PenTest+ Advanced Practice Exam: Hard Questions 2025
You've made it to the final challenge! Our advanced practice exam features the most difficult questions covering complex scenarios, edge cases, architectural decisions, and expert-level concepts. If you can score well here, you're ready to ace the real CompTIA PenTest+ exam.
Why Advanced Questions Matter
Prove your expertise with our most challenging content
Expert-Level Difficulty
The most challenging questions to truly test your mastery
Complex Scenarios
Multi-step problems requiring deep understanding and analysis
Edge Cases & Traps
Questions that cover rare situations and common exam pitfalls
Exam Readiness
If you pass this, you're ready for the real exam
Expert-Level Practice Questions
10 advanced-level questions for CompTIA PenTest+
You are contracted to perform an external penetration test against a financial services firm. The SOW allows exploitation only if the client’s monitoring team validates each step in real time. The client also requires that testing does not trigger account lockouts or denial-of-service conditions. During planning, you discover the target uses a third-party identity provider (IdP) and the login portal enforces aggressive lockout after five failed attempts, including for API-based auth. Which approach best satisfies the constraints while still enabling credential-related testing?
A client authorizes an internal assessment in a segmented environment with strict egress controls. Your scanning host is in a management VLAN that can reach all subnets, but only via a firewall that silently drops unsolicited inbound traffic from most VLANs. Your initial Nmap scan shows many hosts as down, yet the client insists they are reachable from jump hosts within each VLAN. Which technique most reliably enumerates live hosts across VLANs under these conditions while minimizing false negatives?
During reconnaissance of a SaaS web app, you observe the following behavior: a GraphQL endpoint returns HTTP 200 even for invalid queries, and error details are suppressed in production. Introspection appears disabled. You need to enumerate the schema and identify sensitive fields with minimal requests to avoid triggering WAF thresholds. What is the most effective approach?
A vulnerability scanner flags a critical RCE in a Linux web server package, but the system owner claims it is patched via backported security fixes and cannot be updated due to vendor support constraints. You must validate exploitability without crashing the service. Which method provides the strongest evidence while minimizing operational risk?
You gain initial access to a Linux container running in a Kubernetes cluster. The container has a service account token mounted at /var/run/secrets/kubernetes.io/serviceaccount/token. The PodSecurity settings prevent privileged pods, but you suspect the service account is over-permissioned. The cluster API is reachable only internally. What is the best next step to determine whether you can laterally move or escalate within the cluster?
During an internal engagement, you intercept NTLM authentication to an internal web application and obtain a NetNTLMv2 hash. Password cracking is not feasible within the allowed timeframe, and the client forbids brute-force attacks. You need to demonstrate impact by achieving authenticated access to a file server without obtaining plaintext credentials. Which technique is most appropriate?
You discover a web application uses JWTs for API authorization. The token header includes "alg":"RS256" and the app fetches the signing key from a "jku" URL in the header to support key rotation. The server allows outbound HTTPS but only to a small set of domains via an allowlist. You suspect a key confusion or key injection issue. What is the most likely exploitable weakness to test given this design?
You obtain limited database access via SQL injection in a production application. The client allows proof of data exposure but prohibits exfiltration of full records containing PII. You need to demonstrate risk credibly and safely. Which approach best balances evidentiary value with constraints?
While drafting the final report, you have two high-impact findings: (1) an unauthenticated RCE on an internet-facing asset with low likelihood due to strong WAF rules and tight network allowlists, and (2) a moderate-impact internal privilege escalation with high likelihood and multiple confirmed paths. The client’s leadership wants a single prioritized remediation plan. Which reporting approach best aligns with industry-standard risk communication for technical and executive audiences?
You are reviewing a custom Python utility used by a DevOps team to pull build artifacts. The script executes a shell command constructed from user input:

    cmd = "curl -s " + url + " | tar -xz -C " + dest
    os.system(cmd)

The tool runs as a privileged CI user on a build server. The team argues the URL is validated by a regex that only checks it starts with 'https://'. What is the most critical issue to report, and what is the best remediation direction?
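To make the scenario in the question above concrete, here is an added example (written for this page; only the two quoted lines come from the question) that rebuilds the vulnerable command string so the effect of a prefix-only regex can be inspected, and places a hardened replacement beside it: a parsed URL with a pinned host, a curl invocation as an argv list with no shell, and an extraction step that checks every archive member instead of trusting `tar -xz -C`. The allowlisted host `artifacts.example.internal`, the function names and the constructed test archives are assumptions made here, not details from the page.

```python
import io
import os
import re
import subprocess
import tarfile
import tempfile
from urllib.parse import urlsplit

# --- The pattern from the question (reconstructed; never executed here) ---
# A prefix-only regex proves nothing about the rest of the string, and
# os.system() hands the whole string to /bin/sh, so any shell metacharacter
# after "https://" is interpreted by the shell as the privileged CI user.
PREFIX_ONLY = re.compile(r"^https://")
SHELL_METACHARS = set(";|&`$()<>\n")


def build_vulnerable_cmd(url: str, dest: str) -> str:
    """Builds (but does not run) the string the tool would pass to os.system()."""
    if not PREFIX_ONLY.match(url):
        raise ValueError("rejected by prefix regex")
    return "curl -s " + url + " | tar -xz -C " + dest


def injected_metachars(url: str) -> set:
    """Shell metacharacters in the user-controlled URL that the regex lets through."""
    return set(url) & SHELL_METACHARS


# --- Hardened direction: parse, pin the host, no shell, checked extraction ---
ALLOWED_HOSTS = {"artifacts.example.internal"}  # assumption: the real artifact store


def validate_artifact_url(url: str) -> str:
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("scheme must be https")
    if parts.username is not None or parts.password is not None:
        # https://artifacts.example.internal@evil.example/ passes a naive prefix check
        raise ValueError("userinfo in URL not allowed")
    if parts.hostname not in ALLOWED_HOSTS:
        raise ValueError(f"host not allowlisted: {parts.hostname!r}")
    return url


def download_argv(url: str, out_file: str) -> list:
    """argv for subprocess.run(..., shell=False): the URL is one argument, never shell-parsed."""
    return ["curl", "--silent", "--fail", "--location", "--max-time", "60",
            "--output", out_file, validate_artifact_url(url)]


def safe_extract(tar_path: str, dest: str) -> list:
    """Extract only regular files/dirs that resolve inside dest; reject links and traversal."""
    dest_real = os.path.realpath(dest)
    extracted = []
    with tarfile.open(tar_path, "r:gz") as tf:
        for m in tf.getmembers():
            target = os.path.realpath(os.path.join(dest_real, m.name))
            if os.path.commonpath([dest_real, target]) != dest_real:
                raise ValueError(f"archive member escapes destination: {m.name}")
            if not (m.isfile() or m.isdir()):
                raise ValueError(f"refusing non-regular member: {m.name}")
            # Use the stdlib 'data' filter where this Python version provides it.
            extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tf.extract(m, dest_real, **extra)
            extracted.append(m.name)
    return extracted


def fetch_artifact(url: str, dest: str) -> list:
    """Hardened replacement for the os.system() one-liner (performs a real download)."""
    with tempfile.TemporaryDirectory() as tmp:
        out_file = os.path.join(tmp, "artifact.tgz")
        subprocess.run(download_argv(url, out_file), check=True)
        return safe_extract(out_file, dest)


def make_test_archive(path: str, member_names: list) -> str:
    """Constructed sample data: a .tgz containing one 1-byte file per given member name."""
    with tarfile.open(path, "w:gz") as tf:
        for name in member_names:
            info = tarfile.TarInfo(name=name)
            info.size = 1
            tf.addfile(info, io.BytesIO(b"x"))
    return path
```

Note that `validate_artifact_url` deliberately still accepts a URL such as `https://artifacts.example.internal/a.tgz;id`: with `shell=False` the semicolon is just a byte in one argument, so the host allowlist, not metacharacter filtering, is what carries the security argument. The extraction check matters because the original `tar -xz -C dest` would also honour `../` member names and symlinks from an attacker-controlled archive.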
Ready for the Real Exam?
If you're scoring 85%+ on advanced questions, you're prepared for the actual CompTIA PenTest+ exam!
CompTIA PenTest+ Advanced Practice Exam FAQs
PenTest+ is a professional certification from CompTIA that validates hands-on penetration testing and vulnerability management skills. The current exam code is PT0-003.
The PenTest+ advanced practice exam features the most challenging questions covering complex scenarios, edge cases, and the in-depth technical knowledge required to excel on the PT0-003 exam.
While not required, we recommend mastering the PenTest+ beginner and intermediate practice exams first. The advanced exam assumes strong foundational knowledge and tests expert-level understanding.
If you can consistently score at least 750 on the 900-point scale (the official passing score) on the PenTest+ advanced practice exam, you're likely ready for the real exam. These questions are designed to be at or above actual exam difficulty.