CompTIA PT0-003 Online Practice Questions and Exam Preparation

CompTIA PT0-003 Online Questions & Answers

• Question 231:

  During an assessment, a penetration tester sends the following request:

  

  Which of the following attacks is the penetration tester performing?

  A. Directory traversal
  B. API abuse
  C. Server-side request forgery
  D. Privilege escalation
  B. API abuse

  ---

  Explanation

  This attack attempts to manipulate the API by fuzzing the authorization token (Authorization: Bearer (FUZZ)). This suggests an attempt to bypass authentication or escalate privileges by using an invalid, stolen, or guessed token--a form of API abuse.

  Option A (Directory traversal): Involves manipulating file paths (e.g., ../../../etc/passwd), but this attack targets API authentication.

  Option B (API abuse): Correct. Fuzzing the authorization token suggests an attempt to bypass authentication or test for weak API security.

  Option C (Server-side request forgery - SSRF): SSRF manipulates backend requests to make unauthorized HTTP calls, which is not evident here.

  Option D (Privilege escalation): While API abuse may lead to privilege escalation, fuzzing the token alone does not directly escalate privileges.

  References:

  CompTIA PenTest+ PT0-003 Official Guide - API Security Testing&

  Authentication Bypasses

• Question 232:

  A penetration tester is conducting a vulnerability scan. The tester wants to see any vulnerabilities that may be visible from outside of the organization.

  Which of the following scans should the penetration tester perform?

  A. SAST
  B. Sidecar
  C. Unauthenticated
  D. Host-based
  C. Unauthenticated

  ---

  Explanation

  To see any vulnerabilities that may be visible from outside of the organization, the penetration tester should perform an unauthenticated scan.

  Unauthenticated Scan:

  Definition: An unauthenticated scan is conducted without providing any credentials to the scanning tool. It simulates the perspective of an external attacker who does not have any prior access to the system.

  Purpose: Identifies vulnerabilities that are exposed to the public and can be exploited without authentication. This includes open ports, outdated software, and misconfigurations visible to the outside world.

  Comparison with Other Scans:

  SAST (Static Application Security Testing): Analyzes source code for vulnerabilities, typically used during the development phase and not suitable for external vulnerability scanning.

  Sidecar: This term is generally associated with microservices architecture and is not relevant to the context of vulnerability scanning.

  Host-based: Involves scanning from within the network and often requires authenticated access to the host to identify vulnerabilities. It is not suitable for determining external vulnerabilities.

  References:

  External Vulnerability Assessment: Conducting unauthenticated scans helps identify the attack surface exposed to external threats and prioritizes vulnerabilities that are accessible from the internet.

  Tools: Common tools for unauthenticated scanning include Nessus, OpenVAS, and Nmap.

  By performing an unauthenticated scan, the penetration tester can identify vulnerabilities that an external attacker could exploit without needing any credentials or internal access.

• Question 233:

  During a penetration test, a tester attempts to pivot from one Windows 10 system to another Windows system. The penetration tester thinks a local firewall is blocking connections.

  Which of the following command-line utilities built into Windows is most likely to disable the firewall?

  A. certutil.exe
  B. bitsadmin.exe
  C. msconfig.exe
  D. netsh.exe
  D. netsh.exe

  ---

  Explanation

  Understanding netsh.exe:

  Purpose: Configures network settings, including IP addresses, DNS, and firewall settings.

  Firewall Management: Can enable, disable, or modify firewall rules.

  Disabling the Firewall:

  Command: Use netsh.exe to disable the firewall.

  netsh advfirewall set allprofiles state off

  Usage in Penetration Testing:

  Pivoting: Disabling the firewall can help the penetration tester pivot from one system to another by removing network restrictions.

  Command Execution: Ensure the command is executed with appropriate privileges.

  References from Pentesting Literature:

  netsh.exe is commonly mentioned in penetration testing guides for configuring network settings and managing firewalls.

  HTB write-ups often reference the use of netsh.exe for managing firewall settings during network-based penetration tests.

  References:

  Penetration Testing - A Hands-on Introduction to Hacking

  HTB Official Writeups

• Question 234:

  A penetration tester is performing an assessment focused on attacking the authentication identity provider hosted within a cloud provider. During the reconnaissance phase, the tester finds that the system is using OpenID Connect with OAuth and has dynamic registration enabled.

  Which of the following attacks should the tester try first?

  A. A password-spraying attack against the authentication system
  B. A brute-force attack against the authentication system
  C. A replay attack against the authentication flow in the system
  D. A mask attack against the authentication system
  C. A replay attack against the authentication flow in the system

  ---

  Explanation

  OpenID Connect (OIDC) with OAuth allows applications to authenticate users using third-party identity providers (IdPs). If dynamic registration is enabled, attackers can abuse this feature to capture and replay authentication requests.

  Replay attack (Option C):

  Attackers capture legitimate authentication tokens and reuse them to impersonate users.

  OIDC uses JWTs (JSON Web Tokens), which may not expire quickly, making replay attacks highly effective.

  References:

  CompTIA PenTest+ PT0-003 Official Study Guide - "Attacking Identity Providers and OAuth"

  Incorrect options:

  Option A (Password spraying): Effective against user accounts, but this attack targets authentication tokens.

  Option B (Brute-force attack): Less effective against OAuth-based authentication since tokens replace passwords.

  Option D (Mask attack): Related to password cracking, not OAuth authentication attacks.

• Question 235:

  Severity: HIGH

  Vulnerability: ABC Load Balancer: Alpha OS httpd TLS vulnerability

  An Nmap scan of the affected device produces the following results:

  Host is up (0.0000040s latency).

  Not shown: 98 closed tcp ports (reset)

  PORT STATE SERVICE

  22/tcp open ssh

  80/tcp open http

  443/tcp closed https

  Which of the following best describes this scenario?

  A. True negative
  B. True positive
  C. False negative
  D. False positive
  D. False positive

  ---

  Explanation

  The vulnerability report identifies a TLS vulnerability on port 443 (HTTPS). However, the Nmap scan shows port 443 as closed, meaning the service is not running or reachable.

  If the service associated with the vulnerability is not active, the reported issue cannot be valid. Therefore, the scan result contradicts the finding -- making it a false positive (the scanner incorrectly flagged a vulnerability that doesn't exist).

  Why not the others:

  Option A: True negative: Would mean no vulnerability exists and none was reported.

  Option B: True positive: Would mean both the scan and vulnerability report agree that the service is running and vulnerable -- not the case here.

  Option C: False negative: Would mean a vulnerability exists but was not detected -- also not the case.

  CompTIA PT0-003 Mapping:

  Domain 2.0: Information Gathering and Vulnerability Scanning

  Interpret scan results and distinguish between true/false positives and negatives.

• Question 236:

  During an assessment, a penetration tester obtains access to a Microsoft SQL server using sqlmap and runs the following command:

  sql> xp_cmdshell whoami /all

  Which of the following is the tester trying to do?

  A. List database tables
  B. Show logged-in database users
  C. Enumerate privileges
  D. Display available SQL commands
  C. Enumerate privileges

  ---

  Explanation

  The command xp_cmdshell executes system-level commands from SQL Server. The command whoami / all is used to enumerate user privileges , group memberships, and security contexts on Windows systems.

  From the CompTIA PenTest+ PT0-003 Official Study Guide (Chapter 8 ?Post-Exploitation Techniques) : "Using xp_cmdshell and system commands like whoami /all allows testers to identify the privilege level of the database user and system access level."

  References:

  Chapter 8, CompTIA PenTest+ PT0-003 Official Study Guide

• Question 237:

  During an assessment, a penetration tester was able to access the organization's wireless network from outside of the building using a laptop running Aircrack-ng.

  Which of the following should be recommended to the client to remediate this issue?

  A. Changing to Wi-Fi equipment that supports strong encryption
  B. Using directional antennae
  C. Using WEP encryption
  D. Disabling Wi-Fi
  A. Changing to Wi-Fi equipment that supports strong encryption

  ---

  Explanation

  If a penetration tester was able to access the organization's wireless network from outside of the building using Aircrack-ng, then it means that the wireless network was not secured with strong encryption or authentication methods. Aircrack-ng is a tool that can crack weak wireless encryption schemes such as WEP or WPA-PSK using various techniques such as packet capture, injection, replay, and brute force. To remediate this issue, the client should change to Wi-Fi equipment that supports strong encryption such as WPA2 or WPA3, which are more resistant to cracking attacks. Using directional antennae may reduce the signal range of the wireless network, but it would not prevent an attacker who is within range from cracking the encryption. Using WEP encryption is not a good recommendation, as WEP is known to be insecure and vulnerable to Aircrack-ng attacks. Disabling Wi-Fi may eliminate the risk of wireless attacks, but it would also eliminate the benefits of wireless connectivity for the organization.

• Question 238:

  During a security assessment, a penetration tester wants to compromise user accounts without triggering

  IDS/IPS detection rules.

  Which of the following is the most effective way for the tester to accomplish this task?

  A. Crack user accounts using compromised hashes.
  B. Brute force accounts using a dictionary attack.
  C. Bypass authentication using SQL injection.
  D. Compromise user accounts using an XSS attack.
  A. Crack user accounts using compromised hashes.

  ---

  Explanation

  To avoid triggering IDS/IPS alerts, the attacker should use offline cracking on compromised hashes rather than direct brute-force attempts.

  Crack user accounts using compromised hashes (Option A):

  Hashes can be cracked offline using tools like Hashcat or John the Ripper.

  No direct login attempts, avoiding detection by security systems.

  References:

  CompTIA PenTest+ PT0-003 Official Study Guide - "Password Cracking Techniques and Evasion"

  Incorrect options:

  Option B (Brute force): Generates excessive failed logins, triggering IDS/IPS alerts.

  Option C (SQL injection): Exploits database vulnerabilities, not direct account compromise.

  Option D (XSS attack): Can steal cookies but does not directly compromise accounts.

• Question 239:

  During an assessment, a penetration tester obtains access to an internal server and would like to perform further reconnaissance by capturing LLMNR traffic.

  Which of the following tools should the tester use?

  A. Burp Suite
  B. Netcat
  C. Responder
  D. Nmap
  C. Responder

• Question 240:

  A penetration tester needs to launch an Nmap scan to find the state of the port for both TCP and UDP services.

  Which of the following commands should the tester use?

  A. nmap -sU -sW -p 1-65535 example.com
  B. nmap -sU -sY -p 1-65535 example.com
  C. nmap -sU -sT -p 1-65535 example.com
  D. nmap -sU -sN -p 1-65535 example.com
  C. nmap -sU -sT -p 1-65535 example.com

  ---

  Explanation

  To find the state of both TCP and UDP ports using Nmap, the appropriate command should combine both TCP and UDP scan options:

  Understanding the Options:

  -sU: Performs a UDP scan.

  -sT: Performs a TCP connect scan.

  Command Explanation:

  Command: nmap -sU -sT -p 1-65535 example.com

  This command will scan both TCP and UDP ports from 1 to 65535 on the target example.com. Combining - sU and -sT ensures that both types of services are scanned.

  Comparison with Other Options:

  -sW: Initiates a TCP Window scan, not relevant for identifying the state of TCP and UDP services.

  -sY: Initiates a SCTP INIT scan, not relevant for this context.

  -sN: Initiates a TCP Null scan, which is not used for discovering UDP services.