CompTIA PT0-003 Online Practice Questions and Exam Preparation

CompTIA PT0-003 Online Questions & Answers

• Question 201:

  A penetration tester uses the Intruder tool from the Burp Suite Community Edition while assessing a web application. The tester notices the test is taking too long to complete.

  Which of the following tools can the tester use to accelerate the test and achieve similar results?

  A. TruffleHog
  B. Postman
  C. Wfuzz
  D. WPScan
  C. Wfuzz

  ---

  Explanation

  Burp Suite Community Edition imposes limitations that can slow high-volume Intruder activities, particularly when performing repetitive request mutation such as parameter fuzzing, directory/file discovery, or input testing with wordlists. In PenTest+ tooling guidance, testers are expected to select alternative tools when a platform constraint reduces efficiency while still keeping the testing objective the same. Wfuzz is designed specifically for fast web fuzzing: it can rapidly send large volumes of HTTP requests while varying parameters, headers, paths, or payload positions using wordlists, and it supports filtering/matching responses (status codes, response size, strings) to identify interesting results-functionally similar to many Intruder use cases.

  TruffleHog focuses on discovering exposed secrets in repositories and artifacts, not accelerating web request fuzzing. Postman is primarily an API client for building and replaying requests, but it is not optimized as a high-speed fuzzing engine. WPScan targets WordPress-specific enumeration and vulnerability checks and won't provide general-purpose Intruder-like fuzzing across arbitrary web applications. Therefore, Wfuzz is the best option to speed up and achieve comparable fuzzing outcomes.

• Question 202:

  A penetration tester obtains the following output during an Nmap scan:

  

  Which of the following should be the next step for the tester?

  A. Search for vulnerabilities on msrpc.
  B. Enumerate shares and search for vulnerabilities on the SMB service.
  C. Execute a brute-force attack against the Remote Desktop Services.
  D. Execute a new Nmap command to search for another port.
  B. Enumerate shares and search for vulnerabilities on the SMB service.

  ---

  Explanation

  The presence of SMB (port 445) and MSRPC (port 135) indicates potential Windows network services that could be vulnerable to misconfigurations or exploits.

  Enumerate shares and search for vulnerabilities on SMB (Option B):

  SMB (Server Message Block) allows file and printer sharing. Misconfigured or open shares could contain sensitive data.

  Tools like enum4linux or smbclient can be used to list available shares and check for anonymous access.

  SMB vulnerabilities (e.g., EternalBlue - CVE-2017-0144) can be exploited for remote code execution.

  References:

  CompTIA PenTest+ PT0-003 Official Study Guide - "SMB Enumeration and Exploitation"

  Incorrect options:

  Option A (Search vulnerabilities on msrpc): MSRPC (Microsoft Remote Procedure Call) is not commonly exploited directly unless an SMB or RDP vulnerability is found.

  Option C (Brute-force RDP): Brute-force attacks generate excessive failed login attempts, triggering security alerts.

  Option D (Search for another port): The open ports already provide sufficient attack vectors.

• Question 203:

  SIMULATION

  A penetration tester performs several Nmap scans against the web application for a client.

  INSTRUCTIONS

  Click on the WAF and servers to review the results of the Nmap scans. Then click on each tab to select the appropriate vulnerability and remediation options.

  If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

  

  

  A. See explanation below.
  B. PlaceHolder
  C. PlaceHolder
  D. PlaceHolder
  A. See explanation below.

  ---

  Explanation

  Most likely vulnerability: Perform a SSRF attack against App01.example.com from CDN.example.com.

  The scenario suggests that the CDN network (with a WAF) can be used to perform a Server-Side Request Forgery (SSRF) attack. Since the penetration tester has the pentester workstation interacting through the CDN/WAF and the production network is behind it, the most plausible attack vector is to exploit SSRF to interact with the internal services like App01.example.com.

  Two best remediation options:

  Restrict direct communications to App01.example.com to only approved components.

  Require an additional authentication header value between CDN.example.com and App01.example.com.

  Restrict direct communications to App01.example.com to only approved components: This limits the exposure of the application server by ensuring that only specified, trusted entities can communicate with it. Require an additional authentication header value between CDN.example.com and App01.example.com: Adding an authentication layer between the CDN and the app server helps ensure that requests are legitimate and originate from trusted sources, mitigating SSRF and other indirect attack vectors.

  Nmap Scan Observations:

  CDN/WAF shows open ports for HTTP and HTTPS but filtered for MySQL, indicating it acts as a filtering layer.

  App Server has open ports for HTTP, HTTPS, and filtered for MySQL. DB Server has all ports filtered, typical for a database server that should not be directly accessible.

  These findings align with the SSRF vulnerability and the appropriate remediation steps to enhance the security of internal communications.

• Question 204:

  Which of the following tasks would ensure the key outputs from a penetration test are not lost as part of the cleanup and restoration activities?

  A. Preserving artifacts
  B. Reverting configuration changes
  C. Keeping chain of custody
  D. Exporting credential data
  A. Preserving artifacts

  ---

  Explanation

  Preserving artifacts ensures that key outputs from the penetration test, such as logs, screenshots, captured data, and any generated reports, are retained for analysis, reporting, and future reference.

  Importance of Preserving Artifacts:

  Documentation: Provides evidence of the test activities and findings.

  Verification: Allows for verification and validation of the test results.

  Reporting: Ensures that all critical data is available for the final report.

  Types of Artifacts:

  Logs: Capture details of the tools used, commands executed, and their outputs.

  Screenshots: Visual evidence of the steps taken and findings.

  Captured Data: Includes network captures, extracted credentials, and other sensitive information.

  Reports: Interim and final reports summarizing the findings and recommendations.

  Best Practices:

  Secure Storage: Ensure artifacts are stored securely to prevent unauthorized access.

  Backups: Create backups of critical artifacts to avoid data loss.

  Documentation: Maintain detailed documentation of all artifacts for future reference.

  References from Pentesting Literature:

  Preserving artifacts is a standard practice emphasized in penetration testing methodologies to ensure comprehensive documentation and reporting of the test.

  HTB write-ups often include references to preserved artifacts to support the findings and conclusions.

  Step-by-Step ExplanationReferences:

  Penetration Testing - A Hands-on Introduction to Hacking

  HTB Official Writeups

• Question 205:

  A penetration tester runs a vulnerability scan that identifies several issues across numerous customer hosts. The executive report outlines the following.

  

  The client is concerned about the availability of its consumer-facing production application.

  Which of the following hosts should the penetration tester select for additional manual testing?

  A. Server 1
  B. Server 2
  C. Server 3
  D. Server 4
  C. Server 3

  ---

  Explanation

  Since the client is worried about the availability of its consumer-facing application, the perimeter network web server (Server 3) is the most critical because:

  It is internet-facing, making it a prime target for attackers.

  A compromise could lead to data breaches, downtime, or service disruptions.

  Even though it has fewer vulnerabilities (14 vs. 92 on the QA server), its exposure is higher.

  Option A (Development sandbox server): Internal and not publicly accessible.

  Option B (Back-office file transfer server): Important, but not consumer-facing.

  Option C (Perimeter web server): Correct. Publicly accessible and critical to operations.

  Option D (Developer QA server): May have more vulnerabilities, but it is less critical.

  References:

  CompTIA PenTest+ PT0-003 Official Guide - Prioritizing Vulnerability Testing.

• Question 206:

  A penetration tester gains access to a Windows machine and wants to further enumerate users with native operating system credentials.

  Which of the following should the tester use?

  A. route.exe print
  B. netstat.exe -ntp
  C. net.exe commands
  D. strings.exe -a
  C. net.exe commands

  ---

  Explanation

  To further enumerate users on a Windows machine using native operating system commands, the tester should use net.exe commands. The net command is a versatile tool that provides various network functionalities, including user enumeration. net.exe: net user uk.co.certification.simulator.questionpool.PList@a43cf82 net localgroup administrators

  Enumerating Users:

  References:

  Using net.exe commands, the penetration tester can effectively enumerate user accounts and group memberships on the compromised Windows machine, aiding in further exploitation and privilege escalation.

• Question 207:

  A tester is performing an external phishing assessment on the top executives at a company. Two-factor authentication is enabled on the executives' accounts that are in the scope of work.

  Which of the following should the tester do to get access to these accounts?

  A. Configure an external domain using a typosquatting technique. Configure Evilginx to bypass two-factor authentication using a phishlet that simulates the mail portal for the company.
  B. Configure Gophish to use an external domain. Clone the email portal web page from the company and get the two-factor authentication code using a brute-force attack method.
  C. Configure an external domain using a typosquatting technique. Configure SET to bypass two-factor authentication using a phishlet that mimics the mail portal for the company.
  D. Configure Gophish to use an external domain. Clone the email portal web page from the company and get the two-factor authentication code using a vishing method.
  A. Configure an external domain using a typosquatting technique. Configure Evilginx to bypass two-factor authentication using a phishlet that simulates the mail portal for the company.

  ---

  Explanation

  To bypass two-factor authentication (2FA) and gain access to the executives' accounts, the tester should use Evilginx with a typosquatting domain. Evilginx is a man-in-the-middle attack framework used to bypass 2FA by capturing session tokens.

  Phishing with Evilginx:

  Evilginx is designed to proxy legitimate login pages, capturing credentials and 2FA tokens in the process.

  It uses "phishlets" which are configurations that simulate real login portals.

  Typosquatting:

  Typosquatting involves registering domains that are misspelled versions of legitimate domains (e.g., example. co instead of example.com).

  This technique tricks users into visiting the malicious domain, thinking it's legitimate.

  Steps:

  Configure an External Domain: Register a typosquatting domain similar to the company's domain.

  Set Up Evilginx: Install and configure Evilginx on a server. Use a phishlet that mimics the company's mail portal.

  Send Phishing Emails: Craft phishing emails targeting the executives, directing them to the typosquatting domain.

  Capture Credentials and 2FA

  Tokens: When executives log in, Evilginx captures their credentials and session tokens, effectively bypassing 2FA.

  References:

  Phishing: Social engineering technique to deceive users into providing sensitive information.

  Two-Factor Authentication Bypass: Advanced phishing attacks like those using Evilginx can capture and reuse session tokens, bypassing 2FA mechanisms.

  OSINT and Reconnaissance: Identifying key targets (executives) and crafting convincing phishing emails based on gathered information.

  Using Evilginx with a typosquatting domain allows the tester to bypass 2FA and gain access to high-value accounts, demonstrating the effectiveness of advanced phishing techniques.

• Question 208:

  During a test of a custom-built web application, a penetration tester identifies several vulnerabilities.

  Which of the following would be the most interested in the steps to reproduce these vulnerabilities?

  A. Operations staff
  B. Developers
  C. Third-party stakeholders
  D. C-suite executives
  B. Developers

  ---

  Explanation

  The developers would be the most interested in the steps to reproduce the web application vulnerabilities, because they are responsible for fixing the code and implementing security best practices. The steps to reproduce the vulnerabilities would help them understand the root cause of the problem, test the patches, and prevent similar issues in the future. The other options are less interested in the technical details of the vulnerabilities, as they have different roles and responsibilities. The operations staff are more concerned with the availability and performance of the web application, the third-party stakeholders are more interested in the business impact and risk assessment of the vulnerabilities, and the C-suite executives are more focused on the strategic and financial implications of the vulnerabilities 123.

• Question 209:

  During a penetration test, a tester captures information about an SPN account.

  Which of the following attacks requires this information as a prerequisite to proceed?

  A. Golden Ticket
  B. Kerberoasting
  C. DCShadow
  D. LSASS dumping
  B. Kerberoasting

  ---

  Explanation

  Kerberoasting is an attack that specifically targets Service Principal Name (SPN) accounts in a Windows Active Directory environment. Here's a detailed explanation:

  Understanding SPN Accounts:

  SPNs are unique identifiers for services in a network that allows Kerberos to authenticate service accounts. These accounts are often associated with services such as SQL Server, IIS, etc.

  Kerberoasting Attack:

  Prerequisite: Knowledge of the SPN account.

  Process: An attacker requests a service ticket for the SPN account using the Kerberos protocol. The ticket is encrypted with the service account's NTLM hash. The attacker captures this ticket and attempts to crack the hash offline.

  Objective: To obtain the plaintext password of the service account, which can then be used for lateral movement or privilege escalation.

  Comparison with Other Attacks:

  Golden Ticket: Involves forging Kerberos TGTs using the KRBTGT account hash, requiring domain admin credentials.

  DCShadow: Involves manipulating Active Directory data by impersonating a domain controller, typically requiring high privileges.

  LSASS Dumping: Involves extracting credentials from the LSASS process on a Windows machine, often requiring local admin privileges.

  Kerberoasting specifically requires the SPN account information to proceed, making it the correct answer.

• Question 210:

  A penetration tester finished a security scan and uncovered numerous vulnerabilities on several hosts.

  Based on the targets' EPSS and CVSS scores, which of the following targets is the most likely to get attacked?

  Host | CVSS | EPSS

  Target 1 | 4 | 0.6

  Target 2 | 2 | 0.3

  Target 3 | 1 | 0.6

  Target 4 | 4.5 | 0.4

  A. Target 1: CVSS Score = 4 and EPSS Score = 0.6
  B. Target 2: CVSS Score = 2 and EPSS Score = 0.3
  C. Target 3: CVSS Score = 1 and EPSS Score = 0.6
  D. Target 4: CVSS Score = 4.5 and EPSS Score = 0.4
  A. Target 1: CVSS Score = 4 and EPSS Score = 0.6

  ---

  Explanation

  Based on the CVSS (Common Vulnerability Scoring System) and EPSS (Exploit Prediction Scoring System) scores, Target 1 is the most likely to get attacked.

  CVSS:

  Definition: CVSS provides a numerical score to represent the severity of a vulnerability, helping to prioritize the response based on the potential impact.

  Score Range: Scores range from 0 to 10, with higher scores indicating more severe vulnerabilities.

  EPSS:

  Definition: EPSS estimates the likelihood that a vulnerability will be exploited in the wild within the next 30 days.

  Score Range: EPSS scores range from 0 to 1, with higher scores indicating a higher likelihood of exploitation.

  Analysis:

  Target 1: CVSS = 4, EPSS = 0.6

  Target 2: CVSS = 2, EPSS = 0.3

  Target 3: CVSS = 1, EPSS = 0.6

  Target 4: CVSS = 4.5, EPSS = 0.4

  Target 1 has a moderate CVSS score and a high EPSS score, indicating it has a significant vulnerability that is quite likely to be exploited.

  References:

  Vulnerability Prioritization: Using CVSS and EPSS scores to prioritize vulnerabilities based on severity and likelihood of exploitation.

  Risk Assessment: Understanding the balance between impact (CVSS) and exploit likelihood (EPSS) to identify the most critical targets for remediation or attack.

  By focusing on Target 1, which has a balanced combination of severity and exploitability, the penetration tester can address the most likely target for attacks based on the given scores.