CompTIA PT0-003 Online Practice Questions and Exam Preparation

CompTIA PT0-003 Online Questions & Answers

• Question 181:

  A penetration tester needs to test a very large number of URLs for public access. Given the following code snippet:

  1 import requests

  2 import pathlib

  4 for url in pathlib.Path("urls.txt").read_text().split("\n"):

  5 response = requests.get(url)

  6 if response.status == 401:

  7 print("URL accessible")

  Which of the following changes is required?

  A. The condition on line 6
  B. The method on line 5
  C. The import on line 1
  D. The delimiter in line 3
  A. The condition on line 6

  ---

  Explanation

  Script Analysis:

  Line 1: import requests - Imports the requests library to handle HTTP requests.

  Line 2: import pathlib - Imports the pathlib library to handle file paths.

  Line 4: for url in pathlib.Path("urls.txt").read_text().split("\n"): - Reads the urls.txt file, splits its contents by newline, and iterates over each URL.

  Line 5: response = requests.get(url) - Sends a GET request to the URL and stores the response.

  Line 6: if response.status == 401: - Checks if the response status code is 401 (Unauthorized).

  Line 7: print("URL accessible") - Prints a message indicating the URL is accessible.

  Error Identification:

  The condition if response.status == 401: is incorrect for determining if a URL is publicly accessible. A 401 status code indicates that the resource requires authentication.

  Correct Condition:

  The correct condition should check for a 200 status code, which indicates that the request was successful and the resource is accessible.

  Corrected Script:

  Replace if response.status == 401: with if response.status_code == 200: to correctly identify publicly accessible URLs.

  References:

  In penetration testing, checking the accessibility of multiple URLs is a common task, often part of reconnaissance. Identifying publicly accessible resources can reveal potential entry points for further testing.

  The requests library in Python is widely used for making HTTP requests and handling responses.

  Understanding HTTP status codes is crucial for correctly interpreting the results of these requests.

  By changing the condition to check for a 200 status code, the script will correctly identify and print URLs that are publicly accessible.

• Question 182:

  Which of the following describes the process of determining why a vulnerability scanner is not providing results?

  A. Root cause analysis
  B. Secure distribution
  C. Peer review
  D. Goal reprioritization
  A. Root cause analysis

  ---

  Explanation

  Root cause analysis involves identifying the underlying reasons why a problem is occurring. In the context of a vulnerability scanner not providing results, performing a root cause analysis would help determine why the scanner is failing to deliver the expected output. Here's why option A is correct:

  Root Cause Analysis: This is a systematic process used to identify the fundamental reasons for a problem.

  It involves investigating various potential causes and pinpointing the exact issue that is preventing the vulnerability scanner from working correctly.

  Secure Distribution: This refers to the secure delivery and distribution of software or updates, which is not relevant to troubleshooting a vulnerability scanner.

  Peer Review: This involves evaluating work by others in the same field to ensure quality and accuracy, but it is not directly related to identifying why a tool is malfunctioning.

  Goal Reprioritization: This involves changing the priorities of goals within a project, which does not address the technical issue of the scanner not working.

  References from Pentest:

  Horizontall HTB: Demonstrates the process of troubleshooting and identifying issues with tools and their configurations to ensure they work correctly.

  Writeup HTB: Emphasizes the importance of thorough analysis to understand why certain security tools may fail during an assessment.

• Question 183:

  A penetration tester successfully clones a source code repository and then runs the following command:

  find . -type f -exec egrep -i "token|key|login" {} \;

  Which of the following is the penetration tester conducting?

  A. Data tokenization
  B. Secrets scanning
  C. Password spraying
  D. Source code analysis
  B. Secrets scanning

  ---

  Explanation

  Penetration testers search for hardcoded credentials, API keys, and authentication tokens in source code repositories to identify secrets leakage.

  Secrets scanning (Option B):

  The find and egrep command scans all files recursively for sensitive keywords like "token," "key," and

  "login".

  Attackers use tools like TruffleHog and GitLeaks to automate secret discovery.

  References:

  CompTIA PenTest+ PT0-003 Official Study Guide - "Source Code Review and Secret Leakage"

  Incorrect options:

  Option A (Data tokenization): Tokenization replaces sensitive data with unique tokens, not scanning for credentials.

  Option C (Password spraying): Tries common passwords across multiple accounts, unrelated to scanning source code.

  Option D (Source code analysis): Broader than secrets scanning

  this question focuses specifically on credential discovery.

• Question 184:

  A penetration tester has gained access to the Chief Executive Officer's (CEO's) internal, corporate email.

  The next objective is to gain access to the network.

  Which of the following methods will MOST likely work?

  A. Try to obtain the private key used for S/MIME from the CEO's account.
  B. Send an email from the CEO's account, requesting a new account.
  C. Move laterally from the mail server to the domain controller.
  D. Attempt to escalate privileges on the mail server to gain root access.
  D. Attempt to escalate privileges on the mail server to gain root access.

• Question 185:

  During an assessment on a client that uses virtual desktop infrastructure in the cloud, a penetration tester gains access to a host and runs commands. The penetration tester receives the following output:

  -rw-r--r-- 1 comptiauser comptiauser 807 Apr 6 05:32 .profile drwxr-xr-x 2 comptiauser comptiauser 4096 Apr 6 05:32 .ssh

  -rw-r--r-- 1 comptiauser comptiauser 3526 Apr 6 05:32 .bashrc drwxr-xr-x 4 comptiauser comptiauser 4096 May 12 11:05 .aws

  -rw-r--r-- 1 comptiauser comptiauser 1325 Aug 21 19:54 .

  zsh_history drwxr-xr-x 12 comptiauser comptiauser 4096 Aug 27 14:10 Documents drwxr-xr-x 16 comptiauser comptiauser 4096 Aug 27 14:10 Desktop drwxr-xr-x 2 comptiauser comptiauser 4096 Aug 27 14:10 Downloads Which of the following should the penetration tester investigate first?

  A. Documents
  B. .zsh_history
  C. .aws
  D. .ssh
  C. .aws

  ---

  Explanation

  In a cloud-hosted VDI scenario, the highest-value next step is typically to identify cloud credentials and configuration artifacts that enable access beyond the single desktop instance. The .aws directory is a well-known location where AWS command-line tooling stores sensitive material such as credential profiles and configuration details (for example, access keys, session tokens, default regions, and named profiles).

  PenTest+ emphasizes post-exploitation enumeration that targets credential sources capable of expanding access and impact, especially in cloud environments where a single set of keys may permit interacting with storage, compute, identity, and management APIs.

  While .ssh can contain private keys useful for pivoting to other servers, in many cloud deployments SSH keys are scoped to specific hosts, whereas cloud access keys can unlock broader control-plane capabilities depending on attached permissions. .zsh_history is valuable for discovering commands and potentially leaked secrets, but it is less direct than immediately checking for structured cloud credentials.

  User folders like Documents are lower priority compared to credential repositories that can rapidly escalate the assessment's scope of access.

• Question 186:

  During a security audit, a penetration tester wants to run a process to gather information about a target network's domain structure and associated IP addresses.

  Which of the following tools should the tester use?

  A. Dnsenum
  B. Nmap
  C. Netcat
  D. Wireshark
  A. Dnsenum

  ---

  Explanation

  Dnsenum is a tool specifically designed to gather information about DNS, including domain structure and associated IP addresses. Here's why option A is correct:

  Dnsenum: This tool is used for DNS enumeration and can gather information about a domain's DNS records, subdomains, IP addresses, and other related information. It is highly effective for mapping out a target network's domain structure.

  Nmap: While a versatile network scanning tool, Nmap is more focused on port scanning and service detection rather than detailed DNS enumeration.

  Netcat: This is a network utility for reading and writing data across network connections, not for DNS enumeration.

  Wireshark: This is a network protocol analyzer used for capturing and analyzing network traffic but not specifically for gathering DNS information.

  References from Pentest:

  Anubis HTB: Shows the importance of using DNS enumeration tools like Dnsenum to gather detailed information about the target's domain structure.

  Forge HTB: Demonstrates the process of using specialized tools to collect DNS and IP information efficiently.

• Question 187:

  A tester runs an Nmap scan against a Windows server and receives the following results:

  Nmap scan report for win_dns.local (10.0.0.5) Host is up (0.014s latency) Port State Service 53/tcp open domain 161/tcp open snmp 445/tcp open smb-ds

  3389/tcp open rdp

  Which of the following TCP ports should be prioritized for using hash-based relays?

  A. 53
  B. 161
  C. 445
  D. 3389
  C. 445

  ---

  Explanation

  Port 445 is used for SMB (Server Message Block) services, which are commonly targeted for hash-based relay attacks like NTLM relay attacks.

  Understanding Hash-Based Relays:

  NTLM Relay Attack: An attacker intercepts and relays NTLM authentication requests to another service, effectively performing authentication on behalf of the victim.

  SMB Protocol: Port 445 is used for SMB/CIFS traffic, which supports NTLM authentication.

  Prioritizing Port 445:

  Vulnerability: SMB is often targeted because it frequently supports NTLM authentication, making it susceptible to relay attacks.

  Tools: Tools like Responder and NTLMRelayX are commonly used to capture and relay NTLM hashes over SMB.

  Execution:

  Capture Hash: Use a tool like Responder to capture NTLM hashes.

  Relay Hash: Use a tool like NTLMRelayX to relay the captured hash to another service on port 445.

  References from Pentesting Literature:

  Penetration testing guides frequently discuss targeting SMB (port 445) for hash-based relay attacks.

  HTB write-ups often include examples of NTLM relay attacks using port 445.

  Step-by-Step ExplanationReferences:

  Penetration Testing - A Hands-on Introduction to Hacking

  HTB Official Writeups

• Question 188:

  A penetration tester performs an assessment on the target company's Kubernetes cluster using kube-hunter.

  Which of the following types of vulnerabilities could be detected with the tool?

  A. Network configuration errors in Kubernetes services
  B. Weaknesses and misconfigurations in the Kubernetes cluster
  C. Application deployment issues in Kubernetes
  D. Security vulnerabilities specific to Docker containers
  B. Weaknesses and misconfigurations in the Kubernetes cluster

  ---

  Explanation

  kube-hunter is a tool designed to perform security assessments on Kubernetes clusters. It identifies various vulnerabilities, focusing on weaknesses and misconfigurations. Here's why option B is correct:

  Kube-hunter: It scans Kubernetes clusters to identify security issues, such as misconfigurations, insecure settings, and potential attack vectors.

  Network Configuration Errors: While kube-hunter might identify some network-related issues, its primary focus is on Kubernetes-specific vulnerabilities and misconfigurations.

  Application Deployment Issues: These are more related to the applications running within the cluster, not the cluster configuration itself.

  Security Vulnerabilities in Docker Containers: Kube-hunter focuses on the Kubernetes environment rather than Docker container-specific vulnerabilities.

  References from Pentest:

  Forge HTB: Highlights the use of specialized tools to identify misconfigurations in environments, similar to how kube-hunter operates within Kubernetes clusters.

  Anubis HTB: Demonstrates the importance of identifying and fixing misconfigurations within complex environments like Kubernetes clusters.

  Conclusion:

  Option B, weaknesses and misconfigurations in the Kubernetes cluster, accurately describes the type of vulnerabilities that kube-hunter is designed to detect.

• Question 189:

  A penetration tester is researching a path to escalate privileges. While enumerating current user privileges, the tester observes the following output:

  

  Which of the following privileges should the tester use to achieve the goal?

  A. SeImpersonatePrivilege
  B. SeCreateGlobalPrivilege
  C. SeChangeNotifyPrivilege
  D. SeManageVolumePrivilege
  A. SeImpersonatePrivilege

  ---

  Explanation

  The SeImpersonatePrivilege allows a process to impersonate another user's security context, which is commonly used in token manipulation attacks for privilege escalation.

  Option A (SeImpersonatePrivilege) : Correct.

  Used in Juicy Potato or Rogue Potato attacks to escalate privileges.

  Option B (SeCreateGlobalPrivilege) : Allows creating global objects, but not privilege escalation.

  Option C (SeChangeNotifyPrivilege) : Enables traverse directory access, not privilege escalation.

  Option D (SeManageVolumePrivilege) : Used for disk management, not privilege escalation.

  References:

  CompTIA PenTest+ PT0-003 Official Guide - Windows Privilege Escalation via Token Impersonation

• Question 190:

  A tester obtains access to an endpoint subnet and wants to move laterally in the network. Given the following output:

  Nmap scan report for some_host

  Host is up (0.01s latency).

  PORT STATE SERVICE

  445/tcp open microsoft-ds

  Host script results:

  smb2-security-mode:

  Message signing disabled

  Which of the following command and attack methods is the most appropriate for reducing the chances of being detected?

  A. responder -I eth0 -dwv && ntlmrelayx.py -smb2support -tf <target>
  B. msf > use exploit/windows/smb/ms17_010_psexec msf > set <options> msf > run
  C. hydra -L administrator -P /path/to/passwdlist smb://<target>
  D. nmap --script smb-brute.nse -p 445 <target>
  A. responder -I eth0 -dwv && ntlmrelayx.py -smb2support -tf <target>

  ---

  Explanation

  The Nmap scan output indicates SMB (port 445) is open, and message signing is disabled. This makes the system vulnerable to NTLM relay attacks.

  Option A (responder -I eth0 -dwv ntlmrelayx.py -smb2support -tf <target>) : Correct.

  Responder poisons LLMNR and NBT-NS requests, capturing NTLM hashes. NTLMRelayX then relays captured hashes to an SMB service without message signing, allowing unauthorized access.

  This attack is stealthier than brute-force methods.

  Option B (ms17_010_psexec): This exploits EternalBlue, but we don't have confirmation that this system is vulnerable to MS17-010.

  Option C (hydra brute-force): SMB brute-force is noisy and will likely trigger alerts.

  Option D (smb-brute.nse): This brute-force attack is also loud and detectable.

  References:

  CompTIA PenTest+ PT0-003 Official Guide ?NTLM Relay&

  SMB Exploitation