Practice Free PT0-003 Exam Online Questions
A penetration tester downloads a JAR file that is used in an organization’s production environment. The tester evaluates the contents of the JAR file to identify potentially vulnerable components that can be targeted for exploit.
Which of the following describes the tester’s activities?
- A . SAST
- B . SBOM
- C . ICS
- D . SCA
D
Explanation:
The tester’s activity involves analyzing the contents of a JAR file to identify potentially vulnerable components. This process is known as Software Composition Analysis (SCA).
Understanding SCA:
Definition: SCA involves analyzing software to identify third-party and open-source components, checking for known vulnerabilities, and ensuring license compliance.
Purpose: To detect and manage risks associated with third-party software components.
Comparison with Other Terms:
SAST (A): Static Application Security Testing involves analyzing source code for security vulnerabilities without executing the code.
SBOM (B): Software Bill of Materials is a detailed list of all components in a software product, often used in SCA but not the analysis itself.
ICS (C): Industrial Control Systems, not relevant to the context of software analysis.
The tester’s activity of examining a JAR file for vulnerable components aligns with SCA, making it the correct answer.
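As an added illustration of the inventory step that SCA performs on a JAR (not code from the study guide): the script below builds a constructed sample JAR in memory, reads the Maven pom.properties files bundled under META-INF/maven/ to list groupId/artifactId/version, and compares them against a constructed advisory table. The component names, versions and the advisory data are all made up.

```python
import io
import zipfile

def build_sample_jar():
    """Constructed sample JAR (a zip) carrying Maven metadata the way built artifacts do;
    the component names and versions are made up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     "Manifest-Version: 1.0\nImplementation-Title: app\n")
        jar.writestr("META-INF/maven/org.example/widget-lib/pom.properties",
                     "groupId=org.example\nartifactId=widget-lib\nversion=2.3.1\n")
        jar.writestr("META-INF/maven/com.example/legacy-parser/pom.properties",
                     "# generated\ngroupId=com.example\nartifactId=legacy-parser\nversion=0.9.0\n")
    return buf.getvalue()

def list_components(jar_bytes):
    """Return sorted (groupId, artifactId, version) triples for every bundled pom.properties,
    which is the inventory step of SCA."""
    found = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.startswith("META-INF/maven/") and name.endswith("pom.properties"):
                props = {}
                for line in jar.read(name).decode("utf-8", "replace").splitlines():
                    if "=" in line and not line.startswith("#"):
                        key, val = line.split("=", 1)
                        props[key.strip()] = val.strip()
                found.append((props.get("groupId", "?"), props.get("artifactId", "?"),
                              props.get("version", "?")))
    return sorted(found)

# Constructed advisory data standing in for a vulnerability database:
# component -> first version that contains the fix.
KNOWN_FIXES = {("com.example", "legacy-parser"): "1.0.0"}

def version_key(version):
    """Numeric tuple for dotted versions so that '0.9.0' < '1.0.0' compares correctly."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))

def flag_vulnerable(components):
    """Return (groupId, artifactId, version, fixed_in) for components older than the fix."""
    hits = []
    for group, artifact, version in components:
        fixed_in = KNOWN_FIXES.get((group, artifact))
        if fixed_in and version_key(version) < version_key(fixed_in):
            hits.append((group, artifact, version, fixed_in))
    return hits
```

A real SCA tool does the same walk over nested JARs and shaded dependencies, then queries a vulnerability database instead of the constructed table.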
During an assessment, a penetration tester runs the following command:
dnscmd.exe /config /serverlevelplugindll C:\users\necad-TA\Documents\adduser.dll
Which of the following is the penetration tester trying to achieve?
- A . DNS enumeration
- B . Privilege escalation
- C . Command injection
- D . A list of available users
B
Explanation:
The tester is attempting to register a malicious DLL as a server-level plugin to escalate privileges.
Privilege escalation (Option B):
The command uses dnscmd.exe, a legitimate Windows tool for managing DNS servers.
By setting a malicious DLL (adduser.dll) as a server-level plugin, attackers can gain SYSTEM-level privileges.
This technique is a DLL hijacking attack.
Reference: CompTIA PenTest+ PT0-003 Official Study Guide – "Windows Privilege Escalation Techniques"
Incorrect options:
Option A (DNS enumeration): The command modifies DNS settings rather than querying them.
Option C (Command injection): The attacker is not injecting arbitrary shell commands.
Option D (List of users): The command does not retrieve user information.
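The detection side of this command, as an added example that is not from the study guide: a Python checker over constructed process-creation events that flags dnscmd.exe invocations touching /serverlevelplugindll, rating a plugin DLL loaded from a user-writable directory highest. The event line format, hostnames, users and paths are assumptions.

```python
import re

# Constructed process-creation events, in the shape a SIEM might forward them;
# hosts, users and paths are made up.
SAMPLE_EVENTS = [
    r'host=dns01 user=CORP\svc-dns cmd="dnscmd.exe /zoneprint corp.local"',
    r'host=dns01 user=CORP\jsmith cmd="dnscmd.exe /config /serverlevelplugindll C:\users\jsmith\Documents\adduser.dll"',
    r'host=dns01 user=CORP\svc-dns cmd="dnscmd.exe /Config /ServerLevelPluginDll"',
    r'host=ws07 user=CORP\jsmith cmd="cmd.exe /c whoami"',
]

PLUGIN_SWITCH = re.compile(r"^/serverlevelplugindll$", re.IGNORECASE)
# Locations a non-admin user can normally write to; a DNS plugin should never live there.
USER_WRITABLE = re.compile(r"\\users\\|\\temp\\|\\programdata\\", re.IGNORECASE)

def extract_cmd(event):
    """Pull the quoted command line out of one event string."""
    m = re.search(r'cmd="([^"]*)"', event)
    return m.group(1) if m else ""

def classify(event):
    """Return ('benign', None), ('clear-plugin', None) when the value is reset without a
    path, or ('set-plugin', path) when a DLL is configured as the server-level plugin."""
    tokens = extract_cmd(event).split()
    if not tokens or "dnscmd" not in tokens[0].lower():
        return ("benign", None)
    for i, tok in enumerate(tokens):
        if PLUGIN_SWITCH.match(tok):
            path = tokens[i + 1] if i + 1 < len(tokens) else None
            return ("set-plugin", path) if path else ("clear-plugin", None)
    return ("benign", None)

def severity(verdict):
    """'high' for a plugin DLL under a user-writable path, 'medium' for any other set or
    clear (both change what the DNS service loads as SYSTEM), 'none' otherwise."""
    kind, path = verdict
    if kind == "set-plugin" and USER_WRITABLE.search(path or ""):
        return "high"
    return "medium" if kind != "benign" else "none"

def scan(events):
    """Return (event, kind, path, severity) for every event that is not benign."""
    out = []
    for ev in events:
        verdict = classify(ev)
        if verdict[0] != "benign":
            out.append((ev, verdict[0], verdict[1], severity(verdict)))
    return out
```

Pairing this with a registry-change alert on the DNS service parameters gives coverage even when the value is set without dnscmd.exe.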
A penetration tester writes the following script to enumerate a 1724 network:
1 #!/bin/bash
2 for i in {1..254}; do
3 ping -c1 192.168.1.$i
4 done
The tester executes the script, but it fails with the following error:
-bash: syntax error near unexpected token `ping'
Which of the following should the tester do to fix the error?
- A . Add do after line 2.
- B . Replace {1..254} with $(seq 1 254).
- C . Replace bash with tsh.
- D . Replace $i with ${i}.
B
Explanation:
The syntax {1..254} is incorrect in Bash, as it uses brace expansion or seq for looping.
The correct syntax should be:
for i in $(seq 1 254)
Also, the missing do is an issue, but the syntax error mentioned points specifically to the loop structure. Fixing the sequence format resolves it.
Corrected script:
#!/bin/bash
for i in $(seq 1 254); do
ping -c1 192.168.1.$i
done
From the CompTIA PenTest+ PT0-003 Official Study Guide (Chapter 4 – Scanning & Enumeration): “Bash scripting is commonly used for automation in enumeration. The ‘seq’ command generates a sequence of numbers for iteration in loops.”
Reference: CompTIA PenTest+ PT0-003 Official Study Guide, Chapter 4
A penetration tester finished a security scan and uncovered numerous vulnerabilities on several hosts.
Based on the targets’ EPSS and CVSS scores, which of the following targets is the most likely to get attacked?
- A . Target 1: EPSS Score = 0.6 and CVSS Score = 4
- B . Target 2: EPSS Score = 0.3 and CVSS Score = 2
- C . Target 3: EPSS Score = 0.6 and CVSS Score = 1
- D . Target 4: EPSS Score = 0.4 and CVSS Score = 4.5
A
Explanation:
EPSS and CVSS Analysis:
EPSS (Exploit Prediction Scoring System) indicates the likelihood of exploitation.
CVSS (Common Vulnerability Scoring System) represents the severity of the vulnerability.
Rationale:
Target 1 has the highest EPSS score (0.6) combined with a moderately high CVSS score (4), making it the most likely to be attacked.
Other options either have lower EPSS or CVSS scores, reducing their likelihood of being exploited.
Reference: CompTIA PenTest+ Domain 2.0 (Information Gathering and Vulnerability Identification)
A tester wants to pivot from a compromised host to another network with encryption and the least amount of interaction with the compromised host.
Which of the following is the best way to accomplish this objective?
- A . Create an SSH tunnel using sshuttle to forward all the traffic to the compromised computer.
- B . Configure a VNC server on the target network and access the VNC server from the compromised computer.
- C . Set up a Metasploit listener on the compromised computer and create a reverse shell on the target network.
- D . Create a Netcat connection to the compromised computer and forward all the traffic to the target network.
A
Explanation:
Pivoting allows attackers to use a compromised host as a gateway to access internal resources.
Create an SSH tunnel using sshuttle (Option A):
sshuttle creates a transparent VPN-like connection over SSH, allowing the tester to forward traffic securely.
Advantages:
Provides encryption, preventing IDS/IPS detection.
Requires minimal interaction with the compromised host.
Reference: CompTIA PenTest+ PT0-003 Official Study Guide – "Pivoting and Lateral Movement Techniques"
Incorrect options:
Option B (VNC server): VNC lacks encryption and is easily detectable.
Option C (Metasploit listener): Reverse shells can be detected by EDR solutions.
Option D (Netcat connection): Netcat is plaintext, making it highly detectable.
A penetration tester wants to send a specific network packet with custom flags and sequence numbers to a vulnerable target.
Which of the following should the tester use?
- A . tcprelay
- B . Bluecrack
- C . Scapy
- D . tcpdump
C
Explanation:
Scapy is a powerful interactive Python-based packet manipulation tool used by penetration testers to create, modify, send, and analyze custom packets. It supports many protocols and allows you to set TCP flags, sequence numbers, and more.
tcprelay is used to redirect TCP traffic, not to craft packets.
Bluecrack is used for cracking Bluetooth encryption, irrelevant in this context.
tcpdump is a packet capture tool, not suitable for crafting or injecting packets.
Reference: PT0-003 Objective 3.4 – Tools for manipulating traffic, including Scapy for custom packet creation.
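To show what "custom flags and sequence numbers" means at the byte level, here is an added example (not from the exam source, and not using Scapy itself) that builds a TCP segment with caller-chosen flag letters and seq/ack values using only the standard library, fills in the checksum over the IPv4 pseudo-header, and parses the result back. Scapy's TCP(flags=..., seq=...) layer produces the same header fields; the addresses and ports below are assumptions, and nothing is sent.

```python
import socket
import struct

# Flag letters as Scapy spells them, mapped to their bit in the TCP header.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}

def checksum(data):
    """Ones'-complement sum of 16-bit words, as the TCP checksum requires."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def pseudo_header(src_ip, dst_ip, tcp_len):
    """IPv4 pseudo-header that the TCP checksum also covers."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, socket.IPPROTO_TCP, tcp_len))

def build_tcp(src_ip, dst_ip, sport, dport, seq, ack, flags, window=8192, payload=b""):
    """Build a TCP segment with caller-chosen flags and sequence numbers:
    20-byte header without options, checksum filled in."""
    flag_val = 0
    for letter in flags:
        flag_val |= FLAG_BITS[letter]
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flag_val, window, 0, 0)
    csum = checksum(pseudo_header(src_ip, dst_ip, len(header) + len(payload)) + header + payload)
    return header[:16] + struct.pack("!H", csum) + header[18:] + payload

def parse_tcp(segment):
    """Decode the fixed header back into a dict, flags as a letter string."""
    fields = struct.unpack("!HHIIBBHHH", segment[:20])
    sport, dport, seq, ack, offset, flag_val, window, csum, urg = fields
    flags = "".join(l for l, bit in FLAG_BITS.items() if flag_val & bit)
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags,
            "window": window, "checksum": csum, "payload": segment[(offset >> 4) * 4:]}

def verify_checksum(src_ip, dst_ip, segment):
    """A valid segment sums to zero once the stored checksum is included."""
    return checksum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0
```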
A penetration tester successfully gained access to manage resources and services within the company’s cloud environment. This was achieved by exploiting poorly secured administrative credentials that had extensive permissions across the network.
Which of the following credentials was the tester able to obtain?
- A . IAM credentials
- B . SSH key for cloud instance
- C . Cloud storage credentials
- D . Temporary security credentials (STS)
A
Explanation:
IAM (Identity and Access Management) credentials are used to control and manage access to cloud services and resources. When a penetration tester obtains IAM credentials, especially those with administrative privileges, they can perform high-level operations such as provisioning services, modifying configurations, or accessing sensitive data across the cloud environment. SSH keys would only grant access to a specific instance, not cloud-wide services.
Cloud storage credentials are limited to storage access, not administrative capabilities.
Temporary security credentials (STS) provide limited-time access and are not typically used for broad administrative tasks.
Reference: PT0-003 Objective 1.3 – Exploit cloud-based vulnerabilities, including credential abuse and privilege escalation via IAM.
A penetration tester is trying to get unauthorized access to a web application and executes the following command:
GET /foo/images/file?id=2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd
Which of the following web application attacks is the tester performing?
- A . Insecure Direct Object Reference
- B . Cross-Site Request Forgery
- C . Directory Traversal
- D . Local File Inclusion
C
Explanation:
The attacker is attempting to access restricted files by navigating directories beyond their intended scope.
Directory Traversal (Option C):
The request uses encoded "../" sequences (%2e%2e%2f = ../) to move up directories and access /etc/passwd.
This is a classic directory traversal attack aimed at accessing system files.
Reference: CompTIA PenTest+ PT0-003 Official Study Guide – "Directory Traversal Attacks"
Incorrect options:
Option A (Insecure Direct Object Reference – IDOR): IDOR exploits direct access to objects (e.g., changing user_id=123 to user_id=456), not directory navigation.
Option B (CSRF): CSRF forces users to execute unwanted actions, unrelated to directory access.
Option D (Local File Inclusion – LFI): LFI involves including local files (e.g., executing PHP scripts), but this attack only reads a file.
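The decode-and-normalise check a server should apply to such a parameter, as an added example that is not from the question source: it percent-decodes the value repeatedly (so double encoding like %252e is also caught), resolves it against the images directory the way the filesystem would, and rejects anything that escapes that directory. The request parameter is the one from the question above; the directory path is an assumption.

```python
import posixpath
from urllib.parse import unquote

# Directory the handler is meant to serve from (assumed) and the parameter from the question.
IMAGES_DIR = "/foo/images"
SAMPLE_PARAM = "2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd"

def decode_param(value, max_rounds=3):
    """Percent-decode until the value stops changing, so %252e%252e%2f is seen as ../ too."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def resolve(base_dir, user_path):
    """Join and normalise, collapsing ../ exactly as the filesystem would."""
    return posixpath.normpath(posixpath.join(base_dir, user_path.lstrip("/")))

def is_within(base_dir, resolved):
    """True only if the resolved path is the base directory or lies beneath it."""
    base = posixpath.normpath(base_dir)
    return resolved == base or resolved.startswith(base + "/")

def check_request(param):
    """Return (resolved_path, allowed); allowed is False for any traversal out of IMAGES_DIR."""
    resolved = resolve(IMAGES_DIR, decode_param(param))
    return resolved, is_within(IMAGES_DIR, resolved)
```

Logging the resolved path alongside the raw parameter makes the rejected requests easy to spot in access logs.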
A penetration tester established an initial compromise on a host. The tester wants to pivot to other targets and set up an appropriate relay. The tester needs to enumerate through the compromised host as a relay from the tester’s machine.
Which of the following commands should the tester use to do this task from the tester’s host?
- A . attacker_host$ nmap -sT <target_cidr> | nc -n <compromised_host> 22
- B . attacker_host$ mknod backpipe p attacker_host$ nc -l -p 8000 | 0<backpipe | nc <target_cidr> 80 | tee backpipe
- C . attacker_host$ nc -nlp 8000 | nc -n <target_cidr> attacker_host$ nmap -sT 127.0.0.1 8000
- D . attacker_host$ proxychains nmap -sT <target_cidr>
D
Explanation:
ProxyChains is a tool that allows you to route your traffic through a chain of proxy servers, which can be used to anonymize your network activity. In this context, it is being used to route Nmap scan traffic through the compromised host, allowing the penetration tester to pivot and enumerate other targets within the network.
Understanding ProxyChains:
Purpose: ProxyChains allows you to force any TCP connection made by any given application to follow through proxies like TOR, SOCKS4, SOCKS5, and HTTP(S).
Usage: It’s commonly used to anonymize network traffic and perform actions through an intermediate proxy.
Command Breakdown:
proxychains nmap -sT <target_cidr>: This command uses ProxyChains to route the Nmap scan traffic through the configured proxies.
Nmap Scan (-sT): This option specifies a TCP connect scan.
Setting Up ProxyChains:
Configuration File: ProxyChains configuration is typically found at /etc/proxychains.conf.
Adding Proxy: Add the compromised host as a SOCKS proxy.
Example entry in /etc/proxychains.conf:
socks4 127.0.0.1 1080
Execution:
Start Proxy Server: On the compromised host, run a SOCKS proxy (e.g., using ssh -D 1080 user@compromised_host).
Run ProxyChains with Nmap: Execute the command on the attacker’s host.
proxychains nmap -sT <target_cidr>
Reference from Pentesting Literature:
ProxyChains is commonly discussed in penetration testing guides for scenarios involving pivoting through a compromised host.
HTB write-ups frequently illustrate the use of ProxyChains for routing traffic through intermediate systems.
Reference: Penetration Testing – A Hands-on Introduction to Hacking HTB Official Writeups
A penetration tester performs a service enumeration process and receives the following result after scanning a server using the Nmap tool:
PORT STATE SERVICE
22/tcp open ssh
25/tcp filtered smtp
111/tcp open rpcbind
2049/tcp open nfs
Based on the output, which of the following services provides the best target for launching an attack?
- A . Database
- B . Remote access
- C . Email
- D . File sharing
D
Explanation:
Based on the Nmap scan results, the services identified on the target server are as follows:
22/tcp open ssh:
Service: SSH (Secure Shell)
Function: Provides encrypted remote access.
Attack Surface: Brute force attacks or exploiting vulnerabilities in outdated SSH implementations.
However, it is generally considered secure if properly configured.
25/tcp filtered smtp:
Service: SMTP (Simple Mail Transfer Protocol)
Function: Email transmission.
Attack Surface: Potential for email-related attacks such as spoofing, but the port is filtered, indicating that access may be restricted or protected by a firewall.
111/tcp open rpcbind:
Service: RPCBind (Remote Procedure Call Bind)
Function: Helps in mapping RPC program numbers to network addresses.
Attack Surface: Can be exploited in specific configurations, but generally not a primary target compared to others.
2049/tcp open nfs:
Service: NFS (Network File System)
Function: Allows for file sharing over a network.
Attack Surface: NFS can be a significant target for attacks due to potential misconfigurations that can allow unauthorized access to file shares or exploitation of vulnerabilities in NFS services.
Conclusion: The NFS service (2049/tcp) provides the best target for launching an attack. File sharing services like NFS often contain sensitive data and can be vulnerable to misconfigurations that allow unauthorized access or privilege escalation.