👴Junior to Senior Pentester Interview Prep

On this page I'll try to provide a curated list of interview questions for penetration testers, collected online and by asking real seniors around me, spanning from junior to senior levels. These questions are designed to help you prepare for interviews and cover a range of topics that are, in my opinion, essential for a successful career in pentesting.

Let's start by building a good understanding of common web attacks.

SQL Injection

This attack allows attackers to interfere with the queries that an application makes to its database. By manipulating input fields, an attacker can execute arbitrary SQL code, potentially accessing or modifying data without proper authorization.
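The same login lookup written two ways, as an added example (not code from the original page), against an in-memory SQLite database constructed here with one sample user; the vulnerable version splices the input into the query text, the safe one binds it as a parameter:

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database with one sample user (demo credentials only)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Passwords are stored in clear here only to keep the demo short.
    con.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    con.commit()
    return con


def login_vulnerable(con: sqlite3.Connection, username: str, password: str) -> bool:
    # Untrusted input is spliced into the SQL text, so a quote character in the
    # input terminates the string literal and the remainder is parsed as SQL.
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return con.execute(sql).fetchone() is not None


def login_safe(con: sqlite3.Connection, username: str, password: str) -> bool:
    # Bound parameters travel to the engine separately from the query text,
    # so the input can only ever be compared as data, never parsed as SQL.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return con.execute(sql, (username, password)).fetchone() is not None
```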


It's crucial to know how each attack works, at least in theory, and to be able to tell it apart from attacks that could look similar:


Difference Between LFI and RFI

Local File Inclusion (LFI):

  • Involves including files that are already present on the server's filesystem.

  • Exploits vulnerabilities where user input is used to include files directly from the server.

  • Example: Accessing the /etc/passwd file on the server through a vulnerable parameter.

Remote File Inclusion (RFI):

  • Involves including files from remote servers.

  • Exploits vulnerabilities where user input is used to include files from external URLs.

  • Example: Including a malicious script hosted on an attacker-controlled server into a web application.
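An added example (not from the original page) of a page-include handler that makes the LFI / RFI distinction concrete: a request carrying a URL scheme is treated as a remote include and refused, and a local name is canonicalised and must stay under a fixed templates directory. The templates directory, file name and request values are constructed for the demo.

```python
import os
import tempfile
from urllib.parse import urlparse


def include_page(base_dir: str, requested: str):
    """Return the template's content, or None if the request is rejected."""
    # RFI: any URL scheme (http://, ftp://, ...) means a remote include attempt.
    if urlparse(requested).scheme:
        return None
    # LFI: canonicalise the resolved path and require it to stay under base_dir.
    # os.path.join discards base_dir for an absolute input, and realpath folds
    # any "../" segments, so both cases are caught by the containment check.
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    try:
        inside = os.path.commonpath([base, target]) == base
    except ValueError:  # different drives on Windows
        inside = False
    if not inside or not os.path.isfile(target):
        return None
    with open(target, encoding="utf-8") as fh:
        return fh.read()


def demo() -> dict:
    """Constructed templates directory exercised with a legitimate, an LFI and an RFI request."""
    with tempfile.TemporaryDirectory() as base:
        with open(os.path.join(base, "about.html"), "w", encoding="utf-8") as fh:
            fh.write("<h1>About</h1>")
        return {
            "legit": include_page(base, "about.html"),
            "lfi": include_page(base, "../../../../etc/passwd"),
            "rfi": include_page(base, "http://attacker.example/shell.txt"),
        }
```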


What are the main types of XSS?

1. Reflected XSS (Non-Persistent XSS)

  • Description: Occurs when user input is immediately returned by the web application in the response without proper sanitization.

  • Attack Scenario: An attacker crafts a malicious link or URL that, when clicked by a victim, executes a script in the victim's browser.

  • Impact: Can lead to session hijacking, cookie theft, or redirecting users to malicious websites.

2. Stored XSS (Persistent XSS)

  • Description: Also known as Persistent XSS, it occurs when user input containing malicious scripts is stored on the server and then retrieved and displayed to other users later.

  • Attack Scenario: An attacker posts a malicious script (e.g., in a forum post, comment, or message) that is stored on the server. When other users view the content, the script executes in their browsers.

  • Impact: More severe as it affects multiple users and can lead to widespread attacks such as defacement of websites, data theft, or distribution of malware.

3. DOM-Based XSS

  • Description: This type of XSS occurs when the vulnerability exists within the client-side JavaScript code rather than the server-side code.

  • Attack Scenario: Malicious code is injected into the DOM (Document Object Model) environment, typically through client-side scripts like JavaScript. The attack payload is processed by the client-side code and executed in the victim's browser.

  • Impact: Difficult to detect with traditional server-side defenses; can lead to the same consequences as other XSS types, depending on the vulnerability's exploitation.
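An added example (not from the original page) showing the reflected and stored cases side by side: an echoed search term and a persisted comment, each rendered with and without output encoding. The in-memory comment store and the probe string used in the demo are constructed; DOM-based XSS lives in client-side JavaScript and is outside what this server-side snippet can show.

```python
from html import escape

# Constructed in-memory comment store standing in for the application's database.
STORED_COMMENTS: list = []


def render_search_vulnerable(query: str) -> str:
    # Reflected XSS: the request parameter is echoed straight into the response body.
    return f"<p>Results for {query}</p>"


def render_search(query: str) -> str:
    # The fix: encode at output time so '<', '>', '&' and quotes become entities
    # that the browser renders as text instead of parsing as markup.
    return f"<p>Results for {escape(query, quote=True)}</p>"


def post_comment(text: str) -> None:
    # Stored XSS: the raw input is persisted; whether it becomes XSS is decided
    # later, when it is rendered to other users.
    STORED_COMMENTS.append(text)


def render_comments_vulnerable() -> str:
    return "<ul>" + "".join(f"<li>{c}</li>" for c in STORED_COMMENTS) + "</ul>"


def render_comments() -> str:
    return "<ul>" + "".join(f"<li>{escape(c, quote=True)}</li>" for c in STORED_COMMENTS) + "</ul>"


def contains_live_script(html: str) -> bool:
    """Crude demo check: would the browser see an actual <script> element in this output?"""
    return "<script" in html.lower()
```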


What are the different penetration phases?

(kudos to THM for this one)

The five phases in pentesting are reconnaissance, enumeration, exploitation, privilege escalation, and post-exploitation.

  1. Reconnaissance - Pose as the hacker to gain information about a company, including details of the network topology, operating systems and applications, user accounts, etc.

  2. Enumeration / Scanning - Identify the potential ways into a company, using various tools to identify open ports. For example, finding a web server that may be vulnerable.

  3. Exploitation - Leveraging vulnerabilities discovered on a system or application. This stage can involve the use of public exploits or exploiting application logic.

  4. Privilege Escalation - Once you have successfully exploited a system or application (known as gaining a foothold), you would then attempt to expand your access on that system.

  5. Post-Exploitation - This stage involves gathering any final information as a privileged user, and covering your tracks by removing logs and any evidence that the system was accessed. You would also write a report detailing your findings.


Explain Tor Browser & Tor network

  • Ports Used: Tor uses port 9050 for SOCKS proxy connections, allowing applications to route their traffic through the Tor network. Port 9001 is used for directory connections, enabling nodes to share information about their existence and current state within the network.

  • Three Connection Phases:

    1. Entry Node: When a user initiates a connection to the Tor network, they select an entry node (also known as a guard node). This node establishes an encrypted connection with the user's device, ensuring that data leaving the device is protected from surveillance or monitoring.

    2. Middle Nodes: After the data is encrypted by the entry node, it passes through a series of randomly selected middle nodes. Each middle node only knows the IP addresses of the previous and next nodes in the chain; the layered encryption prevents any single node from tracing the complete path of the data.

    3. Exit Node: Once the data reaches the last middle node, it is decrypted and forwarded to the exit node. The exit node establishes a connection to the destination website or service requested by the user. From the destination's perspective, the traffic appears to originate from the exit node, masking the user's original IP address.
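A minimal model of the three-hop circuit described above, as an added example (not from the original page or the Tor project): the client wraps the message in one layer per relay, and each relay strips exactly one layer and learns only its next hop. The relay names, keys, destination and the SHA-256 keystream cipher are constructed stand-ins; real Tor negotiates a separate key with each relay and uses a proper cipher.

```python
import hashlib
import json

# Constructed three-hop circuit: (relay name, symmetric key the client shares with that relay).
HOPS = [("entry", b"k-entry"), ("middle", b"k-middle"), ("exit", b"k-exit")]


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """XOR data with a SHA-256 counter keystream; applying it twice restores the input."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def build_onion(hops, destination: str, payload: bytes) -> bytes:
    """Client side: wrap the payload once per relay, innermost layer addressed to the exit."""
    layer = {"next": destination, "body": payload.hex()}
    blob = keystream_xor(hops[-1][1], json.dumps(layer).encode())
    for i in range(len(hops) - 2, -1, -1):  # then wrap for middle, then for entry
        layer = {"next": hops[i + 1][0], "body": blob.hex()}
        blob = keystream_xor(hops[i][1], json.dumps(layer).encode())
    return blob


def relay_peel(key: bytes, blob: bytes):
    """Relay side: strip exactly one layer; the relay learns only its next hop."""
    layer = json.loads(keystream_xor(key, blob).decode())
    return layer["next"], bytes.fromhex(layer["body"])


def run_circuit(hops, destination: str, payload: bytes):
    """Push an onion through the circuit; return what each relay saw and the final plaintext."""
    blob = build_onion(hops, destination, payload)
    seen = []
    for name, key in hops:
        next_hop, blob = relay_peel(key, blob)
        seen.append((name, next_hop))
    return seen, blob


def relay_can_read(key: bytes, blob: bytes) -> bool:
    """True only if this key opens the outer layer; any other key yields unparseable bytes."""
    try:
        relay_peel(key, blob)
        return True
    except (UnicodeDecodeError, ValueError, KeyError, TypeError):
        return False
```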
