Knowledge checks

Scenario quizzes

Quick checks that validate your understanding and feed the same point and badge progression system as labs and hubs.

1. In a CTF web lab, a normal user can access /admin by changing a role value in a request. What vulnerability is most likely present?

Broken access control Clickjacking only DNS cache poisoning Port knocking

2. A SIEM correlation rule fires on impossible travel. Which fields are most important to validate?

User, source locations, timestamps, device, VPN/proxy indicators, and MFA status Only the user's display name The dashboard color theme The size of the SIEM index

3. Which control best reduces the risk of password spraying against cloud accounts?

MFA, conditional access, lockout tuning, and monitoring failed logons Only hiding the login page URL Increasing password length without monitoring Disabling all logs to reduce noise

4. What does the tcpdump flag "-C 100" do when writing a packet capture to disk?

Capture only the first 100 bytes of each packet Stop capture after 100 packets Rotate output file every 100MB Use 100 as the capture buffer size

5. A server is running an unknown service on port 8443. Which Nmap command best identifies its version?

nmap -p 8443 target nmap -sV -sC -p 8443 target nmap -O target nmap --script all target

6. Which Nmap flag attempts OS detection?

-O -sV -Pn -oN

7. Which item should be included in a secure lab disclaimer?

Permission to attack any public IP A reminder that labs are simulated and only authorized targets may be tested Instructions to disable logging A promise that all commands are undetectable

8. In SQLMap, what is the purpose of the "--level" flag?

Sets the output verbosity level (1-5) Controls the depth of database enumeration Sets the thoroughness of injection tests performed Limits the number of requests sent

9. A SOC analyst sees many failed VPN logins followed by one success from the same IP. What should be triaged first?

Whether the destination firewall has enough disk space The successful login account, source IP, MFA result, and post-login activity Only the user agent string from the failed attempts The number of open browser tabs on the analyst machine

10. Which MITRE ATT&CK tactic best matches an attacker trying to keep access after reboot?

Reconnaissance Persistence Collection Impact