pentest+ Practice Exam 2025: Latest Questions

During planning, a client states: "You may test our public web application, but you must not run any actions that could disrupt service." Which rule of engagement item MOST directly enforces this requirement?

A penetration tester is conducting DNS reconnaissance for a target domain and wants to identify the organization's authoritative name servers. Which record type should the tester query?

A tester discovers an exposed SMB share that allows anonymous read access. Which action is the BEST next step before attempting exploitation?

A tester must deliver results to executive stakeholders with limited technical background. Which report component is MOST appropriate for this audience?

A web application accepts a URL parameter and then fetches the resource server-side. The tester suspects SSRF. Which test is the MOST reliable indicator that SSRF is occurring?

A vulnerability scanner reports multiple findings on a Linux host, but the tester suspects false positives due to poor service detection. Which action is BEST to validate the findings?

A tester is asked to assess a cloud-hosted environment and is provided API access to query resources. Which approach BEST aligns with least privilege during planning and execution?

A tester identifies a login form that returns different error messages for "user not found" versus "invalid password." Which issue does this MOST directly enable?

A tester reviews a Python script used during engagement and sees the following snippet: import subprocess cmd = "ping -c 1 " + target subprocess.call(cmd, shell=True) The variable 'target' is sourced from user input. What is the MOST likely risk, and what is the BEST remediation?

A tester gains access to a Linux host in a segmented network. The only allowed outbound traffic is DNS to an internal resolver. The tester needs a low-bandwidth channel for command-and-control while minimizing detection. Which technique is MOST appropriate?

During a rules-of-engagement meeting, the client states that the test must not impact production availability and asks for a way to validate exploits without touching live systems. Which approach BEST satisfies this requirement?

A penetration tester is asked to confirm the presence of split tunneling on a remote access VPN connection without disrupting the user session. Which method is MOST appropriate?

A tester is preparing a report for executive leadership. Which deliverable is MOST appropriate for that audience?

A client permits active scanning but prohibits sending credentials to third-party services. The tester wants to identify exposed cloud object storage that allows anonymous reads. Which technique is MOST appropriate?

A tester runs a vulnerability scan and sees many hosts flagged with "ICMP unreachable" and "filtered" results. A manual check shows the systems are online and services are reachable from an internal jump box. What is the MOST likely cause?

A web application accepts XML input. The tester suspects an XXE issue but wants to avoid exfiltrating sensitive data. Which payload goal is the BEST first validation step?

A tester gains access to a Linux host and wants to check for misconfigured sudo privileges that could enable privilege escalation. Which command is MOST appropriate?

You need to communicate remediation steps for an internal finding where an application team can fix the issue in code, but operations must also adjust a deployment configuration. What is the BEST way to present this in the final report?

A tester reviews a Python snippet found on a target during an engagement: import os user = input("User: ") os.system("id " + user) Which issue is MOST likely present and why?

A tester captures an NTLMv2 challenge/response on an internal network. The rules of engagement prohibit password cracking and require minimizing impact. What is the BEST next step to attempt lateral movement while complying with the rules?

During planning, the client requires that any discovered critical vulnerability be shared with their SOC within 30 minutes, but all other findings should wait for the final report. Where should this requirement be documented to avoid scope disputes?

While enumerating an internal host, a tester sees port 445 open and suspects the target is vulnerable to SMB relay attacks. What is the most appropriate next step to validate exploitability without immediately attempting exploitation?

A tester is exploiting a file upload feature. The application blocks files ending in .php, but the tester can upload a file named shell.php.jpg and it is stored under the web root. Requests to /uploads/shell.php.jpg return the image content and do not execute code. Which change is MOST likely needed for successful code execution?

A penetration test report will be presented to both executives and the engineering team. Which approach BEST ensures the report is actionable for engineering while still consumable by leadership?

A tester reviews a Python script intended to validate JWTs in a web service. The script decodes the token and accepts it if the signature verification function returns True, but the algorithm field (alg) is taken directly from the token header without restriction. Which vulnerability is MOST likely present?