Offensive Security Certified Professional (OSCP): Practice Questions
Original concept-check questions for the OSCP (Offensive Security Certified Professional). The real exam is hands-on; these are concept checks on the underlying skills behind the PEN-200 course: enumeration, exploitation, privilege escalation, Active Directory, tunnelling and more. Each answer is explained, including why the others are wrong. These are concept checks, not real exam questions, and contain no operational attack instructions.
On most OSCP targets, the step that unlocks the most progress is:
Correct answer: D. Thorough enumeration is what reveals the path forward, which is why it drives most OSCP progress. Firing a single exploit immediately skips the step that tells you which exploit is even relevant; rebooting the target is not something you control or benefit from; and writing the report first makes no sense when there is nothing to report yet.
What is the purpose of enumeration in a penetration test?
Correct answer: C. Enumeration systematically gathers details (services, accounts, shares) so you understand what you are working with. Encrypting the target's data describes ransomware behaviour, not enumeration; deleting logs is covering tracks; and submitting the report is the documentation step at the end, not discovery.
An open port discovered during enumeration most directly indicates that:
Correct answer: C. An open port suggests a listening service worth investigating further. It says nothing about patch level, so 'fully patched' is unsupported; it does not reveal whether a user is online; and an open port is unrelated to whether encryption is enabled or disabled.
Service version detection during enumeration is useful mainly because it helps you:
Correct answer: A. Knowing the exact service and version lets you focus on weaknesses that actually apply to it, which is the point of version detection. It does not change the target's CPU performance, it cannot reset a password by itself, and it does not encrypt traffic.
In a penetration test, 'exploitation' refers to:
Correct answer: D. Exploitation means using a weakness you have identified to gain access. Backing up files is unrelated, documenting a network diagram is part of reporting or planning, and patching a vulnerability is a defensive action that removes the weakness rather than using it.
Why is enumerating a service thoroughly important before attempting to exploit it?
Correct answer: B. Thorough enumeration shows which weaknesses genuinely apply, so you do not waste time on irrelevant ones. It does not guarantee administrative access, it is not a reporting requirement, and it does not encrypt the connection.
A 'proof of concept' in an exploitation context is best described as:
Correct answer: A. A proof of concept demonstrates that a weakness really can be used in the way claimed. It is not a legal contract, not a switch configuration, and not a firewall; those are unrelated to demonstrating a weakness.
Why is publicly available exploit code often modified before use in a lab engagement?
Correct answer: B. Public code frequently needs adapting to the exact target, and a careful operator reads and understands untrusted code before running it. Making it 'run faster on any CPU' is not the reason; removing licence terms is not a security motivation; and reading exploit code is not illegal.
SQL injection is possible when a web application:
Correct answer: C. SQL injection occurs when untrusted input is placed directly into a query without validation or parameterisation. Using HTTPS protects data in transit but does not prevent injection; the number of users is irrelevant; and the operating system does not determine whether queries are built safely.
Cross-site scripting (XSS) involves:
Correct answer: A. XSS injects scripts into web pages that other users then load in their browsers. Cracking Wi-Fi passwords is a wireless attack, sending packets to a switch relates to network-layer activity, and encrypting a database is unrelated to script injection.
A directory-traversal weakness allows an attacker to:
Correct answer: C. Directory traversal uses sequences like ../ to reach files outside the intended web root. It does not speed up the server, it does not by itself create administrator accounts, and it has nothing to do with issuing TLS certificates.
The most reliable defence against SQL injection is:
Correct answer: B. Parameterised queries separate code from data so input cannot alter the query, which addresses the root cause of SQL injection. A faster server does nothing for security, hiding the login page is security by obscurity, and a longer admin password protects credentials but not the query itself.
Client-side attacks differ from server-side attacks in that they:
Correct answer: D. Client-side attacks depend on a user doing something, rather than directly exploiting a listening service. They do not require physical access, they are not limited to Wi-Fi, and they can certainly be defended against through user awareness and technical controls.
A common defensive control that reduces the impact of client-side attacks is:
Correct answer: C. Patching closes the weaknesses client-side attacks target, and limiting privileges reduces what an attack can achieve. Disabling logging removes visibility, giving everyone administrator rights increases impact, and turning off the firewall weakens defences. All of those make things worse, not better.
Why are client-side attacks relevant even when a network has a strong perimeter firewall?
Correct answer: A. Client-side attacks usually hinge on a user interacting with content, often initiating outbound activity that a perimeter firewall is not built to block. Firewalls do not stop working at night, they are configurable, and client-side attacks specifically depend on a user, so 'require no user at all' is incorrect.
Privilege escalation means:
Correct answer: D. Privilege escalation is moving from limited access to higher (often administrative) rights. Scanning ports is enumeration, sending a phishing email is social engineering, and encrypting a hard drive is unrelated to gaining more rights.
Local privilege escalation differs from initial access because it assumes the operator:
Correct answer: C. Local privilege escalation starts from an existing foothold and aims to gain higher rights on that same machine. Having no access yet describes initial access, being physically at the keyboard is not implied, and a legitimate administrator already has the rights and would not need to escalate.
On the OSCP exam, why is privilege escalation practice on both Linux and Windows important?
Correct answer: C. The exam features both Linux and Windows targets and awards points for escalation, so you need to be comfortable on both. It is not Windows-only or Linux-only, and escalation is definitely scored, so 'never scored' is wrong.
A conceptual reason misconfigured file permissions can enable privilege escalation is that:
Correct answer: B. If a low-privilege user can alter a file or process that executes with higher privileges, that can be leveraged to gain those privileges. Misconfigured permissions do not change disk size, do not speed up the network, and do not encrypt anything automatically.
Active Directory (AD) is best described as:
Correct answer: D. Active Directory is Microsoft's directory service that manages users, computers and permissions across a Windows network. It is not a web application firewall, not a Linux package manager, and not an encryption algorithm.
On the OSCP exam, the Active Directory set is worth:
Correct answer: B. The Active Directory set is worth 40 of the 100 points, with standalone machines making up the other 60. It is therefore not 10 points, not the whole exam, and certainly not unscored.
The OSCP Active Directory portion uses an 'assumed compromise' model, meaning you:
Correct answer: C. Assumed compromise gives you an initial foothold so the exam can test pivoting and escalation rather than initial access. You are not required to break in from the internet first, you may well need to reach the domain controller, and the task is hands-on rather than only reading documentation.
Why does lateral movement matter when working through an Active Directory environment?
Correct answer: D. AD environments are networks of related hosts, so progressing typically means moving from one compromised machine to the next. AD is not usually a single machine, lateral movement does not encrypt the domain, and it does not disable logging by default.
Pivoting in a penetration test refers to:
Correct answer: B. Pivoting uses a host you control as a stepping stone to reach otherwise unreachable machines. It is not about rotating a monitor, restarting a router, or changing your ISP-assigned IP; those do not give access to internal hosts.
Port forwarding is used in an engagement primarily to:
Correct answer: D. Port forwarding redirects traffic through a host you control so you can reach an internal service. It does not encrypt the entire internet, change monitor resolution, or format a disk; those are unrelated.
Tunnelling is most useful when you need to:
Correct answer: A. Tunnelling encapsulates traffic so it can travel through an intermediary you control to reach internal hosts. Making a web page load faster, printing remotely, and defragmenting a disk are unrelated to reaching otherwise unreachable systems.
Why are pivoting and tunnelling especially relevant to the OSCP Active Directory set?
Correct answer: A. Parts of a chained AD environment are often reachable only via hosts you already control, which is exactly where pivoting and tunnelling come in. The AD machines are not all directly reachable, AD certainly uses a network, and tunnelling has nothing to do with submitting the report.
Within the OSCP exam, the use of Metasploit is:
Correct answer: A. OffSec places specific rules around how Metasploit may be used in the exam. It is therefore neither completely unrestricted nor forbidden in every form, and it is not required on every machine. Knowing the current rules is the key point.
Metasploit is best described as:
Correct answer: D. Metasploit is a framework that organises exploitation-related modules used in testing. It is not a spreadsheet application, a backup utility, or a password manager; those serve entirely different purposes.
Why is it valuable to understand manual techniques rather than relying only on an automated framework like Metasploit for OSCP?
Correct answer: B. Understanding the manual approach helps when framework use is limited by the rules or when a target needs adapting beyond what a module offers. Automated tools are not illegal, frameworks do work, and manual techniques are not always faster. The real benefit is flexibility and understanding.
Practice questions FAQ
- Are these real OSCP exam questions?
- No. These are original study questions written to test understanding. They are not real exam questions, exam dumps, or copied from any provider.
- How should I use these practice questions?
- Answer each one, read the explanation (including why the wrong options are wrong), and use your per-domain score to focus your revision on weak areas. Revisit before exam day.
- How many questions should I do before the exam?
- Enough to score consistently across every domain, alongside full-length practice from official or reputable providers. Understanding why each answer is right matters more than raw volume.
- What score means I am ready?
- A good signal is consistently scoring around 80% or higher across all domains on questions you have not seen before, and being able to explain why the wrong options are wrong.
- Should I use exam dumps?
- No. Dumps (real or leaked questions) breach provider policy, can void your certification, and do not build the understanding the exam actually tests.