CompTIA PT0-003 Online Practice Questions and Exam Preparation

CompTIA PT0-003 Online Questions & Answers

• Question 91:

  A penetration tester performs the following command:

  curl -l -http2 https://www.comptia.org

  Which of the following snippets of output will the tester MOST likely receive?

  

  A. Option A
  B. Option B
  C. Option C
  D. Option D
  A. Option A

  ---

  Explanation

  References:

  https://research.securitum.com/http-2-protocol-it-is-faster-but-is-it-also-safer/

• Question 92:

  A penetration tester must identify vulnerabilities within an ICS (Industrial Control System) that is not connected to the internet or enterprise network.

  Which of the following should the tester utilize to conduct the testing?

  A. Channel scanning
  B. Stealth scans
  C. Source code analysis
  D. Manual assessment
  D. Manual assessment

  ---

  Explanation

  Since the ICS is air-gapped (not connected to external networks), the best approach is manual assessment, which involves on-site testing, physical access, and reviewing configurations to identify vulnerabilities.

  Option A (Channel scanning): This is used for wireless networks, not for isolated ICS systems.

  Option B (Stealth scans): A stealth scan is a method to avoid detection while scanning, but it still requires network connectivity.

  Option C (Source code analysis): If the ICS is a proprietary system, source code might not be available.

  Also, vulnerabilities could exist outside the code, such as misconfigurations.

  Option D (Manual assessment): Correct. The ICS is offline, so a manual review of system settings, firmware, and configurations is the best approach.

  References:

  CompTIA PenTest+ PT0-003 Official Guide ?ICS&

  SCADA Testing

• Question 93:

  A penetration tester is performing a cloud-based penetration test against a company. Stakeholders have indicated the priority is to see if the tester can get into privileged systems that are not directly accessible from the internet. Given the following scanner information:

  1. Server-side request forgery (SSRF) vulnerability in test.comptia.org

  2. Reflected cross-site scripting (XSS) vulnerability in test2.comptia.org

  3. Publicly accessible storage system named static_comptia_assets

  4. SSH port 22 open to the internet on test3.comptia.org

  5. Open redirect vulnerability in test4.comptia.org

  Which of the following attack paths should the tester prioritize first?

  A. Synchronize all the information from the public bucket and scan it with Trufflehog.
  B. Run Pacu to enumerate permissions and roles within the cloud-based systems.
  C. Perform a full dictionary brute-force attack against the open SSH service using Hydra.
  D. Use the reflected cross-site scripting attack within a phishing campaign to attack administrators.
  E. Leverage the SSRF to gain access to credentials from the metadata service.
  E. Leverage the SSRF to gain access to credentials from the metadata service.

  ---

  Explanation

  Leverage SSRF for Metadata Access:

  Server-side request forgery (SSRF) vulnerabilities allow attackers to force a server to send requests to internal resources. In cloud environments, SSRF can often be used to access the metadata service (e.g., AWS EC2 metadata) to retrieve credentials for cloud services.

  Once credentials are obtained, they can be used to access privileged systems that are not directly accessible from the internet.

  Why Not Other Options?

  Option A (Public bucket): Analyzing the bucket for sensitive data is useful but does not directly lead to privileged system access.

  Option B (Pacu): Pacu is used for AWS exploitation but requires credentials or misconfigured roles. SSRF can provide the credentials needed to run Pacu effectively.

  Option C (SSH brute force): Brute-forcing SSH is noisy and inefficient. Privileged systems are likely better protected than SSH open to the internet.

  Option D (Phishing via XSS): This is a longer-term attack and less direct compared to leveraging SSRF.

  References:

  Domain 3.0 (Attacks and Exploits) SSRF Exploitation and Cloud Metadata Access Techniques

• Question 94:

  A penetration tester must identify hosts without alerting an IPS. The tester has access to a local network segment.

  Which of the following is the most logical action?

  A. Performing reverse DNS lookups
  B. Utilizing Nmap using a ping sweep
  C. Conducting LLMNR poisoning using Responder
  D. Viewing the local routing table on the host
  A. Performing reverse DNS lookups

  ---

  Explanation

  When the objective is to identify hosts while minimizing the chance of triggering an IPS, PenTest+ prioritizes low-noise reconnaissance techniques over active probing. A reverse DNS lookup queries DNS PTR records for IP addresses and can reveal hostnames for systems that are already registered in internal DNS. This often generates traffic that appears similar to normal enterprise name-resolution activity and is typically less suspicious than broad ICMP echo sweeps or repeated port probes.

  An Nmap ping sweep is an overt discovery action that sends ICMP (and sometimes ARP/other probes) across a range and is more likely to be detected or rate-limited by monitoring and IPS controls. LLMNR poisoning with Responder is an active interception/credential capture technique that can be highly detectable and is not simply "host identification." Viewing the local routing table is very quiet, but it primarily reveals networks and routes, not a list of live hosts on the segment.

  Therefore, reverse DNS lookups are the most logical balance of effectiveness and stealth for identifying hosts.

• Question 95:

  A penetration tester conducts reconnaissance for a client's network and identifies the following system of interest:

  

  The tester notices numerous open ports on the system of interest.

  Which of the following best describes this system?

  A. A honeypot
  B. A Windows endpoint
  C. A Linux server
  D. An already-compromised system
  A. A honeypot

  ---

  Explanation

  A honeypot is a decoy system designed to attract attackers by exposing multiple services and vulnerabilities.

  Indicators of a honeypot (Option A):

  The system has an unusual combination of Windows (SMB, MSRPC) and Linux (Rsync, SSH) services.

  It exposes a large number of open ports, which is uncommon for a production server.

  Presence of "zeus-admin" (port 9090) suggests intentionally vulnerable services.

  References:

  CompTIA PenTest+ PT0-003 Official Study Guide - "Honeypots and Decoys in Reconnaissance"

  Incorrect options:

  Option B (Windows endpoint): Windows would not normally run Rsync (873/tcp) or SSH (22/tcp).

  Option C (Linux server): Linux servers typically don't have NetBIOS (139/tcp) or MSRPC (135/tcp).

  Option D (Already-compromised system): Although possible, honeypots mimic compromised systems to lure attackers.

• Question 96:

  Which of the following should be included in scope documentation?

  A. Service accounts
  B. Tester experience
  C. Disclaimer
  D. Number of tests
  C. Disclaimer

  ---

  Explanation

  A disclaimer is a statement that limits the liability of the penetration tester and the client in case of any unintended consequences or damages caused by the testing activities. It should be included in the scope documentation to clarify the roles and responsibilities of both parties and to avoid any legal disputes or misunderstandings. Service accounts, tester experience, and number of tests are not essential elements of the scope documentation, although they may be relevant for other aspects of the penetration testing process.

  References:

  The Official CompTIA PenTest+ Study Guide (Exam PT0-002), Chapter 1: Planning and Scoping Penetration Tests1

  The Official CompTIA PenTest+ Student Guide (Exam PT0- 002), Lesson 1: Planning and Scoping Penetration Tests2

  What is the Scope of a Penetration Test?3

• Question 97:

  As part of a security audit, a penetration tester finds an internal application that accepts unexpected user inputs, leading to the execution of arbitrary commands.

  Which of the following techniques would the penetration tester most likely use to access the sensitive data?

  A. Logic bomb
  B. SQL injection
  C. Brute-force attack
  D. Cross-site scripting
  B. SQL injection

  ---

  Explanation

  SQL injection (SQLi) is a technique that allows attackers to manipulate SQL queries to execute arbitrary commands on a database. It is one of the most common and effective methods for accessing sensitive data in internal applications that accept unexpected user inputs. Here's why option B is the most likely technique:

  Arbitrary Command Execution: The question specifies that the internal application accepts unexpected user inputs leading to arbitrary command execution. SQL injection fits this description as it exploits vulnerabilities in the application's input handling to execute unintended SQL commands on the database.

  Data Access: SQL injection can be used to extract sensitive data from the database, modify or delete records, and perform administrative operations on the database server. This makes it a powerful technique for accessing sensitive information.

  Common Vulnerability: SQL injection is a well-known and frequently exploited vulnerability in web applications, making it a likely technique that a penetration tester would use to exploit input handling issues in an internal application.

  References from Pentest:

  Luke HTB: This write-up demonstrates how SQL injection was used to exploit an internal application and access sensitive data. It highlights the process of identifying and leveraging SQL injection vulnerabilities to achieve data extraction.

  Writeup HTB: Describes how SQL injection was utilized to gain access to user credentials and further exploit the application. This example aligns with the scenario of using SQL injection to execute arbitrary commands and access sensitive data.

  Conclusion:

  Given the nature of the vulnerability described (accepting unexpected user inputs leading to arbitrary command execution), SQL injection is the most appropriate and likely technique that the penetration tester would use to access sensitive data. This method directly targets the input handling mechanism to manipulate SQL queries, making it the best choice.

• Question 98:

  During an assessment, a penetration tester obtains a list of 30 email addresses by crawling the target company's website and then creates a list of possible usernames based on the email address format.

  Which of the following types of attacks would MOST likely be used to avoid account lockout?

  A. Mask
  B. Rainbow
  C. Dictionary
  D. Password spraying
  D. Password spraying

  ---

  Explanation

  Password spraying is a type of password guessing attack that involves trying one or a few common passwords against many usernames or accounts. Password spraying can avoid account lockout policies that limit the number of failed login attempts per account by spreading out the attempts over time and across different accounts. Password spraying can also increase the chances of success by using passwords that are likely to be used by many users, such as default passwords, seasonal passwords, or company names. Mask is a type of password cracking attack that involves using a mask or a pattern to generate passwords based on known or guessed characteristics of the password, such as length, case, or symbols. Rainbow is a technique of storing precomputed hashes of passwords in a table that can be used to quickly crack passwords by looking up the hashes. Dictionary is a type of password cracking attack that involves using a wordlist or a dictionary of common or likely passwords to try against an account.

• Question 99:

  A penetration tester performs the following scan:

  nmap -sU -p 53,161,162 192.168.1.51

  PORT STATE

  53/udp open|filtered

  161/udp open|filtered

  162/udp open|filtered

  The tester then manually uses snmpwalk against port 161 and receives valid SNMP responses.

  Which of the following best explains the scan result for port 161?

  A. The SNMP daemon delayed its response beyond Nmap's UDP scan timeout.
  B. Nmap marked the port as open|filtered because no response was received.
  C. The scanned host applied rate limiting to its responses to prevent UDP fingerprinting.
  D. The Nmap scan lacked root privileges, which reduced packet inspection accuracy.
  B. Nmap marked the port as open|filtered because no response was received.

  ---

  Explanation

  In PenTest+ network enumeration, UDP scanning is emphasized as inherently less reliable than TCP because many UDP services do not respond unless they receive an application-valid request, and many firewalls silently drop unsolicited UDP probes. With nmap -sU, if the scanner does not receive either (1) an application-layer UDP response indicating the service is listening or (2) an ICMP "port unreachable" message indicating the port is closed, Nmap cannot definitively classify the port. In that case, it reports open|filtered, meaning the port may be open but nonresponsive to the probe, or traffic may be filtered.

  SNMP commonly requires a correct community string and properly formed requests before returning data.

  snmpwalk generates valid SNMP queries and can succeed even when Nmap's generic probe yields no reply, resulting in an open| filtered label. Root privilege issues do not explain this state, and rate limiting is possible but not the best fit given the standard UDP classification behavior.

• Question 100:

  During an assessment, a penetration tester runs the following command:

  setspn.exe -Q /

  Which of the following attacks is the penetration tester preparing for?

  A. LDAP injection
  B. Pass-the-hash
  C. Kerberoasting
  D. Dictionary
  C. Kerberoasting

  ---

  Explanation

  Kerberoasting is an attack that involves requesting service tickets for service accounts from a Kerberos service, extracting the service tickets, and attempting to crack them offline to retrieve the plaintext passwords.

  Understanding Kerberoasting:

  Purpose: To obtain service account passwords by cracking the encrypted service tickets (TGS tickets) offline.

  Service Principal Names (SPNs): SPNs are used in Kerberos authentication to uniquely identify a service instance.

  Command Breakdown:

  setspn.exe -Q /: This command queries all SPNs in the domain.

  Use Case: Identifying accounts with SPNs that can be targeted for Kerberoasting.

  Kerberoasting Steps:

  Identify SPNs: Use setspn.exe to list service accounts with SPNs.

  Request TGS Tickets: Request TGS tickets for the identified SPNs.

  Extract Tickets: Use tools like Mimikatz to extract the service tickets.

  Crack Tickets: Use password cracking tools like Hashcat to crack the extracted tickets offline.

  References from Pentesting Literature:

  Kerberoasting is a well-documented attack method in penetration testing guides, specifically targeting service accounts in Active Directory environments.

  HTB write-ups often detail the use of Kerberoasting for gaining credentials from service accounts.

  References:

  Penetration Testing - A Hands-on Introduction to Hacking

  HTB Official Writeups