The OSCP (PEN-200) Exam, offered by Offensive Security, is a hands-on penetration testing certification requiring candidates to exploit multiple machines in a live lab environment. It emphasizes real-world offensive security skills, report writing, and independent problem-solving. OSCP is widely regarded as one of the most challenging and respected penetration testing certifications globally.
Typology: Exams
Question 1. Which mindset is emphasized by OffSec to succeed in the OSCP labs?
A) “Quick and shallow”
B) “Try Harder”
C) “Automate everything”
D) “Ignore the rules”
Answer: B
Explanation: OffSec promotes the “Try Harder” mindset, encouraging persistence, deep problem solving, and continual learning when obstacles arise.

Question 2. In a typical Rules of Engagement (RoE) document, which item is not usually defined?
A) Scope of IP addresses
B) Allowed tools and techniques
C) Salary of the penetration tester
D) Time window for testing
Answer: C
Explanation: A RoE outlines scope, tools, timing, and reporting requirements; it never includes compensation details.

Question 3. Which of the following is the most appropriate opening paragraph for an OSCP executive summary?
A) Detailed technical commands used during exploitation
B) A high-level overview of findings, risk rating, and remediation priorities
C) A list of every open port discovered
D) Source code of custom scripts written
Answer: B
Explanation: Executive summaries should be concise, high-level, and focus on risk and remediation for non-technical stakeholders.

Question 4. In Kali Linux, which command displays the current working directory?
A) pwd
B) ls
C) cd
D) cat
Answer: A
Explanation: pwd (print working directory) shows the absolute path of the current directory.

Question 5. Which file stores user-defined aliases in a default Kali installation?
A) /etc/passwd
B) /etc/hosts
C) ~/.bashrc
D) /var/log/syslog
Answer: C
Explanation: ~/.bashrc is executed for interactive non-login shells and typically contains custom aliases.

Question 6. To permanently start the SSH service on Kali at boot, which command is correct?
A) systemctl enable ssh
B) service ssh start
C) sshd --enable
D) rcconf sshd

C) ip.addr == 80
D) udp.port == 80
Answer: B
Explanation: The display filter http limits the view to packets identified as HTTP protocol.

Question 10. Which shebang line correctly invokes Python 3 for a script on Kali?
A) #!/usr/bin/python
B) #!/usr/bin/env python
C) #!/bin/python
D) #!/usr/local/bin/python2
Answer: B
Explanation: #!/usr/bin/env python3 uses the environment to locate the Python 3 interpreter, ensuring the script runs with Python 3.

Question 11. What does the Bash built-in $(command) construct do?
A) Executes command in the background
B) Performs arithmetic expansion
C) Captures the command’s output for substitution
D) Starts a new shell session
Answer: C
Explanation: $(command) runs the command and substitutes its standard output into the surrounding command line.

Question 12. Which of the following OSINT techniques is best for discovering subdomains of a target domain?
A) WHOIS lookup
B) Reverse DNS lookup
C) DNS zone transfer attempt
D) Google Dork “site:example.com”
Answer: C
Explanation: Attempting a DNS zone transfer (AXFR) can reveal all subdomains if the DNS server is misconfigured.

Question 13. Which Google Dork would help locate publicly exposed .git directories?
A) intitle:"index of" .git
B) filetype:gitconfig “password”
C) inurl:.git “config”
D) allinurl:.git “HEAD”
Answer: C
Explanation: inurl:.git "config" searches for URLs containing .git and the word “config,” often exposing Git configuration files.

Question 14. When performing a passive WHOIS query, which piece of information is not typically returned?
A) Registrant email address
B) Domain creation date
C) Open ports on the host
D) Name server list
Answer: C
Explanation: WHOIS provides registration data, not network service information such as open ports.

Explanation: Authenticated scans run with valid credentials, allowing the scanner to examine internal configurations, patch levels, and privileged services that unauthenticated scans cannot see.

Question 18. Which CVE database provides a public API for automated vulnerability look-ups?
A) Exploit-DB
B) NVD (National Vulnerability Database)
C) Metasploit Framework
D) Packet Storm
Answer: B
Explanation: NVD offers a RESTful API that can be queried for CVE details, severity scores, and references.

Question 19. When enumerating SMB shares with enum4linux, which option requests a list of user accounts?
A) -U
B) -S
C) -G
D) -a
Answer: D
Explanation: The -a (all) flag tells enum4linux to perform a full enumeration, including users, groups, and shares.

Question 20. Which LDAP query can reveal all domain users in an Active Directory environment?
A) (objectClass=person)
B) (sAMAccountName=*)
C) (userPrincipalName=*)
D) (memberOf=*)
Answer: B
Explanation: The filter (sAMAccountName=*) matches any account with a SAM account name, effectively returning all domain user objects.

Question 21. Which SNMP community string is considered the default read-only community on many devices?
A) private
B) public
C) admin
D) community
Answer: B
Explanation: “public” is the default read-only community string on many SNMP-enabled devices, while “private” is often the default read-write string.

Question 22. Which SMTP command can be abused to enumerate valid email addresses on a misconfigured server?
A) HELO
B) VRFY
C) DATA
D) QUIT
Answer: B
Explanation: The VRFY command asks the server to verify whether a given mailbox exists, making it useful for enumeration.

Explanation: The Spider crawls the target site, automatically discovering pages, parameters, and endpoints.

Question 26. In Burp Suite, which payload type would you select to test for a classic SQL injection via numeric parameters?
A) Fuzzing payloads
B) Simple list – numbers 0-9
C) Hex payloads
D) Null bytes
Answer: B
Explanation: A simple list of numeric values (0-9) is ideal for testing numeric-based SQL injection points.

Question 27. Which HTTP header is most commonly manipulated to perform a reflected XSS attack?
A) User-Agent
B) Host
C) Referer
D) Cookie
Answer: A
Explanation: The User-Agent header is often reflected in page content without proper sanitization, making it a frequent vector for reflected XSS.

Question 28. In a Local File Inclusion (LFI) attack, which PHP wrapper can be used to read arbitrary files?
A) php://input
B) file://
C) data://text/plain,
D) php://filter/convert.base64-encode/resource=
Answer: D
Explanation: The php://filter wrapper can read a file and apply a base64 encoding filter, allowing attackers to bypass simple filters and retrieve file contents.

Question 29. Which of the following is a typical indicator of a successful Remote File Inclusion (RFI) exploitation?
A) The web server crashes immediately.
B) The attacker’s PHP code is executed, displaying “Hello World” on the page.
C) The target’s firewall logs a blocked request.
D) The DNS resolution fails for the target domain.
Answer: B
Explanation: RFI works by including a remote script; if the script runs and outputs “Hello World,” the inclusion succeeded.

Question 30. Which SQL injection technique does NOT rely on error messages from the database?
A) Error-based injection
B) Union-based injection
C) Boolean-based blind injection
D) Time-based blind injection
Answer: C
Explanation: Boolean-based blind injection infers true/false conditions through page content differences, without needing error messages.

Answer: B
Explanation: script-src 'none' prevents any inline or external scripts from executing, blocking many reflected XSS payloads.

Question 34. In a command injection vulnerability, which character is often used to terminate the original command and start a new one on Linux shells?
A) &
B) %
C) $
D) #
Answer: A
Explanation: The ampersand (&) ends the current command and runs the following command in the background, a common technique for chaining commands.

Question 35. Which of the following payloads would bypass a naive filter that blocks the word “cat” but allows “c@t”?
A) c@t /etc/passwd
B) cat /etc/passwd
C) c!t /etc/passwd
D) c#t /etc/passwd
Answer: A
Explanation: Replacing “a” with “@” evades simple string-matching filters while still being interpreted as “cat” by the shell.

Question 36. Which Linux command can be used to list all setuid binaries on a compromised host?
A) find / -perm -4000 -type f 2>/dev/null
B) ls -l /usr/bin | grep s
C) dpkg -l | grep setuid
D) cat /etc/passwd | grep setuid
Answer: A
Explanation: find / -perm -4000 -type f searches the entire filesystem for files with the setuid bit set.

Question 37. Which of the following is a common post-exploitation technique to maintain persistence on a Linux system?
A) Adding a cron job that launches a reverse shell
B) Deleting /etc/shadow
C) Disabling the firewall
D) Changing the hostname
Answer: A
Explanation: A cron job that periodically runs a reverse shell ensures the attacker can regain access even after a reboot.

Question 38. In Windows, which service is frequently targeted for privilege escalation via unquoted service paths?
A) wuauserv
B) spoolsv.exe
C) svchost.exe
D) rpcss
Answer: C
Explanation: svchost.exe often runs many services; if a service’s executable path is unquoted and contains spaces, an attacker can place a malicious binary earlier in the path to achieve escalation.

Answer: A
Explanation: -sV probes open ports to determine service versions.

Question 42. Which enumeration tool is specifically designed for extracting information from Microsoft Exchange servers?
A) enum4linux
B) smtp-user-enum
C) ExchangeVulnScanner
D) GetExchangeInfo.ps
Answer: D
Explanation: GetExchangeInfo.ps1 is a PowerShell script that gathers Exchange configuration and version details.

Question 43. Which of the following is a valid reason to perform an unauthenticated scan before an authenticated one?
A) To identify external attack surface visible to any attacker
B) To obtain root credentials automatically
C) To bypass firewalls
D) To speed up scanning by using default credentials
Answer: A
Explanation: An unauthenticated scan simulates what an external attacker can see without any privileged access, helping to prioritize external vulnerabilities.

Question 44. Which command can be used to enumerate users via SMB without authentication?
A) smbclient -L //target --no-pass
B) nmap -sU -p 137 target
C) rpcclient -U "" target
D) net view \\target /all
Answer: C
Explanation: rpcclient -U "" target attempts an anonymous RPC connection, often revealing user accounts if the server allows null sessions.

Question 45. In a web application, which HTTP method is typically used to upload files?
A) GET
B) POST
C) HEAD
D) TRACE
Answer: B
Explanation: File uploads are normally performed via POST requests containing multipart/form-data.

Question 46. Which of the following Burp Suite extensions helps automate parameter discovery?
A) Autorize
B) Intruder Payloads
C) Param Miner
D) Logger++
Answer: C
Explanation: Param Miner identifies hidden or undocumented parameters by analyzing server responses.

Explanation: --tables instructs sqlmap to retrieve the list of tables in the identified database.

Question 50. Which of the following is a recommended practice when writing a penetration testing report?
A) Use technical jargon exclusively.
B) Include a clear executive summary, methodology, findings, and remediation.
C) Provide raw packet captures without analysis.
D) List every single command executed.
Answer: B
Explanation: A well-structured report balances technical detail with actionable remediation and includes an executive summary for stakeholders.

Question 51. Which Linux command is used to capture live traffic on interface eth0 and write to a file?
A) tcpdump -i eth0 -w capture.pcap
B) wireshark -i eth0 -o capture.pcap
C) netcat -l eth0 > capture.pcap
D) ping -i eth0 -w capture.pcap
Answer: A
Explanation: tcpdump -i eth0 -w capture.pcap captures packets on eth0 and saves them to the specified file.

Question 52. Which of the following is the default password for the “root” user in the OffSec Kali VM (when first installed)?
A) toor
B) root
C) kali
D) password
Answer: A
Explanation: The default root password for Kali Linux is “toor” unless changed during setup.

Question 53. Which of the following is a common sign that a web server is vulnerable to directory traversal?
A) Accessing /etc/passwd via ../../../../etc/passwd returns file contents.
B) The server returns a 404 for any unknown URL.
C) The site uses HTTPS.
D) The server header shows “Apache/2.4.41”.
Answer: A
Explanation: Successful retrieval of system files through path traversal (../) indicates a directory traversal vulnerability.

Question 54. Which HTTP status code is most commonly associated with a successful login page that redirects?
A) 200 OK
B) 301 Moved Permanently
C) 302 Found
D) 403 Forbidden
Answer: C
Explanation: 302 Found is used for temporary redirects after form submissions, such as successful logins.

Question 55. Which tool can be used to fuzz HTTP parameters for potential command injection?