312-50v13 Questions Bank

The most direct technique demonstrated is D. Compromising secrets, because the attackers abused exposed API keys to authenticate to the cloud provider and execute unauthorized cloud commands. In CEH-aligned cloud attack paths, “secrets” commonly include API keys, access tokens, secret keys, passwords, certificates, and service account credentials. When these secrets are exposed (for example, hard-coded in source code, leaked in public repositories, stored insecurely in endpoints, or logged accidentally), an attacker can use them to gain the same privileges as the legitimate account or service identity.

Once valid API keys are obtained, attackers typically perform actions consistent with the compromised identity’s permissions: spinning up compute, modifying IAM policies, accessing storage, disabling logging, creating new credentials, and pivoting across services. The incident description mentions both resource abuse and lateral movement. Resource abuse is a frequent consequence of stolen cloud credentials because attackers can provision infrastructure on the victim’s account (often for botnets, staging, or other activities). Lateral movement inside the cloud environment can happen when the compromised keys grant access to additional services or when the attacker uses the initial foothold to discover and access other roles, instances, or secrets (for example, by querying metadata services, reading configuration stores, or enumerating IAM privileges).

Why the other options are less accurate: Cryptojacking specifically refers to illicit cryptocurrency mining using hijacked resources; while “resource abuse” could include mining, the key distinguishing factor in the question is the use of exposed API keys to issue commands, which is fundamentally credential/secret compromise. Enumerating S3 buckets is a reconnaissance activity focused on object storage discovery and misconfigurations, not the central mechanism here. A wrapping attack relates to specific cloud/identity token wrapping scenarios and is not indicated by exposed API keys.

Therefore, the incident most clearly demonstrates compromising secrets (exposed API keys).

CEH v13 stresses the importance of passive reconnaissance when the goal is to avoid any interaction with the target’s systems. Job postings frequently reveal detailed information such as internal technologies, OS platforms, security tools, IDS brands, virtualization environments, scripting languages, and cloud services. CEH explicitly notes job ads as one of the richest passive intelligence sources because organizations inadvertently disclose their tech stack, often mentioning required experience with specific network components, databases, protocols, or internal tools. Options B and D involve direct interaction, violating the passive reconnaissance requirement. WHOIS lookups (Option C) provide DNS registrar information but do not reveal internal network details. Job postings, social media recruitment materials, and HR documentation are discussed in CEH as critical OSINT resources used during the footprinting phase to gather actionable intelligence while maintaining complete stealth. Thus, analyzing job postings is the correct method.

This scenario represents a Tautology-Based SQL Injection, a fundamental SQL injection technique covered under the Web Application Hacking module in the CEH v13 curriculum. The defining characteristic of this attack is the injection of a condition that always evaluates to TRUE, thereby bypassing authentication or authorization controls.

In the given example, the injected input 1 OR ' T ' = ' T ' ; -- manipulates the logical condition of the SQL query. A typical vulnerable login query may resemble:

SELECT * FROM users WHERE user_id = 1 AND password = ' input ' ;

When the attacker submits the injected payload, the resulting SQL statement becomes:

SELECT * FROM users WHERE user_id = 1 OR ' T ' = ' T ' ; -- ' ;

The expression ' T ' = ' T ' is a tautology, meaning it always evaluates to TRUE regardless of context. As a result, the database returns records without properly validating the user’s credentials, granting unauthorized access.

According to EC-Council CEH v13, tautology-based SQL injection is classified as a Boolean-based injection technique where attackers exploit improper input validation to alter the logical flow of SQL queries. This attack does not depend on database error messages (as in Error-Based SQL Injection), does not extract data using UNION statements (Union-Based SQL Injection), and does not rely on response delays (Time-Based Blind SQL Injection).

CEH v13 emphasizes that such attacks are especially effective against login forms and authentication mechanisms when developers fail to implement input sanitization, parameterized queries, or prepared statements. This attack is one of the most common and exam-tested SQL injection types because it clearly demonstrates how flawed logic can compromise application security without advanced techniques.

Understanding tautology-based SQL injection is critical for ethical hackers, as it forms the foundation for identifying and mitigating more complex SQL injection variants.

CEH teaches that unrestricted file upload vulnerabilities are among the most dangerous in web applications because they allow attackers to bypass extension checks and upload malicious executable files. When the server fails to validate MIME types, file extensions, or execution permissions, an attacker can upload a web shell disguised as a harmless file, such as “image.php.jpg,” which may pass superficial validation and still be executed by the server’s interpreter. Once executed, the shell provides the attacker with command execution capabilities, allowing full control over the system. CEH emphasizes that web shells can enable privilege escalation, database compromise, lateral movement, or full server takeover. Unlike SQL injection or XSS, file upload exploitation directly affects server-side execution, making it significantly more severe. Unrestricted upload flaws are commonly tested in CEH labs with tools like Burp Suite to alter content-type headers or bypass client-side filters. This is a high-impact vulnerability requiring strict validation and sandboxing controls.