CompTIA PT0-003 Online Practice Questions and Exam Preparation

CompTIA PT0-003 Online Questions & Answers

• Question 241:

  A penetration tester needs to confirm the version number of a client's web application server.

  Which of the following techniques should the penetration tester use?

  A. SSL certificate inspection
  B. URL spidering
  C. Banner grabbing
  D. Directory brute forcing
  C. Banner grabbing

  ---

  Explanation

  Banner grabbing is a technique used to gather information about a service running on an open port, which often includes the version number of the application or server. Here's why banner grabbing is the correct answer:

  Banner Grabbing: It involves connecting to a service and reading the welcome banner or response, which typically includes version information. This is a direct method to identify the version number of a web application server.

  SSL Certificate Inspection: While it can provide information about the server, it is not reliable for identifying specific application versions.

  URL Spidering: This is used for discovering URLs and resources within a web application, not for version identification.

  Directory Brute Forcing: This is used to discover hidden directories and files, not for identifying version information.

  References from Pentest:

  Luke HTB: Shows how banner grabbing can be used to identify the versions of services running on a server.

  Writeup HTB: Demonstrates the importance of gathering version information through techniques like banner grabbing during enumeration phases.

  Conclusion:

  Option C, banner grabbing, is the most appropriate technique for confirming the version number of a web application server.

• Question 242:

  A company provided the following network scope for a penetration test:

  169.137.1.0/24

  221.10.1.0/24

  149.14.1.0/24

  A penetration tester discovered a remote command injection on IP address 149.14.1.24 and exploited the system. Later, the tester learned that this particular IP address belongs to a third party.

  Which of the following stakeholders is responsible for this mistake?

  A. The company that requested the penetration test
  B. The penetration testing company
  C. The target host's owner
  D. The penetration tester
  E. The subcontractor supporting the test
  A. The company that requested the penetration test

  ---

  Explanation

  The company that requested the penetration test is responsible for providing the correct and accurate network scope for the test. The network scope defines the boundaries and limitations of the test, such as which IP addresses, domains, systems, or networks are in scope or out of scope. If the company provided an incorrect network scope that included an IP address that belongs to a third party, then it is responsible for this mistake. The penetration testing company, the target host's owner, the penetration tester, and the subcontractor supporting the test are not responsible for this mistake, as they relied on the network scope provided by the company that requested the penetration test.

• Question 243:

  During a routine penetration test, the client's security team observes logging alerts that indicate several ID badges were reprinted after working hours without authorization.

  Which of the following is the penetration tester most likely trying to do?

  A. Obtain long-term, valid access to the facility
  B. Disrupt the availability of facility access systems
  C. Change access to the facility for valid users
  D. Revoke access to the facility for valid users
  A. Obtain long-term, valid access to the facility

  ---

  Explanation

  The unauthorized reprinting of ID badges suggests the penetration tester is attempting physical security penetration testing to gain long-term access.

  Option A (Obtain long-term, valid access): Correct. Cloning or reprinting badges allows persistent access past security checks.

  Option B (Disrupt availability): There is no indication of a denial-of-service attack.

  Option C (Change access for valid users): The goal is not modifying user access, but rather gaining unauthorized access.

  Option D (Revoke access for valid users): The logs show new badges being printed, not revocation.

  References:

  CompTIA PenTest+ PT0-003 Official Guide ?Physical Security Testing

• Question 244:

  A penetration tester gains access to a host with many applications that load at startup and run as SYSTEM. The penetration tester runs a command and receives the following output:

  User accounts for \\COMPTIA-Host

  --------------------------------CompTIA

  User

  DefaultAccount

  Guest

  CompTIA Admin

  CompTIA Accountant

  The command completed successfully.

  Which of the following attacks will most likely allow the penetration tester to escalate privileges?

  A. Credential dumping
  B. Local file inclusion
  C. Unquoted service path injection
  D. Process hijacking
  C. Unquoted service path injection

  ---

  Explanation

  The scenario highlights a Windows host where many applications load at startup and run as SYSTEM, which points directly to Windows services and auto-start components executing with high privileges. In PenTest+ privilege escalation techniques, unquoted service path injection is a common and effective method when a service runs as SYSTEM and its executable path contains spaces but is not enclosed in quotes.

  Windows may parse the path incorrectly and attempt to execute a malicious binary placed earlier in the interpreted path (for example, C:\Program.exe), as long as the attacker has write permissions to a directory in that search order. This can result in the attacker's payload being executed as SYSTEM when the service starts or restarts, achieving privilege escalation reliably and with clear evidentiary output.

  Credential dumping may help lateral movement, but it does not inherently escalate privileges if the tester does not already have higher-privileged credentials. Local file inclusion is a web vulnerability and is not applicable to host startup services. Process hijacking can work in some cases, but unquoted service paths are a specifically documented, high-probability Windows misconfiguration when many SYSTEM services exist.

• Question 245:

  During an external penetration test, a tester receives the following output from a tool:

  test.comptia.org

  info.comptia.org

  vpn.comptia.org

  exam.comptia.org

  Which of the following commands did the tester most likely run to get these results?

  A. nslookup -type=SOA comptia.org
  B. amass enum -passive -d comptia.org
  C. nmap -Pn -sV -vv -A comptia.org
  D. shodan host comptia.org
  B. amass enum -passive -d comptia.org

  ---

  Explanation

  The tool and command provided by option B are used to perform passive DNS enumeration, which can uncover subdomains associated with a domain. Here's why

  option B is correct:

  amass enum -passive -d comptia.org: This command uses the Amass tool to perform passive DNS enumeration, effectively identifying subdomains of the target domain. The output provided (subdomains) matches what this tool and command would produce.

  nslookup -type=SOA comptia.org: This command retrieves the Start of Authority (SOA) record, which does not list subdomains.

  nmap -Pn -sV -vv -A comptia.org: This Nmap command performs service detection and aggressive scanning but does not enumerate subdomains.

  shodan host comptia.org: Shodan is an internet search engine for connected devices, but it does not perform DNS enumeration to list subdomains.

  References from Pentest:

  Writeup HTB: Demonstrates the use of DNS enumeration tools like Amass to uncover subdomains during external assessments.

  Horizontall HTB: Highlights the effectiveness of passive DNS enumeration in identifying subdomains and associated information.

• Question 246:

  A penetration tester is conducting reconnaissance for an upcoming assessment of a large corporate client.

  The client authorized spear phishing in the rules of engagement.

  Which of the following should the tester do first when developing the phishing campaign?

  A. Shoulder surfing
  B. Recon-ng
  C. Social media
  D. Password dumps
  C. Social media

  ---

  Explanation

  When developing a phishing campaign, the tester should first use social media to gather information about the targets.

  Social Media:

  Purpose: Social media platforms like LinkedIn, Facebook, and Twitter provide valuable information about individuals, including their job roles, contact details, interests, and connections.

  Reconnaissance: This information helps craft convincing and targeted phishing emails, increasing the likelihood of success.

  Process:

  Gathering Information: Collect details about the target employees, such as their names, job titles, email addresses, and any personal information that can make the phishing email more credible.

  Crafting Phishing Emails: Use the gathered information to personalize phishing emails, making them appear legitimate and relevant to the recipients.

  Other Options:

  Shoulder Surfing: Observing someone's screen or keyboard input to gain information, not suitable for gathering broad information for a phishing campaign.

  Recon-ng: A tool for automated reconnaissance, useful but more general. Social media is specifically targeted for gathering personal information.

  Password Dumps: Using previously leaked passwords to find potential targets is more invasive and less relevant to the initial stage of developing a phishing campaign.

  References:

  Spear Phishing: A targeted phishing attack aimed at specific individuals, using personal information to increase the credibility of the email.

  OSINT (Open Source Intelligence): Leveraging publicly available information to gather intelligence on targets, including through social media.

  By starting with social media, the penetration tester can collect detailed and personalized information about the targets, which is essential for creating an effective spear phishing campaign.

• Question 247:

  A client wants a security assessment company to perform a penetration test against its hot site. The purpose of the test is to determine the effectiveness of the defenses that protect against disruptions to business continuity.

  Which of the following is the MOST important action to take before starting this type of assessment?

  A. Ensure the client has signed the SOW.
  B. Verify the client has granted network access to the hot site.
  C. Determine if the failover environment relies on resources not owned by the client.
  D. Establish communication and escalation procedures with the client.
  A. Ensure the client has signed the SOW.

  ---

  Explanation

  The statement of work (SOW) is a document that defines the scope, objectives, deliverables, and timeline of a penetration testing engagement. It is important to have the client sign the SOW before starting the assessment to avoid any legal or contractual issues.

• Question 248:

  A penetration tester reviewing proxy logs finds:

  User-Agent: sqlmap/1.5.12#stable

  Which issue does this MOST likely indicate?

  A. A tester misconfigured passive reconnaissance tools
  B. A threat actor is actively performing SQL injection scanning
  C. The WAF is blocking authenticated user sessions
  D. The target database is misconfigured
  B. A threat actor is actively performing SQL injection scanning

  ---

  Explanation

  The presence of sqlmap's default User-Agent strongly suggests someone is performing automated SQL injection scanning, likely an attacker.

  Why not the others: Option A - This is active, not passive reconnaissance.

  Option C - User-Agent does not indicate WAF behavior.

  Option D - No evidence of DB misconfiguration.

  PT0-003 Mapping: Domain 2 - Recognizing automated scanning activity.

• Question 249:

  During an assessment, a penetration tester manages to get RDP access via a low-privilege user. The tester attempts to escalate privileges by running the following commands:

  Import-Module .\PrintNightmare.ps1

  Invoke-Nightmare -NewUser "hacker" -NewPassword "Password123!" -DriverName "Print"

  The tester then attempts to further enumerate the host with the new administrative privileges by using the runas command. However, the access level is still low.

  Which of the following actions should the penetration tester take next?

  A. Log off and log on with "hacker".
  B. Attempt to add another user.
  C. Bypass the execution policy.
  D. Add a malicious printer driver.
  A. Log off and log on with "hacker".

  ---

  Explanation

  In the scenario where a penetration tester uses the PrintNightmare exploit to create a new user with administrative privileges but still experiences low-privilege access, the tester should log off and log on with the new "hacker" account to escalate privileges correctly.

  PrintNightmare Exploit:

  PrintNightmare (CVE-2021-34527) is a vulnerability in the Windows Print Spooler service that allows remote code execution and local privilege escalation.

  The provided commands are intended to exploit this vulnerability to create a new user with administrative privileges.

  Commands Breakdown:

  Import-Module .\PrintNightmare.ps1: Loads the PrintNightmare exploit script.

  Invoke-Nightmare -NewUser "hacker" -NewPassword "Password123!" -DriverName "Print": Executes the exploit, creating a new user "hacker" with administrative privileges.

  Issue:

  The tester still experiences low privileges despite running the exploit successfully.

  This could be due to the current session not reflecting the new privileges.

  Solution:

  Logging off and logging back on with the new "hacker" account will start a new session with the updated administrative privileges.

  This ensures that the new privileges are applied correctly.

  References:

  Privilege Escalation: After gaining initial access, escalating privileges is crucial to gain full control over the target system.

  Session Management: Understanding how user sessions work and ensuring that new privileges are recognized by starting a new session.

  The use of the PrintNightmare exploit highlights a specific technique for privilege escalation within Windows environments.

  By logging off and logging on with the new "hacker" account, the penetration tester can ensure the new administrative privileges are fully applied, allowing for further enumeration and exploitation of the target system.

• Question 250:

  Which of the following BEST describes why a client would hold a lessons-learned meeting with the penetration-testing team?

  A. To provide feedback on the report structure and recommend improvements
  B. To discuss the findings and dispute any false positives
  C. To determine any processes that failed to meet expectations during the assessment
  D. To ensure the penetration-testing team destroys all company data that was gathered during the test
  C. To determine any processes that failed to meet expectations during the assessment