CompTIA PT0-003 Online Practice Questions and Exam Preparation

CompTIA PT0-003 Online Questions & Answers

• Question 321:

  A penetration tester attempted a DNS poisoning attack. After the attempt, no traffic was seen from the target machine.

  Which of the following MOST likely caused the attack to fail?

  A. The injection was too slow.
  B. The DNS information was incorrect.
  C. The DNS cache was not refreshed.
  D. The client did not receive a trusted response.
  C. The DNS cache was not refreshed.

  ---

  Explanation

  A DNS poisoning attack is an attack that exploits a vulnerability in the DNS protocol or system to redirect traffic from legitimate websites to malicious ones. A DNS poisoning attack works by injecting false DNS records into a DNS server or resolver's cache, which is a temporary storage of DNS information. However, if the DNS cache was not refreshed, then the attack would fail, as the target machine would still use the old and valid DNS records from its cache. The other options are not likely causes of the attack failure.

• Question 322:

  During post-engagement cleanup, a penetration tester discovers that a reverse shell used during the assessment is still present on the target system and could allow continued access.

  To properly return the environment to its pre-test state and eliminate any remaining backdoors, which action should the tester take?

  A. Removing persistence mechanisms
  B. Uninstalling tools
  C. Preserving artifacts
  D. Reverting configuration changes
  A. Removing persistence mechanisms

  ---

  Explanation

  A reverse shell that is left on a target to maintain access is a form of persistence/backdoor. The action described -- removing the reverse shell at the end of the engagement -- is specifically the removal of a persistence mechanism. Post-engagement cleanup requires removal of any artifacts that provide continued access (web shells, scheduled tasks, reverse shells, cron jobs, created accounts, etc.) so the environment is returned to its pre-test state and to prevent later compromise.

  Why not the others:

  Option B (Uninstalling tools): Removing tools is also a cleanup activity, but the question explicitly references removing the reverse shell (persistence).

  Option C (Preserving artifacts): Preserving artifacts is the opposite (saving logs/evidence) for incident response -- not removing access.

  Option D (Reverting configuration changes): Important, but the best single match for removing a reverse shell is "removing persistence mechanisms." PT0-003 mapping: Domain 5 -- post-engagement cleanup and returning environment to baseline.

• Question 323:

  During an engagement, a penetration tester wants to enumerate users from Linux systems by using finger and rwho commands. However, the tester realizes these commands alone will not achieve the desired result.

  Which of the following is the best tool to use for this task?

  A. Nikto
  B. Burp Suite
  C. smbclient
  D. theHarvester
  C. smbclient

  ---

  Explanation

  The smbclient tool is used to access SMB/CIFS resources on a network. It allows penetration testers to connect to shared resources and enumerate users on a network, particularly in Windows environments.

  While finger and rwho are more common on Unix/Linux systems, smbclient provides better functionality for enumerating users across a network.

  Understanding smbclient:

  Purpose: smbclient is used to access and manage files and directories on SMB/CIFS servers.

  Capabilities: It allows for browsing shared resources, listing directories, downloading and uploading files, and enumerating users.

  User Enumeration:

  Command: Use smbclient with the -L option to list available shares and users.

  Step-by-Step Explanationsmbclient -L //target_ip -U username

  Example: Enumerating users on a target system.

  smbclient -L //192.168.50.2 -U anonymous

  Advantages:

  Comprehensive: Provides detailed information about shared resources and users.

  Cross-Platform: Can be used on both Linux and Windows systems.

  References from Pentesting Literature:

  SMB enumeration is a common practice discussed in penetration testing guides for identifying shared resources and users in a network environment.

  HTB write-ups frequently mention the use of smbclient for enumerating network shares and users.

  References:

  Penetration Testing - A Hands-on Introduction to Hacking

• Question 324:

  Which of the following is the most likely LOLBin to be used to perform an exfiltration on a Microsoft Windows environment?

  A. procdump.exe
  B. msbuild.exe
  C. bitsadmin.exe
  D. cscript.exe
  C. bitsadmin.exe

  ---

  Explanation

  In PenTest+ tradecraft, "living off the land binaries" (LOLbins) are legitimate, built-in Windows utilities that can be repurposed to blend in with normal administrative activity. For exfiltration, the key requirement is a native capability to transfer data out over common network channels without introducing obvious third-party tools. bitsadmin.exe (Background Intelligent Transfer Service administration) is widely associated with this because it can create and manage BITS jobs that upload or download files using HTTP/HTTPS in a way that often appears similar to routine Windows background traffic. This makes it a common choice for stealthy file movement and staged transfers during post-exploitation.

  By comparison, procdump.exe is typically used for process memory dumping (often credential-related) rather than transporting files off-host. msbuild.exe is commonly abused for code execution via inline tasks or project files, not primarily for exfiltration. cscript.exe runs scripts (VBScript/JScript) and could be used to script many actions, but it is not as directly aligned with built-in, job-based network file transfer as bitsadmin. Therefore, bitsadmin.exe best fits the exfiltration objective.

• Question 325:

  A company hires a penetration tester to perform an external attack surface review as part of a security engagement. The company informs the tester that the main company domain to investigate is comptia.org.

  Which of the following should the tester do to accomplish the assessment objective?

  A. Perform information-gathering techniques to review internet-facing assets for the company.
  B. Perform a phishing assessment to try to gain access to more resources and users' computers.
  C. Perform a physical security review to identify vulnerabilities that could affect the company.
  D. Perform a vulnerability assessment over the main domain address provided by the client.
  A. Perform information-gathering techniques to review internet-facing assets for the company.

  ---

  Explanation

  An external attack surface review focuses on identifying publicly accessible assets that an attacker could exploit. The first step in this process is information gathering, which involves enumerating domains, subdomains, public IPs, DNS records, and other internet-facing resources. This is done using passive reconnaissance tools such as Whois, Shodan, Google Dorking, and OSINT techniques.

  Option A is correct because it aligns with the assessment goal--finding public-facing systems and their vulnerabilities before an attacker does.

  Option B (phishing assessment) is incorrect because it involves social engineering, which is not part of an external attack surface review.

  Option C (physical security review) is incorrect as it pertains to physical penetration testing, not an external attack analysis.

  Option D (vulnerability assessment) is incorrect because a vulnerability assessment is a later step after reconnaissance. The first step is identifying assets through information gathering.

  References:

  CompTIA PenTest+ PT0-003 Official Guide ?Chapter 4 (Information Gathering and OSINT).

• Question 326:

  During a testing engagement, a penetration tester compromises a host and locates data for exfiltration.

  Which of the following are the best options to move the data without triggering a data loss prevention tool? (Select two).

  A. Move the data using a USB flash drive.
  B. Compress and encrypt the data.
  C. Rename the file name extensions.
  D. Use FTP for exfiltration.
  E. Encode the data as Base64.
  F. Send the data to a commonly trusted service.
  B. Compress and encrypt the data.
  E. Encode the data as Base64.

  ---

  Explanation

  Data Loss Prevention (DLP) tools monitor sensitive data and prevent unauthorized exfiltration. The two best options to bypass DLP are:

  Compress and encrypt the data (Option B): Compression reduces file size, making detection harder.

  Encryption further protects the data by making it unreadable without a key.

  DLP tools often inspect content based on known patterns (e.g., credit card numbers, sensitive keywords).

  Encrypted files bypass content inspection since DLP cannot analyze encrypted data.

  References:

  CompTIA PenTest+ PT0-003 Official Study Guide - "Data Exfiltration Techniques" Encode the data as Base64 (Option E):

  Base64 encoding disguises data by converting it into ASCII text, making it less likely to trigger DLP signature-based detection.

  Many DLP systems do not analyze encoded text deeply, assuming it is non-sensitive.

  CompTIA PenTest+ PT0-003 Official Study Guide - "Encoding and Obfuscation in Exfiltration"

  Incorrect options:

  Option A (USB flash drive): Physical exfiltration is risky and easily detectable in enterprise environments.

  Option C (Rename file extensions): DLP systems analyze content, not just filenames.

  Option D (FTP for exfiltration): FTP is monitored by security tools and is a high-risk method.

  Option F (Trusted service): Many organizations monitor outbound traffic to cloud storage or email services.

• Question 327:

  A penetration tester completes a scan and sees the following Nmap output on a host:

  Nmap scan report for victim (10.10.10.10) Host is up (0.0001s latency) PORT STATE SERVICE

  161/udp open snmp

  445/tcp open microsoft-ds

  3389/tcp open ms-wbt-server

  Running Microsoft Windows 7

  OS CPE: cpe:/o:microsoft:windows_7::sp0 The tester wants to obtain shell access.

  Which of the following related exploits should the tester try first?

  A. exploit/windows/smb/psexec
  B. exploit/windows/smb/ms08_067_netapi
  C. exploit/windows/smb/ms17_010_eternalblue
  D. auxiliary/scanner/snmp/snmp_login
  C. exploit/windows/smb/ms17_010_eternalblue

  ---

  Explanation

  Since the system is running Windows 7 SP0, it is highly likely to be vulnerable to MS17-010 (EternalBlue), a critical SMB vulnerability used for remote code execution (RCE).

  Option A (psexec): PsExec requires valid credentials, which we do not have yet.

  Option B (ms08_067_netapi): MS08-067 targets Windows XP/Server 2003, but the system is Windows 7.

  Option C (ms17_010_eternalblue): Correct.

  EternalBlue allows remote exploitation of SMBv1 in Windows 7/Server 2008.

  Option D (snmp_login scanner) #: Only checks default SNMP credentials, not an exploit.

  References:

  CompTIA PenTest+ PT0-003 Official Guide ?SMB Exploitation&

  EternalBlue

• Question 328:

  A tester is finishing an engagement and needs to ensure that artifacts resulting from the test are safely handled.

  Which of the following is the best procedure for maintaining client data privacy?

  A. Remove configuration changes and any tools deployed to compromised systems.
  B. Securely destroy or remove all engagement-related data from testing systems.
  C. Search through configuration files changed for sensitive credentials and remove them.
  D. Shut down C2 and attacker infrastructure on premises and in the cloud.
  B. Securely destroy or remove all engagement-related data from testing systems.

  ---

  Explanation

  At the end of a penetration test, handling sensitive data properly ensures compliance with legal, regulatory, and ethical guidelines.

  Securely destroy or remove all engagement-related data (Option B):

  Ensures confidentiality of test results.

  Prevents unauthorized access to client information.

  Methods include secure wiping tools (shred, sdelete), and encrypted storage deletion.

  References:

  CompTIA PenTest+ PT0-003 Official Study Guide - "Post-Engagement Data Handling"

  Incorrect options:

  Option A (Remove configuration changes): Necessary but does not ensure complete data destruction.

  Option C (Search for sensitive credentials): Important but does not address all artifacts.

  Option D (Shut down C2 infrastructure): Important for OPSEC but does not address client data privacy.

• Question 329:

  SIMULATION

  A penetration tester has been provided with only the public domain name and must enumerate additional information for the public-facing assets.

  INSTRUCTIONS

  Select the appropriate answer(s), given the output from each section.

  

  

  

  Explanation

• Question 330:

  A penetration tester is evaluating a SCADA system. The tester receives local access to a workstation that is running a single application. While navigating through the application, the tester opens a terminal window and gains access to the underlying operating system.

  Which of the following attacks is the tester performing?

  A. Kiosk escape
  B. Arbitrary code execution
  C. Process hollowing
  D. Library injection
  A. Kiosk escape

  ---

  Explanation

  A kiosk escape involves breaking out of a restricted environment, such as a kiosk or a single application interface, to access the underlying operating system. Here's why option A is correct:

  Kiosk Escape: This attack targets environments where user access is intentionally limited, such as a kiosk or a dedicated application. The goal is to break out of these restrictions and gain access to the full operating system.

  Arbitrary Code Execution: This involves running unauthorized code on the system, but the scenario described is more about escaping a restricted environment.

  Process Hollowing: This technique involves injecting code into a legitimate process, making it appear benign while executing malicious activities.

  Library Injection: This involves injecting malicious code into a running process by loading a malicious library, which is not the focus in this scenario.

  References from Pentest:

  Forge HTB: Demonstrates techniques to escape restricted environments and gain broader access to the system.

  Horizontall HTB: Shows methods to break out of limited access environments, aligning with the concept of kiosk escape.

  Conclusion:

  Option A, Kiosk escape, accurately describes the type of attack where a tester breaks out of a restricted environment to access the underlying operating system.