A penetration tester is conducting a vulnerability scan. The tester wants to see any vulnerabilities that may be visible from outside of the organization. Which of the following scans should the penetration tester perform?
A. SAST
B. Sidecar
C. Unauthenticated
D. Host-based
Correct Answer: C
To see any vulnerabilities that may be visible from outside of the organization, the penetration tester should perform an unauthenticated scan.
Unauthenticated Scan: the scanner runs from outside the network with no credentials on the targets, so it reports only what an external attacker can observe: open ports, service banners, exposed web content, and remotely detectable misconfigurations or missing patches.
Comparison with Other Scans: SAST analyses application source code and requires access to the code base, not a view of the perimeter; a sidecar is a container that runs alongside an application inside the same pod, a deployment pattern rather than a scan type; a host-based scan runs with an agent or credentials on the system itself and reports internal patch and configuration state that is invisible from the outside.
By performing an unauthenticated scan, the penetration tester can identify vulnerabilities that an external attacker could exploit without needing any credentials or internal access.
Question 192:
A penetration tester assesses a complex web application and wants to explore potential security weaknesses by searching for subdomains that might have existed in the past. Which of the following tools should the penetration tester use?
A. Censys.io
B. Shodan
C. Wayback Machine
D. SpiderFoot
Correct Answer: C
The Wayback Machine (web.archive.org) archives snapshots of web pages over time, so a tester can see how a site looked at earlier points in its history. Old snapshots often link to hosts that have since been removed from the live site or from public DNS, which makes the archive a useful source of subdomains that might have existed in the past.
Accessing the Wayback Machine: browse to web.archive.org and enter the target domain, or query the CDX API directly; a wildcard prefix such as *.example.com returns every archived URL under the domain.
Navigating Archived Pages: step through snapshots by date and follow the links, form actions, script sources and sitemap entries in the archived HTML.
Identifying Subdomains: collect the hostnames from the archived URLs and compare them with what DNS and current crawling return; anything that no longer resolves or is no longer linked is a candidate for forgotten or decommissioned infrastructure, which is exactly where weak or unpatched services tend to survive.
Tool Integration: the other options cover the present rather than the past. Censys.io and Shodan index hosts, certificates and services that are reachable now, and SpiderFoot is an OSINT automation framework that aggregates many sources; the question asks for the source of historical page content, which is the archive itself.
References: HTB Official Writeups
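The subdomain-harvesting step above, as an added example that is not part of the original question pool or any HTB writeup. The CDX API endpoint and its url, output, fl and collapse parameters are the real Wayback Machine interface; the sample records in SAMPLE_CDX are constructed so the parser can be exercised offline, and example.com stands in for a real target.

```python
"""Extract historical hostnames for a root domain from Wayback Machine
CDX API records. The CDX parameters are real; SAMPLE_CDX is constructed."""
import sys
import urllib.parse
import urllib.request

CDX_API = "https://web.archive.org/cdx/search/cdx"


def cdx_query_url(root_domain: str) -> str:
    """Build a CDX query for every archived URL under *.root_domain.
    fl=original returns only the captured URL; collapse=urlkey dedupes."""
    params = {
        "url": f"*.{root_domain}",
        "output": "txt",
        "fl": "original",
        "collapse": "urlkey",
    }
    return CDX_API + "?" + urllib.parse.urlencode(params)


def extract_subdomains(cdx_lines, root_domain: str) -> list:
    """Return sorted unique hostnames that are root_domain or a subdomain
    of it. Hosts that merely contain the domain as a prefix (for example
    example.com.evil.test) are rejected, not matched."""
    root = root_domain.lower()
    hosts = set()
    for line in cdx_lines:
        line = line.strip()
        if not line:
            continue
        host = urllib.parse.urlsplit(line).hostname  # strips port, lowercases
        if not host:
            continue
        if host == root or host.endswith("." + root):
            hosts.add(host)
    return sorted(hosts)


def fetch_subdomains(root_domain: str, timeout: int = 30) -> list:
    """Live query against the archive (needs network); not used offline."""
    with urllib.request.urlopen(cdx_query_url(root_domain), timeout=timeout) as resp:
        text = resp.read().decode("utf-8", errors="replace")
    return extract_subdomains(text.splitlines(), root_domain)


# Constructed CDX output (what the API returns with fl=original).
SAMPLE_CDX = """\
http://www.example.com/
http://old-portal.example.com:8080/login
https://staging.example.com/api/v1/
http://Dev.Example.com/index.html
http://example.com.evil.test/phish
https://www.example.com/about
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        found = fetch_subdomains(sys.argv[1])
    else:
        found = extract_subdomains(SAMPLE_CDX.splitlines(), "example.com")
    print("\n".join(found))
```

Run it with no arguments to see the four hosts recovered from the constructed sample (old-portal and staging are the kind of names that no longer appear on a live site), or pass a root domain you are authorized to assess to query the archive for real.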
Question 193:
During a security assessment, a penetration tester gains access to an internal server and manipulates some data to hide its presence. Which of the following is the best way for the penetration tester to hide the activities performed?
A. Clear the Windows event logs.
B. Modify the system time.
C. Alter the log permissions.
D. Reduce the log retention settings.
Correct Answer: A
During a penetration test, covering tracks means removing or obscuring the evidence the tester has left on a compromised system. Manipulating data to hide activities on an internal server therefore involves ensuring that logs and other traces of the activity are removed. Here is why clearing the Windows event logs is the best of the four options:
Understanding Windows Event Logs: Windows event logs are a key forensic artifact that records system, security, and application events. They provide detailed information about user activities, system changes, and potential security incidents, including the logons, process creation and service installation that an intrusion leaves behind.
Why Clear Windows Event Logs: clearing the logs removes the recorded entries themselves; each of the other three options leaves those entries in place.
Method to Clear Event Logs (requires administrative privileges):
wevtutil cl System
wevtutil cl Security
wevtutil cl Application
Alternative Options and Their Drawbacks: modifying the system time only muddles timestamps and leaves every entry in place (and a time change is itself an auditable event); altering log permissions neither removes existing entries nor stops the logging service from writing new ones; reducing log retention settings only changes how long future entries are kept, so the existing evidence remains until it is overwritten.
Caveat: clearing a log is itself recorded. Clearing the Security log writes Event ID 1102 ("The audit log was cleared") to the Security log, and clearing other logs writes Event ID 104 to the System log; if events are forwarded to a collector or SIEM, the copies there survive. Clearing is therefore the most effective of the listed options for removing evidence from the host, not a guarantee that the activity goes unnoticed.
In conclusion, clearing Windows event logs is the established answer for this scenario because it is the only option that actually removes the evidence of the tester's actions from the system.
Question 194:
A penetration tester is developing the rules of engagement for a potential client. Which of the following would most likely be a function of the rules of engagement?
A. Testing window
B. Terms of service
C. Authorization letter
D. Shared responsibilities
Correct Answer: A
The rules of engagement define the scope, limitations, and conditions under which a penetration test is conducted. Here's why option A is correct:
Testing Window: This specifies the time frame during which the penetration testing activities are authorized to occur. It is a crucial part of the rules of engagement to ensure the testing does not disrupt business operations and is conducted within agreed-upon hours.
Terms of Service: This generally refers to the legal agreement between a service provider and user, not specific to penetration testing engagements.
Authorization Letter: This provides formal permission for the penetration tester to perform the assessment but is not a component of the rules of engagement.
Shared Responsibilities: This refers to the division of security responsibilities between parties, often seen in cloud service agreements, but not specifically a function of the rules of engagement.
References from Pentest:
Luke HTB: Highlights the importance of clearly defining the testing window in the rules of engagement to ensure all parties are aligned.
Forge HTB: Demonstrates the significance of having a well-defined testing window to avoid disruptions and ensure compliance during the assessment.
Question 195:
During a web application assessment, a penetration tester identifies an input field that allows JavaScript injection. The tester inserts a line of JavaScript that results in a prompt, presenting a text box when browsing to the page going forward. Which of the following types of attacks is this an example of?
A. SQL injection
B. SSRF
C. XSS
D. Server-side template injection
Correct Answer: C
Cross-Site Scripting (XSS) is an attack that involves injecting malicious scripts into web pages viewed by other users. Here's why option C is correct:
XSS (Cross-Site Scripting): This attack involves injecting JavaScript into a web application, which is then executed by the user's browser. The scenario describes injecting a JavaScript prompt that reappears on every later visit to the page, which is a typical stored XSS payload.
SQL Injection: This involves injecting SQL commands to manipulate the database and does not relate to JavaScript injection.
SSRF (Server-Side Request Forgery): This attack tricks the server into making requests to unintended locations, which is not related to client-side JavaScript execution.
Server-Side Template Injection: This involves injecting code into server-side templates, not JavaScript that executes in the user's browser.
References from Pentest:
Horizontall HTB: Demonstrates identifying and exploiting XSS vulnerabilities in web applications.
Luke HTB: Highlights the process of testing for XSS by injecting scripts and observing their execution in the browser.
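The stored XSS described in the question beside the fix, as an added example that is not part of the original question pool or any HTB writeup. The comment store, the two payloads and the minimal page renderer are constructed; the point is the difference between interpolating user input into HTML as-is and escaping it for both text and attribute context.

```python
"""Stored XSS: vulnerable rendering of user comments beside the escaped
version. STORED_COMMENTS and both payloads are constructed."""
import html
import re

# Constructed comment store: the second and third entries are what the
# tester in the question would have submitted through the input field.
STORED_COMMENTS = [
    "Great article!",
    "<script>prompt('Enter your password');</script>",
    '<img src=x onerror="prompt(1)">',
]


def render_vulnerable(comments) -> str:
    """Interpolates raw comment text into the page: the browser executes
    the script on every subsequent visit, which is the reported symptom."""
    return "\n".join(f"<li>{c}</li>" for c in comments)


def render_escaped(comments) -> str:
    """Escapes <, >, &, and both quote characters, so the payload is shown
    as text. quote=True matters for attribute-context injections."""
    return "\n".join(f"<li>{html.escape(c, quote=True)}</li>" for c in comments)


def contains_active_markup(page: str) -> bool:
    """Crude check used to compare the two renderers: does the page still
    contain a real <script> or <img> tag (not an escaped &lt;script&gt;)?"""
    return re.search(r"<\s*(script|img)\b", page, re.IGNORECASE) is not None


if __name__ == "__main__":
    print("vulnerable page executes payload:", contains_active_markup(render_vulnerable(STORED_COMMENTS)))
    print("escaped page executes payload:   ", contains_active_markup(render_escaped(STORED_COMMENTS)))
    print(render_escaped(STORED_COMMENTS))
```

Output encoding at the point of rendering is the fix for the reported behaviour; a Content Security Policy that forbids inline script is the defence-in-depth layer that would also have blocked the prompt.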
Question 196:
A penetration tester plans to conduct reconnaissance during an engagement using readily available resources. Which of the following resources would most likely identify hardware and software being utilized by the client?
A. Cryptographic flaws
B. Protocol scanning
C. Cached pages
D. Job boards
Correct Answer: D
To conduct reconnaissance and identify hardware and software used by a client, job boards are an effective resource. Companies often list the technologies they use in job postings to attract qualified candidates (for example, a posting that asks for experience with a particular firewall vendor, hypervisor and ERP product), and these listings reveal the specific hardware and software platforms the client is running.
Reconnaissance: passive collection of information about the target from sources that never touch its systems.
Job Boards: the company's own careers page and general listing sites such as LinkedIn and Indeed; postings for system administrators, network engineers and developers are the most revealing.
Why not the other options: cryptographic flaws are a finding, not a reconnaissance resource; protocol scanning is active probing of the target rather than a readily available resource; cached pages show old copies of web content and only occasionally name internal products.
Pentest References:
OSINT (Open Source Intelligence): Using publicly available sources to gather information about a target. Job boards are a key source of OSINT, providing indirect access to the internal technologies of a company.
This information can be used to tailor subsequent phases of the penetration test, such as vulnerability scanning and exploitation, to the specific technologies identified. By examining job boards, a penetration tester can gain insights into the hardware and software environments of the target, making this a valuable reconnaissance tool.
Question 197:
A penetration tester is authorized to perform a DoS attack against a host on a network. Given the following input (a Scapy script; the import line and comments are added here, and two names are corrected as noted):
from scapy.all import IP, TCP, Raw, RandShort, send   # import added; not in the original listing
ip = IP(dst="192.168.50.2")                           # original wrote IP("192.168.50.2"); the target is the dst field
tcp = TCP(sport=RandShort(), dport=80, flags="S")      # fresh random source port, SYN flag only
raw = Raw(b"X"*1024)                                  # original wrote RAW; Scapy's payload class is Raw
p = ip/tcp/raw
send(p, loop=1, verbose=0)                            # loop=1 keeps resending until interrupted
Which of the following attack types is most likely being used in the test?
A. MDK4
B. Smurf attack
C. FragAttack
D. SYN flood
Correct Answer: D
A SYN flood exploits the TCP three-way handshake: the attacker sends a continuous stream of SYN segments, the target allocates a half-open connection and replies SYN-ACK for each, and the final ACK never arrives, so the backlog fills and legitimate connections are refused.
Understanding the Script: IP(dst=...) addresses the victim; TCP(sport=RandShort(), dport=80, flags="S") builds a SYN to port 80 from a new random source port on every send, so each segment looks like a separate connection attempt; Raw(b"X"*1024) pads the segment with 1 KB of junk, which adds bandwidth pressure but is not needed for the exhaustion effect; send(p, loop=1, verbose=0) resends the packet indefinitely without printing.
Purpose of SYN Flood: exhaust the listener's connection backlog (and, with the payload, link capacity) so the service on port 80 becomes unavailable.
Why not the other options: MDK4 is a Wi-Fi (802.11) attack tool; a Smurf attack floods a victim with ICMP echo replies by sending spoofed echo requests to a broadcast address; FragAttacks are 802.11 fragmentation and aggregation design flaws. None of them involves TCP SYN segments.
Detection and Mitigation: a flood shows up as a large number of SYNs to one port from sources that never complete the handshake, with source ports that change on every packet; mitigations include SYN cookies, a shorter SYN-RECEIVED timeout, rate limiting at the firewall or load balancer, and upstream scrubbing.
References: Penetration Testing - A Hands-on Introduction to Hacking; HTB Official Writeups
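The detection side of the flood described above, as an added example that is not part of the original question pool or the cited books. The packet summaries are constructed (one client that completes three handshakes, one host that sends 200 SYNs and never ACKs); the thresholds min_syns and max_ack_ratio are assumed starting points, not values from the page.

```python
"""Flag SYN-flood sources in a list of constructed packet summaries.
A legitimate client follows each SYN with an ACK from the same source
port; a flooding host sends SYNs from ever-changing ports and never ACKs."""
from collections import defaultdict


def syn_flood_sources(packets, dst_ip, dst_port, min_syns=50, max_ack_ratio=0.1):
    """packets: iterable of (src_ip, sport, dst_ip, dport, flags) tuples,
    flags written Scapy-style ("S", "A", "PA", ...). Returns
    {src_ip: (syn_count, completed_count)} for sources that sent at least
    min_syns SYNs to dst_ip:dst_port and completed at most max_ack_ratio
    of them. Thresholds are assumed defaults; tune per environment."""
    syns = defaultdict(set)   # src_ip -> source ports that sent a SYN
    acks = defaultdict(set)   # src_ip -> source ports that later sent an ACK
    for src, sport, dst, dport, flags in packets:
        if dst != dst_ip or dport != dst_port:
            continue
        if flags == "S":
            syns[src].add(sport)
        elif "A" in flags and sport in syns.get(src, ()):
            acks[src].add(sport)
    suspects = {}
    for src, ports in syns.items():
        if len(ports) < max(min_syns, 1):
            continue
        completed = len(acks[src] & ports)
        if completed / len(ports) <= max_ack_ratio:
            suspects[src] = (len(ports), completed)
    return suspects


def build_sample_capture():
    """Constructed traffic: one normal client and one flooding host aimed
    at the same target the question's script uses, 192.168.50.2:80."""
    pkts = []
    for sport in (40001, 40002, 40003):            # normal client, full handshakes
        pkts.append(("10.0.0.5", sport, "192.168.50.2", 80, "S"))
        pkts.append(("10.0.0.5", sport, "192.168.50.2", 80, "A"))
    for i in range(200):                           # flood: RandShort()-like ports, no ACKs
        pkts.append(("10.0.0.66", 1024 + i * 7, "192.168.50.2", 80, "S"))
    pkts.append(("10.0.0.66", 5000, "192.168.50.2", 443, "S"))  # unrelated port
    return pkts


if __name__ == "__main__":
    for src, (n, done) in syn_flood_sources(build_sample_capture(), "192.168.50.2", 80).items():
        print(f"{src}: {n} SYNs, {done} completed handshakes")
```

The same ratio can be computed from a firewall or NetFlow export; the signal that separates a flood from a busy but healthy service is the completion ratio, not the raw SYN count.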
Question 198:
Which of the following is the penetration tester most likely trying to do?
A. Change the system's wallpaper based on the current user's preferences.
B. Capture the administrator's password and transmit it to a remote server.
C. Conditionally stage and execute a remote script.
D. Log the internet browsing history for a systems administrator.
Correct Answer: C
References: Penetration Testing - A Hands-on Introduction to Hacking; HTB Official Writeups
Question 199:
During an assessment, a penetration tester exploits an SQLi vulnerability. Which of the following commands would allow the penetration tester to enumerate password hashes?
A. sqlmap -u www.example.com/?id=1 --search -T user
C. sqlmap -u www.example.com/?id=1 --tables -D accounts
D. sqlmap -u www.example.com/?id=1 --schema --current-user --current-db
Correct Answer: B
To enumerate password hashes through an SQL injection vulnerability, the penetration tester has to pull the contents of the column that stores them, which in sqlmap is done with --dump against a named database (-D), table (-T) and, optionally, column (-C). Breakdown of the listed options:
A. --search -T user: searches the schema for tables whose names match "user"; it locates a candidate table but does not retrieve any rows.
C. --tables -D accounts: lists the tables in the accounts database, again without reading any data.
D. --schema --current-user --current-db: enumerates the database structure and the identity the application connects as; useful orientation, but no hashes.
B (correct): dumping the users table with --dump returns the stored credential column, which is where the hashes live. Note that sqlmap's --passwords option enumerates the DBMS accounts' password hashes, not the application's user table, so it is a separate step.
References from Pentest:
Writeup HTB: Demonstrates using sqlmap to dump data from specific tables to retrieve sensitive information, including password hashes.
Luke HTB: Shows the process of exploiting SQL injection to extract user credentials and hashes by dumping specific columns from the database.
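What --dump automates under the hood, as an added example that is not part of the original question pool or any HTB writeup: a UNION-based extraction of a credential column through a string-concatenated query, beside the parameterised query that defeats it. The SQLite schema, the two user rows, the SHA-256 hashes and the products table are all constructed; the accounts/users/cred naming echoes the option text but is an assumption.

```python
"""SQL injection: UNION-based dump of a credential column through a
vulnerable lookup, beside the parameterised fix. All data is constructed."""
import hashlib
import sqlite3


def hash_pw(password: str) -> str:
    """Constructed credential storage (unsalted SHA-256, for illustration only)."""
    return hashlib.sha256(password.encode()).hexdigest()


def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, cred TEXT);
        INSERT INTO products VALUES (1, 'widget'), (2, 'gadget');
    """)
    for uid, name, pw in [(1, "alice", "Winter2024!"), (2, "admin", "P@ssw0rd")]:
        conn.execute("INSERT INTO users VALUES (?, ?, ?)", (uid, name, hash_pw(pw)))
    return conn


def product_lookup_vulnerable(conn, product_id: str):
    """The injectable parameter: user input is concatenated into the SQL."""
    query = "SELECT id, name FROM products WHERE id = " + product_id
    return conn.execute(query).fetchall()


def product_lookup_fixed(conn, product_id: str):
    """Parameterised query: the input is bound as a value and can never
    alter the statement's structure."""
    return conn.execute("SELECT id, name FROM products WHERE id = ?", (product_id,)).fetchall()


def dump_creds_via_union(conn):
    """Manual equivalent of sqlmap -D accounts -T users -C username,cred --dump:
    pick a product id that matches nothing, then UNION in two columns from
    users so the column count matches the original SELECT."""
    payload = "0 UNION ALL SELECT username, cred FROM users"
    return product_lookup_vulnerable(conn, payload)


if __name__ == "__main__":
    db = setup_db()
    print("normal lookup:", product_lookup_vulnerable(db, "1"))
    for username, cred in dump_creds_via_union(db):
        print(f"{username}:{cred}")
    print("same payload against the fixed query:",
          product_lookup_fixed(db, "0 UNION ALL SELECT username, cred FROM users"))
```

sqlmap does the column-count discovery, the ORDER BY/UNION probing and the paging for you; the two lines that matter for the fix are the concatenation in product_lookup_vulnerable and the bound parameter in product_lookup_fixed.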
Question 200:
A penetration tester has found a web application that is running on a cloud virtual machine instance. Vulnerability scans show a potential SSRF for the same application URL path with an injectable parameter. Which of the following commands should the tester run to successfully test for secrets exposure exploitability?
A. curl ?param=http://169.254.169.254/latest/meta-data/
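The server-side check that would have stopped the metadata request in this question, as an added example that is not part of the original question pool: a URL validator for an SSRF-prone parameter that rejects any destination resolving to link-local, private, loopback or otherwise non-global address space, which is where 169.254.169.254 lives. The sample URLs are constructed; the bare-decimal and IPv4-mapped forms are included because they are common ways of slipping the metadata address past a naive string match.

```python
"""Allowlist check for a user-supplied fetch URL (SSRF mitigation).
Rejects non-http(s) schemes and any host whose addresses are not
globally routable, including the cloud metadata address 169.254.169.254
in dotted, bare-decimal and IPv4-mapped IPv6 form. Sample URLs are constructed."""
import ipaddress
import socket
import urllib.parse

ALLOWED_SCHEMES = {"http", "https"}


def _candidate_addresses(host: str):
    """Yield ipaddress objects for host: literal IPs (dotted quad, bracketed
    IPv6, bare decimal such as 2852039166) are parsed directly; names are
    resolved through the system resolver so every A/AAAA answer is checked."""
    if host.isdigit():
        yield ipaddress.ip_address(int(host))   # http://2852039166/ == 169.254.169.254
        return
    try:
        yield ipaddress.ip_address(host)
        return
    except ValueError:
        pass
    for info in socket.getaddrinfo(host, None):
        yield ipaddress.ip_address(info[4][0])


def ssrf_check(url: str):
    """Return (allowed, reason). Resolution failures are treated as a reject,
    which also covers names that only resolve inside the cloud provider."""
    parts = urllib.parse.urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    try:
        addrs = list(_candidate_addresses(host))
    except (socket.gaierror, ValueError) as exc:
        return False, f"cannot resolve {host}: {exc}"
    for ip in addrs:
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped                 # ::ffff:169.254.169.254 -> 169.254.169.254
        if not ip.is_global:
            return False, f"{host} -> {ip} is not a public address"
    return True, "ok"


if __name__ == "__main__":
    # Constructed probes: the first is the metadata URL from the question.
    for u in ("http://169.254.169.254/latest/meta-data/",
              "http://2852039166/",
              "http://[::ffff:169.254.169.254]/",
              "http://127.0.0.1:8080/",
              "file:///etc/passwd",
              "http://93.184.216.34/"):
        print(ssrf_check(u), u)
```

Two caveats a reviewer would raise: the check must also run on every redirect hop (a public host can 302 to the metadata address), and on cloud platforms that support it the metadata service should be switched to a session-token mode so that a bare GET from an SSRF returns nothing even if the filter is bypassed.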