Applied Knowledge Exam Readiness

Check out our preparation tips here.

When purchasing a demo question set, three questions are included. Retaking the same demo will result in repeat questions being seen.

When purchasing an Applied Knowledge Certification attempt, no demo questions are included.

You can purchase demo questions here. Three questions are provided at a cost of $39. If more than 1 demo question set is purchased, some questions will be repetitive.

Once purchased, Demo Questions can be accessed in the Assessments section of your GIAC Certifications Portal.

Demo Questions are available in your account for 10 weeks after purchase.

Demo Question purchases are non-refundable and non-transferable.

The best path forward is to mentally review your exam. Spend more time preparing in areas where you struggled before you schedule a retake. Review the retake policy.

The available demo questions for the GX-CS exam are as follows:

1) According to an organization's DLP log, an employee's Windows SAM file was exported from her computer to an external network. The IT department has provided you with the Windows Defender Windows Event Log from her computer. The file is here: C:\Users\Candidate\Desktop\saddle-399340\felicia.txt. What time did Windows Defender first detect the tool that was most likely used to collect the SAM file?

2) For your reference, the information below is in C:\Users\Candidate\Desktop\freeman-401700. What is the user name for the account whose SID is S-1-5-21-3427320942-3493994598-3580344411-1003?

3) The directory /home/giac/PasswordCracking/Addnumbers has a Linux passwd file, shadow file, and a wordlist, sqlmap.txt. Use hashcat with the wordlist to crack the passwords in the shadow file. What is the number resulting from of adding the last digit of each of the eleven crackable passwords together?Use pw-inspector to reduce the wordlist to only passwords with 12 characters that use numbers, lowercase, and uppercase letters. The passwords do not contain characters from the special or printable character sets.

4) The file ~/capture.pcap was captured from a corporate network environment. What version of python is supporting the second web server running on 192.168.26.146?

5) Examine the processes created by the open applications on the workstation. A pirated DLL injector was run on the the machine that employed signed dlls renamed to words beginning with the letter "b". Be sure to open Process Hacker 2 as admin using username: giac and password: giac. What is the original filename of the dll injected into mspaint.exe from the attacker's file folder?Note: You are performing an initial examination of the workstation as is - try not to disrupt any processes as you perform your investigation.

During the demo exam you will be provided with the VMs to interact with and answer options to help you verify if you can fully do the work needed to solve the questions.

The available demo questions for the GX-IA exam are as follows:

1) The file named top-secret.png was uploaded to the site http://tinypic.com and the traffic was captured in the PCAP file GSE-HTTP-topsecret.pcap. The web server changed only the name of the file when returning the file to the host during the data transmission. What is the new name of the file provided in the URL download link returned by the web server after the file was uploaded to the web site?

2) Which packet number in /home/giac/artifacts/elves.pcap is evidence that the attempted shellshock exploit was successful?

3) Navigate to ~/artifacts/ and use the .log file to decrypt TLS in encryptedStuff.pcapng. How many streams (tcp.stream udp.stream) were decrypted using the provided keys?

4) Using the file, /home/giac/monterey/email.silk, which is the daily byte count on 10/11/2018 for email activity on the 192.168.2.0/24 network?

5) Using the files located in the /home/giac/springdale/zeeklogs and /home/giac/springdale/zeeklogs/extract_files directories, what data is being displayed in the mindclone.php upload?

114.165.143.153 48991 10.10.10.5 80 POST /upload.php

114.165.143.153 48992 10.10.10.5 80 GET /uploads/team10.jpg

114.165.143.153 48993 10.10.10.5 80 POST /upload.php

114.165.143.153 48994 10.10.10.5 80 GET /uploads/inoshikacho.txt

114.165.143.153 48995 10.10.10.5 80 POST /upload.php

114.165.143.153 48996 10.10.10.5 80 GET /uploads/expansion.php

114.165.143.153 48997 10.10.10.5 80 GET /upload.htm

114.165.143.153 48998 10.10.10.5 80 POST /upload.php

114.165.143.153 48999 10.10.10.5 80 GET /uploads/mindclone.ph

114.165.143.153 49000 10.10.10.5 80 POST /upload.php

During the demo exam you will be provided with the VMs to interact with and answer options to help you verify if you can fully do the work needed to solve the questions.

1) An attacker has compressed and encoded a picture in a file called "secret".

Inspect the contents of the file /root/offbeat-398660/secret to determine how the attacker encoded it, and extract the image. The tool used to compress the image can also extract the image.

What letter is shown in the image?

Note: To view the image once you have extracted it, open it with xdg-open or a browser.

2) For your reference, the URL and schema below are in /giac/cold-402215. A PHP webpage that is vulnerable to SQL injection and is located at http://GSE-SQLTarget/badphp2.php?id=10001. A partial map of the schema for the database is below. How many records in the database have the first name Elliott?

3) The server at 192.168.1.12 hosts the website http://thejeffs.org and has recently been scanned for vulnerabilities. A list of several findings is provided in the file C:\Users\Candidate\Desktop\thejeffs_scan_2.txt. The Windows host has a variety of tools installed for scanning and the WSL bash subsystem to help with identification confirmation tasks. Which of the following findings still exists on the server?

4) Access 192.168.1.101. Another attacker previously compromised it and tried to establish persistence. What site did they use? Hint: The wordlist on the Desktop may be helpful.

5) Log on to the Debian host with username "root" and password "root". Edit the iptables firewall rule script /root/giac/ip_fw.sh to block inbound FTP, TCP port 21, on the local host (192.168.101.100).Once the rule has been written, run the ip_fw.sh script then launch netcat to connect to the host 192.168.101.200 on TCP port 8081. Which color is returned in the netcat session? Enter the color name in the text box.

1) According to the evidence located in the E:\Sunflower directory, an executable with the same name as a legitimate Windows binary was run, but it was not in its expected path. What is the file size in bytes of the executable?

2) Which method was used by the attacker to gain access to the j3Games Win10_1 host on 2023-03-01 at approximately 11:10AM PST (UTC -8)? Folders containing the disk image files, KAPE triage collection, timeline and memory files are located in E:\j3Games and can be accessed using the WSL bash shell in the /mnt/e/j3Games.

3) What drive letter was assigned to the successful remote network share connection established between Win10_1 and Win10_2?
Windows file location: E:\j3Games
Windows WSL bash file location: /mnt/e/j3Games

4) A Meterpreter session was running on the Win10_3 host during time the memory was collected. What is the destination port for the connection?
Provide the answer in numerical format only, for example 12345.
The artifacts are in the folder E:\Win10_3.
Volatility 2 (vol2.py)  and Volatility 3 (vol3.py) can be executed directly from the Windows command line.

5) Examine the data collected from the J3Games Win10_2 host. A program was run by cfinch at 18:25:24 on 2023-03-01. Which DLL was referenced by this program at runtime?
Folders containing the disk image files, KAPE triage collection, timeline and memory files are located in E:\j3Games and can be accessed using the WSL bash shell in the /mnt/e/j3Games.