CompTIA PT0-003 Online Practice Questions and Exam Preparation

CompTIA PT0-003 Online Questions & Answers

• Question 121:

  Which of the following tools would be BEST suited to perform a manual web application security assessment? (Choose two.)

  A. OWASP ZAP
  B. Nmap
  C. Nessus
  D. BeEF
  E. Hydra
  F. Burp Suite
  A. OWASP ZAP
  F. Burp Suite

• Question 122:

  Which of the following tools would be best suited to perform a cloud security assessment?

  A. OpenVAS
  B. Scout Suite
  C. Nmap
  D. ZAP
  E. Nessus
  B. Scout Suite

  ---

  Explanation

  The tool that would be best suited to perform a cloud security assessment is Scout Suite, which is an open-source multi-cloud security auditing tool that can evaluate the security posture of cloud environments, such as AWS, Azure, GCP, or Alibaba Cloud. Scout Suite can collect configuration data from cloud providers using APIs and assess them against security best practices or benchmarks, such as CIS Foundations. Scout Suite can generate reports that highlight security issues, risks, or gaps in the cloud environment, and provide recommendations for remediation or improvement. The other options are not tools that are specifically designed for cloud security assessment. OpenVAS is an open-source vulnerability scanner that can scan hosts and networks for vulnerabilities and generate reports with findings and recommendations. Nmap is an open-source network scanner and enumerator that can scan hosts and networks for ports, services, versions, OS, or other information 1. ZAP is an open-source web application scanner and proxy that can scan web applications for vulnerabilities and perform attacks such as SQL injection or XSS. Nessus is a commercial vulnerability scanner that can scan hosts and networks for vulnerabilities and generate reports with findings and recommendations.

• Question 123:

  Which of the following frameworks can be used to classify threats?

  A. PTES
  B. STRIDE
  C. OSSTMM
  D. OCTAVE
  B. STRIDE

  ---

  Explanation

  STRIDE is a threat classification model created by Microsoft that breaks down threats into six categories:

  Spoofing

  Tampering

  Repudiation

  Information disclosure

  Denial of Service

  Elevation of privilege

  It is specifically designed for threat modeling.

  PTES is a general pentesting methodology.

  OSSTMM is a framework for operational security testing.

  OCTAVE is a risk assessment methodology, not focused on threat classification.

  References:

  PT0-003 Objective 3.1 ?Understand and apply threat modeling methodologies like STRIDE.

• Question 124:

  A penetration tester would like to collect permission details for objects within the domain. The tester has a valid AD user and access to an internal PC.

  Which of the following sets of steps is the best way for the tester to accomplish the desired outcome?

  A. Escalate privileges. Execute Rubeus. Run a Cypher query on Rubeus to get the results.
  B. Run SharpHound. Install CrackMapExec. Perform a CrackMapExec database query on CME to get the results.
  C. Run SharpHound. Install BloodHound. Perform a Cypher query on BloodHound to get the results.
  D. Escalate privileges. Get Windows Registry data. Perform a query to get results.
  C. Run SharpHound. Install BloodHound. Perform a Cypher query on BloodHound to get the results.

  ---

  Explanation

  To collect permission details for objects within an Active Directory domain, the PenTest+ workflow most closely aligns with using SharpHound (the BloodHound data collector) followed by BloodHound analysis.

  SharpHound is executed from a domain-joined or internally reachable system using a valid AD account to enumerate domain relationships, including group membership, sessions, local admin rights, and--most importantly for this question--object control and ACL-based permissions (for example, rights that allow modifying users, resetting passwords, adding group members, or controlling GPOs). BloodHound then imports this collected graph data and allows the tester to run Cypher queries to identify effective privileges, abuse paths, and misconfigurations that enable privilege escalation or lateral movement.

  Rubeus is primarily focused on Kerberos ticket operations (TGT/TGS manipulation, roasting, delegation abuse) and is not a Cypher-query permission-mapping platform. CrackMapExec supports network/AD operations, but it is not the standard toolchain for graph-based permission path analysis described in PenTest+. Registry collection is unrelated to enumerating domain object permissions.

• Question 125:

  openssl passwd password

  $1$OjxLvZ85$Fdr51vn/Z4zXWsQR/Xrj.

  The tester then adds the following line to the world-writable script:

  echo 'root2:$1$0jxLvZ85$Fdr51vn/Z4zXWsQR/Xrj .

  : 1001:1001:,,,:/root:/bin/bash">> /etc/passwd Which of the following should the penetration tester do to enable this exploit to work correctly?

  A. Use only a single redirect to /etc/password.
  B. Generate the password using md5sum.
  C. Log in to the host using SSH.
  D. Change the 1001 entries to 0.
  D. Change the 1001 entries to 0.

  ---

  Explanation

  The attacker's goal is to create an account entry in /etc/passwd that grants root privileges. In Unix/Linux, the UID and GID determine privileges; UID 0 is the root account. The line the tester appended sets UID/ GID to 1001:1001, which does not grant root privileges. Changing those numeric fields to 0:0 (UID 0, GID 0. will cause the new account to be treated as root when the entry is parsed by the system, enabling a root-level login with the supplied hash.

  Additional correctness notes (non-exploitating guidance):

  The appended line must match the exact /etc/passwd format (no stray spaces or malformed punctuation).

  The password hash must match the system's expected scheme; openssl passwd produced an MD5-style hash ($1$...) -- ensure the hash is correctly copied (case/character fidelity matters).

  Modifying /etc/passwd in this way is destructive and illegal without explicit authorization; in an authorized testing engagement, these details are taught to illustrate how misconfigurations lead to privilege escalation.

  Why other choices are incorrect:

  Option A: The redirect >> /etc/passwd (append) is appropriate for adding a line; switching to a single redirect is not the central issue.

  Option B: md5sum would produce a raw MD5 digest, not the salted hash format expected by /etc/shadow// etc /passwd entries.

  Option C: Logging in via SSH does not enable the exploit; creating the user with UID 0 is the required change.

  CompTIA PT0-003 Mapping:

  Domain 3.0 Attacks and Exploits -- local privilege escalation techniques and understanding of OS account mechanics.

• Question 126:

  A penetration tester discovers evidence of an advanced persistent threat on the network that is being tested.

  Which of the following should the tester do next?

  A. Report the finding.
  B. Analyze the finding.
  C. Remove the threat.
  D. Document the finding and continue testing.
  A. Report the finding.

  ---

  Explanation

  Upon discovering evidence of an advanced persistent threat (APT) on the network, the penetration tester should report the finding immediately.

  Advanced Persistent Threat (APT):

  Immediate Reporting:

  Other Actions:

  References:

  Incident Response: Understanding the importance of immediate reporting and collaboration with the organization's security team upon discovering critical threats like APTs. Ethical Responsibility: Following ethical guidelines and protocols to ensure the organization can respond effectively to significant threats. By reporting the finding immediately, the penetration tester ensures that the organization's security team is alerted to the presence of an APT, allowing them to initiate an appropriate incident response.

• Question 127:

  SIMULATION

  A previous penetration test report identified a host with vulnerabilities that was successfully exploited. Management has requested that an internal member of the security team reassess the host to determine if the vulnerability still exists.

  

  Part 1:

  Analyze the output and select the command to exploit the vulnerable service.

  Part 2:

  Analyze the output from each command.

  Select the appropriate set of commands to escalate privileges.

  Identify which remediation steps should be taken.

  

  A. See explanation below.
  B. PlaceHolder
  C. PlaceHolder
  D. PlaceHolder
  A. See explanation below.

  ---

  Explanation

  The command that would most likely exploit the services is:

  hydra -l lowpriv -P 500-worst-passwords.txt -t 4 ssh://192.168.10.2:22

  The appropriate set of commands to escalate privileges is:

  echo "root2:5ZOYXRFHVZ7OY::0:0:root:/root:/bin/bash" >> /etc/passwd

  The remediations that should be taken after the successful privilege escalation are:

  Remove the SUID bit from cp.

  Make backup script not world-writable.

  Comprehensive Step-by-Step

  Explanation of the Simulation Part 1: Exploiting Vulnerable Service

  Nmap Scan Analysis

  bash

  Copy code

  Port State Service

  22/tcp open ssh

  23/tcp closed telnet

  80/tcp open http

  111/tcp closed rpcbind

  445/tcp open samba

  3389/tcp closed rdp

  Ports open are SSH (22), HTTP (80), and Samba (445).

  Enumerating Samba Shares

  makefile

  Copy code

  user:[games] rid:[0x3f2]

  user:[nobody] rid:[0x1f5]

  user:[bind] rid:[0x4ba]

  user:[proxy] rid:[0x42]

  user:[syslog] rid:[0x4ba]

  user:[www-data] rid:[0x42a]

  user:[root] rid:[0x3e8]

  user:[news] rid:[0x3fa]

  user:[lowpriv] rid:[0x3fa]

  We identify a user lowpriv.

  Selecting Exploit Command

  Executing the Hydra Command

  Part 2: Privilege Escalation and Remediation

  Finding SUID Binaries and Configuration Files

  Selecting Privilege Escalation Command

  Executing the Privilege Escalation Command

  Remediation Steps Post-Exploitation

  Execution and Verification

  Verifying Hydra Attack:

  Verifying Privilege Escalation:

  Implementing Remediation:

  By following these detailed steps, one can replicate the simulation and ensure a thorough understanding of both the exploitation and the necessary remediations.

• Question 128:

  During a penetration test, the tester uses a vulnerability scanner to collect information about any possible vulnerabilities that could be used to compromise the network. The tester receives the results and then executes the following command:

  snmpwalk -v 2c -c public 192.168.1.23

  Which of the following is the tester trying to do based on the command they used?

  A. Bypass defensive systems to collect more information.
  B. Use an automation tool to perform the attacks.
  C. Script exploits to gain access to the systems and host.
  D. Validate the results and remove false positives.
  D. Validate the results and remove false positives.

  ---

  Explanation

  The command snmpwalk -v 2c -c public 192.168.1.23 is used to query SNMP (Simple Network Management Protocol) data from a device. Here's the purpose in the context provided:

  SNMP Enumeration:

  Function: snmpwalk is used to retrieve a large amount of information from the target device using SNMP.

  Version: -v 2c specifies the SNMP version.

  Community String: -c public specifies the community string, which is essentially a password for SNMP queries.

  Purpose of the Command:

  Validate Results: The tester uses SNMP to gather detailed information about the network devices to confirm the findings of the vulnerability scanner and remove any false positives.

  Detailed Information: SNMP can provide detailed information about device configurations, network interfaces, and other settings that can validate the scanner's results.

  Comparison with Other Options:

  Bypassing Defensive Systems (A): Not directly related to SNMP enumeration.

  Using Automation Tools (B): While SNMPwalk is automated, the primary purpose here is validation.

  Script Exploits (C): SNMPwalk is not used for scripting exploits but for information gathering.

  By using snmpwalk, the tester is validating the results from the vulnerability scanner and removing any false positives, ensuring accurate reporting.

• Question 129:

  A penetration tester completed a vulnerability scan against a web server and identified a single but severe vulnerability.

  Which of the following is the BEST way to ensure this is a true positive?

  A. Run another scanner to compare.
  B. Perform a manual test on the server.
  C. Check the results on the scanner.
  D. Look for the vulnerability online.
  B. Perform a manual test on the server.

• Question 130:

  A company wants to perform a BAS (Breach and Attack Simu-lation) to measure the efficiency of the corporate security controls.

  Which of the following would most likely help the tester with simple command examples?

  A. Infection Monkey
  B. Exploit-DB
  C. Atomic Red Team
  D. Mimikatz
  C. Atomic Red Team

  ---

  Explanation

  Breach and Attack Simulation (BAS) tools emulate real-world attacks to test security controls.

  Atomic Red Team (Option C):

  Atomic Red Team is an open-source BAS framework that provides simple commands to simulate MITRE

  ATT&CK?techniques.

  It allows controlled adversary simulations without real exploitation.

  References:

  CompTIA PenTest+ PT0-003 Official Study Guide - "Breach and Attack Simulation Tools"

  Incorrect options:

  Option A (Infection Monkey): Also a BAS tool but focuses on automated lateral movement, not simple commands.

  Option B (Exploit-DB): A repository of exploits but not a BAS tool.

  Option D (Mimikatz): Used for credential dumping, not BAS testing.