During an assessment, a penetration tester manages to get RDP access via a low-privilege user. The tester attempts to escalate privileges by running the following commands:
Import-Module .PrintNightmare.ps1
Invoke-Nightmare -NewUser "hacker" -NewPassword "Password123!" -DriverName "Print"
The tester attempts to further enumerate the host with the new administrative privileges by using the runas command. However, the access level is still low. Which of the following actions should the penetration tester take next?

1. A. Log off and log on with "hacker".
2. B. Attempt to add another user.
3. C. Bypass the execution policy.
4. D. Add a malicious printer driver.

Correct Answer: A
In the scenario where a penetration tester uses the PrintNightmare exploit to create a new user with administrative privileges but still experiences low-privilege access, the tester should log off and log on with the new "hacker" account to escalate privileges correctly.
✑ PrintNightmare Exploit:
✑ Commands Breakdown:
✑ Issue:
✑ Solution:
Pentest References:
✑ Privilege Escalation: After gaining initial access, escalating privileges is crucial to gain full control over the target system.
✑ Session Management: Understanding how user sessions work and ensuring that new privileges are recognized by starting a new session.
✑ The use of the PrintNightmare exploit highlights a specific technique for privilege escalation within Windows environments.
By logging off and logging on with the new "hacker" account, the penetration tester can ensure the new administrative privileges are fully applied, allowing for further enumeration and exploitation of the target system.
=================

A penetration tester is conducting a wireless security assessment for a client with 2.4GHz and 5GHz access points. The tester places a wireless USB dongle in the laptop to start capturing WPA2 handshakes. Which of the following steps should the tester take next?

1. A. Enable monitoring mode using Aircrack-ng.
2. B. Use Kismet to automatically place the wireless dongle in monitor mode and collect handshakes.
3. C. Run KARMA to break the password.
4. D. Research WiGLE.net for potential nearby client access points.

Correct Answer: A
Enabling monitoring mode on the wireless adapter is the essential step before capturing WPA2 handshakes. Monitoring mode allows the adapter to capture all wireless traffic in its vicinity, which is necessary for capturing handshakes.
✑ Preparation:
✑ Enable Monitoring Mode:
Step-by-Step Explanationairmon-ng start wlan0
✑ uk.co.certification.simulator.questionpool.PList@3327f1d6 iwconfig
✑ Capture WPA2 Handshakes: airodump-ng wlan0mon
✑ References from Pentesting Literature: References:
✑ Penetration Testing - A Hands-on Introduction to Hacking
✑ HTB Official Writeups
=================

While conducting a peer review for a recent assessment, a penetration tester finds the debugging mode is still enabled for the production system. Which of the following is most likely responsible for this observation?

1. A. Configuration changes were not reverted.
2. B. A full backup restoration is required for the server.
3. C. The penetration test was not completed on time.
4. D. The penetration tester was locked out of the system.

Correct Answer: A
✑ Debugging Mode:
✑ Common Causes:
✑ Best Practices:
✑ References from Pentesting Literature: References:
✑ Penetration Testing - A Hands-on Introduction to Hacking
✑ HTB Official Writeups
=================

A penetration tester gains initial access to a target system by exploiting a recent RCE vulnerability. The patch for the vulnerability will be deployed at the end of the week. Which of the following utilities would allow the tester to reenter the system remotely after the patch has been deployed? (Select two).

1. A. schtasks.exe
2. B. rundll.exe
3. C. cmd.exe
4. D. chgusr.exe
5. E. sc.exe
6. F. netsh.exe

Correct Answer: AE
To reenter the system remotely after the patch for the recently exploited RCE vulnerability has been deployed, the penetration tester can use schtasks.exe and sc.exe.
✑ schtasks.exe:
schtasks /create /tn "Backdoor" /tr "C:\path\to\backdoor.exe" /sc daily /ru SYSTEM
✑ sc.exe:
sc create backdoor binPath= "C:\path\to\backdoor.exe" start= auto
✑ Other Utilities:
Pentest References:
✑ Post-Exploitation: Establishing persistence is crucial to maintaining access after initial exploitation.
✑ Windows Tools: Understanding how to leverage built-in Windows tools like
schtasks.exe and sc.exe to create backdoors that persist through reboots and patches.
By using schtasks.exe and sc.exe, the penetration tester can set up persistent mechanisms that will allow reentry into the system even after the patch is applied.
=================

A penetration tester obtains password dumps associated with the target and identifies strict lockout policies. The tester does not want to lock out accounts when attempting access.
Which of the following techniques should the tester use?

1. A. Credential stuffing
2. B. MFA fatigue
3. C. Dictionary attack
4. D. Brute-force attack

Correct Answer: A
To avoid locking out accounts while attempting access, the penetration tester should use credential stuffing.
✑ Credential Stuffing:
✑ Other Techniques:
Pentest References:
✑ Password Attacks: Understanding different types of password attacks and their implications on account security.
✑ Account Lockout Policies: Awareness of how lockout mechanisms work and strategies to avoid triggering them during penetration tests.
By using credential stuffing, the penetration tester can attempt to gain access using known credentials without triggering account lockout policies, ensuring a stealthier approach to password attacks.
=================