CompTIA PT0-003 Online Practice Questions and Exam Preparation

CompTIA PT0-003 Online Questions & Answers

• Question 361:

  A penetration tester is trying to restrict searches on Google to a specific domain.

  Which of the following commands should the penetration tester consider?

  A. inurl:
  B. link:
  C. site:
  D. intitle:
  C. site:

  ---

  Explanation

  The site: command can be used to restrict searches on Google to a specific domain. For example, site:company.com will return only results from the company.com domain. This can help the penetration tester to find information or pages related to the target domain.

• Question 362:

  A penetration tester wants to automatically enumerate all ciphers permitted on TLS/SSL configurations across a client's internet-facing and internal web servers.

  Which of the following tools or frameworks best supports this objective?

  A. Nmap Scripting Engine
  B. Shodan
  C. Impacket
  D. Netcat
  E. Burp Suite
  A. Nmap Scripting Engine

  ---

  Explanation

  The Nmap Scripting Engine (NSE) best supports automated enumeration of permitted TLS/SSL ciphers across many targets because it enables repeatable, script-driven service interrogation during scanning. In PenTest+ vulnerability scanning and enumeration tasks, Nmap is used not only for port/service discovery but also for deeper service assessment using scripts such as those that enumerate SSL/TLS protocol versions and the cipher suites a server will negotiate. This directly matches the requirement to "automatically enumerate all ciphers permitted" on both internet-facing and internal web servers, since Nmap can be pointed at IP ranges and host lists and run the same TLS enumeration consistently across the environment, producing comparable results for analysis and reporting.

  Shodan is primarily an external internet-wide search engine and is not suitable for internal-only hosts and controlled, comprehensive enumeration. Impacket targets Windows/AD and network protocol operations rather than TLS cipher auditing. Netcat can connect to services but does not provide scalable, structured cipher enumeration. Burp Suite is excellent for web application testing, but it is not the most direct or scalable choice for environment-wide TLS cipher inventory compared to scripted Nmap scanning.

• Question 363:

  A penetration tester wants to use multiple TTPs to assess the reactions (alerted, blocked, and others) by the client's current security tools. The threat-modeling team indicates the TTPs in the list might affect their internal systems and servers.

  Which of the following actions would the tester most likely take?

  A. Use a BAS tool to test multiple TTPs based on the input from the threat-modeling team.
  B. Perform an internal vulnerability assessment with credentials to review the internal attack surface.
  C. Use a generic vulnerability scanner to test the TTPs and review the results with the threat-modeling team.
  D. Perform a full internal penetration test to review all the possible exploits that could affect the systems.
  A. Use a BAS tool to test multiple TTPs based on the input from the threat-modeling team.

  ---

  Explanation

  BAS (Breach and Attack Simulation) tools are specifically designed to emulate multiple TTPs (Tactics, Techniques, and Procedures) used by adversaries. These tools can simulate various attack vectors in a controlled manner to test the effectiveness of an organization's security defenses and response mechanisms.

  Here's why option A is the best choice:

  Controlled Testing Environment: BAS tools provide a controlled environment where multiple TTPs can be tested without causing unintended damage to the internal systems and servers. This is critical when the threat-modeling team indicates potential impacts on internal systems.

  Comprehensive Coverage: BAS tools are designed to cover a wide range of TTPs, allowing the penetration tester to simulate various attack scenarios. This helps in assessing the reactions (alerted, blocked, and others) by the client's security tools comprehensively.

  Feedback and Reporting: These tools provide detailed feedback and reporting on the effectiveness of the security measures in place, including which TTPs were detected, blocked, or went unnoticed. This information is invaluable for the threat-modeling team to understand the current security posture and areas for improvement.

  References from Pentest:

  Anubis HTB: This write-up highlights the importance of using controlled tools and methods for testing security mechanisms. BAS tools align with this approach by providing a controlled and systematic way to assess security defenses.

  Forge HTB: Emphasizes the use of various testing tools and techniques to simulate real-world attacks and measure the effectiveness of security controls. BAS tools are mentioned as a method to ensure comprehensive coverage and minimal risk to internal systems.

  Conclusion:

  Using a BAS tool to test multiple TTPs allows for a thorough and controlled assessment of the client's security tools' effectiveness. This approach ensures that the testing is systematic, comprehensive, and minimally disruptive, making it the best choice.

• Question 364:

  A penetration tester conducts a scan on an exposed Linux web server and gathers the following data:

  Host: 192.168.55.23

  Open Ports:

  22/tcp Open OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 80/tcp Open Apache httpd 2.4.18 (Ubuntu) 111/tcp Open rpcbind 2-4 (RPC #100000)

  Additional notes:

  Directory listing enabled on /admin Apache mod_cgi enabled

  No authentication required to access /cgi-bin/debug.sh

  X-Powered-By: PHP/5.6.40-0+deb8u12

  Which of the following is the most effective action to take?

  A. Launch a payload using msfvenom and upload it to the /admin directory.
  B. Review the contents of /cgi-bin/debug.sh.
  C. Use Nikto to scan the host and port 80.
  D. Attempt a brute-force attack against OpenSSH 7.2p2.
  B. Review the contents of /cgi-bin/debug.sh.

  ---

  Explanation

  The most effective next action is to investigate /cgi-bin/debug.sh because it is a direct, high-signal finding: a server-side script in a CGI-enabled directory that is reachable without authentication. In PenTest+ enumeration methodology, testers prioritize items that are both accessible and likely to yield immediate impact, such as unauthenticated administrative or debug endpoints, exposed scripts, and functionality that could enable command execution or information disclosure. A debug shell script exposed through cgi-bin is a classic candidate for sensitive data leakage (paths, environment variables, credentials) or unsafe parameter handling that can lead to remote command execution--especially when mod_cgi is enabled and the file is callable over HTTP.

  By comparison, uploading an msfvenom payload assumes a write primitive to /admin and an execution path, neither of which is established by the findings. Nikto can be useful, but it is redundant compared to the specific, actionable lead already identified. Brute-forcing SSH is noisy, may violate rules of engagement, and is less efficient than testing an unauthenticated web-exposed script first.

• Question 365:

  A penetration tester wants to gather the names of potential phishing targets who have access to sensitive data.

  Which of the following would best meet this goal?

  A. WHOIS
  B. Censys.io
  C. SpiderFoot
  D. theHarvester
  D. theHarvester

  ---

  Explanation

  theHarvester is purpose-built for reconnaissance that supports social engineering and phishing assessments by collecting email addresses, employee names, and related identity information from public sources (for example, search engines, PGP key servers, and other OSINT repositories). In a PenTest+ workflow, this aligns directly with the objective of identifying specific people who could be targeted in a phishing simulation-especially when the tester needs a list of likely corporate users and roles to validate awareness controls and email security.

  By contrast, WHOIS primarily reveals domain registration details (often privacy-protected) and is not optimized for enumerating a broad set of internal users. Censys.io focuses on internet-exposed hosts, certificates, and services, which is valuable for attack surface mapping but not for building a human target list. SpiderFoot is a general OSINT automation platform, but theHarvester most directly matches the stated goal of harvesting names/emails suitable for phishing target identification.

• Question 366:

  A penetration tester executes multiple enumeration commands to find a path to escalate privileges. Given the following command:

  find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null

  Which of the following is the penetration tester attempting to enumerate?

  A. Attack path mapping
  B. API keys
  C. Passwords
  D. Permission
  D. Permission

  ---

  Explanation

  The command find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null is used to find files with the SUID bit set. SUID (Set User ID) permissions allow a file to be executed with the permissions of the file owner (root), rather than the permissions of the user running the file.

  Understanding the Command:

  find /: Search the entire filesystem.

  -user root: Limit the search to files owned by the root user.

  -perm -4000: Look for files with the SUID bit set.

  -exec ls -ldb {} \;: Execute ls -ldb on each found file to list it in detail.

  2>/dev/null: Redirect error messages to /dev/null to avoid cluttering the output.

  Purpose:

  Enumerating SUID Files: The command is used to identify files with elevated privileges that might be exploited for privilege escalation.

  Security Risks: SUID files can pose security risks if they are vulnerable, as they can be used to execute code with root privileges.

  Why Enumerate Permissions:

  Identifying SUID files is a crucial step in privilege escalation as it reveals potential attack vectors that can be exploited to gain root access.

  References from Pentesting Literature:

  Enumeration of SUID files is a common practice in penetration testing, as discussed in various guides and write-ups.

  HTB write-ups often detail how finding and exploiting SUID binaries can lead to root access on a target system.

  Step-by-Step ExplanationReferences:

  Penetration Testing - A Hands-on Introduction to Hacking

  HTB Official Writeups

• Question 367:

  A tester pivots into an internal network and wants to verify whether a discovered internal API leaks sensitive information.

  Which tool is BEST suited to perform structured API request testing?

  A. Burp Suite
  B. Hydra
  C. Netcat
  D. Nmap
  A. Burp Suite

  ---

  Explanation

  Burp Suite provides robust features for API testing, including replaying requests, parameter manipulation, automated scanning, and JSON/XML inspection.

  Why not others:

  Option B - Hydra is for brute forcing.

  Option C - Netcat can send raw requests but lacks structure and analysis.

  Option D - Nmap identifies services but does not test API logic.

  PT0-003 Mapping: Domain 4 - Using the correct tool to assess application endpoints.

• Question 368:

  A penetration tester needs to recursively search through a large Windows file repository to locate all occurrences of the string "ProjectX" within file contents and return both file paths and matching lines.

  Which PowerShell command would BEST accomplish this task?

  A. gc * | select "ProjectX"
  B. dir /R | findstr "ProjectX"
  C. Get-ChildItem * | Select-String "ProjectX"
  D. gci -Path . -Recurse | Select-String -Pattern "ProjectX"
  D. gci -Path . -Recurse | Select-String -Pattern "ProjectX"

  ---

  Explanation

  On Windows PowerShell, gci is an alias for Get-ChildItem. To search recursively through all files and return matches for the string "ProjectX", the combination gci -Path . -Recurse | Select-String -Pattern "ProjectX" is efficient and returns file paths and matching lines. This handles large repositories and searches file contents rather than just file names.

  Why Option D over Option C/B/A:

  Option C (Get-ChildItem * | Select-String "ProjectX"): Works but lacks -Recurse so it may not descend into subdirectories unless Get-ChildItem is invoked with -Recurse.

  Option B (dir /R | findstr): dir /R lists alternate data streams; it does not reliably search file contents and is less robust for large repos.

  A (gc * | select "ProjectX"): gc (Get-Content) on * could attempt to load huge files into memory and select "ProjectX" is not a correct PowerShell pattern for searching content. PT0-003 mapping: Domain 4 -- using scripting/PowerShell to efficiently locate sensitive strings in large code /data sets.

• Question 369:

  A penetration tester sets up a C2 (Command and Control) server to manage and control payloads deployed in the target network.

  Which of the following tools is the most suitable for establishing a robust and stealthy connection?

  A. ProxyChains
  B. Covenant
  C. PsExec
  D. sshuttle
  B. Covenant

  ---

  Explanation

  C2 servers are used to remotely control compromised systems while avoiding detection.

  Covenant (Option B): Covenant is an advanced C2 framework designed for stealthy post-exploitation in red team operations.

  Supports encrypted communication, privilege escalation, and evasion techniques.

  References:

  CompTIA PenTest+ PT0-003 Official Study Guide - "C2 Frameworks in Post-Exploitation"

  Incorrect options:

  Option A (ProxyChains): Used for proxying connections, but not a C2 framework.

  Option C (PsExec): A Windows command-line tool for remote execution, but not a C2 tool.

  Option D (sshuttle): Used for network tunneling, not full C2.

• Question 370:

  A penetration tester is attempting to exfiltrate sensitive data from a client environment without alerting the client's blue team.

  Which of the following exfiltration methods most likely remain undetected?

  A. Cloud storage
  B. Email
  C. Domain Name System
  D. Test storage sites
  C. Domain Name System

  ---

  Explanation

  The Domain Name System (DNS) is commonly used for covert exfiltration because it is an essential protocol in most networks and is less likely to be scrutinized compared to other methods. Here's how DNS exfiltration works:

  Mechanism:

  Data is encoded into DNS queries or responses, such as using subdomain fields to transmit sensitive information.

  These queries are sent to a malicious DNS server controlled by the attacker, allowing data to bypass traditional detection mechanisms.

  Why It Remains Undetected:

  DNS traffic is frequently allowed and not as heavily monitored compared to other channels like HTTP or email.

  Network security tools often prioritize operational DNS traffic, making detection of anomalies more challenging.

  References:

  Domain 3.0 (Attacks and Exploits)

  Domain 5.0 (Reporting and Communication)