All Practice Exams
100+ Free PT1 Practice Questions
TryHackMe Junior Penetration Tester (PT1) practice questions are available now; exam metadata is being verified.
✓ No registration✓ No credit card✓ No hidden fees✓ Start practicing immediately
100+ Questions
100% Free
1 / 100
Question 1
Score: 0/0
What type of command injection payload would you use to verify blind command injection on a Linux server by causing a time delay?
A
B
C
D
to track
Same family resources
Explore More TryHackMe Certifications
Continue into nearby exams from the same family. Each card keeps practice questions, study guides, flashcards, videos, and articles in one place.
2026 Statistics
Key Facts: PT1 Exam
48 hours
Exam Duration
TryHackMe
750 pts
Passing Score
TryHackMe
$297
Exam Cost
TryHackMe
3 domains
Engagements (Web/Network/AD)
TryHackMe
1 retake
Free Retake Included
TryHackMe
3 months
Premium Subscription Included
TryHackMe
The TryHackMe PT1 is a 48-hour practical penetration testing exam with three engagements: web (OWASP Top 10), network (SMB/RDP/FTP/SNMP), and Active Directory. You need 750 points to pass plus a professional report. The exam costs $297 including one free retake and a 3-month Premium subscription. Recommended prep: complete the Jr Penetration Tester learning path (~80 hours) on TryHackMe before attempting.
Sample PT1 Practice Questions
Try these sample questions to test your PT1 exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.
1Which Nmap flag is used to perform a SYN stealth scan (half-open scan) against a target?
A.-sS
B.-sT
C.-sU
D.-sA
Explanation: The -sS flag performs a TCP SYN scan (also called a stealth or half-open scan). Nmap sends a SYN packet and waits for a SYN-ACK to confirm the port is open, then sends a RST to tear down the connection without completing the handshake. This is faster and stealthier than a full TCP connect scan (-sT).
2Which Nmap flag enables version detection for discovered services?
A.-sV
B.-O
C.-A
D.-p-
Explanation: The -sV flag enables Nmap's service/version detection, which probes open ports to determine the service name, version number, and sometimes OS information. This is essential for identifying exploitable software versions during reconnaissance.
3What Nmap Scripting Engine (NSE) script category is best used to check for known vulnerabilities on open ports?
A.discovery
B.auth
C.vuln
D.brute
Explanation: The 'vuln' NSE script category contains scripts that check for specific known vulnerabilities (e.g., ms17-010 for EternalBlue). Running --script vuln against a host will attempt to identify exploitable services by matching them against known CVEs and vulnerability signatures.
4During SMB enumeration, which tool is commonly used on Linux to gather shares, users, and OS information from a Windows SMB host?
A.enum4linux
B.Hydra
C.Nikto
D.Gobuster
Explanation: enum4linux is a Linux tool that wraps Samba utilities to enumerate SMB (Server Message Block) information from Windows and Samba hosts. It can retrieve share lists, user accounts, group memberships, password policy, and OS details — all critical for planning SMB-based attacks.
5Which default TCP port does the SMB protocol use on Windows systems?
A.139
B.389
C.445
D.3389
Explanation: SMB (Server Message Block) operates on TCP port 445 in modern Windows versions (Windows 2000+). Port 139 is used by the older NetBIOS Session Service (SMB over NetBIOS). Port 445 allows direct SMB communication without NetBIOS and is the primary target during SMB enumeration.
6What does the Nmap script 'smb-enum-shares' reveal about a target Windows system?
A.Available SMB shares and their access permissions
B.Open TCP ports and service banners
C.Active user sessions on the system
D.The SMB dialect version in use
Explanation: The smb-enum-shares NSE script queries a target for all available SMB shares and shows the share name, type (disk, IPC, printer), comment, and access level (READ/WRITE/NONE). Discovering readable or writable shares without authentication is a common misconfiguration that pentesters exploit.
7An FTP server responds to an anonymous login attempt with '230 Login successful'. What does this indicate from a penetration testing perspective?
A.Anonymous FTP access is enabled, allowing unauthenticated file listing or download
B.The server uses encrypted FTP (FTPS) and requires a certificate
C.The server only allows local network connections
D.The FTP service is running behind a firewall and requires VPN
Explanation: FTP response code 230 means 'User logged in, proceed.' When this follows an anonymous login (username: anonymous, password: any email), it means the FTP server allows unauthenticated access. This is a common misconfiguration that can expose sensitive files. Testers should enumerate available files and check for write access.
8Which SNMP version sends community strings and data in cleartext, making it vulnerable to network sniffing?
A.SNMPv1
B.SNMPv2c
C.SNMPv3
D.Both SNMPv1 and SNMPv2c
Explanation: Both SNMPv1 and SNMPv2c use community strings (like 'public' or 'private') as their only authentication mechanism, and they transmit all data in cleartext over UDP port 161. An attacker on the network can capture these packets and read community strings to gain read or write access to SNMP-managed devices. SNMPv3 added authentication and encryption.
9What tool can enumerate SNMP OIDs and retrieve system information using the default 'public' community string?
A.snmpwalk
B.crackmapexec
C.enum4linux
D.netdiscover
Explanation: snmpwalk is a command-line utility that uses SNMP GETNEXT requests to walk through all OIDs (Object Identifiers) accessible with a given community string. Running 'snmpwalk -v2c -c public <target> .' can retrieve system description, hostname, running processes, network interfaces, and installed software — all useful for enumeration.
10When performing RDP reconnaissance, which Nmap script checks whether the target's Remote Desktop Protocol service is vulnerable to the BlueKeep exploit (CVE-2019-0708)?
A.rdp-enum-encryption
B.rdp-vuln-ms12-020
C.rdp-vuln-ms17-010
D.rdp-vuln-ms19-0708
Explanation: The rdp-vuln-ms19-0708 NSE script checks for CVE-2019-0708 (BlueKeep), a critical pre-authentication Remote Code Execution vulnerability in Windows RDP affecting Windows 7, XP, Server 2003/2008. BlueKeep was classified as wormable and rated CVSS 9.8. The script probes whether the target is patched without attempting exploitation.
About the PT1 Practice Questions
Verified exam format metadata for TryHackMe Junior Penetration Tester (PT1) is pending. The practice questions above remain available while official exam length, timing, passing score, fee, and administrator details are reviewed.