CompTIA PT0-003 Online Practice Questions and Exam Preparation

CompTIA PT0-003 Online Questions & Answers

• Question 141:

  A penetration tester, who is doing an assessment, discovers an administrator has been exfiltrating proprietary company information. The administrator offers to pay the tester to keep quiet.

  Which of the following is the BEST action for the tester to take?

  A. Check the scoping document to determine if exfiltration is within scope.
  B. Stop the penetration test.
  C. Escalate the issue.
  D. Include the discovery and interaction in the daily report.
  B. Stop the penetration test.

  ---

  Explanation

  "Another reason to communicate with the customer is to let the customer know if something unexpected arises while doing the pentest, such as if a critical vulnerability is found on a system, a new target system is found that is outside the scope of the penetration test targets, or a security breach is discovered when doing the penetration test. You will need to discuss how to handle such discoveries and who to contact if those events occur. In case of such events, you typically stop the pentest temporarily to discuss the issue with the customer, then resume once a resolution has been determined."

• Question 142:

  During an assessment, a penetration tester runs the following command from a Linux machine:

  GetUsersSPNs.py -dc-ip 172.16.1.1 DOMAIN.LOCAL/aholliday -request

  Which of the following is the penetration tester trying to do?

  A. Crack the user password for aholliday
  B. Download all TGS tickets for offline processing
  C. Perform a pass-the-hash attack using the hash for aholliday
  D. Perform password spraying
  B. Download all TGS tickets for offline processing

  ---

  Explanation

  The GetUserSPNs.py script (part of Impacket) is used in Kerberoasting attacks. It requests Service Principal Names (SPNs) for users with associated services, retrieves TGS tickets , and then allows offline cracking of those tickets.

  From the CompTIA PenTest+ PT0-003 Study Guide (Chapter 8 ?Post-Exploitation) :

  "Kerberoasting involves requesting service tickets for SPNs, which can then be cracked offline to retrieve service account passwords."

  References:

  Chapter 8, CompTIA PenTest+ PT0-003 Official Study Guide

• Question 143:

  A penetration tester is able to capture the NTLM challenge-response traffic between a client and a server.

  Which of the following can be done with the pcap to gain access to the server?

  A. Perform vertical privilege escalation.
  B. Replay the captured traffic to the server to recreate the session.
  C. Use John the Ripper to crack the password.
  D. Utilize a pass-the-hash attack.
  D. Utilize a pass-the-hash attack.

• Question 144:

  During an assessment, a penetration tester wants to extend the vulnerability search to include the use of dynamic testing.

  Which of the following tools should the tester use?

  A. Mimikatz
  B. ZAP
  C. OllyDbg
  D. SonarQube
  B. ZAP

  ---

  Explanation

  Dynamic Application Security Testing (DAST):

  Definition: DAST involves testing the application in its running state to identify vulnerabilities that could be exploited by an attacker.

  Purpose: Simulates attacks on a live application, examining how it behaves and identifying security weaknesses.

  ZAP (Zed Attack Proxy):

  Description: An open-source DAST tool developed by OWASP.

  Features: Capable of scanning web applications for vulnerabilities, including SQL injection, XSS, CSRF, and other common web application vulnerabilities.

  Usage: Ideal for dynamic testing as it interacts with the live application and identifies vulnerabilities that may not be visible in static code analysis.

  Other Tools:

  Mimikatz: Used for post-exploitation activities, specifically credential dumping on Windows systems.

  OllyDbg: A debugger used for reverse engineering and static analysis of binary files, not suitable for dynamic testing.

  SonarQube: A static code analysis tool used for SAST (Static Application Security Testing), not for dynamic testing.

  References:

  Web Application Security Testing: Utilizing DAST tools like ZAP to dynamically test and find vulnerabilities in running web applications.

  OWASP Tools: Leveraging open-source tools recommended by OWASP for comprehensive security testing.

  By using ZAP, the penetration tester can perform dynamic testing to identify runtime vulnerabilities in web applications, extending the scope of the vulnerability search.

• Question 145:

  A penetration tester exploited a unique flaw on a recent penetration test of a bank. After the test was completed, the tester posted information about the exploit online along with the IP addresses of the exploited machines.

  Which of the following documents could hold the penetration tester accountable for this action?

  A. ROE
  B. SLA
  C. MSA
  D. NDA
  D. NDA

• Question 146:

  A penetration tester is trying to get unauthorized access to a web application and executes the following command:

  GET /foo/images/file?

  id=2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd Which of the following web application attacks is the tester performing?

  A. Insecure Direct Object Reference
  B. Cross-Site Request Forgery
  C. Directory Traversal
  D. Local File Inclusion
  C. Directory Traversal

  ---

  Explanation

  The attacker is attempting to access restricted files by navigating directories beyond their intended scope.

  Directory Traversal (Option C):

  The request uses encoded "../" sequences (%2e%2e%2f = ../) to move up directories and access /etc/ passwd.

  This is a classic directory traversal attack aimed at accessing system files.

  References:

  CompTIA PenTest+ PT0-003 Official Study Guide - "Directory Traversal Attacks"

  Incorrect options:

  Option A (Insecure Direct Object Reference - IDOR): IDOR exploits direct access to objects (e.g., changing user_id=123 to user_id=456), not directory navigation.

  Option B (CSRF): CSRF forces users to execute unwanted actions, unrelated to directory access.

  Option D (Local File Inclusion - LFI): LFI involves including local files (e.g., executing PHP scripts), but this attack only reads a file.

• Question 147:

  A penetration tester is conducting an assessment on 192.168.1.112. Given the following output:

  

  Which of the following is the penetration tester conducting?

  A. Port scan
  B. Brute force
  C. Credential stuffing
  D. DoS attack
  B. Brute force

  ---

  Explanation

  The output shows multiple login attempts with different passwords for the same username "root" on the IP address 192.168.1.112. This is indicative of a brute force attack, where an attacker systematically tries various password combinations to gain unauthorized access.

  References:

  The Official CompTIA PenTest+ Study Guide (Exam PT0-002), Chapter 4: Conducting Passive Reconnaissance

  The Official CompTIA PenTest+ Student Guide (Exam PT0-002), Lesson 4:Conducting Active Reconnaissance.

• Question 148:

  During an assessment, a penetration tester runs the following command:

  dnscmd.exe /config /serverlevelplugindll C:\Users\necad-TA\Documents\adduser.dll

  Which of the following is the penetration tester trying to achieve?

  A. DNS enumeration
  B. Privilege escalation
  C. Command injection
  D. A list of available users
  B. Privilege escalation

  ---

  Explanation

  The tester is attempting to register a malicious DLL as a server-level plugin to escalate privileges.

  Privilege escalation (Option B):

  The command uses dnscmd.exe, a legitimate Windows tool for managing DNS servers.

  By setting a malicious DLL (adduser.dll) as a server-level plugin, attackers can gain SYSTEM-level privileges.

  This technique is a DLL hijacking attack.

  References:

  CompTIA PenTest+ PT0-003 Official Study Guide - "Windows Privilege Escalation Techniques"

  Incorrect options:

  Option A (DNS enumeration): The command modifies DNS settings rather than querying them.

  Option C (Command injection): The attacker is not injecting arbitrary shell commands.

  Option D (List of users): The command does not retrieve user information.et unauthorized access to

• Question 149:

  A penetration tester assesses a complex web application and wants to explore potential security weaknesses by searching for subdomains that might have existed in the past.

  Which of the following tools should the penetration tester use?

  A. Censys.io
  B. Shodan
  C. Wayback Machine
  D. SpiderFoot
  C. Wayback Machine

  ---

  Explanation

  The Wayback Machine is an online tool that archives web pages over time, allowing users to see how a website looked at various points in its history. This can be extremely useful for penetration testers looking to explore potential security weaknesses by searching for subdomains that might have existed in the past.

  Accessing the Wayback Machine:

  Go to the Wayback Machine website: archive.org/web.

  Enter the URL of the target website you want to explore.

  Navigating Archived Pages:

  The Wayback Machine provides a timeline and calendar interface to browse through different snapshots taken over time.

  Select a snapshot to view the archived version of the site. Look for links, subdomains, and resources that may no longer be available in the current version of the website.

  Identifying Subdomains:

  Examine the archived pages for references to subdomains, which might be visible in links, scripts, or embedded content.

  Use the information gathered to identify potential entry points or older versions of web applications that might still be exploitable.

  Tool Integration:

  Tools like Burp Suite or SpiderFoot can integrate with the Wayback Machine to automate the discovery process of archived subdomains and resources.

  Real-World Example:

  During a penetration test, a tester might find references to oldadmin.targetsite.com in an archived page from several years ago. This subdomain might no longer be listed in DNS but could still be accessible, leading to potential security vulnerabilities.

  References from Pentesting Literature:

  In various penetration testing guides and HTB write-ups, using the Wayback Machine is a common technique for passive reconnaissance, providing historical context and revealing past configurations that might still be exploitable.

  References:

  HTB Official Writeups

• Question 150:

  A penetration tester gains access to a Windows machine and wants to further enumerate users with native operating system credentials.

  Which of the following should the tester use?

  A. route.exe print
  B. netstat.exe -ntp
  C. net.exe commands
  D. strings.exe -a
  C. net.exe commands

  ---

  Explanation

  To further enumerate users on a Windows machine using native operating system commands, the tester should use net.exe commands. The net command is a versatile tool that provides various network functionalities, including user enumeration.

  net.exe:

  net user: This command displays a list of user accounts on the local machine.

  net user net localgroup: This command lists all local groups, and by specifying a group name, it can list the members of that group.

  net localgroup administrators Enumerating Users:

  List All Users: The net user command provides a comprehensive list of all user accounts configured on the system.

  Group Memberships: The net localgroup command can be used to see which users belong to specific groups, such as administrators.

  References:

  Post-Exploitation: After gaining initial access, enumerating user accounts helps understand the structure and potential targets for privilege escalation.

  Windows Commands: Leveraging built-in commands like net for enumeration ensures that no additional tools need to be uploaded to the target system, reducing the risk of detection.

  Using net.exe commands, the penetration tester can effectively enumerate user accounts and group memberships on the compromised Windows machine, aiding in further exploitation and privilege escalation.