OSCP practice questions for 2025–2026 help learners develop ethical hacking and penetration testing skills. They cover topics such as network scanning, vulnerability assessment, exploitation, privilege escalation, web application security, and post-exploitation. Reviewing correct answers improves understanding of attack methods and defensive techniques while reinforcing hands-on problem-solving. Regular practice prepares candidates for the practical OSCP examination and strengthens real-world cybersecurity knowledge, making learners more confident and competent in identifying and securing system vulnerabilities.
What is a SID for and where does it come from?
ANS: The SID for local accounts and groups is generated by the LSA; the domain controller generates it for domain users and groups. The SID is immutable.

Parts of an SID
ANS: S-R-X-Y
S - a literal S, which indicates that the string is an SID
R - the revision, which is always 1
X - the identifier authority, which indicates what kind of entity created the SID, whether it be the local computer or the domain controller
Y - the sub-authorities of the identifier authority: the domain identifier and the relative identifier (RID)

Well-known SIDs
ANS: These are SIDs with an RID under 1000; they identify generic groups etc. in a domain.

RID
ANS: The relative identifier is the part of an SID that uniquely identifies that asset in a domain.

Primary Non-Auth Windows Privilege Escalation Strategies
ANS:
Service Binary Hijacking
Service DLL Hijacking
Unquoted Service Paths
Scheduled Tasks Exploits

Get-CimInstance Usage Caveat
ANS: When running this command via a bind shell or WinRM we will get a permission denied error. Using an interactive logon like RDP solves this problem.

Enumerate Windows permissions from the command line with these two commands:
ANS: icacls, get-acl

Why is it that sometimes service binaries are world writeable?
ANS: When creating a new service, sometimes people set the directory permissions of the service to be full because they don't know what permissions will be needed.

What are the default actions for powerup.ps1's exploit functions?
ANS: They will add a user named john with the password Password123!

What are the methods for performing a successful DLL hijacking?
ANS:
- You can directly overwrite the DLL in use, and write your own functions to add yourself as an admin user.

Where are credentials and other configuration pieces of information often stored on Unix systems?
ANS: Dot files - in the user's home directory these are files whose names start with a period, "."

How can we look for passwords of processes that run often?
ANS: watch -n 1 "ps -aux | grep pass" or pspy64s - and look for "password"

How would we run tcpdump to look for passwords being sent in cleartext?
ANS: sudo tcpdump -i lo -A | grep "pass"

How can /etc/passwd be exploited?
ANS: In the past, password hashes were written to /etc/passwd; if you can write a password hash to /etc/passwd you can gain access to someone's account. You create the password with the following commands:
openssl passwd w00t
echo "root2:Fdzt.eqJQ4s0g:0:0:root:/root:/bin/bash" >> /etc/passwd

What are some example ways of abusing sudo?
ANS: If you see you can run a script with sudo, can you modify the script? Can you modify what is run if there is a *, like the arguments? Do you see anything on GTFOBins for the binary? Is there a path vulnerability?

How do you start socat listening on 2345 and forward the data to 10.4.5.215 on port 5432?
ANS: socat -ddd TCP-LISTEN:2345,fork TCP:10.4.50.215:

How do you create an SSH local port forward on 4455 to 172.16.50.217 445 through 10.4.50.215 without getting an interactive shell?
ANS: ssh -N -L 0.0.0.0:4455:172.16.50.217:445 [email protected].

What is RSAT?
ANS: These are the Remote Server Administration Tools, which allow you to run commands like get-aduser. They are only installed on domain controllers by default.

How can unrolled AD privilege vulnerabilities be exploited?
ANS: In BloodHound you should look at your unrolled groups and see if there are any privileges that have been unintentionally given to your account. In one example, you may be a part of a group, which is a part of a group, which is a part of the account administrators group. Since you are inevitably a part of the account administrators group, you might be able to make accounts.

How do you list all the computers in the domain in PowerView?
ANS: Get-NetComputer

How can we find out information about the account lockout policy?
ANS: net accounts

How can we spray passwords using SMB and crackmapexec?
ANS: crackmapexec smb 192.168.50.75 -u users.txt -p 'Nexus123!' -d corp.com --continue-on-success

What is the difference between AS-REP roasting and Kerberoasting?
ANS: Both Kerberoasting and AS-REP roasting rely on cracking a ticket, as they are encrypted with the password of the target account. AS-REP Roast attacks target TGTs for user accounts where pre-authentication is disabled, whereas Kerberoasting attacks target TGS tickets for service accounts with SPNs, requiring a valid AD account for ticket requests. In short, for an AS-REP roast attack you do not need a valid TGT in the target domain, but you do need one for a Kerberoast attack.

What does preauthentication do and how does it relate to AS-REP Roasting?
ANS: If preauthentication is disabled for an account, that means that anyone will be able to request a TGT for that account. Essentially, accounts that are not even on the network would be able to impersonate that account. If you acquire one of these TGT tickets, since it is encrypted with the password of the account that owns it, you would be able to crack the TGT to get the account's password.