Gaining Access Practice

Turn findings into footholds by exploiting vulnerabilities and misconfigurations within clearly defined rules of engagement.

1. Question

Exploiting an SQL injection vulnerability to dump user credentials from a database BEST fits which phase?

ReconnaissanceScanningGaining accessCovering tracks

2. Question

Which of the following is the MOST appropriate initial action after successfully obtaining a low-privilege shell on a target system?

Immediately attempt to wipe all logsIdentify your current context and enumerate local privilegesPublicly disclose the compromise on social mediaInstall multiple backdoors for redundancy

3. Question

A client application passes a JWT in a cookie. Which weakness would MOST likely allow you to gain access as another user?

Using HTTPS for all trafficStrong JWT signing key rotationJWTs signed with a guessable or hard-coded secretShort token expiration times

4. Question

Which action BEST represents exploiting a misconfiguration to gain access?

Using default credentials on an exposed admin interfaceSearching LinkedIn for employee namesRunning a ping sweep of the networkReviewing TLS certificates in a browser

5. Question

Why is it important to align exploitation attempts with clearly defined rules of engagement?

To ensure you can exploit as many systems as possibleTo remain within legal and contractual boundaries while demonstrating riskTo guarantee that no monitoring system will detect your activityTo avoid having to write remediation steps

6. Question

Which approach is MOST appropriate when you discover valid credentials belonging to a highly privileged user during a test?

Immediately log in everywhere possible with those credentialsAttempt a limited, scoped login to validate impact, then stop and documentShare the credentials with other testers informallyIgnore the finding because privileged users are expected

7. Question

Which of the following MOST clearly demonstrates chaining vulnerabilities to gain access?

Using a single buffer overflow exploit to gain rootCombining weak password policy with credential reuse on a VPNRunning a simple port scan against the DMZChecking HTTP response headers for security flags

8. Question

You exploit an RCE vulnerability on a web server, but outbound connections are heavily restricted. What is the MOST appropriate next step?

Attempt to establish a reverse shell over allowed protocols like HTTPSImmediately run a full network scan from the compromised hostTry to brute-force the firewall configurationAbandon the foothold as unusable

9. Question

Which factor is MOST important when deciding whether to fully exploit a vulnerability during a pentest?

How interesting the exploit is to the testerWhether exploitation is explicitly allowed and safe within scopeThe number of potential CVEs referencedThe age of the discovered vulnerability

10. Question

Why might you simulate credential stuffing against a staging environment rather than production?

Staging is always more vulnerable than productionIt is impossible to test credential attacks safely in productionStaging can be configured for safe testing without risking real accountsStaging systems are typically unmonitored

Score: 0.0 / 10 (0 of 10 correct)