets the tester forge tickets for any user with durable access. It is not limited to a print queue, is highly useful rather than useless, and has nothing to do with desktop themes.
- A tester maps the typical chain to the domain controller and is asked which sequence reflects a realistic progression on the AD set. Which ordering is soundest?
- Compromise the domain controller first, then look for a foothold on the client
- Foothold on the client, enumerate the domain, harvest and reuse credentials, move laterally and pivot to internal hosts, then escalate to compromise the domain controller
- Submit the report, then begin enumeration of the client
- Crack the krbtgt key before obtaining any access to the network
Correct answer: Foothold on the client, enumerate the domain, harvest and reuse credentials, move laterally and pivot to internal hosts, then escalate to compromise the domain controller
Foothold, enumerate, harvest, pivot, then compromise the domain controller is correct because the AD set is a chained progression where each step unlocks the next toward the domain controller. Compromising the domain controller first is not possible without access, the report comes after testing, and the krbtgt key cannot be cracked before reaching the network.
- A tester reaches the domain controller and, before attempting any exploitation, wants to confirm which host is actually the domain controller among several internal machines. Which indicator most reliably identifies a domain controller during enumeration?
- It is the only host running a public-facing web shop
- It has the lowest IP address on the subnet by rule
- It exposes directory and authentication services such as LDAP and Kerberos and advertises the domain's directory role
- It is the host with the largest disk
Correct answer: It exposes directory and authentication services such as LDAP and Kerberos and advertises the domain's directory role
Exposing LDAP and Kerberos and advertising the directory role is correct because domain controllers run the directory and authentication services, which is the reliable fingerprint during enumeration. Running a web shop, having the lowest IP, or having the largest disk are not dependable indicators of the domain controller role.
- A tester wants to recall what a service principal name (SPN) actually identifies in Active Directory, since it underpins one of the iconic AD attacks. Which description is accurate?
- The plaintext password of a service account
- A firewall rule controlling outbound traffic
- A web URL path for an application
- A unique identifier that associates a service instance with the account running it, used by Kerberos to issue service tickets
Correct answer: A unique identifier that associates a service instance with the account running it, used by Kerberos to issue service tickets
An identifier associating a service instance with its account is correct because Kerberos uses the SPN to know which account's key encrypts a requested service ticket, which is exactly what Kerberoasting abuses. An SPN is not a plaintext password, not a firewall rule, and not a web URL path.
- A tester recovers a credential and uses it to authenticate over SMB to enumerate shares on multiple internal hosts at once, hunting for readable files and additional credentials. Why is authenticated SMB share enumeration valuable on the AD set?
- Accessible shares often contain scripts, configuration files, or backups that leak credentials and reveal further targets
- Listing shares automatically grants domain admin
- Share enumeration forges Kerberos tickets
- It only works after the domain controller is already owned
Correct answer: Accessible shares often contain scripts, configuration files, or backups that leak credentials and reveal further targets
Shares leaking credentials and revealing targets is correct because authenticated SMB enumeration frequently surfaces scripts, configs, and backups containing secrets that advance the attack. It does not grant domain admin, does not forge tickets, and does not require owning the domain controller first.
- A tester finds an account flagged in BloodHound as having an SPN and also being marked as not requiring pre-authentication. Which analysis best captures the dual opportunity this presents?
- The two settings cancel each other out, so neither attack works
- The account is both Kerberoastable via its SPN and AS-REP roastable via the missing pre-authentication, giving two independent offline-cracking avenues
- Only the domain controller can read these flags, so they are useless to the tester
- Both flags mean the account is already a decoy and should be ignored
Correct answer: The account is both Kerberoastable via its SPN and AS-REP roastable via the missing pre-authentication, giving two independent offline-cracking avenues
Being both Kerberoastable and AS-REP roastable is correct because the SPN enables a TGS request and the disabled pre-authentication enables an AS-REP request, giving two paths to crackable material. The settings do not cancel out, ordinary authenticated users can read these attributes, and the flags do not indicate a decoy.
- A tester explains to a teammate why password spraying is a useful early technique against the domain even with no credentials, given a list of valid usernames. Which reasoning is correct?
- Spraying instantly cracks the krbtgt key
- Spraying guarantees domain admin on the first attempt
- Trying one common password across many accounts has a good chance of finding a weak credential while staying under lockout thresholds
- Spraying only works against web applications, not the domain
Correct answer: Trying one common password across many accounts has a good chance of finding a weak credential while staying under lockout thresholds
Trying a common password across many accounts while staying under lockout is correct because spreading a single guess broadly often finds a weak password without locking accounts, providing a first foothold credential. It does not crack the krbtgt key, does not guarantee domain admin, and works against domain authentication, not only web apps.
- A tester recalls which built-in domain group's membership most directly equates to full control of the domain, making it the prize for privilege analysis. Which group is it?
- Domain Guests
- Authenticated Users
- Domain Computers
- Domain Admins
Correct answer: Domain Admins
Domain Admins is correct because membership in that group confers administrative control over the domain and its controllers, making it the high-value target. Domain Guests is low-privilege, Authenticated Users includes every domain account broadly, and Domain Computers holds machine accounts; none equals domain-wide administrative control.
- A tester captures a Kerberos service ticket and wants to confirm it is genuinely Kerberoastable material rather than something unusable. Which characteristic confirms it can be cracked offline?
- Its encrypted portion is keyed from the target service account's password, so candidate passwords can be tested against it without contacting the domain
- It contains the domain controller's IP in plaintext only
- It must be replayed live to the service to be useful
- It is only crackable while connected to the domain controller
Correct answer: Its encrypted portion is keyed from the target service account's password, so candidate passwords can be tested against it without contacting the domain
The encrypted portion being keyed from the service password is correct because that is what allows offline guessing of candidate passwords with no domain contact. The presence of an IP does not make it crackable, it does not need live replay to be crackable, and offline cracking specifically does not require connectivity to the domain controller.
- A tester wants to recall the standard Kerberos ports they expect to find open on a domain controller during enumeration. Which port is the primary Kerberos authentication port?
- Port 443
- Port 88
- Port 3306
- Port 8080
Correct answer: Port 88
Port 88 is correct because Kerberos authentication runs on port 88, which the tester expects open on a domain controller. Port 443 is HTTPS, 3306 is MySQL, and 8080 is a common alternate web port; none is the Kerberos authentication port.
- A tester reuses a recovered domain credential to authenticate to a second host where the account is a local administrator, then dumps that host's memory for more credentials. Which analysis explains how this advances domain compromise?
- Dumping a second host's memory deletes the domain database
- Local administrator access on one host always equals domain admin
- Each newly compromised host can yield fresh credentials, and chaining these reuses progressively expands access toward the domain controller
- Reusing the credential locks every account in the domain
Correct answer: Each newly compromised host can yield fresh credentials, and chaining these reuses progressively expands access toward the domain controller
Chaining credential reuse to expand access is correct because compromising each host can surface new credentials that unlock further hosts, steadily advancing toward the domain controller. Dumping memory does not delete the domain database, local admin on one host is not automatically domain admin, and reuse does not lock all accounts.
- A tester recovers a low-privileged foothold and wants to determine which other domain users are local administrators on which machines so they can plan targeted lateral movement. Which enumeration outcome supplies this directly?
- A list of the web server's installed fonts
- The TLS handshake timing of an internal portal
- The number of printers shared on the network
- A mapping of local-admin rights across hosts that shows which accounts can execute commands on which machines
Correct answer: A mapping of local-admin rights across hosts that shows which accounts can execute commands on which machines
A mapping of local-admin rights across hosts is correct because knowing which accounts administer which machines tells the tester exactly where reused credentials enable remote execution for lateral movement. Installed fonts, TLS handshake timing, and printer counts do not inform local-admin-based lateral movement planning.
- A tester forges a golden ticket and injects it, then tries to access a resource and succeeds even though the impersonated account does not really have a logon session. Which analysis explains why the forged ticket is honored?
- Because the ticket is encrypted and signed with the legitimate krbtgt key, the Key Distribution Center and services trust it as authentic
- Because services never validate ticket signatures
- Because the resource was already open to everyone
- Because the golden ticket disables all authentication checks domain-wide
Correct answer: Because the ticket is encrypted and signed with the legitimate krbtgt key, the Key Distribution Center and services trust it as authentic
Trust deriving from the legitimate krbtgt key is correct because services accept a TGT that is properly encrypted and signed with the krbtgt key, so a forged ticket is indistinguishable from a real one. Services do validate tickets, the resource was not necessarily open to all, and the golden ticket does not globally disable authentication.
- A tester is asked why simply resetting the krbtgt password only once may not fully invalidate existing golden tickets, and why the recommended remediation resets it twice. Which reasoning is correct?
- Resetting once deletes the domain controller, so a second reset rebuilds it
- The domain keeps the current and previous krbtgt keys valid, so a single reset leaves the previous key usable; resetting twice rotates out both keys
- Two resets are needed because the first one is always silently ignored
- A single reset crashes Kerberos, so two are required to restart it
Correct answer: The domain keeps the current and previous krbtgt keys valid, so a single reset leaves the previous key usable; resetting twice rotates out both keys
The previous key remaining valid after one reset is correct because the domain retains the current and prior krbtgt keys for continuity, so a golden ticket signed with the prior key still works until a second reset rotates it out. Resetting does not delete or rebuild the domain controller, the first reset is not ignored, and it does not crash Kerberos.
- A tester dumps credentials with Mimikatz and finds the host stored a reversibly recoverable plaintext password in memory from an interactive logon. Why are plaintext recoveries especially convenient compared with hashes?
- Plaintext passwords cannot be used to authenticate anywhere
- Plaintext is only useful for Pass-the-Hash
- A recovered plaintext can be used directly with any authentication method, including Kerberos services, without cracking or hash-specific techniques
- Plaintext must still be cracked before use
Correct answer: A recovered plaintext can be used directly with any authentication method, including Kerberos services, without cracking or hash-specific techniques
Plaintext working with any authentication method is correct because a recovered password can authenticate via NTLM or Kerberos directly, with no cracking and no hash-only limitations. Plaintext does authenticate, is broadly useful rather than only for Pass-the-Hash, and needs no cracking since it is already the password.
- A tester wants to recall what the
NTDS.dit file is and where it resides, since extracting it is a route to all domain hashes. Which description is accurate?- It is a local browser cache on each workstation
- It is the web application's session store
- It is a configuration file on the attacker's Kali box
- It is the Active Directory database file stored on the domain controller, containing all domain objects and password hashes
Correct answer: It is the Active Directory database file stored on the domain controller, containing all domain objects and password hashes
Being the AD database on the domain controller is correct because NTDS.dit holds all domain objects and their password hashes, making it the prize for full compromise. It is not a workstation browser cache, not a web session store, and not a file on the attacker's machine.
- A tester gains administrative access to a domain controller and wants to extract the domain hash store directly from the system. Which pairing of artifacts is required to recover hashes from the directory database offline?
- A copy of the
NTDS.dit database together with the system registry hive holding the boot key needed to decrypt it - A copy of
robots.txt and the web access log - A favicon file and a TLS certificate
- An SSH known_hosts file and a wordlist
Correct answer: A copy of the NTDS.dit database together with the system registry hive holding the boot key needed to decrypt it
NTDS.dit plus the system hive boot key is correct because the database is encrypted with a key derived from the SYSTEM registry hive, so both are needed to recover hashes offline. robots.txt and access logs, a favicon and certificate, and an SSH known_hosts file with a wordlist are unrelated to decrypting the directory database.
- A tester explains the relationship between a TGT and a TGS to a teammate to clarify the Kerberos flow underpinning the AD attacks. Which sequence is correct?
- The client first obtains a TGS, then exchanges it for a TGT
- The client first obtains a TGT by authenticating to the Key Distribution Center, then presents that TGT to request a TGS for a specific service
- The client uses an NTLM hash to obtain a TGS without any TGT
- The client receives both a TGT and a TGS only after the report is submitted
Correct answer: The client first obtains a TGT by authenticating to the Key Distribution Center, then presents that TGT to request a TGS for a specific service
Obtaining a TGT then using it to get a TGS is correct because Kerberos issues a TGT after initial authentication, which the client presents to request service tickets. The order is not reversed, NTLM is a separate protocol from the Kerberos ticket flow, and ticket issuance has nothing to do with report submission.
- A tester sets up a SOCKS tunnel and notices a DNS-related issue when resolving internal hostnames through proxychains. Which configuration consideration most directly addresses resolving internal names over the tunnel?
- Hardcoding the domain controller's BIOS serial number
- Switching all tools to UDP scanning
- Enabling proxychains to perform remote DNS so name lookups happen through the proxy rather than on the attacker box
- Disabling the tunnel during lookups
Correct answer: Enabling proxychains to perform remote DNS so name lookups happen through the proxy rather than on the attacker box
Enabling remote DNS through proxychains is correct because internal names cannot be resolved locally, so directing DNS lookups through the proxy lets them resolve on the internal side of the tunnel. A BIOS serial number is irrelevant, switching to UDP scanning does not fix name resolution, and disabling the tunnel removes the only path to internal DNS.
- A tester recovers a TGT for a privileged user by dumping a host's memory and injects it on the attacker's tooling to act as that user. Which term names this reuse of a ticket-granting ticket?
- Pass-the-Hash
- Kerberoasting
- NTLM relay
- Pass-the-Ticket
Correct answer: Pass-the-Ticket
Pass-the-Ticket is correct because injecting a stolen TGT to authenticate as its owner is the definition of the technique. Pass-the-Hash reuses an NTLM hash, Kerberoasting requests and cracks service tickets, and NTLM relay forwards a live authentication; none describes reusing a stolen TGT.
- A tester compromises the client machine of the AD set and must decide what to prioritize to advance. Which first action most logically builds toward the second host and domain controller?
- Enumerate the domain and harvest any credentials or tickets present on the client to enable movement to the next host
- Immediately attempt to read
NTDS.dit from the client - Forge a golden ticket from the client with no krbtgt key
- Submit the report before touching the second host
Correct answer: Enumerate the domain and harvest any credentials or tickets present on the client to enable movement to the next host
Enumerating and harvesting credentials on the client is correct because the client typically yields the credentials, tickets, or attack paths needed to move to the second host. NTDS.dit lives on the domain controller not the client, forging a golden ticket needs the krbtgt key, and the report comes after testing.
- A tester wants to recall what distinguishes a member server from a domain controller in the AD set. Which statement is accurate?
- A member server hosts the directory database while the domain controller only runs applications
- A member server is domain-joined and runs services but does not host the directory database, while the domain controller hosts the directory and authenticates the domain
- Both host the directory database identically
- A member server is never part of the domain
Correct answer: A member server is domain-joined and runs services but does not host the directory database, while the domain controller hosts the directory and authenticates the domain
A member server running services without hosting the directory is correct because only domain controllers hold the directory database and authenticate the domain, whereas member servers are joined participants. The roles are not reversed, member servers do not host the directory database, and they are part of the domain.
- A tester reasons about why credential reuse is so effective across an Active Directory environment compared with isolated standalone machines. Which analysis is soundest?
- Because each machine in a domain forces a unique unrelated password that never overlaps
- Because domains disable all authentication, making credentials irrelevant
- Because the domain centralizes identity, the same domain account and its secrets are honored across many hosts, so one harvested credential frequently unlocks multiple machines
- Because credential reuse only works on workgroup machines, not domains
Correct answer: Because the domain centralizes identity, the same domain account and its secrets are honored across many hosts, so one harvested credential frequently unlocks multiple machines
Centralized identity making one credential broadly valid is correct because the domain accepts the same account and secrets across many hosts, so a single harvested credential often reaches multiple machines. Domains do not force unique unrelated passwords per machine, do not disable authentication, and credential reuse is precisely what domains amplify versus standalone hosts.
- A tester pivots into an internal subnet and wants to scan it through a SOCKS proxy, but full TCP-connect scans are slow over the tunnel. Which adjustment best balances reliability over a SOCKS proxy?
- Switch to ICMP-only discovery through the proxy
- Send raw SYN scans expecting the proxy to relay them
- Run a UDP-only scan of all 65535 ports through the proxy
- Use TCP connect scans with no ping and limit the scan to the specific ports of interest to keep the proxied traffic manageable
Correct answer: Use TCP connect scans with no ping and limit the scan to the specific ports of interest to keep the proxied traffic manageable
TCP connect, no-ping, targeted ports is correct because SOCKS proxies carry TCP connections and full-connect scans of selected ports work reliably while staying manageable over the tunnel. ICMP-only discovery and raw SYN scans do not traverse a SOCKS proxy, and a UDP-only scan of all ports is both unreliable through SOCKS and impractically slow.
- A tester recovers an NTLM hash and considers cracking it versus passing it. The environment uses unique, randomized local administrator passwords on each machine. Which analysis best informs the decision?
- Because each machine has a unique local admin password, a passed local hash will not unlock other machines, so the hash's value is limited to its own host unless it is a domain account
- Unique random local passwords mean the hash works everywhere by design
- Randomized local passwords make Pass-the-Hash impossible against the same host
- The hash automatically becomes a golden ticket
Correct answer: Because each machine has a unique local admin password, a passed local hash will not unlock other machines, so the hash's value is limited to its own host unless it is a domain account
Unique local passwords limiting the local hash to its own host is correct because with randomized local admin passwords, a local hash will not authenticate to other machines, so the tester must rely on domain accounts for lateral movement. Unique passwords do not make the hash work everywhere, Pass-the-Hash still works on its own host, and a hash is not a golden ticket.
- A tester explains why mapping the domain with a graph tool before attacking improves efficiency on the time-limited AD set. Which justification is soundest?
- The graph guarantees the domain controller is unpatched and exploitable
- The graph reveals the shortest chains of rights that lead to high privilege, so the tester pursues edges that actually reach the domain controller instead of guessing
- The graph forges tickets so no further work is needed
- The graph removes the need to obtain any credentials
Correct answer: The graph reveals the shortest chains of rights that lead to high privilege, so the tester pursues edges that actually reach the domain controller instead of guessing
Revealing the shortest viable chains is correct because graphing rights shows which sequences of edges actually lead to high privilege, focusing limited time on productive paths. The graph does not guarantee an unpatched domain controller, does not forge tickets, and does not eliminate the need for credentials.
- A tester recovers a credential for a user that BloodHound shows has a path consisting of several chained rights ending at a Domain Admin. How should the tester act on this multi-hop path?
- Ignore the path because multi-hop paths never work
- Reset the entire domain to clear the path
- Abuse each right in sequence along the path, taking over each intermediate object until reaching control of the Domain Admin account
- Wait for the path to resolve itself automatically
Correct answer: Abuse each right in sequence along the path, taking over each intermediate object until reaching control of the Domain Admin account
Abusing each right in sequence is correct because a BloodHound path is a chain of abusable edges, so the tester walks the path, leveraging each right to take the next object until reaching Domain Admin. Multi-hop paths do work, resetting the domain is not the tester's action, and the path does not resolve on its own.
- A tester crafts an AS-REP Roasting attempt and must supply the correct cracking mode so Hashcat or John interprets the captured AS-REP. What general requirement applies to cracking the captured AS-REP?
- Provide the krbtgt key to begin cracking
- Connect to the domain controller throughout the crack
- Submit the AS-REP to a web application firewall
- Supply a wordlist and select the hash mode that matches the AS-REP format so candidate passwords are tested against the encrypted blob
Correct answer: Supply a wordlist and select the hash mode that matches the AS-REP format so candidate passwords are tested against the encrypted blob
A wordlist plus the matching AS-REP hash mode is correct because the cracker must interpret the AS-REP format to test candidate passwords against its encrypted portion offline. The krbtgt key is not needed, no domain controller connection is required during offline cracking, and a web application firewall is unrelated.
- A tester explains how a silver ticket differs in stealth from a golden ticket when targeting one specific service on the AD set. Which analysis is accurate?
- A silver ticket is forged with the target service account's key and can be used without contacting the domain controller for that service, so it can be stealthier but is limited to that one service
- A silver ticket always contacts the domain controller for every request, making it noisier than a golden ticket
- A silver ticket works domain-wide like a golden ticket
- A silver ticket requires the krbtgt key just like a golden ticket
Correct answer: A silver ticket is forged with the target service account's key and can be used without contacting the domain controller for that service, so it can be stealthier but is limited to that one service
Being service-key-based, domain-controller-light, and service-scoped is correct because a silver ticket is forged with a service account's key and presented straight to that service, avoiding domain controller interaction but only reaching that one service. It does not contact the domain controller for every request, is not domain-wide, and does not require the krbtgt key.
- A tester recalls why the domain controller is usually placed on an internal, non-routable segment in the AD set rather than being directly reachable from the attacker. Which reasoning fits the exam design?
- It is placed internally so it can be scanned directly with no tunnel
- Placing it internally forces the tester to demonstrate pivoting and credential chaining through intermediate hosts to reach it, reflecting real-world segmentation
- Internal placement makes it the first machine attacked
- Internal placement means it cannot be compromised at all
Correct answer: Placing it internally forces the tester to demonstrate pivoting and credential chaining through intermediate hosts to reach it, reflecting real-world segmentation
Internal placement forcing pivoting and chaining is correct because putting the domain controller behind segmentation requires the tester to prove pivoting and credential reuse to reach it, mirroring real networks. It is not directly scannable without a tunnel, is reached last rather than first, and is still compromisable through the chain.
- A tester debates whether to relay a captured NTLM authentication or attempt to crack the underlying hash, given the captured material is a strong challenge-response that resists cracking. Which factor favors relaying instead?
- Relaying requires first cracking the hash anyway
- Relaying only works if the password is weak
- Relaying uses the live authentication directly, so a crack-resistant credential is irrelevant as long as a suitable, signing-free target is available to authenticate to
- Relaying forges a golden ticket from the challenge-response
Correct answer: Relaying uses the live authentication directly, so a crack-resistant credential is irrelevant as long as a suitable, signing-free target is available to authenticate to
Relaying using the live authentication directly is correct because the relay forwards the active exchange to a target without ever recovering the secret, so crack resistance does not matter when a signing-free, authorized target exists. Relaying does not require cracking first, does not depend on a weak password, and does not forge a golden ticket.
- A tester has compromised a pivot and wants persistent, flexible access to the entire internal subnet for running multiple tools over time. Which combination provides that durable, broad internal reach?
- A single local forward of one port, which alone covers the whole subnet
- An ICMP tunnel that carries all TCP tools natively
- A golden ticket, which provides network routing into the subnet
- A SOCKS proxy through the pivot (via SSH dynamic forwarding or Chisel) configured into proxychains, so any TCP tool can be routed into the subnet on demand
Correct answer: A SOCKS proxy through the pivot (via SSH dynamic forwarding or Chisel) configured into proxychains, so any TCP tool can be routed into the subnet on demand
A SOCKS proxy with proxychains is correct because a dynamic SOCKS tunnel gives broad, flexible access so any TCP tool can reach arbitrary internal hosts on demand. A single local forward covers only one destination, an ICMP tunnel does not natively carry arbitrary TCP tools here, and a golden ticket is a credential forgery, not network routing.
- A tester wants to recall what proxychains fundamentally does for command-line tools during a pivot. Which description is accurate?
- It intercepts the network connections a tool makes and forces them through one or more configured proxies, such as a SOCKS proxy exposed by a tunnel
- It cracks passwords for any tool it wraps
- It compiles tools to run faster on the pivot
- It encrypts the attacker's local disk
Correct answer: It intercepts the network connections a tool makes and forces them through one or more configured proxies, such as a SOCKS proxy exposed by a tunnel
Intercepting connections and forcing them through configured proxies is correct because proxychains redirects a tool's network traffic through the configured proxy chain, enabling pivoted access. It does not crack passwords, does not compile tools, and does not encrypt the attacker's disk.
- A tester reaches a domain controller through chained pivots and authenticates with harvested Domain Admin credentials. Which outcome most directly represents completing the 20-point domain controller objective on the AD set?
- Listing the domain controller's open ports through the tunnel
- Gaining administrative control of the domain controller and demonstrating access to the domain's account data
- Reading a single public file on the domain controller's web service
- Confirming the domain controller responds to a ping through the proxy
Correct answer: Gaining administrative control of the domain controller and demonstrating access to the domain's account data
Gaining administrative control and demonstrating access to domain account data is correct because the domain controller objective is achieved by full administrative compromise that proves control of the directory. Listing ports, reading a public file, or confirming a ping are minor enumeration steps that fall short of compromising the domain controller.
- A tester recalls a practical reason WinRM is often preferred over PsExec-style execution for lateral movement when stealth matters. Which characteristic supports that preference?
- WinRM never authenticates, so it leaves no trace
- WinRM only works once per domain
- WinRM uses native remote management that generates less conspicuous activity than installing and starting a remote service, so it can blend into normal administration
- WinRM requires the domain controller to be offline
Correct answer: WinRM uses native remote management that generates less conspicuous activity than installing and starting a remote service, so it can blend into normal administration
WinRM generating less conspicuous activity is correct because it relies on native remote management rather than installing a service, so it can resemble legitimate administration. It does still authenticate and leave traces, is not limited to one use per domain, and does not require the domain controller offline.
- A tester recalls that Kerberos relies on a central component on the domain controller that issues both ticket-granting tickets and service tickets. What is that component called?
- The Domain Name System resolver
- The Dynamic Host Configuration server
- The Windows Update agent
- The Key Distribution Center (KDC)
Correct answer: The Key Distribution Center (KDC)
The Key Distribution Center is correct because the KDC, running on the domain controller, issues TGTs and service tickets in Kerberos. A DNS resolver translates names, a DHCP server assigns addresses, and the Windows Update agent fetches patches; none issues Kerberos tickets.