CompTIA PT0-003 Online Practice Questions and Exam Preparation

CompTIA PT0-003 Online Questions & Answers

• Question 151:

  A penetration tester established an initial compromise on a host. The tester wants to pivot to other targets and set up an appropriate relay. The tester needs to enumerate through the compromised host as a relay from the tester's machine.

  Which of the following commands should the tester use to do this task from the tester's host?

  A. attacker_host$ nmap -sT <target_cidr> | nc -n <compromised_host> 22
  B. attacker_host$ mknod backpipe p attacker_host$ nc -l -p 8000 | 0<backpipe | nc <target_cidr> 80 | tee backpipe
  C. attacker_host$ nc -nlp 8000 | nc -n <target_cidr> attacker_host$ nmap -sT 127.0.0.1
  D. attacker_host$ proxychains nmap -sT <target_cidr>
  D. attacker_host$ proxychains nmap -sT <target_cidr>

  ---

  Explanation

  ProxyChains is a tool that allows you to route your traffic through a chain of proxy servers, which can be used to anonymize your network activity. In this context, it is being used to route Nmap scan traffic through the compromised host, allowing the penetration tester to pivot and enumerate other targets within the network.

  Understanding ProxyChains:

  Purpose: ProxyChains allows you to force any TCP connection made by any given application to follow through proxies like TOR, SOCKS4, SOCKS5, and HTTP(S).

  Usage: It's commonly used to anonymize network traffic and perform actions through an intermediate proxy.

  Command Breakdown:

  proxychains nmap -sT <target_cidr>: This command uses ProxyChains to route the Nmap scan traffic through the configured proxies.

  Nmap Scan (-sT): This option specifies a TCP connect scan.

  Setting Up ProxyChains:

  Configuration File: ProxyChains configuration is typically found at /etc/proxychains.conf.

  Adding Proxy: Add the compromised host as a SOCKS proxy.

  Step-by-Step Explanationplaintext

  Copy code

  socks4 127.0.0.1 1080 Execution:

  Start Proxy Server: On the compromised host, run a SOCKS proxy (e.g., using ssh -D 1080 user@compromised_host).

  Run ProxyChains with Nmap: Execute the command on the attacker's host.

  proxychains nmap -sT <target_cidr>

  References from Pentesting Literature:

  ProxyChains is commonly discussed in penetration testing guides for scenarios involving pivoting through a compromised host.

  HTB write-ups frequently illustrate the use of ProxyChains for routing traffic through intermediate systems.

  References:

  Penetration Testing - A Hands-on Introduction to Hacking

  HTB Official Writeups

• Question 152:

  HOTSPOT

  A penetration tester is performing reconnaissance for a web application assessment. Upon investigation, the tester reviews the robots.txt file for items of interest.

  INSTRUCTIONS

  Select the tool the penetration tester should use for further investigation.

  Select the two entries in the robots.txt file that the penetration tester should recommend for removal.

  If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

  

  

  Explanation

  The tool the penetration tester should use for the further investigation is WPScan The two entries in the robots.txt file that the penetration tester should recommend for removal are 14 Allow: /admin 15 Allow: /wp-admin

• Question 153:

  Which of the following tools would be best to use to conceal data in various kinds of image files?

  A. Kismet
  B. Snow
  C. Responder
  D. Metasploit
  B. Snow

  ---

  Explanation

  Snow is a tool designed for steganography, which is the practice of concealing messages or information within other non-secret text or data. In this context, Snow is specifically used to hide data within whitespace of text files, which can include the whitespace areas of images saved in formats that support text descriptions or metadata, such as certain PNG or JPEG files. While the other tools listed (Kismet, Responder, Metasploit) are powerful in their respective areas (network sniffing, LLMNR/NBT-NS poisoning, and exploitation framework), they do not offer functionality related to data concealment in image files or steganography.

• Question 154:

  A penetration tester has been asked to conduct a blind web application test against a customer's corporate website.

  Which of the following tools would be best suited to perform this assessment?

  A. ZAP
  B. Nmap
  C. Wfuzz
  D. Trufflehog
  A. ZAP

  ---

  Explanation

  A blind web application test means that the tester has no prior knowledge of the application's internal workings. The best tool for automated scanning and vulnerability detection is a web application proxy such as OWASP ZAP.

  ZAP (Option A):

  OWASP Zed Attack Proxy (ZAP) is a widely used web application scanner for finding common vulnerabilities (e.g., SQL injection, XSS, authentication flaws).

  It provides passive and active scanning features to test web applications for security weaknesses.

  References:

  CompTIA PenTest+ PT0-003 Official Study Guide - "Web Application Testing Tools"

  Incorrect options:

  Option B (Nmap): Nmap is a network scanning tool, not specialized for web application testing.

  Option C (Wfuzz): Wfuzz is a fuzzer for brute-force attacks, but it is not a full web vulnerability scanner.

  Option D (Trufflehog): Trufflehog is used for secrets detection in repositories, not web testing.

• Question 155:

  Which of the following describes a globally accessible knowledge base of adversary tactics and techniques based on real-world observations?

  A. OWASP Top 10
  B. MITRE ATT&CK
  C. Cyber Kill Chain
  D. Well-Architected Framework
  B. MITRE ATT&CK

• Question 156:

  While conducting OSINT, a penetration tester discovers the client's administrator posted part of an unsanitized firewall configuration to a troubleshooting message board.

  Which of the following did the penetration tester most likely use?

  A. HTML scraping
  B. Public code repository scanning
  C. Wayback Machine
  D. Search engine enumeration
  D. Search engine enumeration

  ---

  Explanation

  Search engine enumeration refers to using advanced search operators (e.g., Google Dorking) to find sensitive or misconfigured data exposed publicly on the internet. In this case, the administrator inadvertently posted firewall configuration details, and a tester likely used specific search queries to discover this data.

  According to the CompTIA PenTest+ PT0-003 Official Study Guide (Chapter 3 ?Passive Reconnaissance and OSINT) :

  "Search engine enumeration, often using dorking techniques, can uncover publicly available but sensitive data, such as configuration files, credentials, or documents unintentionally published online."

  References:

  Chapter 3, CompTIA PenTest+ PT0-003 Official Study Guide

• Question 157:

  Which of the following techniques is the best way to avoid detection by data loss prevention tools?

  A. Encoding
  B. Compression
  C. Encryption
  D. Obfuscation
  C. Encryption

  ---

  Explanation

  Data Loss Prevention (DLP) tools monitor network traffic and files for sensitive information leaks. The most effective way to bypass DLP is to use encryption, since DLP systems cannot inspect encrypted content.

  Option A (Encoding) : Base64 or Hex encoding can sometimes bypass filters, but many DLP tools detect common encoding schemes.

  Option B (Compression) : Compression can change file signatures, but modern DLP systems can inspect compressed files.

  Option C (Encryption) : Correct.

  Strong encryption prevents DLP tools from analyzing file contents.

  Option D (Obfuscation) : Code obfuscation may work for source code leaks, but DLP solutions use heuristics to detect patterns.

  References:

  CompTIA PenTest+ PT0-003 Official Guide ?Bypassing Security Controls

• Question 158:

  A company hired a penetration-testing team to review the cyber-physical systems in a manufacturing plant.

  The team immediately discovered the supervisory systems and PLCs are both connected to the company intranet.

  Which of the following assumptions, if made by the penetration-testing team, is MOST likely to be valid?

  A. PLCs will not act upon commands injected over the network.
  B. Supervisors and controllers are on a separate virtual network by default.
  C. Controllers will not validate the origin of commands.
  D. Supervisory systems will detect a malicious injection of code/commands.
  C. Controllers will not validate the origin of commands.

  ---

  Explanation

  PLCs are programmable logic controllers that execute logic operations on input signals from sensors and output signals to actuators. They are often connected to supervisory systems that provide human-machine interfaces and data acquisition functions. If both systems are connected to the company intranet, they are exposed to potential attacks from internal or external adversaries. A valid assumption is that controllers will not validate the origin of commands, meaning that an attacker can send malicious commands to manipulate or sabotage the industrial process. The other assumptions are not valid because they contradict the facts or common practices.

• Question 159:

  A company that requires minimal disruption to its daily activities needs a penetration tester to perform information gathering around the company's web presence.

  Which of the following would the tester find MOST helpful in the initial information-gathering steps? (Choose two.)

  A. IP addresses and subdomains
  B. Zone transfers
  C. DNS forward and reverse lookups
  D. Internet search engines
  E. Externally facing open ports
  F. Shodan results
  A. IP addresses and subdomains
  D. Internet search engines

  ---

  Explanation

  Option A: IP addresses and subdomains. This is correct. IP addresses and subdomains are useful information for a penetration tester to identify the scope and range of the company's web presence. IP addresses can reveal the location, network, and service provider of the company's web servers, while subdomains can indicate the different functions and features of the company's website. A penetration tester can use tools like whois, Netcraft, or DNS lookups to find IP addresses and subdomains associated with the company's domain name.

  Option D: Internet search engines. This is correct. Internet search engines are powerful tools for a penetration tester to perform passive information gathering around the company's web presence. Search engines can provide a wealth of information, such as the company's profile, history, news, social media accounts, reviews, products, services, customers, partners, competitors, and more. A penetration tester can use advanced search operators and keywords to narrow down the results and find relevant information. For example, using the site: operator can limit the results to a specific domain or subdomain, while using the intitle: operator can filter the results by the title of the web pages.

• Question 160:

  Which of the following components of a penetration test report most directly contributes to prioritizing remediations?

  A. Proof of concept
  B. Risk scoring
  C. Attack narrative
  D. Executive summary
  B. Risk scoring

  ---

  Explanation

  Risk scoring is the report element that most directly enables an organization to prioritize remediation work because it translates technical findings into an ordered view of business risk. In PenTest+ reporting guidance, testers are expected to communicate not only what is vulnerable but also how severe the issue is and how likely it is to be exploited, often incorporating factors such as exploitability, impact, exposure, and the presence of compensating controls. This produces a defensible ranking that helps stakeholders decide what to fix first when time and resources are limited.

  Proof of concept supports validation by demonstrating that exploitation is possible, but it does not inherently provide comparative urgency across multiple findings. An attack narrative explains the path the tester used to achieve objectives (useful for understanding chaining and scope impact), but it is typically descriptive rather than a prioritization mechanism. The executive summary is aimed at leadership-level communication and overall posture, yet it usually depends on underlying risk ratings to justify what should be addressed first. Therefore, risk scoring most directly drives remediation prioritization.