OffSec OSCP PEN200 OffSec Certified Professional Exam, Exams of Technology

The OSCP (PEN-200) Exam, offered by Offensive Security, is a hands-on penetration testing certification requiring candidates to exploit multiple machines in a live lab environment. It emphasizes real-world offensive security skills, report writing, and independent problem-solving. OSCP is widely regarded as one of the most challenging and respected penetration testing certifications globally.

Typology: Exams

2025/2026

Available from 01/24/2026

shilpi-jain-2
OffSec OSCP PEN200 OffSec Certified
Professional Exam
Question 1. Which mindset is emphasized by OffSec to succeed in the OSCP labs?
A) “Quick and shallow”
B) “Try Harder”
C) “Automate everything”
D) “Ignore the rules”
Answer: B
Explanation: OffSec promotes the “Try Harder” mindset, encouraging persistence, deep
problem solving, and continual learning when obstacles arise.
Question 2. In a typical Rules of Engagement (RoE) document, which item is *not* usually
defined?
A) Scope of IP addresses
B) Allowed tools and techniques
C) Salary of the penetration tester
D) Time window for testing
Answer: C
Explanation: A RoE outlines scope, tools, timing, and reporting requirements; it never includes
compensation details.
Question 3. Which of the following is the most appropriate opening paragraph for an OSCP
executive summary?
A) Detailed technical commands used during exploitation
B) A high-level overview of findings, risk rating, and remediation priorities
C) A list of every open port discovered
D) Source code of custom scripts written
Answer: B
Explanation: Executive summaries should be concise, high-level, and focus on risk and remediation for non-technical stakeholders.
Question 4. In Kali Linux, which command displays the current working directory?
A) pwd
B) ls
C) cd
D) cat
Answer: A
Explanation: pwd (print working directory) shows the absolute path of the current directory.
Question 5. Which file stores user-defined aliases in a default Kali installation?
A) /etc/passwd
B) /etc/hosts
C) ~/.bashrc
D) /var/log/syslog
Answer: C
Explanation: ~/.bashrc is executed for interactive non-login shells and typically contains custom aliases.
Question 6. To permanently start the SSH service on Kali at boot, which command is correct?
A) systemctl enable ssh
B) service ssh start
C) sshd --enable
D) rcconf sshd

C) ip.addr == 80
D) udp.port == 80
Answer: B
Explanation: The display filter http limits the view to packets identified as HTTP protocol.
Question 10. Which shebang line correctly invokes Python 3 for a script on Kali?
A) #!/usr/bin/python
B) #!/usr/bin/env python
C) #!/bin/python
D) #!/usr/local/bin/python2.
Answer: B
Explanation: #!/usr/bin/env python3 uses the environment to locate the Python 3 interpreter, ensuring the script runs with Python 3.
Question 11. What does the Bash built-in $(command) construct do?
A) Executes command in the background
B) Performs arithmetic expansion
C) Captures the command’s output for substitution
D) Starts a new shell session
Answer: C
Explanation: $(command) runs the command and substitutes its standard output into the surrounding command line.
Question 12. Which of the following OSINT techniques is best for discovering subdomains of a target domain?
A) WHOIS lookup

B) Reverse DNS lookup
C) DNS zone transfer attempt
D) Google Dork “site:example.com”
Answer: C
Explanation: Attempting a DNS zone transfer (AXFR) can reveal all subdomains if the DNS server is misconfigured.
Question 13. Which Google Dork would help locate publicly exposed .git directories?
A) intitle:"index of" .git
B) filetype:gitconfig “password”
C) inurl:.git “config”
D) allinurl:.git “HEAD”
Answer: C
Explanation: inurl:.git "config" searches for URLs containing .git and the word “config,” often exposing Git configuration files.
Question 14. When performing a passive WHOIS query, which piece of information is not typically returned?
A) Registrant email address
B) Domain creation date
C) Open ports on the host
D) Name server list
Answer: C
Explanation: WHOIS provides registration data, not network service information such as open ports.

Explanation: Authenticated scans run with valid credentials, allowing the scanner to examine internal configurations, patch levels, and privileged services that unauthenticated scans cannot see.
Question 18. Which CVE database provides a public API for automated vulnerability look-ups?
A) Exploit-DB
B) NVD (National Vulnerability Database)
C) Metasploit Framework
D) Packet Storm
Answer: B
Explanation: NVD offers a RESTful API that can be queried for CVE details, severity scores, and references.
Question 19. When enumerating SMB shares with enum4linux, which option requests a list of user accounts?
A) -U
B) -S
C) -G
D) -a
Answer: D
Explanation: The -a (all) flag tells enum4linux to perform a full enumeration, including users, groups, and shares.
Question 20. Which LDAP query can reveal all domain users in an Active Directory environment?
A) (objectClass=person)
B) (sAMAccountName=*)

C) (userPrincipalName=*)
D) (memberOf=*)
Answer: B
Explanation: The filter (sAMAccountName=*) matches any account with a SAM account name, effectively returning all domain user objects.
Question 21. Which SNMP community string is considered the default read-only community on many devices?
A) private
B) public
C) admin
D) community
Answer: B
Explanation: “public” is the default read-only community string on many SNMP-enabled devices, while “private” is often the default read-write string.
Question 22. Which SMTP command can be abused to enumerate valid email addresses on a misconfigured server?
A) HELO
B) VRFY
C) DATA
D) QUIT
Answer: B
Explanation: The VRFY command asks the server to verify whether a given mailbox exists, making it useful for enumeration.

Explanation: The Spider crawls the target site, automatically discovering pages, parameters, and endpoints.
Question 26. In Burp Suite, which payload type would you select to test for a classic SQL injection via numeric parameters?
A) Fuzzing payloads
B) Simple list – numbers 0-9
C) Hex payloads
D) Null bytes
Answer: B
Explanation: A simple list of numeric values (0-9) is ideal for testing numeric-based SQL injection points.
Question 27. Which HTTP header is most commonly manipulated to perform a reflected XSS attack?
A) User-Agent
B) Host
C) Referer
D) Cookie
Answer: A
Explanation: The User-Agent header is often reflected in page content without proper sanitization, making it a frequent vector for reflected XSS.
Question 28. In a Local File Inclusion (LFI) attack, which PHP wrapper can be used to read arbitrary files?
A) php://input
B) file://

C) data://text/plain,
D) php://filter/convert.base64-encode/resource=
Answer: D
Explanation: The php://filter wrapper can read a file and apply a base64 encoding filter, allowing attackers to bypass simple filters and retrieve file contents.
Question 29. Which of the following is a typical indicator of a successful Remote File Inclusion (RFI) exploitation?
A) The web server crashes immediately.
B) The attacker’s PHP code is executed, displaying “Hello World” on the page.
C) The target’s firewall logs a blocked request.
D) The DNS resolution fails for the target domain.
Answer: B
Explanation: RFI works by including a remote script; if the script runs and outputs “Hello World,” the inclusion succeeded.
Question 30. Which SQL injection technique does NOT rely on error messages from the database?
A) Error-based injection
B) Union-based injection
C) Boolean-based blind injection
D) Time-based blind injection
Answer: C
Explanation: Boolean-based blind injection infers true/false conditions through page content differences, without needing error messages.

Answer: B
Explanation: script-src 'none' prevents any inline or external scripts from executing, blocking many reflected XSS payloads.
Question 34. In a command injection vulnerability, which character is often used to terminate the original command and start a new one on Linux shells?
A) &
B) %
C) $
D) #
Answer: A
Explanation: The ampersand (&) ends the current command and runs the following command in the background, a common technique for chaining commands.
Question 35. Which of the following payloads would bypass a naive filter that blocks the word “cat” but allows “c@t”?
A) c@t /etc/passwd
B) cat /etc/passwd
C) c!t /etc/passwd
D) c#t /etc/passwd
Answer: A
Explanation: Replacing “a” with “@” evades simple string-matching filters while still being interpreted as “cat” by the shell.
Question 36. Which Linux command can be used to list all setuid binaries on a compromised host?
A) find / -perm -4000 -type f 2>/dev/null

B) ls -l /usr/bin | grep s
C) dpkg -l | grep setuid
D) cat /etc/passwd | grep setuid
Answer: A
Explanation: find / -perm -4000 -type f searches the entire filesystem for files with the setuid bit set.
Question 37. Which of the following is a common post-exploitation technique to maintain persistence on a Linux system?
A) Adding a cron job that launches a reverse shell
B) Deleting /etc/shadow
C) Disabling the firewall
D) Changing the hostname
Answer: A
Explanation: A cron job that periodically runs a reverse shell ensures the attacker can regain access even after a reboot.
Question 38. In Windows, which service is frequently targeted for privilege escalation via unquoted service paths?
A) wuauserv
B) spoolsv.exe
C) svchost.exe
D) rpcss
Answer: C
Explanation: svchost.exe often runs many services; if a service’s executable path is unquoted and contains spaces, an attacker can place a malicious binary earlier in the path to achieve escalation.

Answer: A
Explanation: -sV probes open ports to determine service versions.
Question 42. Which enumeration tool is specifically designed for extracting information from Microsoft Exchange servers?
A) enum4linux
B) smtp-user-enum
C) ExchangeVulnScanner
D) GetExchangeInfo.ps
Answer: D
Explanation: GetExchangeInfo.ps1 is a PowerShell script that gathers Exchange configuration and version details.
Question 43. Which of the following is a valid reason to perform an unauthenticated scan before an authenticated one?
A) To identify external attack surface visible to any attacker
B) To obtain root credentials automatically
C) To bypass firewalls
D) To speed up scanning by using default credentials
Answer: A
Explanation: An unauthenticated scan simulates what an external attacker can see without any privileged access, helping to prioritize external vulnerabilities.
Question 44. Which command can be used to enumerate users via SMB without authentication?
A) smbclient -L //target --no-pass
B) nmap -sU -p 137 target

C) rpcclient -U "" target
D) net view \\target /all
Answer: C
Explanation: rpcclient -U "" target attempts an anonymous RPC connection, often revealing user accounts if the server allows null sessions.
Question 45. In a web application, which HTTP method is typically used to upload files?
A) GET
B) POST
C) HEAD
D) TRACE
Answer: B
Explanation: File uploads are normally performed via POST requests containing multipart/form-data.
Question 46. Which of the following Burp Suite extensions helps automate parameter discovery?
A) Autorize
B) Intruder Payloads
C) Param Miner
D) Logger++
Answer: C
Explanation: Param Miner identifies hidden or undocumented parameters by analyzing server responses.

Explanation: --tables instructs sqlmap to retrieve the list of tables in the identified database.
Question 50. Which of the following is a recommended practice when writing a penetration testing report?
A) Use technical jargon exclusively.
B) Include a clear executive summary, methodology, findings, and remediation.
C) Provide raw packet captures without analysis.
D) List every single command executed.
Answer: B
Explanation: A well-structured report balances technical detail with actionable remediation and includes an executive summary for stakeholders.
Question 51. Which Linux command is used to capture live traffic on interface eth0 and write to a file?
A) tcpdump -i eth0 -w capture.pcap
B) wireshark -i eth0 -o capture.pcap
C) netcat -l eth0 > capture.pcap
D) ping -i eth0 -w capture.pcap
Answer: A
Explanation: tcpdump -i eth0 -w capture.pcap captures packets on eth0 and saves them to the specified file.
Question 52. Which of the following is the default password for the “root” user in the OffSec Kali VM (when first installed)?
A) toor
B) root

C) kali
D) password
Answer: A
Explanation: The default root password for Kali Linux is “toor” unless changed during setup.
Question 53. Which of the following is a common sign that a web server is vulnerable to directory traversal?
A) Accessing /etc/passwd via ../../../../etc/passwd returns file contents.
B) The server returns a 404 for any unknown URL.
C) The site uses HTTPS.
D) The server header shows “Apache/2.4.41”.
Answer: A
Explanation: Successful retrieval of system files through path traversal (../) indicates a directory traversal vulnerability.
Question 54. Which HTTP status code is most commonly associated with a successful login page that redirects?
A) 200 OK
B) 301 Moved Permanently
C) 302 Found
D) 403 Forbidden
Answer: C
Explanation: 302 Found is used for temporary redirects after form submissions, such as successful logins.
Question 55. Which tool can be used to fuzz HTTP parameters for potential command injection?