
1. You are performing an internal vulnerability assessment. During the initial
phases, you were able to discover a number of database servers; however, you were
unable to compromise any of them or take control over them. What would you include
in your final report regarding the aforementioned servers?

2. Upload a working exploit for the following vulnerability:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6066 to Dropbox (or any
similar service) and share it with us. Also provide the step-by-step process you
have taken to create the exploit.

3. Name 5 common methods with high success rates for compromising an MS workstation
in an internal assessment.

4. Name as many Microsoft privilege escalation techniques as possible (where the
goal of the escalation is to obtain Domain Admin access) that are executed after
you gain the following access on each of the following:
1. Local administrative privilege on a target workstation (member of the MS domain)
2. SA access on a target MSSQL database (member of the MS domain)
3. Tomcat web admin access on a Tomcat console running on a server that is a member
of the MS domain
4. Workstation that is not a member of the domain

5. Is using Active Directory to push randomly generated strong passwords to the
local administrator accounts across the domain members a good or bad practice?
Please elaborate your answer.

6. How do viruses and malware communicate with their command and control server
within an environment which uses a transparent proxy with AD authentication?
Please provide as many technical details in your answer as possible and mention as
many techniques as you know of.

7. Describe as many techniques as possible which allow the attacker to log on to
the victim's email (through OWA) without knowing the victim's password.

8. In a WIFI assessment, describe as many methods as possible for compromising a
WPA2-Corporate access point.

9. Name two different methods for protecting against buffer and stack overflows
other than patching. The required solution should be on a Microsoft system.

10. Consider a WIFI assessment. Your target is the CEO's wireless access point
residing on the 12th floor. Given that you are not allowed to physically go to that
floor, how can you compromise the wireless network considering the distance?

11. Assume that you are performing a web-based penetration test. Also consider that
you have no knowledge of the server's PHP code nor of the database structure.

Describe your step-by-step approach (with technical details) on how to retrieve the
application's usernames and passwords.

Consider the hints below, bearing in mind that we are assuming you do not know this
information, so your answer must follow that assumption. These details are merely
provided to you for the sake of constructing your scenario.

Hint 1: The members table name is "users", the username column name is "username",
and the password column name is "password".
Hint 2: Below is the target server code:
<?php
if (isset($_GET['Submit']))
{
// Retrieve article (assumes a mysql_connect() connection was opened earlier)

$page_id = $_GET['page_id'];
$page_id = mysql_real_escape_string($page_id);

// Note: $page_id is interpolated without quotes, so the escaping above does not apply
$page_record = "SELECT page_title, page_body FROM articles WHERE article_id = $page_id";
$result = mysql_query($page_record);

$title=mysql_result($result,0,"page_title");
$body=mysql_result($result,0,"page_body");

echo "<h1>$title</h1><br />";
echo "$body<br />";
}
?>
12. Consider the same target as in the previous question (the same source code and
database structure, and your level of knowledge of the application still being zero).
This time, however, there are no records in the articles table, so you will always
retrieve a blank page when trying to fetch an article. Describe which technique you
should use in order to retrieve the users' credentials.
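As an added example that is not part of the questionnaire or its target code: the same article handler from question 11 rewritten the way a defender would fix it, which also makes clear why the original stays exploitable in question 12's no-records case. It assumes a PDO connection with constructed credentials.

```php
<?php
// Added example (not the page's code): the article handler from question 11,
// hardened. mysql_real_escape_string() only escapes quote characters, but
// $page_id is interpolated unquoted into the SQL, so input that contains no
// quote reaches the database as SQL text. Binding the value and validating
// its type closes that hole whether or not the articles table has rows.
//
// Constructed connection details; not from the page.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // server-side prepared statements
]);

if (isset($_GET['Submit'])) {
    // 1. Type validation: article_id is numeric, so accept only a positive
    //    integer and reject everything else before any SQL is built.
    $page_id = filter_input(INPUT_GET, 'page_id', FILTER_VALIDATE_INT,
                            ['options' => ['min_range' => 1]]);
    if ($page_id === false || $page_id === null) {
        http_response_code(400);
        exit('Invalid page id');
    }

    // 2. Prepared statement: the id is bound as data, never spliced into
    //    the query string, so it cannot change what the query does.
    $stmt = $pdo->prepare(
        'SELECT page_title, page_body FROM articles WHERE article_id = :id'
    );
    $stmt->bindValue(':id', $page_id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // 3. Explicit "no such article" path: the original calls mysql_result()
    //    on an empty result set, giving the blank page question 12 relies on.
    if ($row === false) {
        http_response_code(404);
        exit('Article not found');
    }

    // 4. Output encoding: the original echoes database content verbatim;
    //    encoding it keeps stored content from being rendered as markup.
    $title = htmlspecialchars($row['page_title'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $body  = htmlspecialchars($row['page_body'],  ENT_QUOTES | ENT_HTML5, 'UTF-8');
    echo "<h1>$title</h1><br />";
    echo "$body<br />";
}
```

The 404 branch matters for question 12 as much as the binding does: with a uniform response for "no rows" there is no blank-versus-content difference left to observe.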

13. Provide us with code that executes a cross-site request forgery based on a
"POST" request.

14. Assume you were able to inject JavaScript into the target website (stored XSS).
Your goal is to use jQuery (to be stealthy) and gather the keystrokes of the
victim; once the user clicks any submit button on the infected page, you want to
send the logged keystrokes to your malicious website. You cannot use $.ajax() nor
$.post() due to cross-domain restrictions in all modern browsers. Describe a method
by which you can bypass that through jQuery in order to remain stealthy.

15. What are the risks of allowing your web application to be loaded within an
IFRAME of another FQDN?

16. Provide as many examples as possible (that work on a fully patched browser) for
injecting JavaScript without using script tags.

17. Assume you are performing a web-based vulnerability assessment. You found that
when passing the value "xxxxxxxxxxxxxx" in your request, it is reflected within an
image tag like so:

<img src="/images/image.jpg" alt="xxxxxxxxxxxxxx" />

As a next step, you tried using the following events to complete your XSS POC:

" onmouseover="alert(123)
" onclick="alert(123)
" ondblclick="alert(123)
" onmousedown="alert(123)
" onmousemove="alert(123)
" onmouseout="alert(123)
" onmouseup="alert(123)
" onkeydown="alert(123)
" onkeypress="alert(123)
" onkeyup="alert(123)

However, all were blocked by a web application firewall. Assume the above events
are all the events that the WAF would block and that it also blocks the ">" character.

How can you bypass the WAF?

18. Provide us with an IFRAME code that can be used for clickjacking. We are not
specific about what you need to clickjack, just show us an example of any site of
choice.
