CompTIA PT0-003 Online Practice Questions and Exam Preparation

CompTIA PT0-003 Online Questions & Answers

• Question 21:

  A penetration tester is assessing a Linux host and discovers the following cron job owned by root:

  */5 * * * * /usr/local/bin/backup.sh

  The tester also finds that the script /usr/local/bin/backup.sh is world-writable.

  Which of the following is the MOST likely outcome if the tester modifies the script?

  A. The script will fail to execute due to permission mismatch
  B. The tester can achieve privilege escalation to root
  C. The cron daemon will remove the writable script
  D. System logs will automatically revert the script
  B. The tester can achieve privilege escalation to root

  ---

  Explanation

  References:

  A world-writable script executed by root via cron means any local user can insert arbitrary commands into that script. When cron runs it with root privileges, the attacker-added commands execute as root, leading to privilege escalation.

  This misconfiguration is a classic privilege-escalation vector involving writable cron-executed binaries.

  Why not the others: Option A - Cron will still execute the script if its permissions remain executable.

  Option C - Cron does not sanitize or remove writable files.

  Option D - Logs do not revert files. No such mechanism exists by default.

  PT0-003 Mapping: Domain 3 - Local privilege escalation via misconfigured scheduled tasks.

• Question 22:

  A penetration tester is assessing the security of a web application. When the tester attempts to access the application, the tester receives an HTTP 403 response.

  Which of the following should the penetration tester do to overcome this issue?

  A. Reset file and folder permissions on the web server.
  B. Obtain a valid X.509 certificate.
  C. Spoof the server's MAC address.
  D. Use a legacy browser to access the page.
  B. Obtain a valid X.509 certificate.

  ---

  Explanation

  An HTTP 403 Forbidden response indicates the server understood the request but is refusing to authorize it. In PenTest+ web assessment context, a common cause is an access control requirement at the web server or reverse proxy layer-such as mutual TLS (mTLS) / client certificate authentication, IP allowlisting, or other authorization gates-preventing the tester from reaching the application content. When a site is configured to require a client certificate, the server may return a 403-class error if the request does not include a trusted certificate chain, because the client cannot be authenticated to an approved identity.

  Therefore, obtaining and presenting a valid X.509 client certificate (issued by a trusted CA for that environment or provided by the client as part of the engagement) is the appropriate step to satisfy the access requirement and proceed with testing.

  Resetting server file permissions is an administrative remediation action outside a tester's role and scope.

  Spoofing a server MAC address is not meaningful for HTTP access and typically not possible across routed networks. Using a legacy browser addresses client-side compatibility, not server-side authorization decisions that produce 403.

• Question 23:

  A penetration tester attempts unauthorized entry to the company's server room as part of a security assessment.

  Which of the following is the best technique to manipulate the lock pins and open the door without the original key?

  A. Plug spinner
  B. Bypassing
  C. Decoding
  D. Raking
  D. Raking

  ---

  Explanation

  Lock picking techniques are used in physical security assessments to test access control mechanisms.

  Option D: Raking is a lock-picking technique where a rake pick is inserted and rapidly moved in and out to manipulate multiple pins simultaneously.

  It is faster but less precise than single-pin picking.

  Used when speed is prioritized over precision.

  References:

  CompTIA PenTest+ PT0-003 Official Study Guide - "Physical Security Testing Methods"

  Incorrect options:

  Option A (Plug spinner): Used after a lock is picked to rotate the plug in the correct direction.

  Option B (Bypassing): Uses methods like shimming or card sliding, which do not manipulate pins.

  Option C (Decoding): Involves reading lock components (e.g., key cuts) to generate a working key rather than picking.

• Question 24:

  Which of the following is a reason to use a template when creating a penetration testing report?

  A. To articulate risks accurately
  B. To enhance the testing approach
  C. To contextualize collected data
  D. To standardize needed information
  E. To improve testing time
  D. To standardize needed information

  ---

  Explanation

  A template ensures consistency across reports by defining the required sections (scope, methodology, findings, risk ratings, remediation, evidence, executive summary, and appendices). Standardization helps reviewers and clients quickly find required information, supports quality assurance, and ensures compliance with contractual/reporting requirements. While templates also help articulate risks and contextualize data (A and C) and may indirectly save time (E), their primary purpose is to standardize needed information so every engagement includes the same baseline content and structure.

  CompTIA PT0-003 Mapping:

  Domain 5.0 Reporting and Communication -- produce consistent, repeatable reports and use templates to ensure completeness and QA.

• Question 25:

  During a penetration test, the tester gains full access to the application's source code. The application repository includes thousands of code files.

  Given that the assessment timeline is very short, which of the following approaches would allow the tester to identify hard-coded credentials most effectively?

  A. Run TruffleHog against a local clone of the application
  B. Scan the live web application using Nikto
  C. Perform a manual code review of the Git repository
  D. Use SCA software to scan the application source code
  A. Run TruffleHog against a local clone of the application

  ---

  Explanation

  Given a short assessment timeline and the need to identify hard-coded credentials in a large codebase, using an automated tool designed for this specific purpose is the most effective approach. Here's an explanation of each option:

  Option A: TruffleHog is a specialized tool that scans for hard-coded secrets such as passwords, API keys, and other sensitive data within the code repositories.

  Effectiveness: It quickly and automatically identifies potential credentials and other sensitive information across thousands of files, making it the most efficient choice under time constraints.

  References:

  TruffleHog is widely recognized for its ability to uncover hidden secrets in code repositories, making it a valuable tool for penetration testers.

  Option B: Nikto is a web server scanner that identifies vulnerabilities in web applications.

  Drawbacks: It is not designed to scan source code for hard-coded credentials. Instead, it focuses on web application vulnerabilities such as outdated software and misconfigurations.

  Option C: Manually reviewing code can be thorough but is extremely time-consuming, especially with thousands of files.

  Drawbacks: Given the short timeline, this approach is impractical and inefficient for identifying hard-coded credentials quickly.

  Option D: Software Composition Analysis (SCA) tools are used to analyze open source and third-party components within the code for vulnerabilities and license compliance.

  Drawbacks: While SCA tools are useful for dependency analysis, they are not specifically tailored for finding hard-coded credentials.

  Conclusion: Running TruffleHog against a local clone of the application is the most effective approach for quickly identifying hard-coded credentials in a large codebase within a limited timeframe.

• Question 26:

  DRAG DROP

  You are a penetration tester reviewing a client's website through a web browser.

  INSTRUCTIONS

  Review all components of the website through the browser to determine if vulnerabilities are present.

  Remediate ONLY the highest vulnerability from either the certificate, source, or cookies.

  If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

  

  

  Select and Place:

  

  

• Question 27:

  While performing an internal assessment, a tester uses the following command:

  crackmapexec smb 192.168.1.0/24 -u user.txt -p Summer123@

  Which of the following is the main purpose of the command?

  A. To perform a pass-the-hash attack over multiple endpoints within the internal network
  B. To perform common protocol scanning within the internal network
  C. To perform password spraying on internal systems
  D. To execute a command in multiple endpoints at the same time
  C. To perform password spraying on internal systems

  ---

  Explanation

  The command crackmapexec smb 192.168.1.0/24 -u user.txt -p Summer123@ is used to perform password spraying on internal systems. CrackMapExec (CME) is a post-exploitation tool that helps automate the process of assessing large Active Directory networks. It supports multiple protocols, including SMB, and can perform various actions like password spraying, command execution, and more.

  CrackMapExec:

  CrackMapExec: A versatile tool designed for pentesters to facilitate the assessment of large Active Directory networks. It supports various protocols such as SMB, WinRM, and LDAP.

  Purpose: Commonly used for tasks like password spraying, credential validation, and command execution.

  Command Breakdown:

  crackmapexec smb: Specifies the protocol to use, in this case, SMB (Server Message Block), which is commonly used for file sharing and communication between nodes in a network.

  192.168.1.0/24: The target IP range, indicating a subnet scan across all IP addresses in the range.

  -u user.txt: Specifies the file containing the list of usernames to be used for the attack.

  -p Summer123@: Specifies the password to be used for all usernames in the user.txt file.

  Password Spraying:

  Definition: A technique where a single password (or a small number of passwords) is tried against a large number of usernames to avoid account lockouts that occur when brute-forcing a single account.

  Goal: To find valid username-password combinations without triggering account lockout mechanisms.

  References:

  Password Spraying: An effective method for gaining initial access during penetration tests, particularly against organizations that have weak password policies or commonly used passwords. CrackMapExec: Widely used in penetration testing for its ability to automate and streamline the process of credential validation and exploitation across large networks.

  By using the specified command, the tester performs a password spraying attack, attempting to log in with a common password across multiple usernames, identifying potential weak accounts.

• Question 28:

  A penetration tester gains access to the target network and observes a running SSH server.

  Which of the following techniques should the tester use to obtain the version of SSH running on the target server?

  A. Network sniffing
  B. IP scanning
  C. Banner grabbing
  D. DNS enumeration
  C. Banner grabbing

  ---

  Explanation

  Banner grabbing is used to extract version information from services, including SSH, FTP, and web servers.

  Option A (Network sniffing) #: Captures packets, but does not directly reveal service versions.

  Option B (IP scanning) #: Identifies active hosts, but not SSH versions.

  Option C (Banner grabbing) #: Correct.

  Can be performed with:

  nc <target> 22

  or

  telnet <target> 22 Option D (DNS enumeration) #: Retrieves domain name records, not SSH versions. # Reference:

  CompTIA PenTest+ PT0-003 Official Guide ?Service Enumeration&; Banner Grabbing

• Question 29:

  A penetration tester would like to leverage a CSRF vulnerability to gather sensitive details from an application's end users.

  Which of the following tools should the tester use for this task?

  A. Browser Exploitation Framework
  B. Maltego
  C. Metasploit
  D. theHarvester
  A. Browser Exploitation Framework

  ---

  Explanation

  Cross-Site Request Forgery (CSRF) vulnerabilities can be leveraged to trick authenticated users into performing unwanted actions on a web application. The right tool for this task would help in exploiting web-based vulnerabilities, particularly those related to web browsers and interactions.

  Option A: Browser Exploitation Framework (BeEF) is a powerful tool specifically designed for exploiting web browser vulnerabilities. It can hook web browsers and perform a wide range of attacks, including CSRF.

  Capabilities: BeEF is equipped with modules to create CSRF attacks, capture session tokens, and gather sensitive information from the target user's browser session.

  References:

  BeEF is widely used in penetration testing for its extensive capabilities in exploiting web application vulnerabilities and manipulating browser sessions.

  Option B: Maltego is an open-source intelligence (OSINT) tool used for information gathering and visualizing relationships between data.

  Drawbacks: While useful for reconnaissance, Maltego is not designed for exploiting web vulnerabilities like CSRF.

  Option C: Metasploit is a versatile exploitation framework that can be used for various types of penetration testing tasks, including web application exploitation.

  Capabilities: While Metasploit can exploit some web vulnerabilities, it is not specifically tailored for CSRF attacks as effectively as BeEF.

  References: Metasploit's strength lies in its comprehensive exploitation modules, but for specific browser-based attacks, BeEF is more focused and effective.

  Option D: theHarvester is a tool for gathering open-source intelligence (OSINT) about a target, primarily used for reconnaissance.

  Drawbacks: It does not provide capabilities for exploiting CSRF vulnerabilities.

  Conclusion: The Browser Exploitation Framework (BeEF) is the most suitable tool for leveraging a CSRF vulnerability to gather sensitive details from an application's end users. It is specifically designed for browser-based exploitation, making it the best choice for this task.

• Question 30:

  A security analyst needs to perform an on-path attack on BLE smart devices.

  Which of the following tools would be BEST suited to accomplish this task?

  A. Wireshark
  B. Gattacker
  C. tcpdump
  D. Netcat
  B. Gattacker

  ---

  Explanation

  The best tool for performing an on-path attack on BLE smart devices is Gattacker. Gattacker is a Bluetooth Low Energy (BLE) pentesting and fuzzing framework specifically designed for on-path attacks. It allows security analysts to perform a variety of tasks, including man-in-the-middle attacks, passive and active scans, fuzzing of BLE services, and more. Gattacker also provides an interactive command-line interface that makes it easy to interact with the target BLE device and execute various commands.