Practice Free PT0-003 Exam Online Questions
A penetration tester successfully gains access to a Linux system and then uses the following command:
find / -type f -ls > /tmp/recon.txt
Which of the following best describes the tester’s goal?
- A. Permission enumeration
- B. Secrets enumeration
- C. User enumeration
- D. Service enumeration
Answer: A
Explanation:
The find command shown here recursively searches the entire filesystem (/) for files (-type f) and lists them with detailed information (-ls), including file ownership, group, size, and permissions. The results are then redirected into /tmp/recon.txt.
This is typically performed as part of post-exploitation local enumeration to gather information on:
- Files and their permission settings.
- Potential world-writable or sensitive files (e.g., /etc/shadow, SSH keys, config files).
- Misconfigurations that could lead to privilege escalation.
Thus, the tester’s main objective is permission enumeration ― identifying files and directories with insecure permissions that could be exploited.
Why not the others:
B. Secrets enumeration: While secrets might later be found in files, the command’s intent is general permission/file listing, not targeted secret extraction.
C. User enumeration: The command doesn’t list users or accounts (no /etc/passwd or who queries).
D. Service enumeration: This doesn’t inspect running services or open ports.
CompTIA PT0-003 Objective Mapping:
Domain 2.0: Information Gathering and Vulnerability Scanning
While conducting a reconnaissance activity, a penetration tester extracts the following information:
Emails:
- [email protected]
- [email protected]
- [email protected]
Which of the following risks should the tester use to leverage an attack as the next step in the security assessment?
- A. Unauthorized access to the network
- B. Exposure of sensitive servers to the internet
- C. Likelihood of SQL injection attacks
- D. Indication of a data breach in the company
Answer: A
Explanation:
When a penetration tester identifies email addresses during reconnaissance, the most immediate risk to leverage for an attack is unauthorized access to the network.
Here’s why:
Phishing Attacks:
Email addresses are often used to conduct phishing attacks. By crafting a convincing email, an attacker can trick the recipient into revealing their login credentials or downloading malicious software, thereby gaining unauthorized access to the network.
Spear Phishing:
With specific email addresses (like [email protected]), attackers can perform spear phishing, targeting key individuals within the organization to gain access to more sensitive parts of the network.
Comparison with Other Risks:
Exposure of sensitive servers to the internet (B): This is unrelated to the email addresses and more about network configuration.
Likelihood of SQL injection attacks (C): SQL injection targets web applications and databases, not email addresses.
Indication of a data breach in the company (D): The presence of email addresses alone does not indicate a data breach.
Email addresses are a starting point for phishing attacks, making unauthorized access to the network the most relevant risk.
A company that uses an insecure corporate wireless network is concerned about security.
Which of the following is the most likely tool a penetration tester could use to obtain initial access?
- A. Responder
- B. Metasploit
- C. Netcat
- D. Nmap
Answer: A
Explanation:
Given an insecure wireless network (e.g., open or poorly secured Wi-Fi), a practical initial access technique is to capture or poison name resolution/authentication requests from client systems once they are on that network. Responder is designed to perform LLMNR/NBT-NS/MDNS poisoning and capture NTLM authentication attempts and other credential material on a local network segment. On an insecure Wi-Fi network an attacker can either join the network or run a rogue AP and then run Responder to capture credentials from connected clients ― a typical and effective initial-access method in such scenarios.
Why not the others:
B. Metasploit ― a general exploitation framework; useful after finding a vulnerable service, but not specifically the most-likely initial tool on an insecure Wi-Fi.
C. Netcat ― a raw TCP/UDP utility (listeners/shells); useful post-exploitation but not for capturing broadcast name resolution requests.
D. Nmap ― a scanner to discover hosts/ports; helpful reconnaissance, but not directly used to capture credentials on a local insecure wireless segment.
CompTIA PT0-003 Mapping: Wireless/host-based attacks and network credential-capture techniques (evil twin/rogue AP and LLMNR/NetBIOS poisoning).
While conducting an assessment, a penetration tester identifies the details for several unreleased products announced at a company-wide meeting.
Which of the following attacks did the tester most likely use to discover this information?
- A. Eavesdropping
- B. Bluesnarfing
- C. Credential harvesting
- D. SQL injection attack
Answer: A
Explanation:
Eavesdropping:
Eavesdropping involves intercepting communications between parties without their consent. If the details were obtained from a meeting, it likely involved intercepting audio or network communications, such as unsecured VoIP calls, radio signals, or in-room microphones.
Why Not Other Options?
B (Bluesnarfing): Targets Bluetooth-enabled devices, which is unlikely to apply to general meeting communications.
C (Credential harvesting): Focuses on collecting user credentials and does not explain the discovery of product details from a meeting.
D (SQL injection): Exploits databases and is unrelated to capturing meeting communication.
CompTIA PenTest+ Reference: Domain 3.0 (Attacks and Exploits), Techniques for Intercepting Communication
Which of the following describes the process of determining why a vulnerability scanner is not providing results?
- A. Root cause analysis
- B. Secure distribution
- C. Peer review
- D. Goal reprioritization
Answer: A
Explanation:
Root cause analysis involves identifying the underlying reasons why a problem is occurring. In the context of a vulnerability scanner not providing results, performing a root cause analysis would help determine why the scanner is failing to deliver the expected output.
Here’s why option A is correct:
Root Cause Analysis: This is a systematic process used to identify the fundamental reasons for a problem. It involves investigating various potential causes and pinpointing the exact issue that is preventing the vulnerability scanner from working correctly.
Secure Distribution: This refers to the secure delivery and distribution of software or updates, which is not relevant to troubleshooting a vulnerability scanner.
Peer Review: This involves evaluating work by others in the same field to ensure quality and accuracy, but it is not directly related to identifying why a tool is malfunctioning.
Goal Reprioritization: This involves changing the priorities of goals within a project, which does not address the technical issue of the scanner not working.
Reference from Pentest:
Horizontall HTB: Demonstrates the process of troubleshooting and identifying issues with tools and their configurations to ensure they work correctly.
Writeup HTB: Emphasizes the importance of thorough analysis to understand why certain security tools may fail during an assessment.
Which of the following activities should be performed to prevent uploaded web shells from being exploited by others?
- A. Remove the persistence mechanisms.
- B. Spin down the infrastructure.
- C. Preserve artifacts.
- D. Perform secure data destruction.
Answer: A
Explanation:
Web shells provide remote access and persistence for attackers. The best mitigation is to remove persistence mechanisms.
Remove the persistence mechanisms (Option A):
- Attackers often modify startup scripts, cron jobs, or registry keys to maintain access.
- If persistence is not removed, even after the web shell is deleted, attackers can reinstall or reaccess it.
Reference: CompTIA PenTest+ PT0-003 Official Study Guide – "Removing Persistent Web Shells"
Incorrect options:
Option B (Spin down the infrastructure): Shutting down servers does not remove the persistence.
Option C (Preserve artifacts): Important for forensics but does not prevent exploitation.
Option D (Perform secure data destruction): Secure wipe is useful but not always feasible for a production system.
A penetration tester is evaluating a SCADA system. The tester receives local access to a workstation that is running a single application. While navigating through the application, the tester opens a terminal window and gains access to the underlying operating system.
Which of the following attacks is the tester performing?
- A. Kiosk escape
- B. Arbitrary code execution
- C. Process hollowing
- D. Library injection
Answer: A
Explanation:
A kiosk escape involves breaking out of a restricted environment, such as a kiosk or a single application interface, to access the underlying operating system.
Here’s why option A is correct:
Kiosk Escape: This attack targets environments where user access is intentionally limited, such as a kiosk or a dedicated application. The goal is to break out of these restrictions and gain access to the full operating system.
Arbitrary Code Execution: This involves running unauthorized code on the system, but the scenario described is more about escaping a restricted environment.
Process Hollowing: This technique involves injecting code into a legitimate process, making it appear benign while executing malicious activities.
Library Injection: This involves injecting malicious code into a running process by loading a malicious library, which is not the focus in this scenario.
Reference from Pentest:
Forge HTB: Demonstrates techniques to escape restricted environments and gain broader access to the system.
Horizontall HTB: Shows methods to break out of limited access environments, aligning with the concept of kiosk escape.
Conclusion:
Option A, Kiosk escape, accurately describes the type of attack where a tester breaks out of a restricted environment to access the underlying operating system.
A penetration tester gains initial access to a target system by exploiting a recent RCE vulnerability. The patch for the vulnerability will be deployed at the end of the week.
Which of the following utilities would allow the tester to reenter the system remotely after the patch has been deployed? (Select two).
- A. schtasks.exe
- B. rundll.exe
- C. cmd.exe
- D. chgusr.exe
- E. sc.exe
- F. netsh.exe
Answer: A, E
Explanation:
To reenter the system remotely after the patch for the recently exploited RCE vulnerability has been deployed, the penetration tester can use schtasks.exe and sc.exe.
schtasks.exe:
Purpose: Used to create, delete, and manage scheduled tasks on Windows systems.
Persistence: By creating a scheduled task, the tester can ensure a script or program runs at a specified time, providing a persistent backdoor.
Example (path separators restored; the extraction had stripped the backslashes):
schtasks /create /tn "Backdoor" /tr "C:\path\to\backdoor.exe" /sc daily /ru SYSTEM
sc.exe:
Purpose: Service Control Manager command-line tool used to manage Windows services.
Persistence: By creating or modifying a service to run a malicious executable, the tester can maintain persistent access.
Example:
sc create backdoor binPath= "C:\path\to\backdoor.exe" start= auto
Other Utilities:
rundll.exe: Used to run DLLs as applications, not typically used for persistence.
cmd.exe: General command prompt, not specifically used for creating persistence mechanisms.
chgusr.exe: Used to change install mode for Remote Desktop Session Host, not relevant for persistence.
netsh.exe: Used for network configuration, not typically used for persistence.
Pentest Reference:
Post-Exploitation: Establishing persistence is crucial to maintaining access after initial exploitation.
Windows Tools: Understanding how to leverage built-in Windows tools like schtasks.exe and sc.exe to create backdoors that persist through reboots and patches.
By using schtasks.exe and sc.exe, the penetration tester can set up persistent mechanisms that will allow reentry into the system even after the patch is applied.
A penetration tester finished a security scan and uncovered numerous vulnerabilities on several hosts.
Based on the targets’ EPSS and CVSS scores, which of the following targets is the most likely to get attacked?
- A. Target 1: EPSS Score = 0.6 and CVSS Score = 4
- B. Target 2: EPSS Score = 0.3 and CVSS Score = 2
- C. Target 3: EPSS Score = 0.6 and CVSS Score = 1
- D. Target 4: EPSS Score = 0.4 and CVSS Score = 4.5
Answer: A
Explanation:
EPSS and CVSS Analysis:
EPSS (Exploit Prediction Scoring System) indicates the likelihood of exploitation.
CVSS (Common Vulnerability Scoring System) represents the severity of the vulnerability.
Rationale:
Target 1 has the highest EPSS score (0.6) combined with a moderately high CVSS score (4), making it the most likely to be attacked.
Other options either have lower EPSS or CVSS scores, reducing their likelihood of being exploited.
CompTIA PenTest+ Reference: Domain 2.0 (Information Gathering and Vulnerability Identification)
A penetration tester completes a scan and sees the following output on a host:
Nmap scan report for victim (10.10.10.10)
Host is up (0.0001s latency)
PORT STATE SERVICE
161/udp open|filtered snmp
445/tcp open microsoft-ds
3389/tcp open microsoft-ds
Running Microsoft Windows 7
OS CPE: cpe:/o:microsoft:windows_7_sp0
The tester wants to obtain shell access.
Which of the following related exploits should the tester try first?
- A. exploit/windows/smb/psexec
- B. exploit/windows/smb/ms08_067_netapi
- C. exploit/windows/smb/ms17_010_eternalblue
- D. auxiliary/scanner/snmp/snmp_login
Answer: C
Explanation:
The ms17_010_eternalblue exploit is the most appropriate choice based on the scenario.
Why MS17-010 EternalBlue?
EternalBlue is a critical vulnerability in SMBv1 (port 445) affecting older versions of Windows, including Windows 7.
The exploit can be used to execute arbitrary code remotely, providing shell access to the target system.
Other Options:
A (psexec): This exploit is a post-exploitation tool that requires valid credentials to execute commands remotely.
B (ms08_067_netapi): A vulnerability targeting older Windows systems (e.g., Windows XP). It is unlikely to work on Windows 7.
D (snmp_login): This is an auxiliary module for enumerating SNMP, not gaining shell access.
CompTIA PenTest+ Reference: Domain 2.0 (Information Gathering and Vulnerability Identification), Domain 3.0 (Attacks and Exploits)
