WebDev-Container01 - Docker host for staging web apps; CVSS 9.4 (CVE-2023-4103)
The rules of engagement allow you to exploit only two additional hosts. According to best-practice target prioritization, which single factor should carry the most weight when deciding which host to attack next?
It has the highest CVSS score among the remaining vulnerabilities.
The host provides a daily-used business function essential to payroll processing.
Its software version appeared in an exploit database update last year.
It is running an operating system that is no longer supported.
High-value asset identification drives target choice. Even if another host shows a slightly higher CVSS score or is running unsupported software, compromising the payroll database server would have the greatest immediate business impact. Professional penetration-testing standards (e.g., NIST SP 800-115) recommend assessing high-impact systems before others, so the production HR-SQL01 host should be selected first. The other considerations are important but secondary because they do not directly reflect business criticality.