CompTIA PT0-003 Online Practice Questions and Exam Preparation

CompTIA PT0-003 Online Questions & Answers

• Question 131:

  During an engagement, a penetration tester discovers a web application vulnerability that affects multiple devices. The tester creates and runs the following script:

  #!/bin/sh

  for addr in $(cat targets)

  do

  curl http://$addr//atod.php?execf=echo%20%22ssh-ed25519%20AAAC3NzaC1lZDI1NTE5AAAA...

  %22%20%3E%3E%20/root/authorized_users done Which of the following best describes what the tester is attempting to do?

  A. Staging payloads to make bind shells
  B. Creating a backdoor on several weak targets
  C. Adding a password for the root user on the targets
  D. Generating SSH keys to decrypt data on each target
  B. Creating a backdoor on several weak targets

  ---

  Explanation

  The script iterates through a list of target hosts and sends an HTTP request to a vulnerable endpoint (atod.php) with a parameter (execf=) that appears to trigger remote command execution on each device.

  The command being issued is echo "ssh-ed25519 ..." followed by an append redirection operator (>>) into a file under /root/authorized_users. The ssh-ed25519 string is the format of an SSH public key, and appending a public key into an "authorized users/keys" style file is a common persistence technique that allows the tester (or an attacker) to authenticate via SSH without knowing a password.

  In PenTest+ terms, this is establishing persistence/backdoor access after exploitation by planting an authentication mechanism that can be reused later. It is not creating a bind shell (no listener is set up), not changing a root password (no passwd or hash modification is shown), and not generating keys for decryption (the key material is being written to an authorization file for access). The loop indicates the intent is to apply this across multiple affected devices.

• Question 132:

  A penetration tester who is performing a physical assessment of a company's security practices notices the company does not have any shredders inside the office building.

  Which of the following techniques would be BEST to use to gain confidential information?

  A. Badge cloning
  B. Dumpster diving
  C. Tailgating
  D. Shoulder surfing
  B. Dumpster diving

• Question 133:

  A tester performs a vulnerability scan and identifies several outdated libraries used within the customer SaaS product offering.

  Which of the following types of scans did the tester use to identify the libraries?

  A. IAST
  B. SBOM
  C. DAST
  D. SAST
  B. SBOM

  ---

  Explanation

  kube-hunter is a tool designed to perform security assessments on Kubernetes clusters. It identifies various vulnerabilities, focusing on weaknesses and misconfigurations. Here's why option B is correct:

  Kube-hunter: It scans Kubernetes clusters to identify security issues, such as misconfigurations, insecure settings, and potential attack vectors.

  Network Configuration Errors: While kube-hunter might identify some network-related issues, its primary focus is on Kubernetes-specific vulnerabilities and misconfigurations.

  Application Deployment Issues: These are more related to the applications running within the cluster, not the cluster configuration itself.

  Security Vulnerabilities in Docker Containers: Kube-hunter focuses on the Kubernetes environment rather than Docker container-specific vulnerabilities.

  References from Pentest:

  Forge HTB: Highlights the use of specialized tools to identify misconfigurations in environments, similar to how kube-hunter operates within Kubernetes clusters.

  Anubis HTB: Demonstrates the importance of identifying and fixing misconfigurations within complex environments like Kubernetes clusters.

  Conclusion:

  Option B, weaknesses and misconfigurations in the Kubernetes cluster, accurately describes the type of vulnerabilities that kube-hunter is designed to detect.

• Question 134:

  While performing a penetration testing exercise, a tester executes the following command:

  bash

  Copy code

  PS c:\tools> c:\hacks\PsExec.exe \\server01.

  comptia.org -accepteula cmd.exe Which of the following best explains what the tester is trying to do?

  A. Test connectivity using PSExec on the server01 using CMD.exe.
  B. Perform a lateral movement attack using PsExec.
  C. Send the PsExec binary file to the server01 using CMD.exe.
  D. Enable CMD.exe on the server01 through PsExec.
  B. Perform a lateral movement attack using PsExec.

  ---

  Explanation

  PsExec is a Windows Sysinternals tool that allows users to execute commands on a remote system without needing an interactive login session. The command above is executing cmd.exe on a remote Windows Active Directory domain machine (server01.cor.ptia.org).

  Option A (Test connectivity using PsExec): The command does not check connectivity; it executes a command remotely.

  Option B (Perform a lateral movement attack): Correct. Lateral movement occurs when an attacker moves from one compromised machine to another within a network, using valid credentials. PsExec is often used for this purpose.

  Option C (Send the PsExec binary): The command runs cmd.exe remotely, but it does not transfer PsExec itself.

  Option D (Enable cmd.exe): cmd.exe is already enabled by default on most Windows systems.

  References:

  CompTIA PenTest+ PT0-003 Official Guide ?Lateral Movement with PsExec

• Question 135:

  A penetration tester has been hired to examine a website for flaws. During one of the time windows for testing, a network engineer notices a flood of GET requests to the web server, reducing the website's response time by 80%. The network engineer contacts the penetration tester to determine if these GET requests are part of the test.

  Which of the following BEST describes the purpose of checking with the penetration tester?

  A. Situational awareness
  B. Rescheduling
  C. DDoS defense
  D. Deconfliction
  D. Deconfliction

  ---

  Explanation

  https://redteam.guide/docs/definitions/Deconfliction

  is the process of coordinating activities and communicating information to avoid interference, confusion, or conflict among different parties involved in an operation. The network engineer contacted the penetration tester to check if the GET requests were part of the test, and to avoid any potential misunderstanding or disruption of the test or the website. The other options are not related to the purpose of checking with the penetration tester.

• Question 136:

  During a security assessment, a penetration tester needs to exploit a vulnerability in a wireless network's authentication mechanism to gain unauthorized access to the network.

  Which of the following attacks would the tester most likely perform to gain access?

  A. KARMA attack
  B. Beacon flooding
  C. MAC address spoofing
  D. Eavesdropping
  C. MAC address spoofing

  ---

  Explanation

  MAC address spoofing involves changing the MAC address of a network interface to mimic another device on the network. This technique is often used to bypass network access controls and gain unauthorized access to a network.

  Understanding MAC Address Spoofing:

  Purpose:

  Tools and Techniques:

  Step-by-Step Explanationifconfig eth0 hw ether 00:11:22:33:44:55 uk.co.certification.simulator.questionpool.PList@2fc317d6

  Impact:

  Detection and Mitigation: References from Pentesting Literature:

  References:

  Penetration Testing - A Hands-on Introduction to Hacking HTB Official Writeups

• Question 137:

  A penetration tester launches an attack against company employees. The tester clones the company's intranet log-in page and sends the link via email to all employees.

  Which of the following best describes the objective and tool selected by the tester to perform this activity?

  A. Gaining remote access using BeEF
  B. Obtaining the list of email addresses using theHarvester
  C. Harvesting credentials using SET
  D. Launching a phishing campaign using Gophish
  C. Harvesting credentials using SET

  ---

  Explanation

  The tester is conducting a phishing attack by cloning the company's login page to steal employee credentials.

  Option A (BeEF): BeEF is used for browser exploitation, not phishing.

  Option B (theHarvester): Used for OSINT, gathering emails, but does not conduct phishing attacks.

  Option C (SET - Social Engineering Toolkit): Correct.

  SET allows testers to clone web pages and perform phishing attacks.

  Option D (GoPhish): GoPhish is a phishing simulation tool, but SET is specifically designed for credential harvesting.

  References:

  CompTIA PenTest+ PT0-003 Official Guide ?Social Engineering&

  Phishing Attacks

• Question 138:

  As part of an engagement, a penetration tester wants to maintain access to a compromised system after rebooting.

  Which of the following techniques would be best for the tester to use?

  A. Establishing a reverse shell
  B. Executing a process injection attack
  C. Creating a scheduled task
  D. Performing a credential-dumping attack
  C. Creating a scheduled task

  ---

  Explanation

  To maintain access to a compromised system after rebooting, a penetration tester should create a scheduled task. Scheduled tasks are designed to run automatically at specified times or when certain conditions are met, ensuring persistence across reboots.

  Persistence Mechanisms:

  Scheduled Task: Creating a scheduled task ensures that a specific program or script runs automatically according to a set schedule or in response to certain events, including system startup. This makes it a reliable method for maintaining access after a system reboot.

  Reverse Shell: While establishing a reverse shell provides immediate access, it typically does not survive a system reboot unless coupled with another persistence mechanism.

  Process Injection: Injecting a malicious process into another running process can provide stealthy access but may not persist through reboots.

  Credential Dumping: Dumping credentials allows for re-access by using stolen credentials, but it does not ensure automatic access upon reboot.

  Creating a Scheduled Task:

  On Windows, the schtasks command can be used to create scheduled tasks. For example:

  schtasks /create /tn "Persistence" /tr "C:\path\to\malicious.exe" /sc onlogon /ru SYSTEM

  On Linux, a cron job can be created by editing the crontab:

  (crontab -l; echo "@reboot /path/to/malicious.sh") | crontab -

  References:

  Maintaining persistence is a key objective in post-exploitation. Scheduled tasks (Windows Task Scheduler) and cron jobs (Linux) are commonly used techniques.

  References to real-world scenarios include creating scheduled tasks to execute malware, keyloggers, or reverse shells automatically on system startup.

  By creating a scheduled task, the penetration tester ensures that their access method (e.g., reverse shell, malware) is executed automatically whenever the system reboots, providing reliable persistence.

• Question 139:

  Which of the following documents describes specific activities, deliverables, and schedules for a penetration tester?

  A. NDA
  B. MSA
  C. SOW
  D. MOU
  C. SOW

• Question 140:

  Which of the following best explains why communication is a vital phase of a penetration test?

  A. To discuss situational awareness
  B. To build rapport with the emergency contact
  C. To explain the data destruction process
  D. To ensure the likelihood of future assessments
  A. To discuss situational awareness

  ---

  Explanation

  Communication is a vital phase of a penetration test to ensure all parties involved are aware of the test's progress, findings, and any potential impact on business operations. Discussing situational awareness involves sharing real-time insights about the security posture, any vulnerabilities found, and potential risks.

  This enables the organization to make informed decisions, mitigate risks promptly, and ensure the test aligns with business objectives and constraints.