Question 1

An image thumbnailer service accepts a url and fetches the image server-side. The server runs inside AWS. You can supply gopher:// URIs.

Which chain most likely yields temporary AWS credentials that let you enumerate S3 buckets in the same account?

Options :

A : Use SSRF to http://169.254.169.254/latest/meta-data/iam/security-credentials/ and then fetch the role name and token.

B : Submit gopher://169.254.169.254:80/_GET%20/... to craft precise TCP requests to metadata endpoint.

C : Use SSRF to query http://metadata.google.internal instead.

D : Use SSRF to initiate a reverse shell back to you.

Answer: B

Question 2

* * * * * tar -czf /root/backup.tar /home/user/*

Which filenames trigger escalation? (Select all that apply)

Options :

A : --checkpoint=1

B : --checkpoint-action=exec=sh shell.sh

C : normal.txt

D : ../../etc/passwd

E : ; bash

Answer: A,B

Question 3

You gain SELECT access via SQLi on MySQL. You want SUPER privileges.

What technique applies?

Options :

A : Exploit INTO OUTFILE to drop reverse shell

B : Abuse SET GLOBAL general_log_file + write webshell

C : Elevate using UNION SELECT grant_option_priv

D : Modify mysql.user directly with injected UPDATE

Answer: D

Question 4

During a penetration test, you find a reflected XSS in a GET parameter ?q=. The web app sets a HttpOnly session cookie. Which of the following BEST allows you to hijack the victim’s authenticated session?

Options :

A : Steal cookies with document.cookie

B : Inject JS to perform CSRF requests using victim’s session

C :

D : Bruteforce the session token using ffuf

Answer: B

Question 5

A server validates Host headers strictly to cdn.example.com. You want SSRF against localhost.

Which technique is MOST effective?

Options :

A : Use 127.0.0.1 directly

B : Use localhost.example.co

C : Use a DNS rebinding domain that resolves to 127.0.0.1 after initial validation

D : Use %2elocalhost encoding

Answer: C

Confidently Practice Online with Free OSWA Exam Cram

Buying Options: